GitGuardian's recent "2025 State of Secrets Sprawl Report" reveals an alarming trend in cybersecurity: a 25% year-on-year increase in leaked secrets, with 23.8 million new credentials identified on public GitHub in 2024. Most concerning is that 70% of secrets leaked in 2022 remain active, posing an ever-growing risk to organisations.
Blind spots
Generic secrets, including hardcoded passwords and database credentials, now account for over 58% of all detected leaks. Unlike API keys or OAuth tokens, these secrets lack standardised patterns, making them difficult to detect with conventional tools. This oversight leaves organisations vulnerable to attacks that require minimal skill to exploit, as demonstrated by the 2024 U.S. Treasury Department breach, where a single leaked API key allowed attackers to bypass security measures.
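The blind spot described above, as an added example that is not from the report or from GitGuardian's tooling: a minimal scanner in which a fixed-prefix AWS access key ID is caught by a plain regex, while a generic database password can only be caught by a keyword-plus-entropy heuristic, which in turn misses a low-entropy value. Rule names, the entropy threshold and the sample lines are constructed assumptions.

```python
import math
import re

# Rule 1: patterned secrets have a fixed prefix and shape, so a regex suffices.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Rule 2: generic secrets have no shape; fall back to a secret-like keyword on
# the left-hand side plus a high-entropy quoted value on the right-hand side.
GENERIC_KEY = re.compile(r"(password|passwd|pwd|secret|token|api_?key)\s*[=:]", re.I)
QUOTED_VALUE = re.compile(r"""[=:]\s*['"]([^'"]{8,})['"]""")
# Values that look like secrets but are references or obvious stand-ins.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|example)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    length = len(value)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (value.count(c) for c in set(value))
    )


def classify(line: str, min_entropy: float = 3.5) -> list[str]:
    """Return the names of the rules that fire on one line of source text."""
    hits = [name for name, rx in PATTERN_RULES.items() if rx.search(line)]
    if GENERIC_KEY.search(line):
        m = QUOTED_VALUE.search(line)
        if m and not PLACEHOLDER.match(m.group(1)) and shannon_entropy(m.group(1)) >= min_entropy:
            hits.append("generic_secret")
    return hits


def scan(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings; lines without findings are omitted."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := classify(line))}


# Constructed sample input; none of these values are real credentials.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLECONSTRUCT"',  # patterned: the regex catches it
    'db_password = "Tr0ub4dor&3-xK9qLm2p"',      # generic: keyword + entropy catches it
    'db_password = "${DB_PASSWORD}"',             # environment reference, not a secret
    'password = "password123"',                   # low entropy: the heuristic misses it
    'log_level = "debug"',                        # no secret-like keyword at all
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LINES).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The fourth sample line is the point of the section: a weak hardcoded password has no pattern and too little entropy to stand out, so a scanner built only on these two rules reports nothing for it.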
False sense of security
A surprising finding is that 35% of private repositories contain hardcoded secrets, challenging the assumption that private code is secure. AWS IAM keys, for instance, appear in plaintext in 8% of private repositories, significantly more often than in public ones. This underscores the need for security teams to treat secrets in private repositories as compromised and implement robust security measures.
Secrets sprawl across the SDLC
Secrets are not confined to code repositories; they are also prevalent in collaboration platforms and container environments. For example, Jira tickets exposed credentials in 6.1% of cases, while DockerHub contains over 7,000 valid AWS keys embedded in image layers. This highlights the importance of extending security controls beyond traditional code management systems.
The non-human identity crisis
Non-human identities (NHIs), such as API keys and service accounts, outnumber human identities in most organisations but often lack proper lifecycle management. This creates persistent vulnerabilities, as many credentials remain unchanged for years. Implementing regular rotation policies for these credentials is crucial.
Secrets managers: Not a complete solution
Even organisations using secrets management solutions are not immune to leaks. A study found a 5.1% leakage rate among repositories using secrets managers, surpassing the overall GitHub average. Common issues include hardcoded secrets extracted from managers and insecure authentication to these systems.
What to do now
As AI, automation and cloud-native development accelerate, secrets sprawl is expected to worsen. The report recommends that CISOs and security professionals prioritise remediation over mere detection. A comprehensive approach is essential, encompassing automated discovery, detection and remediation of credentials, along with robust governance frameworks.
The report advocates for:
- Monitoring exposed credentials across all environments.
- Centralising secrets detection and remediation.
- Implementing semi-automated rotation policies.
- Establishing clear developer guidelines for secure vault usage.