
GitGuardian’s State of Secrets Sprawl 2025 report reveals the surprising magnitude of secret exposure in modern software environments. Driving it is the rapid growth of non-human identities (NHIs), which have come to outnumber human users. Security controls and governance for these machine identities have not kept pace with the rate at which they are deployed, creating unprecedented levels of security risk.
The report finds that in 2024 alone, 23.77 million new secrets were leaked on GitHub, a 25% increase over the previous year. This dramatic rise highlights how the spread of non-human identities (NHIs) such as service accounts, microservices, and AI agents rapidly expands the attack surface available to threat actors.
The non-human identity crisis
NHI secrets, including API keys, service account credentials, and Kubernetes workload credentials, outnumber human identities by at least 45:1 in DevOps environments. These machine credentials are essential to modern infrastructure, but mismanaging them creates serious security challenges.
The most concerning finding is the persistence of exposed credentials. GitGuardian’s analysis found that 70% of the secrets first detected in public repositories in 2022 remain active today, pointing to systemic failures in credential rotation and management practices.
Private repositories: a false sense of security
Organizations may believe that code in private repositories is secure, but the data tells a different story. Private repositories are about eight times more likely to contain secrets than public ones. This suggests that many teams rely on “security through obscurity” rather than implementing proper secrets management.
The report also found significant differences in the types of secrets leaked in private and public repositories.
Generic secrets account for 74.4% of all leaks in private repositories versus 58% in public ones. Generic passwords make up 24% of the generic secrets found in private repositories, compared with only 9% in public repositories. Enterprise credentials appear in 8% of private repositories but in only 1.5% of public ones.
This pattern suggests that developers are more cautious with public code but often cut corners in environments that appear to be protected.
AI exacerbates the problem
GitHub Copilot and other AI coding assistants can increase productivity, but they also increase security risk. Repositories with Copilot enabled show a 40% higher incidence of secret leaks than repositories without AI assistance.
This troubling statistic suggests that AI-driven development accelerates code production while encouraging developers to prioritize speed over security, embedding credentials in ways that more deliberate development practices might have avoided.
Docker Hub: over 100,000 valid secrets exposed
In an unprecedented analysis of 15 million public Docker images on Docker Hub, GitGuardian discovered over 100,000 valid secrets, including AWS keys, GCP keys, and GitHub tokens belonging to Fortune 500 companies.
The study found that 97% of these valid secrets were present only in the image layers, most of them in layers smaller than 15 MB. ENV instructions alone accounted for 65% of all leaks, highlighting a key blind spot in container security: a value set with ENV is baked into the image metadata and build history, so anyone who can pull the image can read it.
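As an added illustration (not code from the report or this article), the following Python scanner checks the two places an ENV leak persists in an OCI/Docker image config, the JSON returned by `docker image inspect` or `skopeo inspect --config`: the final `config.Env` table and the `created_by` string of every build step in `history`. The image config, the detector regexes, and the GitHub token value are constructed for this example; the AWS access key ID is AWS’s documented placeholder. The last history entry shows the safe alternative, a BuildKit `RUN --mount=type=secret` step, which exposes the credential to the build command under `/run/secrets/<id>` without writing it to any layer or to the history.

```python
import json
import re

# Detectors for a few well-known credential formats plus a catch-all for
# NAME=value pairs whose name looks secret-bearing. Illustrative only: real
# scanners ship hundreds of detectors and verify hits against the provider.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "generic_secret_assignment": re.compile(
        r"\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)=(\S+)",
        re.IGNORECASE,
    ),
}


def mask(value: str) -> str:
    """Report enough of a secret to identify it for rotation, never the whole value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, source: str) -> list:
    """Run every detector over one string; a specific detector wins over the generic one."""
    findings, seen = [], set()
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(2) if kind == "generic_secret_assignment" else m.group(0)
            if secret in seen:
                continue
            seen.add(secret)
            findings.append({"source": source, "kind": kind, "secret": mask(secret)})
    return findings


def scan_image_config(config_json: str) -> list:
    """Scan the final Env table and each build step recorded in the image config.

    An ENV step produces no filesystem layer (empty_layer), but the instruction stays
    in the history and the value it set stays in config.Env, so a pull exposes both.
    """
    cfg = json.loads(config_json)
    findings = []
    for entry in cfg.get("config", {}).get("Env", []):
        findings += scan_text(entry, "config.Env")
    for i, step in enumerate(cfg.get("history", [])):
        findings += scan_text(step.get("created_by", ""), f"history[{i}]")
    return findings


def summarize(findings: list) -> dict:
    """Count findings per detector for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return dict(sorted(counts.items()))


# Constructed image config shaped like `docker image inspect` / `skopeo inspect --config`
# output. AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key; the token is made up.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc123 in /"},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "empty_layer": True},
        {"created_by": "/bin/sh -c #(nop)  ENV GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz", "empty_layer": True},
        # Safe pattern: a BuildKit secret mount. The credential is readable by the build
        # command at /run/secrets/npm_token and is recorded in neither a layer nor here.
        {"created_by": "RUN |0 --mount=type=secret,id=npm_token /bin/sh -c npm ci # buildkit"},
    ],
})

if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_CONFIG):
        print(f"{f['source']:<12} {f['kind']:<26} {f['secret']}")
    print(summarize(scan_image_config(SAMPLE_CONFIG)))
```

Run against the constructed config, the scanner reports the three ENV credentials twice each (once from `config.Env`, once from the history step that set them) and nothing for the secret-mount step, which is the point: removing an ENV line in a later step does not unpublish it, only rebuilding the image without it does, and the credential itself must be rotated regardless.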
Beyond source code: secrets in collaboration tools
Secret leaks are not limited to code repositories. The report found that collaboration platforms such as Slack, Jira, and Confluence have become key vectors for credential exposure.
Surprisingly, the secrets found on these platforms tend to be more critical than those in source code repositories, with 38% of incidents classified as critical or urgent compared with 31% in source code management systems. This is because these platforms lack the security controls present in modern source code management tools.
Strikingly, only 7% of the secrets found in collaboration tools also appear in the codebase. This separate territory is a distinct challenge that most secret scanners, which look only at code, do not cover. Compounding the problem, users of these systems span every department, so anyone in the organization may be exposing credentials on these platforms.
Privilege issues
Compounding the risk, GitGuardian found that leaked credentials often carry excessive privileges.
99% of leaked GitLab API keys had either full access (58%) or read-only access (41%), and 96% of leaked GitHub tokens had write access.
These broad privileges greatly amplify the potential impact of a leaked credential, allowing attackers to move laterally and escalate privileges more easily.
Breaking the secrets sprawl cycle
While organizations are increasingly adopting secrets management solutions, the report emphasizes that these tools alone are not enough. GitGuardian found that even repositories using a secrets manager had a leaked-secret incidence of 5.1% in 2024.
The problem requires a comprehensive approach that addresses the entire secret lifecycle, combining automated discovery with swift remediation processes and security integrated across development workflows.
As the report concludes, “The 2025 State of Secrets Sprawl Report provides a harsh warning about the security risks posed by non-human identities and their associated secrets as those identities increase. A reactive, fragmented approach to secrets management is not sufficient in a world of automated deployment, AI-generated code, and rapid application delivery.”