Boston, USA, March 11, 2025, CyberNewswire
GitGuardian, the security leader behind GitHub’s most installed application, today released its comprehensive 2025 State of Secrets Sprawl Report, revealing a widespread and persistent security crisis that threatens organizations of all sizes. The report found a 25% increase in leaked secrets year over year, with 23.8 million new credentials detected on public GitHub in 2024 alone.
Most concerning for enterprise security leaders: 70% of the secrets leaked in 2022 remain active today, creating a growing attack surface that becomes more dangerous every day.
“The explosion of leaked secrets represents one of the most important yet underrated threats in cybersecurity,” said Eric Fourrier, CEO of GitGuardian. “Unlike sophisticated zero-day exploits, attackers don’t need sophisticated skills to exploit these vulnerabilities. One published credential can provide unlimited access to critical systems and sensitive data.”
Fourrier points to the 2024 US Treasury breach as a warning: “This was not a sophisticated attack. It was a simple case of a publicly exposed credential bypassing millions in security investments.”
Key findings for security leaders
This report identifies several important trends that require immediate attention.
Blind spot: generic secrets
GitHub’s push protection helps developers catch known secret patterns, but generic secrets, such as hardcoded passwords, database credentials and custom authentication tokens, represent more than half of all detected leaks. These credentials lack standardized patterns, making them nearly impossible to detect with traditional pattern-based tools.
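To make the detection gap concrete, here is an added example (not code from GitGuardian or from the report) contrasting the two approaches the report describes: matching vendor-specific formats, which push protection can do, versus flagging generic secrets, which have no fixed shape and can only be found from assignment context and value randomness. The sample source file, the keyword list, the entropy threshold and the rule names are all constructed for this illustration; the AWS key in the sample is the placeholder value used in AWS documentation, not a live credential.

```python
import math
import re

# Constructed sample source file (not data from the report). The AWS key is
# the placeholder used in AWS documentation, not a live credential.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "Tr0ub4dor&3-x9Qz"
api_token = "${API_TOKEN}"
password = "changeme"
DEBUG = True
"""

# Known, vendor-specific formats: the kind of secret a pattern scanner can match.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic secrets have no fixed format; the only signals are the name the value
# is assigned to and how random the value looks. Keyword list is an assumption.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>\w*(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)\w*)
    \s*[:=]\s*
    ["'](?P<value>[^"']+)["']
    """
)
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|\{\{.*\}\}|xxx+)$", re.I)
COMMON_DUMMIES = {"changeme", "password", "secret", "example", "test", "todo"}
MIN_LENGTH = 8
MIN_ENTROPY = 3.0  # bits per character; a constructed threshold for short strings


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_known_patterns(text: str) -> list:
    """Return (line_no, rule_name) for every match of a vendor-specific format."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, rule))
    return hits


def looks_like_generic_secret(value: str) -> bool:
    """Heuristic: not a placeholder, not a dummy word, long enough, high entropy."""
    if PLACEHOLDER.match(value) or value.lower() in COMMON_DUMMIES:
        return False
    return len(value) >= MIN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY


def scan_generic(text: str, skip_lines=frozenset()) -> list:
    """Return (line_no, variable_name) for assignments whose value looks like a live secret."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line_no in skip_lines:
            continue
        m = ASSIGNMENT.search(line)
        if m and looks_like_generic_secret(m.group("value")):
            hits.append((line_no, m.group("name")))
    return hits


def scan(text: str) -> list:
    """Known-pattern findings first, then generic heuristics on the remaining lines."""
    known = scan_known_patterns(text)
    generic = scan_generic(text, skip_lines={ln for ln, _ in known})
    return ([(ln, rule, "known") for ln, rule in known]
            + [(ln, name, "generic") for ln, name in generic])


if __name__ == "__main__":
    for line_no, what, kind in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {what} ({kind})")
```

Run against the sample, the pattern scanner alone reports only the AWS key; the database password on line 2 is invisible to it and is found only by the keyword-plus-entropy heuristic, while the `${API_TOKEN}` placeholder and the `changeme` dummy are filtered out rather than reported. The entropy threshold is the tuning knob: lower it and more real passwords are caught at the cost of more noise, which is the trade-off that makes generic secrets hard to detect reliably.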
Private repositories: a false sense of security
The analysis reveals a surprising truth: a full 35% of all scanned private repositories contain at least one plaintext secret, shattering the common assumption that private repositories are safe.
AWS IAM keys appeared in plaintext in 8.17% of private repositories, more than five times as often as in public repositories (1.45%). Generic passwords were also far more common in private repositories (24.1%) than in public ones (8.94%).
“Leaked secrets in private code repositories must be treated as compromised,” emphasized Fourrier. “Security teams must recognize that secrets should be treated as sensitive data regardless of where they reside.”
Beyond the code: secrets spread throughout the SDLC
Hardcoded secrets are everywhere, but especially in security blind spots such as collaboration platforms and container environments, where security controls are usually weaker:
Slack: 2.4% of channels in the analyzed workspaces contained leaked secrets
Jira: 6.1% of tickets exposed credentials, making it the most vulnerable collaboration tool
DockerHub
The non-human identity crisis
Non-human identities (NHIs), including API keys, service accounts and automation tokens, significantly outnumber human identities in most organizations. However, these credentials often lack proper lifecycle management and rotation, resulting in persistent vulnerabilities.
A security leader at a Fortune 500 company acknowledged the challenge: “We aim to rotate secrets every year, but enforcement is difficult across the environment. Some credentials remain unchanged for years.”
Secrets managers: not a perfect answer
Even organizations using secrets management solutions remain vulnerable. A survey of 2,584 repositories leveraging secrets managers revealed a 5.1% secret leak rate, higher than the overall GitHub average of 4.6%.
Common problems are:
Secrets extracted from secrets managers and hardcoded elsewhere
Exposed access to the secrets manager itself
Fragmented governance
The path forward: comprehensive secrets security
As AI-generated code, automation and cloud-native development accelerate, the report predicts that secrets sprawl will only intensify. GitHub’s push protection has reduced some leaks, but gaps remain, particularly around generic secrets, private repositories and collaboration tools.
“For CISOs and security leaders, the goal is more than just detection. It is remediation before these vulnerabilities are exploited,” Fourrier said. “This requires a comprehensive approach that includes automated discovery, detection, remediation and stronger secrets governance across all enterprise platforms.”
The report concludes with a strategic framework for organizations to address their secrets sprawl:
Deploy monitoring for exposed credentials across all environments
Establish automated rotation policies for all credentials
Implement centralized secrets detection and remediation
To read the full 2025 State of Secrets Sprawl Report, visit gitguardian.com.
Additional resources
GitGuardian – Website
The State of Secrets Sprawl 2025
About GitGuardian
GitGuardian is an end-to-end NHI security platform that helps software-driven organizations strengthen non-human identity (NHI) security and adhere to industry standards. As attackers increasingly target NHIs such as service accounts and applications, GitGuardian integrates secrets security with NHI governance. This dual approach detects compromised secrets across the development environment while managing non-human identities and their secret lifecycles. The platform is the world’s most installed GitHub application, supports over 450 types of secrets, provides public monitoring of leaked data, and deploys honeytokens for additional defense. Trusted by over 600,000 developers, GitGuardian is the choice of large organizations such as Snowflake, ING, BASF and Bouygues Telecom for robust secrets protection.
Media Contact
Holly Hegerman
Connect Marketing
hollyh@connectmarketing.com
+1 (801) 373-7888