Secrecy Sprawl in 2026: 9 Points for CISOs

March 30, 2026

The proliferation of sensitive information continues, accelerating faster than most security teams expected in 2025. GitGuardian’s State of Secrets Sprawl 2026 report analyzed billions of commits across public GitHub and uncovered 29 million new hard-coded secrets in 2025 alone. This is a 34% increase over the previous year and the largest single-year increase ever.

This year’s findings point to three core trends: AI is fundamentally reshaping how and where credentials are exposed, internal systems are far more at risk than most organizations realize, and remediation continues to be the industry’s Achilles heel.

Here are nine key strategic points.

1. Secrets are growing faster than the developer population

Since 2021, leaked sensitive information has increased by 152% and GitHub’s public developer base has grown by 98%. With more developers and more AI-assisted code generation, there will be more credentials in circulation than detection alone can handle.

2. AI service breaches increased by 81% year over year

GitGuardian detected 1,275,105 leaked secrets related to AI services in 2025, an 81% increase from 2024. Eight of the 10 fastest-growing categories of leaked secrets were AI-related. This isn’t just about OpenAI or Anthropic keys; the real explosion is in LLM infrastructure: search APIs like Brave Search (+1,255%), orchestration tools like Firecrawl (+796%), and managed backends like Supabase (+992%). Each new AI integration introduces another machine identity, and each one expands the attack surface. Safely deploying AI requires a proper secrets security strategy.

3. Internal repositories are 6x more likely to be compromised than public repositories

While public GitHub gets all the attention, the most valuable credentials reside in internal repositories. GitGuardian research found that 32.2% of internal repositories contain at least one hardcoded secret, compared to just 5.6% of public repositories. These are not test keys. These are CI/CD tokens, cloud access credentials, and database passwords – the very assets that attackers target once they gain a foothold. Security through obscurity has failed. Treat internal repositories as primary leak sources.

4. 28% of leaks occur entirely outside of code

Secrets don’t just live in repositories. GitGuardian found that 28% of incidents in 2025 occurred entirely outside source code, in Slack, Jira, Confluence, and similar collaboration tools. These leaks are more dangerous: 56.7% of the secrets found only in collaboration tools were rated critical, compared to 43.7% for code-only incidents. Teams share credentials during incident response, troubleshooting, and onboarding. If you only scan code, you miss a quarter of your exposure, and the credentials leaked in collaboration tools tend to be the more important and more serious ones.

5. Self-hosted GitLab and Docker registries expose secrets 3-4 times more than public GitHub

GitGuardian discovered thousands of self-hosted GitLab instances and Docker registries that were inadvertently exposed in 2025. A scan of these systems revealed 80,000 credentials, 10,000 of which were still valid. Secrets in Docker images were a particular problem: 18% of scanned Docker images contained secrets, and 15% of those were valid, whereas the validity rate for GitLab repositories was 12%. Docker secrets are also more production-like. The boundary between private and public is porous.

6. 64% of secrets leaked in 2022 are still valid today

Detection is not remediation. GitGuardian retested secrets found to be valid in 2022 and found that 64% were still exploitable four years later. This is not a rounding error; it is evidence that rotation and revocation are not routine, owned, or automated in most organizations. Credentials embedded in build systems, CI variables, container images, and vendor integrations are difficult to replace without disrupting operations. For many teams, the seemingly safest short-term choice is to do nothing, which leaves any attacker who holds the secret with a durable access path.

7. Developer endpoints are a new credential aggregation layer

The Shai-Hulud 2 supply chain attack allowed researchers to see what the secrets actually looked like on compromised developer machines. GitGuardian identified 294,842 secret occurrences across 6,943 systems, corresponding to 33,185 unique secrets. On average, each live secret existed in eight different locations on the same machine, spread across .env files, shell history, IDE configuration, cached tokens, and build artifacts. Even more surprising, 59% of the compromised machines were CI/CD runners rather than personal laptops. When secrets begin to spread to the build infrastructure, it becomes not only a personal hygiene issue, but an organizational exposure issue.

More recently, the same pattern was demonstrated in the LiteLLM supply chain attack, where compromised packages collected SSH keys, cloud credentials, and API tokens from developer machines with an increasing concentration of AI development tools.

8. MCP Server exposed over 24,000 secrets in its first year

Model Context Protocol (MCP) has made AI systems more useful by connecting them to tools and data sources. It has also introduced a new type of credential leak. In 2025, GitGuardian discovered 24,008 unique secrets in MCP-related configuration files on public GitHub, of which 2,117 were confirmed to be valid. As agentic AI adoption accelerates, MCP and similar frameworks will standardize putting credentials into configuration files, launch flags, and local JSON. The agent ecosystem is growing faster than security controls can adapt.
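As an added example (not part of the original article and not GitGuardian’s tooling), the following Python script covers what points 7 and 8 describe: it inventories constructed sample files from one developer machine (an .env file, shell history, and an MCP config JSON with env blocks and launch flags) and groups hits by unique secret value, so one token found in several places counts once. The credential patterns, the flag names and all sample values are assumptions for illustration.

```python
import json
import re
from collections import defaultdict

# Credential shapes covered here (assumed formats, illustrative only).
PATTERNS = {
    "openai-style key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "github token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password in URL": re.compile(r"://[^/\s:@]+:([^@\s/]+)@"),
}
SECRET_VAR = re.compile(r"KEY|TOKEN|SECRET|PASS", re.I)  # env var names worth flagging
FLAG_NAMES = ("--api-key", "--token", "--password")       # launch flags that carry a value

def scan_text(path, text):
    """Yield (secret, kind, location) for every regex hit in a plain-text file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                yield m.group(m.lastindex or 0), kind, f"{path}:{lineno}"

def scan_mcp_config(path, text):
    """Yield secrets an MCP config hands to servers via env blocks or launch flags."""
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            if value and SECRET_VAR.search(var):
                yield value, f"env {var}", f"{path}:mcpServers.{name}.env"
        args = server.get("args", [])
        for i, arg in enumerate(args[:-1]):
            if arg in FLAG_NAMES:
                yield args[i + 1], f"flag {arg}", f"{path}:mcpServers.{name}.args"

def inventory(files):
    """Map each unique secret value to the (kind, location) pairs where it appears."""
    hits = defaultdict(list)
    for path, text in files.items():
        scanner = scan_mcp_config if path.endswith(".json") else scan_text
        for secret, kind, loc in scanner(path, text):
            hits[secret].append((kind, loc))
    return dict(hits)

# Constructed sample machine: the same two tokens recur across files (no real credentials).
KEY = "sk-EXAMPLE000000000000000000000000000000000"
PAT = "ghp_" + "E" * 36
SAMPLE_FILES = {
    ".env": f"OPENAI_API_KEY={KEY}\nDB_URL=postgres://app:hunter2@db.internal:5432/app\n",
    ".bash_history": f"export OPENAI_API_KEY={KEY}\ncurl -H 'Authorization: token {PAT}' https://api.github.com/user\n",
    ".cursor/mcp.json": json.dumps({"mcpServers": {
        "search": {"command": "npx", "args": ["search-mcp", "--api-key", "BSA-EXAMPLE-0000"]},
        "github": {"command": "npx", "args": ["github-mcp"], "env": {"GITHUB_TOKEN": PAT, "LOG_LEVEL": "info"}}}}),
}
```

Calling `inventory(SAMPLE_FILES)` returns four unique secrets from six occurrences; the two tokens that appear in more than one file are the ones a rotation would have to chase across every location.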

9. Moving from detection of secrets to governance of non-human identities

The industry’s limiting factor is answering three questions at scale:

– What non-human identities are present in my environment?

– Who owns them?

– What do they have access to?

Organizations adopting agentic AI need to build continuous NHI governance that goes beyond detection. This means eliminating long-lived static credentials wherever possible, adopting short-lived identity-driven access, making secret vaults the default developer workflow, and treating all service accounts, CI jobs, and AI agents as managed identities with lifecycle management.

Conclusion

The spread of secrets never stops. It is accelerating with the adoption of AI, developer productivity tools, and distributed software delivery. The old model of scanning public repositories and expecting compliance is no longer sufficient. Security teams need visibility across internal systems, collaboration tools, container registries, and developer endpoints. They need a remediation workflow that lets them rotate credentials without disrupting operations. And most importantly, they need to stop treating secrets as isolated incidents and start managing them as part of a broader non-human identity governance program.

The attack surface has changed. The question is whether security programs will change accordingly.

About research

GitGuardian’s annual State of Secrets Sprawl report, now in its fifth edition, analyzes billions of public commits on GitHub, monitors internal incidents across customer environments, and conducts original research into self-hosted infrastructure exposures and supply chain compromises.
