Symmetric cryptography powers everything from HTTPS to JWT tokens, but key management remains a significant challenge. This developer guide covers three critical use cases—session keys, self-use keys, and pre-shared keys—with practical strategies for secure generation, rotation, and storage.
AI adoption accelerates secret sprawl as organizations connect to multiple providers. Our investigation of a leaked xAI API key, which granted access to unreleased Grok models, reveals critical flaws in their disclosure process, highlighting necessary improvements in this domain.
MCP rapidly enhances AI capabilities but introduces security challenges through its distributed architecture. Especially, the distributed nature of MCP requires a lot of NHIs and their secrets. Our research shows that MCP is a new source of leaks that already discloses real-world secrets.
Responsible disclosure is an often overlooked but critical component of cybersecurity alerting processes. Explore key best practices that can enhance communication and collaboration with researchers, turning potential security threats into opportunities for stronger defense.
At JSSI 2025, French IT security experts discussed the cloud's impact on security. Presentations covered strategy and technical analysis. GitGuardian’s researchers shared insights on detecting secrets in the cloud and responsibly disclosing them to companies.
On March 14, 2025, the popular GitHub action tj-actions/changed-files was compromised, exposing secrets in CI logs. GitGuardian's analysis identified leaked secrets like GitHub tokens, AWS keys, and more.
In the past 6 months, our security research team disclosed 24 critical vulnerabilities. Most have been successfully remediated. Our team's contributions to cybersecurity have been formally recognized, with our researchers being listed in both Bayer's and Oracle's Security Researcher Hall of Fame.
Artifactory token leaks are not the most common, but they pose significant risks, exposing sensitive assets and enabling supply chain attacks. This article explores the dangers of leaked tokens and proposes mitigation strategies, including token scoping and implementing least privilege policies.
While Artifactory tokens aren't the most common leaked secrets, GitGuardian's research reveals their critical nature in corporate environments. Recent investigations across major industries show how these tokens frequently expose sensitive resources through build configurations and DevOps code.
On December 4, 2024, the Ultralytics Python module was backdoored to deploy a cryptominer. Using GitGuardian’s data, we reconstructed deleted commits, connecting the dots with the initial analysis. This investigation highlights the value of GitGuardian’s data in understanding supply chain attacks.
At GitGuardian we see things that no one should ever see. We detect and collect leaked secrets that are so hideous we could lose our sanity. Let us introduce you to some of the most terrifying leaks we saw this year. If you dare.
GitGuardian is the code security platform for
the DevOps generation.
With automated secrets detection and
remediation, our platform enables Dev, Sec, and Ops to advance together
towards the Secure Software Development Lifecycle.
Subscribe to our newsletter to receive the latest content and updates from GitGuardian.
