When people think of secrets scanning, most immediately think about source code repositories on platforms like GitHub, GitLab, and Bitbucket. While the codebase is a source you absolutely should monitor, it is just one part of the overall secrets security story.

Indeed, secrets leaking in code are a major concern. According to GitGuardian’s 2025 State of Secrets Sprawl Report, the scale of this issue has surged dramatically. In 2024 alone, over 23.7 million new hardcoded secrets were added to public GitHub repositories—a 25% increase from the year before. And that’s just GitHub.

However, that is not the full story. The report also shows that many of today’s critical secrets exposures are not in your code; they’re in your collaboration tools. Platforms like Slack, Jira, Confluence, and other project management and productivity tools have become high-risk zones for leaked credentials. Even worse, secrets found in these systems are more likely to be critical, harder to detect, and almost entirely distinct from the plaintext credentials found in source code.

Secrets Are Sprawling Everywhere Work Happens

In a traditional security mindset, secrets management begins and ends in the repository. Once your team has adopted a vault solution and you are scanning your code and CI/CD pipelines, you are well on your way to secrets management maturity. If you have gotten your developers to standardize on prevention tools like pre-commit git scanning, as you can do with ggshield, or embedded tools in their favorite code editor, you have achieved a major milestone towards better secrets security.

The reality is that secrets are leaking in every tool your team touches, not just code and CI/CD platforms but across your full digital workspace. Messaging apps, ticketing systems, internal wikis, and even container registries are now active battlegrounds for credential exposure.

In our 2025 State of Secrets Sprawl Report, we found that:

  • 38% of secrets found in collaboration tools were classified as critical or urgent, compared to 31% in source code.
  • Only 7% of secrets overlap between SCM (Source Code Management) and collaboration tools—these are almost entirely separate exposures.

That last fact is extremely alarming and suggests that these secrets might be properly stored otherwise but are being copied in plaintext into workflow tools, outside the codebase. Let's take a closer look at what systems are involved. 

Messaging Platforms: Slack & Microsoft Teams

Chat is fast. Chat is informal. And that’s exactly why it’s dangerous. Slack continues to be one of the most notorious hotspots for secrets leakage, especially in real-time incidents, engineering huddles, or postmortems. But it's not alone anymore. Microsoft Teams, now a core platform in many enterprise environments, faces the same risks.

Developers often share quick-fix credentials to help teammates debug without thinking through what happens if they get breached. Too often, once service accounts or API tokens are posted in threads, they are completely forgotten, yet these threads remain persistent in enterprise environments for years. Message history is retained indefinitely in many orgs, exposing secrets that are sometimes never rotated.

Security teams often lack access or scanning capabilities in these messaging ecosystems. And unlike code repos, there's no concept of pull requests or reviews, just a never-ending stream of text, files, and unmonitored links.

Ticketing Systems: Jira & ServiceNow

While Jira has long been a central planning platform for many dev teams, ServiceNow is quickly emerging as a critical risk vector—particularly in IT operations, security, and support workflows.

In both systems, secrets surface when support teams paste credentials to reproduce bugs or assist customers. Engineers all too often attach logs containing sensitive headers or tokens, which makes sense on the surface, as teams race to find root causes and fight fires, but the trail of secrets they leave behind is a nightmare waiting to happen.

Both platforms are often perceived as “internal only” or “safe,” but history shows otherwise. Tickets are overlooked in access audits, are difficult to monitor at scale, and become long-term repositories for forgotten secrets.

In fact, 6.1% of Jira tickets analyzed in GitGuardian’s 2025 study contained secrets—many of which were still valid at the time of detection.


ServiceNow presents similar risks, especially due to its heavy integration with automation workflows and non-technical users who may not recognize a secret when they see one.

Documentation Platforms: Confluence

Confluence remains a critical part of the modern collaboration stack, providing a quick and easy way for everyone to document their knowledge in a searchable and centralized platform. Unfortunately, if teams are also placing their plaintext credentials in their internal wiki, it becomes a major liability.

It’s a common place to find environment configuration guides with real secrets embedded. It is easy to add architecture diagrams that include access tokens or database connection strings for convenience. For teams that are rapidly expanding or folding in new members due to an acquisition, onboarding documentation might contain credentials “just to get people up and running.” 

These documents are persistent, rarely updated, and often overlooked in security reviews. Once a secret lands in a Confluence page, it’s indexed, searchable, and available to anyone with access permissions, which are often broad by default. If an attacker gains access, secrets are the first thing they will look for. 


Why Collaboration Tools Are So Dangerous for Secrets

There are three key reasons collaboration platforms are especially dangerous environments for secret sprawl:

1. They Weren’t Built With Secrets in Mind

These tools prioritize productivity and speed, not secure information handling. Unlike source control management platforms, tools like Slack or Jira lack any native secrets scanning, access scoping, or pre-submit protections. While pre-commit scanning can be automated in a developer workflow, preventing someone from pasting a plaintext credential into a text field in a ticket or chat window is all but impossible.

2. Too Many Hands, Too Little Awareness

Secrets don’t just leak from developers. Product managers, support staff, QA engineers, and basically everyone else with access can unknowingly paste sensitive credentials into a ticket or thread. Once posted, those secrets can live forever, buried in the backlog.

3. No Effective Lifecycle for What Gets Shared

In a codebase, a hardcoded secret can be flagged, rotated, and replaced. In Slack? That secret may be reposted across multiple channels, shared in screenshots, or even pinned. It’s invisible to most traditional secrets detection tools and completely outside normal code review workflows.

The False Sense of Security in Private Spaces

One of the most dangerous assumptions organizations make is believing that because a space is private, it’s secure. But private Jira tickets, internal Slack channels, and restricted Confluence spaces are not immune to compromise. Phishing attacks, token theft, and lateral movement can give attackers access to internal tools, where secrets are just sitting there, often unmonitored.

In GitGuardian’s analysis, private repositories were 8x more likely to contain secrets than public ones. The same trend holds true across productivity tools. People behave more carelessly in private spaces, assuming obscurity equals security.

How to handle secrets leaks outside of code

Like with everything else in security, the solution requires we align people, processes and tools. This starts with awareness. Even reading this article is a step in the right direction. Making sure your team is aware of the dangers is a very positive first step toward eliminating the problems before they start. However, awareness alone is not the solution. The playbook for addressing this challenge also involves:

  • Deploy real-time secrets detection across Slack, Jira, and Confluence using tools that are purpose-built for collaboration platforms.
  • Consolidate alerts across systems—don’t treat a secret in Slack and Jira as separate incidents if they’re the same credential.
  • Act fast: Valid credentials are often exploited within hours of exposure. Rotation and revocation workflows should be automated where possible.
  • Establish internal playbooks for handling secrets found in non-code environments, and assign clear ownership for remediation.
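
The consolidation step in the playbook above, as an added example (not GitGuardian's implementation): it scans constructed Slack, Jira and Confluence messages with three illustrative patterns and groups the findings by a hash of the credential, so one leaked key produces one incident however many tools it appears in. The event shape, pattern set and sample values are assumptions.

```python
import hashlib
import re

# Illustrative detectors only (assumption): real scanners use far larger rule sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"(?i)authorization:\s*bearer\s+([A-Za-z0-9._\-]{20,})"),
}

# Constructed sample messages; the event shape is hypothetical, not any vendor's API.
EVENTS = [
    {"source": "slack", "location": "#incident-42",
     "text": "try AKIAIOSFODNN7EXAMPLE for the bucket"},
    {"source": "jira", "location": "OPS-101",
     "text": "repro with key AKIAIOSFODNN7EXAMPLE, see logs"},
    {"source": "jira", "location": "OPS-101",
     "text": "Authorization: Bearer exampleTOKENexampleTOKEN1234"},
    {"source": "confluence", "location": "Onboarding",
     "text": "No credentials here, use the vault."},
]


def fingerprint(secret):
    """Hash the value so incident records never store the credential itself.
    For low-entropy values, prefer a keyed HMAC over a bare hash."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def find_secrets(text):
    """Yield (kind, value) for every pattern hit in one message body."""
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            # Use the capture group when the pattern has one, else the whole match.
            yield kind, m.group(m.lastindex or 0)


def correlate(events):
    """Group findings by credential fingerprint: one incident per secret."""
    incidents = {}
    for ev in events:
        for kind, secret in find_secrets(ev["text"]):
            fp = fingerprint(secret)
            inc = incidents.setdefault(
                fp, {"kind": kind, "fingerprint": fp, "occurrences": []})
            where = (ev["source"], ev["location"])
            if where not in inc["occurrences"]:
                inc["occurrences"].append(where)
    return list(incidents.values())


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["kind"], inc["fingerprint"], inc["occurrences"])
```

An incident whose occurrences span more than one source is a single rotation task, and every listed location still needs the message or attachment cleaned up.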

How GitGuardian Helps Solve the Secrets Sprawl Problem Everywhere It Happens

GitGuardian’s platform was purpose-built to meet the realities of modern secret sprawl, not just in your repositories, but across your entire digital workspace. Its mission is simple: find non-human identity secrets fast, validate them, and empower your teams to remediate them before attackers can act.

With native integrations into Slack, Microsoft Teams, Jira, Confluence, and ServiceNow, GitGuardian continuously monitors the collaboration and productivity tools where secrets most often escape detection. These integrations require no invasive changes or user disruption—they plug directly into your existing workflows to deliver real-time protection where your team actually works.

GitGuardian helps reduce the risk with:

  • Real-Time Detection - Secrets are flagged the moment they’re shared—whether in a Slack thread, a Jira comment, or a Confluence doc—minimizing dwell time and exposure.
  • Contextual Validation and Prioritization - GitGuardian uses intelligent validation to determine if exposed secrets are still active and in use, filtering out noise and highlighting the incidents that matter most.
  • Cross-Platform Incident Correlation - If the same secret appears in multiple tools (say, Jira and Teams), GitGuardian correlates these as a single incident, cutting through alert fatigue and helping teams respond faster.
  • Automated Remediation Workflows - Secrets can be revoked or rotated directly from within the platform using integrated workflows, ensuring security teams don’t just detect leaks, they fix them fast.
  • Centralized Governance & KPIs - GitGuardian provides full visibility into where secrets are being exposed, who’s involved, and how quickly incidents are resolved—allowing teams to measure, improve, and scale their secrets management posture.

By meeting developers, support teams, and operators inside the tools they already use, GitGuardian turns collaboration from a liability into a defensible line of security.

More productivity and fewer leaks from collaboration tools

Your team’s productivity stack is becoming your largest unmonitored attack surface.

It’s not just that secrets end up in these platforms, it’s that they’re shared in high-urgency situations, by a broader group of users, and with far fewer safeguards in place. From debugging to deployments to onboarding, secrets are copied, pasted, and forgotten in spaces never meant to secure them.

And attackers know it.

GitGuardian is here to help you solve this challenge. We would love to work with you to add real-time monitoring to your favorite collaboration tools, empowering your security teams to take action before an attacker can find and exploit these keys to your kingdom. We are here to help you eliminate secrets sprawl, no matter where those secrets end up.