Today we, at GitGuardian, are happy to release the 2022 edition of the State of Secrets Sprawl.

Our previous edition, which has become the reference on secrets leaks, aimed at answering a simple question: how big of a problem is secrets sprawl on public GitHub?

We concluded that the problem was not only growing at a very fast pace but also that most leaks happen out of sight of companies' security teams.

The figures this year confirm this trend and even show that the phenomenon is probably underestimated: in 2021, our monitoring of public GitHub revealed a two-fold increase in the number of secrets leaked, reaching just over 6M. On average, 3 commits out of 1,000 exposed at least one secret, a 50% increase compared to 2020.

But that’s not all: with this edition, we wanted to push the analysis further.

Leveraging our unique position as the leading secrets detection platform, we wanted to get to the bottom of the situation faced by IT professionals. For this, we conducted an in-depth study on the state of secrets sprawl in corporate repositories.
Monitoring thousands of repositories in real-time and scanning the entire history of corporate codebases provided us with the data to depict a realistic view of the state of application security in the DevOps era.

If there is a single conclusion to be drawn from it, it is that the amount of work required for both remediating real-time incidents and investigating leaks detected in the git history (which can still represent a threat) far exceeds current AppSec teams' capabilities.

When compared to open-source corporate repositories, private ones are also four times more likely to expose a secret, comforting the idea that they permeate a false sense of secrecy.

The historical volume of secrets-in-code, coupled with their constant growth, jeopardizes the remediation capacity of security teams, primarily application security engineers. This, in turn, puts the whole transition process to DevSecOps at risk.
The challenge for companies is therefore to address the threat of secrets sprawling while avoiding overworked teams. In our experience, the best way forward is to move towards a collaborative prevention model between AppSec and Developers.

What you will find in the report:

  • What's the growth rate of the secrets sprawl phenomenon on public GitHub?
  • How frequent are cloud providers' credentials leaks?
  • Are increasing detected credentials a sign of growing popularity?
  • How many Docker images expose at least one secret on Docker Hub?
  • When do leaks occur the most? Where do they originate from?
  • How do breaches and supply chain attacks relate to leaked credentials?
  • What is the reality of the problem posed by leaking secrets for AppSec teams?
  • Do leaks occur more often on corporate private repositories?
  • How to solve the problem of secrets sprawl at scale?