The State of Secrets Sprawl 2025
Today, we’re unveiling the State of Secrets Sprawl 2025 report, GitGuardian’s latest deep dive into the widespread exposure of sensitive credentials. This year’s findings show no improvement in the fight against secrets sprawl, with 23.8 million secrets leaked on public GitHub repositories in 2024, marking a 25% year-over-year increase.
Despite GitHub Push Protection’s efforts to curb exposure, secrets sprawl is accelerating, particularly with generic secrets, which accounted for 58% of all leaked credentials.
More troubling, 70% of secrets leaked in 2022 remain active today, dramatically expanding the attack surface for threat actors. This ongoing crisis highlights the urgent need for proactive remediation and better security hygiene across all industries.
Secrets Sprawl on GitHub: A Worsening Crisis
GitHub remains the primary battleground for exposed secrets. In 2024, our analysis of 1.4 billion commits revealed the staggering scale of the issue:
- 1.9M pro-bono alerts sent.
- 4.6% of all public repositories contain a secret.
- 35% of private repositories contain secrets.
- 15% of commit authors leaked a secret.
- 38% of incidents in collaboration and project management tools (Slack, Jira or Confluence) are classified as highly critical or urgent compared to 31% in Source Control Management Systems (SCMs).
Public leaks remain the most visible issue, but private repositories and collaboration tools also present a growing risk.
The Hidden Danger of Non-Revoked Secrets
One of the most concerning revelations is the persistence of leaked credentials. Our research shows that 70% of secrets leaked in 2022 remain valid today, providing attackers with prolonged access to critical systems.
Real-world breaches illustrate this threat. In 2024, a U.S. Treasury Department breach was traced back to a leaked API key for BeyondTrust’s authentication platform. Attackers bypassed millions of dollars in security investments simply by exploiting an exposed credential.
“Unlike zero-day vulnerabilities, attackers don’t need sophisticated tools—just one leaked credential can grant unrestricted access to critical systems and sensitive data,” warns Eric Fourrier, CEO of GitGuardian.
Beyond Public Repos: The Private Repository Risk
Many organizations wrongly assume that private repositories offer sufficient protection. However, our research found that 35% of customers' private repositories contain plaintext secrets.
- AWS IAM keys appear in 8% of private repositories (5x more frequent than in public repositories).
- Hardcoded passwords appear 3x more often in private repositories than in public ones.
- MongoDB credentials are the most commonly leaked secret in public repositories (18.8%).
“Leaked secrets in private repositories must be treated as compromised,” stresses Eric Fourrier. “Security teams must recognize that secrets should be treated as sensitive data regardless of where they reside.”
Secrets Exposure Across the SDLC
The problem extends far beyond code repositories. Secrets now sprawl across the entire software development lifecycle (SDLC), often lurking in places where security teams have little visibility. Key findings include:
- Slack: 2.4% of corporate Slack channels contained leaked secrets.
- Jira: 6.1% of Jira tickets exposed credentials, making it the most vulnerable collaboration tool.
- DockerHub: 98% of detected secrets were found in image layers, with 7,000 valid AWS keys still exposed.
These figures highlight the urgent need to expand secrets detection beyond code and into collaboration tools, ticketing systems, and container environments.
This is just a glimpse into the concerning trends we've uncovered. The State of Secrets Sprawl 2025 report dives deeper into the limitations of PAM tools like secrets managers, showing that misconfigurations and insecure practices continue to plague organizations even with dedicated vaulting solutions.
We also delve further into the impact of AI on secrets security, analyzing how the use of coding assistants like GitHub Copilot can contribute to the problem.
A Call for Comprehensive Secrets Security
The State of Secrets Sprawl 2025 report makes it clear: secrets management must evolve beyond detection. Organizations need to act decisively to prevent, discover, detect, and remediate leaked credentials before they are exploited.
GitGuardian recommends a multi-layered approach to secrets security:
- Deploy real-time monitoring for leaked credentials across all environments.
- Implement centralized secrets detection to track exposure across repositories, collaboration tools, and containers.
- Enforce semi-automated secrets rotation policies to eliminate long-lived credentials.
- Provide clear guidelines for developers on secure vault usage and secrets hygiene.
“For CISOs and security leaders, the goal isn't just detection—it's the remediation of these vulnerabilities before they're exploited,” says Eric Fourrier.
Stay tuned for more updates from GitGuardian as we continue to monitor and combat the ever-growing threat of secrets exposure.