The Rising Tide of Secrets Sprawl: GitGuardian’s Report Exposes a Growing Security Crisis

Listen to this Post

GitGuardian’s latest “State of Secrets Sprawl” report is sounding the alarm on one of the fastest-growing threats in modern software environments: the explosion of secret leaks driven by non-human identities (NHIs). As DevOps continues to scale through automation, AI assistance, and microservices, credentials and access tokens are being mishandled at unprecedented rates, exposing organizations to critical security risks.

In 2024 alone, over 23.77 million secrets were leaked on GitHub — a 25% increase from the previous year. And while developers scramble to innovate with tools like GitHub Copilot and Docker, the report makes it clear: speed is coming at the cost of security.

This isn’t just a GitHub problem. GitGuardian’s analysis reveals a systemic issue across development and collaboration tools, including private repositories, Docker Hub, Slack, and Jira. Most concerning? Many of these exposed secrets are still active, and often come with excessive permissions, giving attackers full access to critical systems.

The report issues a clear warning: secrets sprawl is outpacing traditional security measures. Without proactive, lifecycle-based secrets management, organizations are sleepwalking into a breach.

Secrets Sprawl in 2025: What You Need to Know

1. Secrets Leaks Are Accelerating

  • In 2024, 23.77 million new secrets were leaked on GitHub.
  • That’s a 25% increase year-over-year.

2. The Non-Human Identity Explosion

  • Non-human identities (NHIs) now outnumber humans by 45:1 in DevOps.
  • These include service accounts, CI/CD bots, AI agents, Kubernetes nodes, etc.
  • NHIs are essential but dangerous when not governed properly.

3. Secrets Remain Active for Years

  • 70% of secrets exposed in 2022 are still active today.
  • Lack of rotation and poor secrets hygiene are to blame.

4. Private Repositories Are Not Safer

  • Secrets are 8x more likely to appear in private repositories.
  • Developers feel “safe” in private repos and cut corners.
  • Enterprise credentials (like AWS IAM keys) are 5x more common in private repos.

5. AI Development Tools Add Risk

  • Repositories using GitHub Copilot had a 40% higher rate of secret leaks.
  • AI tools may trade security for speed, encouraging bad practices.

6. Docker Hub Is a Secrets Minefield

  • Over 100,000 valid secrets were found in Docker images.
  • 97% were embedded in image layers, often in <15MB files.
  • 65% of leaks stemmed from ENV instructions in Dockerfiles.

7. Collaboration Tools Are a New Frontier

– Platforms like Slack, Jira, and Confluence now account for highly critical leaks.
– Only 7% of secrets in collaboration tools are also in code.
– Secrets shared in these tools often bypass detection and cross department lines.

8. Permissions Are Excessively Broad

  • 99% of GitLab API keys had full or read access.

– 96% of GitHub tokens allowed write access.

– These broad privileges drastically increase attack impact.

9. Secret Managers Are Not a Silver Bullet

  • Even with secrets management tools in place, leaks occurred in 5.1% of repos.
  • Fixing this requires end-to-end visibility, not isolated tooling.

What Undercode Say: Secrets Management Is a Lifecycle, Not a Plugin

The 2025 GitGuardian report is more than a wake-up call — it’s a brutal audit of current DevSecOps hygiene. At Undercode, we see a clear pattern: organizations are investing in tools but not in strategy.

Let’s break down what’s really happening:

  1. The Rise of NHIs Is Inevitable — But Not Unmanageable

Automation

Recommendation: Treat NHIs like users — give them minimal privileges, log their activity, and rotate their credentials regularly.

2. Security by Obscurity Is Dying

Relying on private repositories as a defense mechanism is like locking the front door but leaving your windows open. The data makes it clear: private repos are leaking worse than public ones.

Recommendation: Apply the same secrets scanning and alerting rigor to private repos. Obscurity is not security.

3. Copilot and AI Tools Need Guardrails

GitHub Copilot is a double-edged sword. While it boosts productivity, it’s also writing insecure code faster than ever. Developers are unknowingly embedding secrets in auto-generated code.

Recommendation: Integrate AI coding tools with real-time secrets scanning. Don’t let speed sabotage security.

4. Container Hygiene Is Being Ignored

Docker Hub is essentially an archive of publicly available attack vectors. With secrets hiding in image layers, attackers don’t even need to look at code anymore.

Recommendation: Implement CI/CD rules to scan image layers before pushing. Also, never hardcode secrets via ENV.

  1. The Slack Factor: Credential Leaks Are Going Social
    We’re seeing a dangerous trend: developers (and non-devs) pasting secrets into chat, ticketing, or documentation tools. These environments are often unmonitored and poorly secured.

Recommendation: Expand your secrets scanning to cover SaaS tools, not just repos. Leaks don’t live only in Git.

6. Permissions Are Still Too Generous

Overprivileged credentials remain a major risk amplifier. Why does a bot need full repo access? Or why does a token persist after its purpose is done?

Recommendation: Follow the principle of least privilege — and kill secrets that are no longer in use.

7. Tooling Alone Doesn’t Solve the Problem

Even the best secrets managers won’t save you if developers aren’t trained and workflows don’t enforce hygiene. Secrets hygiene is a culture, not just a configuration.

Recommendation: Invest in dev education, enforce secrets rotation, and integrate scanning into every phase of the SDLC.

Fact Checker Results

✅ Claim: 23.77M secrets were leaked on GitHub in 2024 — Verified via GitGuardian data
✅ Claim: Copilot-enabled repos have 40% more leaks — Confirmed in multiple security analyses
✅ Claim: Private repos are 8x more likely to contain secrets — Backed by comparative scan reports

Bottom line: Secrets management is no longer just a dev issue — it’s a business continuity threat. The time for reactive security is over.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image