Security firm GitGuardian has announced a report showing that the unintended exposure of credentials such as API keys and passwords, known as “secrets sprawl,” has worsened significantly during 2024. The report found an increase of 25% in secrets found in public GitHub code repositories compared to the previous year.
The report, “The State of Secrets Sprawl 2025,” was based on scanning public GitHub activity and anonymised customer data. Researchers detected nearly 23.8 million new hardcoded secrets in public GitHub commits alone during 2024, suggesting an increasing trend in sensitive credentials being leaked from development environments.
(Image courtesy of GitGuardian)
Secrets sprawl has been cited as the cause of a number of high-profile hacking incidents over the past year, such as a leak of all of the New York Times source code, and a credential leak at business analytics company Sisense.
A big contributor to the increase is the rise in “generic” secrets which don’t have a recognisable format like API keys or OAuth tokens. According to the report, these are often hardcoded passwords, database connection strings, custom authentication tokens and encryption keys. These accounted for 58% of detected secrets last year, up from 49% in 2023. The report suggests that automated scanning tools, such as GitHub’s own protection mechanisms, often miss this secret format.
The report lauds the efforts of tools such as GitHub’s Push Protection, which is designed to block commits containing known credential patterns. The leaks of OpenAI keys and GitHub app keys, in particular, have dropped dramatically thanks to their inclusion in this tool, which uses simple pattern matching to identify these keys. These tools do struggle with generic secrets and credentials that don’t have standard prefixes, however.
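To make the contrast between the two detection approaches concrete, here is a small added example (not code from GitGuardian, GitHub or the report): a prefix-based matcher of the kind push protection uses beside a keyword-plus-entropy heuristic for generic secrets, run over constructed sample lines. The regexes are simplified approximations of public token formats, the entropy threshold is an assumed value, and the sample credentials are made up (the AWS key is the placeholder from AWS's own documentation).

```python
"""Added example: why prefix-based secret detection catches well-formatted
tokens but misses "generic" secrets, and one heuristic that narrows the gap.
Everything here is constructed for illustration; the patterns are simplified
and are not the rules any real scanner ships."""
import math
import re
from collections import Counter

# Prefix-based rules of the kind push-protection tools use (simplified,
# assumed formats: GitHub PAT "ghp_" + 36 chars, AWS key id "AKIA" + 16 chars).
PREFIX_RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}

# Generic-secret heuristics: a credential-like keyword assigned a value of at
# least 8 characters, and a URL-style connection string carrying a password.
KEYWORD_ASSIGN = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
CONN_STRING = re.compile(r"\b\w+://[^\s:/]+:([^\s@]+)@[^\s]+")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_prefix(line: str) -> list[str]:
    """Names of prefix rules that fire on the line (what push protection sees)."""
    return [name for name, rx in PREFIX_RULES.items() if rx.search(line)]


def scan_generic(line: str, min_entropy: float = 3.0) -> list[str]:
    """Generic findings; the entropy gate (assumed 3.0 bits) drops dictionary
    words such as password = "password" to limit false positives."""
    findings = []
    if CONN_STRING.search(line):
        findings.append("connection_string_password")
    m = KEYWORD_ASSIGN.search(line)
    if m and shannon_entropy(m.group(2)) >= min_entropy:
        findings.append(f"generic_{m.group(1).lower()}")
    return findings


def scan(line: str) -> dict:
    """Run both detectors so the gap between them is visible per line."""
    return {"prefix": scan_prefix(line), "generic": scan_generic(line)}


# Constructed sample lines; no real credentials.
SAMPLE_LINES = [
    'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    'DATABASE_URL = "postgres://app:Tr0ub4dor&3xyz@db.internal:5432/prod"',
    'db_password = "c0rr3ct-h0rse-b4tt3ry-st4ple"',
    'password = "password"',
    'debug = "false"',
]


def scan_all(lines: list[str] = SAMPLE_LINES) -> list[dict]:
    return [scan(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, scan_all()):
        print(f"{line[:40]:<40} prefix={result['prefix']} generic={result['generic']}")
```

The first two lines are caught by the prefix rules; the connection string and the hardcoded database password are only found by the generic heuristic, which is the class of secret the report says grew to 58% of detections. The entropy gate is what keeps such a heuristic usable: it passes the random-looking password but rejects the literal word "password", which is the trade-off between recall and false positives that the report describes.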
There was also a big contrast in the findings between public and private repositories, with private repositories eight times more likely to contain secrets. This suggests that developers have a false sense of security and assume that the private nature of the repository removes the risk – a practice that the report suggests amounts to security through obscurity.
The report also found secrets leaked in places other than source code repositories – with collaboration and project management tools such as Slack, Jira and Confluence often containing many secrets. More incidents were considered critical in these tools than in GitHub – and these were generally attributed to less security-aware employees and fewer safeguards being built into these other tools.
(Image courtesy of GitGuardian)
The researchers also scanned public Docker Hub images at a large scale. This revealed over 100,000 secrets, including AWS and GCP keys, and some seemingly belonging to Fortune 500 companies. The report suggests that the lack of a partner notification system for secret exposure on Docker Hub contributes significantly to this.
Going on to look at the validity of the secrets found, the report found that many exposed secrets stay active long after they’ve been published, with 70% of secrets detected in 2022 still active in 2024. The researchers suggest that ineffective credential lifecycle management, particularly for non-human service accounts, is to blame, citing examples of some organisations provisioning keys with multi-year lifespans because they lack a robust ability to rotate keys. Leaked credentials often had excessive permissions – 96% of leaked GitHub tokens had write access, increasing the potential damage from a compromised secret.
GitGuardian has used machine learning in this new report to improve secret hunting. Previously, the team had erred on the side of caution to avoid false positives with their secrets detection engine. Any element of doubt about whether a string was a secret would lead to its rejection. The new ML models made the researchers more confident in validating less-structured secrets.
GitHub has been increasingly proactive in writing tools to try to reduce secrets sprawl, with GitHub Secret Protection available to help detect and prevent secret leaks. GitHub has also used AI for Copilot secret scanning to deal with the nuanced and varied structures of generic passwords. Similarly, GitLab has GitLab Secret Push Protection fulfilling a similar objective.
The GitGuardian report is available to download now.