
The Accelerating Challenge of Secrets Sprawl and Its Security Implications

1 April 2026 by TechStora

The Alarming Growth of Secrets Sprawl

The phenomenon of secrets sprawl has been accelerating at an unprecedented rate, as evidenced by GitGuardian's analysis of billions of public GitHub commits in 2025. With 29 million new hardcoded secrets identified (a 34% year-over-year increase), the urgency of addressing this threat is evident. This jump reflects the growing number of developers and the rise of AI-assisted code generation, both of which expand the volume of credentials in circulation. Detection alone is falling short: the pace of leaks far outstrips the ability to respond effectively.

Particularly alarming is the rise in AI-related secrets, with categories such as LLM infrastructure, retrieval APIs, and orchestration tools experiencing exponential growth. Each of these AI integrations introduces additional machine identities, compounding the risk by expanding the attack surface. The complexity and magnitude of this issue highlight the need for a more structured approach to secrets security.

Internal Repositories: The Hidden Risk

While public repositories often garner the most attention, GitGuardian's research emphasizes that internal repositories harbor the most sensitive credentials. In 2025, 32.2% of internal repositories contained at least one hardcoded secret, compared to 5.6% in public repositories. These are not trivial test keys but critical credentials, such as CI/CD tokens, cloud access keys, and database passwords. Once attackers infiltrate, these assets become high-priority targets, facilitating deeper system breaches.

The assumption that internal systems are inherently safer due to limited public exposure is flawed. This misconception often leads to a lack of robust monitoring and mitigation efforts, leaving organizations vulnerable to internal leaks. Treating internal repositories as first-class sources of exposure is essential to safeguard high-value credentials.

Beyond Code: Secrets in Collaboration Tools

GitGuardian's findings reveal that not all secrets are confined to code repositories. In 2025, 28% of incidents originated from collaboration tools like Slack, Jira, and Confluence. These leaks are particularly hazardous, as 56.7% of the exposed secrets in such tools were deemed critical, compared to 43.7% for code-only incidents. Credentials shared during activities such as incident response and onboarding often include highly sensitive information.

This trend underscores a critical oversight in many organizations: focusing solely on scanning source code while neglecting other channels where sensitive data is exchanged. Comprehensive monitoring and security measures must extend to all digital communication platforms to address this significant gap.

The Challenge of Persistent Vulnerabilities

One of the most glaring issues in managing secrets sprawl is the lack of effective remediation. GitGuardian's research shows that 64% of secrets confirmed as valid in 2022 remained exploitable in 2025. This persistence highlights the absence of routine rotation and revocation practices in most organizations. The difficulty of replacing embedded credentials without disrupting production workflows often results in inaction, leaving systems exposed to long-term exploitation.

Secrets embedded in CI variables, container images, and vendor integrations are particularly challenging to manage. Without automated solutions to handle secret rotation and revocation, the risks associated with static credentials grow over time, creating durable vulnerabilities for attackers to exploit.

Secrets Sprawl in Build Infrastructure

The Shai-Hulud 2 supply chain attack offered a rare glimpse into the extent of secrets sprawl within compromised systems. Across nearly 7,000 developer machines, GitGuardian identified over 290,000 secret occurrences, with many secrets appearing in multiple locations, including environment files, shell history, and cached tokens.
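The occurrence-versus-unique-secret distinction above is what a defender's inventory has to capture. The following scanner is an added example, not GitGuardian's tooling or part of the report: it runs over constructed stand-ins for the three locations named (an environment file, a shell history, a cached-token file), fingerprints each hit with SHA-256 so the report never becomes another copy of the secret, and counts how many places each unique secret turns up. The sample values and the generic password heuristic are assumptions; the two key-format patterns are public prefixes.

```python
import hashlib
import re

# Constructed sample files standing in for the locations the report names
# on a single developer host. All values are fake, for demonstration only.
SAMPLE_FILES = {
    ".env": "DB_PASSWORD=hunter2-constructed\nAWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n",
    ".bash_history": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\ngit push\n",
    ".cache/gh_token": "ghp_0123456789abcdef0123456789abcdef0123\n",
}

# Detector patterns: the two key formats are documented public prefixes,
# the generic assignment pattern is a heuristic and an assumption of this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "generic_password": re.compile(r"(?i)password\s*=\s*['\"]?([^\s'\"]{8,})"),
}


def fingerprint(secret: str) -> str:
    """Non-reversible handle for a secret so findings can be deduplicated and
    shared (tickets, dashboards) without copying the secret anywhere new."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan(files: dict[str, str]) -> dict[str, dict]:
    """Return {fingerprint: {"kind": ..., "locations": [(path, line_no), ...]}}.
    One secret present in several files yields one entry with several locations."""
    findings: dict[str, dict] = {}
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    secret = match.group(1) if match.groups() else match.group(0)
                    entry = findings.setdefault(fingerprint(secret), {"kind": kind, "locations": []})
                    entry["locations"].append((path, line_no))
    return findings


def summarize(findings: dict[str, dict]) -> tuple[int, int]:
    """(unique secrets, total occurrences): the two numbers diverge as secrets sprawl."""
    occurrences = sum(len(f["locations"]) for f in findings.values())
    return len(findings), occurrences


if __name__ == "__main__":
    result = scan(SAMPLE_FILES)
    for fp, f in result.items():
        print(fp, f["kind"], f["locations"])
    print("unique=%d occurrences=%d" % summarize(result))
```

On the constructed input this reports three unique secrets across four occurrences, with the AWS key the one that has already spread from the environment file into shell history.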

Even more concerning, 59% of compromised systems were CI/CD runners rather than personal devices, indicating that build infrastructure is a critical vulnerability point. Once secrets proliferate into these systems, they become an organization-wide challenge, demanding collective action and robust protocols to mitigate exposure effectively.