# Industry News: Wiz Reveals Alarming Code Security Risks in 2025 Report
## Summary
Wiz Threat Research's 2025 State of Code Security Report, analyzing hundreds of thousands of repositories, highlights critical, widespread security hygiene failures across development pipelines, including high rates of secret exposure in public repositories and risky configurations surrounding self-hosted CI/CD runners. These findings emphasize that vulnerabilities originating in code development platforms (like GitHub) are directly translating into material risks for production cloud environments.
## Key Details
- Date: Implied release Q4 2024 / Early 2025 (based on 2024 data collection)
- Companies Involved: Wiz Threat Research
- Category: Industry Report / Market Analysis
## The Story
Wiz Threat Research analyzed data from 2024 collected via its Cloud and Code platforms, focusing on GitHub, GitLab, and Azure DevOps. The report reveals severe deficiencies in code security practices at the point where development hands off to deployment. Key metrics include: 35% of GitHub repositories are public; 61% of organizations have public repositories that expose cloud secrets (API keys); 35% of enterprises use risky, non-ephemeral self-hosted CI/CD runners, which often carry three times the vulnerability count of standard VMs; and third-party GitHub Apps are widely over-provisioned with write access.
## Business Impact
### For the Companies Involved
- **Wiz:** Strengthens its position as a thought leader in cloud-native security, leveraging proprietary data to drive visibility and product adoption across the Code-to-Cloud security spectrum. This report serves as a powerful marketing and sales tool.
### For Competitors
- Forces competing CNAPP and developer security tool vendors to benchmark their own visibility into the software supply chain and align their product roadmaps to address these specific, quantified developer risks.
### For Customers
- Provides concrete, data-backed validation of inherent risks in their existing infrastructure, creating immediate business justification for investment in DevSecOps tooling, secrets management, and repository governance.
### For the Market
- Confirms the shift of critical security boundaries away from traditional perimeter defense and deeply into the software development lifecycle (SDLC). It drives demand for integrated security solutions that map code risks to runtime impact.
## Technical Implications
The findings underscore the danger of combining legacy deployment practices (like non-ephemeral, poorly maintained self-hosted runners) with modern, highly permissive cloud access tokens (secrets). The technical innovation Wiz highlights is the necessity of connecting code scanning directly to cloud environment context to accurately assess the blast radius of repository misconfigurations.
## Strategic Analysis
- Market Positioning: Wiz reinforces its strategic positioning at the convergence point of Infrastructure Security, Application Security, and Cloud Security (the CNAPP space), specifically targeting the "Shift Left" narrative with hard data showing the consequence of *not* shifting left.
- Competitive Advantage: The depth of data derived from analyzing real-world repositories provides a significant advantage over reports relying on synthetic testing environments or limited samples.
- Challenges: Organizations face the challenge of remediation sprawl, needing to prioritize fixing secrets in public repos versus hardening CI/CD infrastructure, requiring sophisticated risk prioritization tools.
## Industry Reactions
- Analyst reports will likely categorize infrastructure-as-code (IaC) and code repository hygiene as the highest unmanaged risk vectors of 2025.
- Experts will stress the findings regarding self-hosted runners as a critical area for immediate remediation, positioning them as high-value targets for attackers seeking lateral movement.
- Market response will likely favor vendors that offer unified solutions spanning secrets management, IaC scanning, and CI/CD security gate enforcement.
## Future Outlook
- We expect increased vendor focus (and subsequent acquisition activity) targeting mature self-hosted runner hardening tools and AI-enhanced secrets detection that can trace credentials back to their point of origin and revocation status.
- Watch for regulatory bodies or industry standards groups to start issuing specific hardening guides based on threat intelligence similar to this report.
## For Security Professionals
Security Engineering and DevSecOps teams must immediately audit public/private repository visibility, enforce automated secrets scanning in pre-commit/commit stages, tightly scope permissions for all third-party applications, and aggressively move away from maintaining long-lived, self-hosted CI/CD environments in favor of managed/ephemeral runners.
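A minimal pre-commit secrets gate of the kind the paragraph above calls for, added here as an example (it is not Wiz's or any vendor's tooling); the token patterns, the entropy threshold and the sample input in the test are constructed assumptions, not the report's detection rules:

```python
"""Pre-commit secrets gate: constructed example, not Wiz's or GitHub's own tooling.
Scans staged files for credential patterns; a non-zero exit blocks the commit."""
import math
import re
import subprocess
import sys

# Illustrative subset of token prefixes; real scanners carry hundreds of rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"(?P<value>[A-Za-z0-9/+_\-]{20,})"),
}

def shannon_entropy(s):
    """Bits per character: random credentials score near 4-5, words well below."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text, entropy_threshold=4.0):
    """Return (line_number, rule, redacted_value) for every suspected secret.
    Generic 'key = value' hits are kept only when the value looks random."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group("value") if "value" in rx.groupindex else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                # Redact: the hook's own output may itself end up in CI logs.
                findings.append((lineno, rule, value[:4] + "..." + value[-2:]))
    return findings

def staged_files():
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]

def main():
    blocked = False
    for path in staged_files():
        # ":<path>" reads the staged (index) version, not the working tree.
        content = subprocess.run(["git", "show", f":{path}"], capture_output=True,
                                 text=True, errors="replace", check=True).stdout
        for lineno, rule, redacted in scan_text(content):
            print(f"{path}:{lineno}: possible {rule} ({redacted})")
            blocked = True
    return 1 if blocked else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or via a hook manager) so a non-zero exit stops the commit before the secret can reach a public repository.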