Full Report
GitGuardian's State of Secrets Sprawl report for 2025 reveals the alarming scale of secrets exposure in modern software environments. Driving this is the rapid growth of non-human identities (NHIs), which have been outnumbering human users for years. We need to get ahead of it and prepare security measures and governance for these machine identities as they continue to be deployed, creating an
Analysis Summary
# Main Topic
Alarming scale of secrets exposure in modern software environments, primarily driven by the rapid and extensive growth of Non-Human Identities (NHIs) such as service accounts, microservices, and AI agents, which now significantly outnumber human users and expand the attack surface.
## Key Points
* **Volume of Leaks:** An astounding 23.77 million new secrets were leaked on GitHub in 2024, representing a 25% surge from the previous year.
* **NHI Proliferation:** NHI secrets now outnumber human identities by a ratio of at least 45-to-1 in DevOps environments.
* **Persistence of Leaks:** 70% of secrets first detected in public repositories in 2022 remain active today, indicating systemic failure in credential rotation.
* **Private Repository Risk:** Private repositories are roughly 8 times more likely to contain secrets than public ones, and the secrets they hold are more often generic credentials such as passwords (74.4% of leaks in private repositories vs. 58% in public ones).
* **AI Tool Impact:** Repositories using AI coding assistants (like Copilot) showed a 40% higher incidence rate of secret leaks, suggesting prioritization of speed over security.
* **Container Blind Spots:** Analysis of Docker Hub revealed over 100,000 valid secrets (including AWS/GCP keys) in image layers, with `ENV` instructions accounting for 65% of these leaks.
* **Collaboration Tool Vector:** Secrets found in platforms like Slack, Jira, and Confluence tend to be more critical than those in source code, and only 7% of these leaks are also found in the code base.
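The container and collaboration-tool findings above both come down to running a detector over text that lives outside the source tree. The following is an added example, not code from the report or from GitGuardian: a small scanner that combines one high-precision pattern (AWS access key IDs) with a generic credential-name-plus-entropy check, and runs it over a constructed OCI image config (both `config.Env` and each layer's `history[].created_by`, which is where `ENV` instructions persist) and over constructed Slack-style messages. The sample inputs, the `MIN_ENTROPY` threshold and the function names are this example's own choices; the AWS values are AWS's documented placeholder key pair, not live credentials.

```python
import json
import math
import re
from collections import Counter

# Constructed sample input for this example (not real credentials). The layout
# follows the OCI image config ("config.Env" plus "history[].created_by"), which is
# what `docker history --no-trunc` and registry config blobs expose.
IMAGE_CONFIG = json.loads("""
{
  "config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "APP_ENV=production",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  ]},
  "history": [
    {"created_by": "/bin/sh -c #(nop)  ENV APP_ENV=production"},
    {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"created_by": "/bin/sh -c #(nop)  ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"created_by": "/bin/sh -c pip install -r requirements.txt"}
  ]
}
""")

# Constructed Slack-style messages: one real-looking leak, one placeholder that the
# entropy filter should drop, and two messages with nothing in them.
SLACK_MESSAGES = [
    "can someone restart the worker? it's stuck again",
    "prod db creds for the migration: DB_PASSWORD=Tr0ub4dor&3xQ9!mLp2 (will rotate after)",
    "staging placeholder, not real: API_TOKEN=xxxxxxxxxxxxxxxx",
    "ticket OPS-12 done, docs updated",
]

# Specific detector: long-term AWS access key IDs start with "AKIA" + 16 chars.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Generic detector: a credential-like variable name assigned a 12+ character value.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_?key)[A-Z0-9_]*)\s*[=:]\s*['\"]?([^\s'\"]{12,})"
)
MIN_ENTROPY = 3.0  # bits per character; placeholders such as "xxxx..." score 0


def shannon_entropy(value):
    """Bits per character of a string; random-looking credentials score well above 3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source):
    """Findings for one string; generic hits are kept only when the value is high-entropy."""
    findings = [
        {"source": source, "kind": "aws_access_key_id", "name": None, "value": m.group(1)}
        for m in AWS_ACCESS_KEY_ID.finditer(text)
    ]
    for m in GENERIC_ASSIGNMENT.finditer(text):
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= MIN_ENTROPY:
            findings.append({"source": source, "kind": "generic", "name": name, "value": value})
    return findings


def scan_image_config(cfg):
    """Scan the final environment and every layer's build instruction: an ENV that a
    later layer overrides is gone from config.Env but its instruction stays in history."""
    findings = []
    for i, entry in enumerate(cfg["config"].get("Env", [])):
        findings += scan_text(entry, f"config.Env[{i}]")
    for i, layer in enumerate(cfg.get("history", [])):
        findings += scan_text(layer.get("created_by", ""), f"history[{i}]")
    return findings


def scan_messages(messages):
    return [f for i, msg in enumerate(messages) for f in scan_text(msg, f"message[{i}]")]


def unique_values(findings):
    """Distinct secret values, so one key baked into several layers is counted once."""
    return {f["value"] for f in findings}


if __name__ == "__main__":
    for f in scan_image_config(IMAGE_CONFIG) + scan_messages(SLACK_MESSAGES):
        print(f"{f['source']:14} {f['kind']:18} {f['name'] or '-':22} {f['value'][:6]}...")
```

Scanning `history` as well as `config.Env` is the point of the container finding: anyone who pulls the image can read every `ENV` instruction with `docker history --no-trunc`, whether or not the variable is still set in the final environment. The entropy gate is what keeps a generic keyword rule usable on chat exports, where placeholders and obvious dummy values are common.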
## Threat Actors
* **Focus Area:** The report focuses on *vulnerabilities leading to exposure* rather than specific external threat actor attribution.
* **Implied Actors:** Threat actors who leverage exposed credentials from public repositories, container images, and collaboration platforms to gain initial access or move laterally.
## TTPs
* **Publication/Exposure:** Developers embedding secrets directly into source code, configuration files, Docker image layers, and collaboration tool messages.
* **Persistence:** Failure to rotate exposed credentials, allowing discovered secrets to remain active for years.
* **Location of Exposure:** Secrets are commonly found in:
  * Public GitHub repositories.
  * Private code repositories (often generic passwords).
  * Docker image layers (via `ENV` instructions).
  * Collaboration platforms (Slack, Jira, Confluence).
## Affected Systems
* **Code Hosting:** GitHub (public and private repositories).
* **Container Ecosystem:** Docker Hub (public images).
* **Cloud Credentials:** AWS IAM keys, GCP keys.
* **Collaboration Platforms:** Slack, Jira, Confluence.
* **Container Orchestration:** Kubernetes workers (implied as part of the NHI infrastructure).
## Mitigations
* **Credential Hygiene:** Implement robust credential rotation processes, as 70% of leaked secrets remain active years later.
* **Secrets Management Adoption:** A secrets manager alone is not enough: repositories that use one still show a 5.1% leak incidence rate, so detection and remediation are needed alongside it.
* **Comprehensive Lifecycle Approach:** Adopt a comprehensive strategy addressing the entire secrets lifecycle, combining automated detection with swift remediation.
* **Scanning Expansion:** Implement secret scanning across collaboration tools (Slack, Jira) alongside traditional source code environments, as leaks here are unique vectors.
* **Container Security:** Scan built image layers as well as source, and keep secrets out of `ENV` instructions, which persist in the layer history of every image built from them.
* **Principle of Least Privilege:** Review and restrict permissions on exposed credentials; 96% of leaked GitHub tokens had write access, and 95% offered full repository access.
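For the container mitigation, the following is an added example (not from the report or from GitGuardian) of a pre-build policy gate: a small Dockerfile linter run over a constructed weak Dockerfile and a constructed hardened one. The weak file bakes credentials into image layers through an `ENV` with a secret-like name, a credential embedded in a URL, and a copied `.env` file. The hardened file uses BuildKit's `RUN --mount=type=secret`, which exposes the secret to a single build step as a file (at the given `target`) without writing it into any layer, and leaves runtime credentials to be injected by the orchestrator. The rule names, the credential-file list and the sample Dockerfiles are this example's own choices.

```python
import re

# Constructed Dockerfiles for this example (not from the report). WEAK bakes
# credentials into image layers; HARDENED keeps them out of the image entirely.
WEAK_DOCKERFILE = """\
FROM python:3.12-slim
ENV PIP_INDEX_URL=https://deploy:s3cr3t-pypi-token@pypi.internal/simple
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
COPY .env /app/.env
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM python:3.12-slim
COPY . /app
# The .netrc is mounted for this one RUN step only and never becomes a layer;
# the build is invoked with: docker build --secret id=pip_netrc,src=$HOME/.netrc .
RUN --mount=type=secret,id=pip_netrc,target=/root/.netrc \\
    pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

SECRET_NAME = re.compile(r"(?i)(?:secret|password|passwd|token|api_?key|private_?key)")
URL_USERINFO = re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")
CREDENTIAL_FILES = {".env", ".netrc", ".npmrc", ".pypirc", "id_rsa", "id_ed25519", "credentials"}


def parse_instructions(dockerfile):
    """Return (line_no, instruction) pairs with backslash continuations joined and
    comment/blank lines dropped; line_no is the line the instruction starts on."""
    out, buf, start = [], "", 0
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, (buf + line).strip()))
        buf = ""
    return out


def env_pairs(args):
    """Split `ENV K=v K2=v2` (and the legacy `ENV K v` form) into (key, value) pairs.
    Quoted values containing spaces are not handled; a real linter needs a full parser."""
    tokens = args.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tuple(tok.split("=", 1)) for tok in tokens if "=" in tok]
    return [(tokens[0], " ".join(tokens[1:]))]


def lint_dockerfile(dockerfile):
    """Policy findings as {"line", "rule", "detail"}; an empty list means the build may proceed.
    ENV and ARG are both checked because both values end up in `docker history`."""
    findings = []
    for line_no, ins in parse_instructions(dockerfile):
        keyword, _, args = ins.partition(" ")
        keyword = keyword.upper()
        if keyword in ("ENV", "ARG"):
            for key, value in env_pairs(args):
                if SECRET_NAME.search(key):
                    findings.append({"line": line_no, "rule": "secret-named-var", "detail": key})
                elif URL_USERINFO.search(value):
                    findings.append({"line": line_no, "rule": "credential-in-url", "detail": key})
        elif keyword in ("COPY", "ADD"):
            # Everything but flags and the final destination is a source path.
            sources = [t for t in args.split() if not t.startswith("--")][:-1]
            for src in sources:
                if src.rsplit("/", 1)[-1] in CREDENTIAL_FILES:
                    findings.append({"line": line_no, "rule": "copies-credential-file", "detail": src})
    return findings


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint_dockerfile(df) or "OK")
```

Wired into CI before `docker build`, a non-empty finding list stops an image with a credential in its layers from ever reaching a registry. The gate is deliberately narrow: `COPY . /app` pulling in an untracked `.env` is invisible to it unless `.dockerignore` excludes the file, which is why the report's point about scanning built image layers still applies after the lint passes.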
## Conclusion
The proliferation of NHIs is creating an unprecedented security risk characterized by high volumes of persistently exposed secrets across development code, containers, and collaboration platforms. A fragmented or reactive approach is inadequate. Organizations must immediately prioritize comprehensive secrets lifecycle governance, aggressive credential rotation, and expanded scanning visibility beyond source code into infrastructure components and developer communication channels to mitigate the risks posed by machine identities.