
Last year, security researchers found close to 29 million “secrets” in publicly available code.
These include credentials, API keys, AI tokens and even MCP configuration files.
These hard-coded secrets are stored in plain text across both public and private code repositories. Researchers also found them on developers’ workstations, in CI/CD pipelines and in Slack channels.
And AI is making the problem worse, with AI-assisted commits adding to this “secrets sprawl”. The number of leaked secrets in AI-assisted commits has doubled, according to researchers at GitGuardian.
For five years, GitGuardian has published a study into plain-text secrets in code, based on its own monitoring. In 2021 it detected 11 million secrets on GitHub; now the figure is 28.6 million.
Researchers are finding unstructured credentials such as passwords, private keys and custom tokens stored unencrypted and hard-coded in application code. And, they warn, the majority stay exploitable for years. The growth of non-human identities (NHIs) only makes the situation worse.
Unless developers control how they manage secrets in their code, we are leaving the door open to malicious actors, argues Dwayne McDaniel, principal developer advocate at GitGuardian.
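As an added illustration of the problem described above (this is example code written for this page, not the podcast's, the report's or GitGuardian's own tooling), the following Python scanner flags the kinds of plain-text secrets the passage lists in a few constructed source lines: private key headers, credentials assigned to suspicious variable names, and long high-entropy string literals. The regular expressions, the entropy thresholds, the placeholder list and the sample lines are all assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Illustrative detection rules (assumptions for this example, not any vendor's rules).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# A credential-looking name followed by an assignment of a quoted value of 8+ chars,
# e.g.  db_password = "..."   api_key: '...'   token = "..."
ASSIGNMENT_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Any quoted literal of 20+ chars; judged by entropy when no suspicious name is present.
QUOTED_RE = re.compile(r"['\"]([^'\"]{20,})['\"]")
# Obvious non-secrets that would otherwise trip the name-based rule.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "your_token_here"}
HIGH_ENTROPY_BITS = 4.0  # bits per character; assumed threshold for a "random-looking" literal


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo a suspected secret in full; keep only a short prefix and its length."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_lines(lines):
    """Return a list of findings, one dict per suspicious line, in line order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"line": lineno, "kind": "private_key", "name": None, "preview": None})
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if value.lower() in PLACEHOLDERS:
                continue  # a dummy value, not a leaked credential
            findings.append({"line": lineno, "kind": "hardcoded_credential",
                             "name": name, "preview": redact(value),
                             "entropy": round(shannon_entropy(value), 2)})
            continue
        m = QUOTED_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= HIGH_ENTROPY_BITS:
            findings.append({"line": lineno, "kind": "high_entropy_string",
                             "name": None, "preview": redact(m.group(1)),
                             "entropy": round(shannon_entropy(m.group(1)), 2)})
    return findings


# Constructed sample source: none of these values are real credentials.
SAMPLE_SOURCE = """\
DB_HOST = "localhost"
db_password = "changeme"
api_key = "cnstr-9f8e7d6c5b4a3f2e1d0c"
-----BEGIN RSA PRIVATE KEY-----
signing = "zQ3x7Lp9mK2vN8rT4wY6bH1cJ5dF0gA"
greeting = "hello world from our application"
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE.splitlines()):
        print(f)
```

Run on the sample, the scanner reports line 3 (name-based rule), line 4 (private key header) and line 5 (a 31-character literal of distinct characters, about 4.95 bits per character), while the placeholder on line 2 and the ordinary English sentence on line 6 (about 3.8 bits per character) are left alone. A hook of this shape, run as a pre-commit check, is the point at which a hard-coded secret is cheapest to catch: before it reaches a repository, a CI log or a chat channel, and before it has to be rotated.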
About our guest:
Dwayne McDaniel is a principal developer advocate who has been on a mission to “help people figure stuff out” for over a decade. At GitGuardian, he specializes in secrets security and non-human identity governance across cloud and DevOps environments. A frequent speaker at events like DevOpsDays and BSides, he helps security and engineering teams better understand complex issues.
