Secrets sprawl isn’t slowing down: in 2025, it accelerated faster than most security teams anticipated. GitGuardian’s State of Secrets Sprawl 2026 report analyzed billions of commits across public GitHub and uncovered 29 million new hardcoded secrets in 2025 alone, a 34% increase year over year and the largest single-year jump ever recorded.
This year’s findings reveal three core trends: AI has fundamentally reshaped how and where credentials leak, internal systems are far more exposed than most organizations realize, and remediation continues to be the industry’s Achilles heel.
Here are nine strategic takeaways that matter.
1. Secrets are growing faster than the developer population
Since 2021, leaked secrets have grown 152%, while GitHub’s public developer base expanded 98%. More developers and more AI-assisted code generation mean more credentials in circulation, and detection alone can’t keep pace.
2. AI services drove 81% more leaks year over year
GitGuardian detected 1,275,105 leaked secrets tied to AI services in 2025, up 81% from 2024. Eight of the ten fastest-growing categories of leaked secrets were AI-related. This isn’t just about OpenAI or Anthropic keys. The real explosion is happening in LLM infrastructure: retrieval APIs like Brave Search (+1,255%), orchestration tools like Firecrawl (+796%), and managed backends like Supabase (+992%). Every new AI integration introduces another machine identity, and each one expands the attack surface. Deploying AI safely requires a proper secrets security strategy.
3. Internal repositories are 6x more likely to leak than public ones
While public GitHub gets the attention, internal repositories are where the highest-value credentials live. GitGuardian’s research found that 32.2% of internal repos contain at least one hardcoded secret, compared to just 5.6% of public repos. These aren’t test keys. They’re CI/CD tokens, cloud access credentials, and database passwords, the exact assets attackers target once they gain a foothold. Security through obscurity has failed. Treat internal repos as first-class leak sources.
4. 28% of leaks happen entirely outside code
Secrets don’t only live in repositories. GitGuardian found that 28% of incidents in 2025 originated entirely outside source code, in Slack, Jira, Confluence, and similar collaboration tools. These leaks are also more dangerous: 56.7% of secrets found only in collaboration tools were rated critical, compared to 43.7% for code-only incidents. Teams paste credentials into chat and tickets during incident response, troubleshooting, and onboarding, where no pre-commit hook or repository scanner ever sees them. If you’re only scanning code, you’re missing more than a quarter of your exposure, and the higher-severity quarter at that.
5. Self-hosted GitLab and Docker registries expose secrets at 3-4x the rate of public GitHub
GitGuardian discovered thousands of unintentionally exposed self-hosted GitLab instances and Docker registries in 2025. Scanning these systems revealed 80,000 credentials, with 10,000 still valid. Secrets in Docker images were particularly troubling: 18% of scanned Docker images contained secrets, and 15% of those were valid, compared to 12% of GitLab repositories with a 12% validity rate. Docker secrets are also more production-adjacent. The perimeter between private and public is porous.
6. 64% of secrets leaked in 2022 remain valid today
Detection is not remediation. GitGuardian retested secrets confirmed as valid in 2022 and found that 64% are still exploitable four years later. This is not a rounding error. It’s evidence that rotation and revocation are not routine, owned, or automated in most organizations. Credentials embedded across build systems, CI variables, container images, and vendor integrations are hard to replace without breaking production, so the perceived safe short-term choice for many teams is to do nothing, which leaves attackers with durable access paths.
7. Developer endpoints are the new credential aggregation layer
The Shai-Hulud 2 supply chain attack gave researchers rare visibility into what secrets actually look like on compromised developer machines. Across 6,943 systems, GitGuardian identified 294,842 secret occurrences corresponding to 33,185 unique secrets. On average, each live secret appeared in eight different locations on the same machine, spread across .env files, shell history, IDE configs, cached tokens, and build artifacts. More striking: 59% of compromised machines were CI/CD runners, not personal laptops. Once secrets start sprawling into build infrastructure, they become an organizational exposure problem, not just an individual hygiene issue.
More recently, the LiteLLM supply chain attack demonstrated the same pattern, with compromised packages harvesting SSH keys, cloud credentials, and API tokens from developer machines where AI development tools are increasingly concentrated.
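As an added example (not GitGuardian’s tooling and not part of the report), the following Python script reproduces the occurrences-versus-unique-secrets accounting described above on a constructed snapshot of one developer machine: it walks the common leak locations, groups matches by secret value rather than by file, and reports how many places each unique secret lives. The detector patterns, candidate file locations, directory layout and key values are assumptions for illustration (the AWS key is the placeholder AWS documents; the GitHub token is padding).

```python
"""Count where each unique secret lives on a single developer endpoint.

Added example; not GitGuardian's tooling. The directory layout, file
contents and key values below are constructed for illustration (the AWS
key is the one AWS documents as a placeholder; the GitHub token is padding).
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# A handful of well-known credential formats (assumption: enough to
# illustrate the technique; production scanners carry hundreds of detectors).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Places secrets typically accumulate on a workstation or CI runner
# (assumption, mirroring the locations named in the text).
CANDIDATE_NAMES = {".bash_history", ".zsh_history", ".npmrc", "settings.json"}
CANDIDATE_SUFFIXES = {".env", ".json", ".js", ".log", ".sh", ".yml", ".yaml"}


def is_candidate(path: Path) -> bool:
    return (path.name in CANDIDATE_NAMES
            or path.name.startswith(".env")
            or path.suffix in CANDIDATE_SUFFIXES)


def scan_tree(root: Path) -> dict:
    """Return {secret_value: {"kind": detector, "locations": [relative paths]}}.

    Grouping by the secret value (not by file) is what turns "N matches"
    into "M unique secrets, each present in K places", the sprawl metric
    that decides how hard a rotation will be.
    """
    findings = defaultdict(lambda: {"kind": None, "locations": []})
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_candidate(path):
            continue
        text = path.read_text(errors="ignore")
        rel = path.relative_to(root).as_posix()
        for kind, rx in PATTERNS.items():
            for match in rx.finditer(text):
                entry = findings[match.group(0)]
                entry["kind"] = kind
                if rel not in entry["locations"]:
                    entry["locations"].append(rel)
    return dict(findings)


def summarize(findings: dict) -> dict:
    per_secret = [len(v["locations"]) for v in findings.values()]
    return {
        "unique_secrets": len(findings),
        "occurrences": sum(per_secret),
        "max_locations_for_one_secret": max(per_secret, default=0),
    }


def build_sample_endpoint(root: Path) -> None:
    """Write a constructed snapshot of a compromised dev machine."""
    aws = "AKIAIOSFODNN7EXAMPLE"          # AWS's documented placeholder key
    ghp = "ghp_" + "a" * 36                 # padding, not a real token
    files = {
        "project/.env": f"AWS_ACCESS_KEY_ID={aws}\n",
        ".bash_history": (f"export AWS_ACCESS_KEY_ID={aws}\n"
                          f"git push https://{ghp}@github.com/org/repo\n"),
        ".vscode/settings.json": f'{{"ci.token": "{ghp}"}}\n',
        "project/dist/bundle.js": f"const KEY = '{aws}';\n",
        "project/build.log": f"[runner] AWS_ACCESS_KEY_ID={aws} exported\n",
        ".npmrc": f"//registry.example.test/:_authToken={ghp}\n",
        "README.md": "No secrets here; not even a candidate file.\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_demo() -> dict:
    """Build the sample endpoint in a temp dir, scan it, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_endpoint(root)
        findings = scan_tree(root)
    return {"findings": findings, "summary": summarize(findings)}


if __name__ == "__main__":
    result = run_demo()
    for secret, info in result["findings"].items():
        print(f"{info['kind']}: {secret[:8]}... found in "
              f"{len(info['locations'])} places -> {info['locations']}")
    print(result["summary"])
```

On the constructed snapshot the two unique secrets account for seven occurrences, with the AWS key present in four locations; rotating it means touching the .env file, the shell history, a built bundle and a build log, which is exactly why "just rotate it" stalls in practice.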
8. MCP servers exposed 24,000+ secrets in their first year
Model Context Protocol (MCP) made AI systems more useful by connecting them to tools and data sources. It also introduced a new class of credential exposure. In 2025, GitGuardian found 24,008 unique secrets in MCP-related config files on public GitHub, with 2,117 verified as valid. As agentic AI adoption accelerates, MCP and similar frameworks will normalize putting credentials into config files, startup flags, and local JSON. The agent ecosystem is expanding faster than security controls can adapt.
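As an added example (not GitGuardian’s code and not part of any MCP client), here is a checker for the kind of exposure described above. It assumes the "mcpServers" config shape that several MCP clients share (server name mapped to "command", "args" and "env"), treats only literal strings as exposure (a "${VAR}" reference is resolved at launch and is not stored in the file), and looks in the three places the text names: env blocks, inline flags in args, and credentials embedded in connection URLs. The server names, package names and all key values in the sample config are constructed.

```python
"""Flag hardcoded credentials in an MCP client config file.

Added example; not GitGuardian's code and not part of any MCP client. It
assumes the config shape several MCP clients share: a top-level
"mcpServers" map of server name -> {"command", "args", "env"}. Server
names, package names and credential values in SAMPLE_CONFIG are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# Whole-value matchers for a few well-known credential formats (assumption).
PATTERNS = {
    "aws_access_key_id": re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$"),
    "github_token": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
    "generic_api_key": re.compile(r"^(?:sk|key|tok)[-_][A-Za-z0-9_-]{20,}$"),
}
# Flags that commonly carry a credential inline (assumption).
SECRET_FLAGS = {"--api-key", "--token", "--password", "--secret"}
ENV_NAME_HINT = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|AUTH", re.I)


def redact(value: str) -> str:
    """Never echo the full secret back into logs or findings."""
    return value[:4] + "..." if len(value) > 8 else "***"


def classify(value: str):
    for kind, rx in PATTERNS.items():
        if rx.match(value):
            return kind
    return None


def is_reference(value: str) -> bool:
    # "${VAR}", "$VAR" or an empty string: resolved at launch, not stored
    # in the file. Only literal strings count as exposure.
    return value == "" or value.startswith("$")


def check_env(server: str, env: dict, findings: list) -> None:
    for name, value in env.items():
        if not isinstance(value, str) or is_reference(value):
            continue
        kind = classify(value)
        # Unknown format, but a secret-looking name with a long literal value.
        if kind is None and ENV_NAME_HINT.search(name) and len(value) >= 16:
            kind = "literal_in_secret_named_var"
        if kind:
            findings.append({"server": server, "where": f"env.{name}",
                             "kind": kind, "value": redact(value)})


def check_args(server: str, args: list, findings: list) -> None:
    for i, arg in enumerate(args):
        if not isinstance(arg, str):
            continue
        flag, _, inline = arg.partition("=")
        if flag in SECRET_FLAGS and inline and not is_reference(inline):
            # --api-key=VALUE
            findings.append({"server": server, "where": f"args[{i}] {flag}=",
                             "kind": classify(inline) or "flag_value",
                             "value": redact(inline)})
        elif arg in SECRET_FLAGS and i + 1 < len(args):
            # --api-key VALUE
            nxt = args[i + 1]
            if isinstance(nxt, str) and not is_reference(nxt):
                findings.append({"server": server,
                                 "where": f"args[{i + 1}] after {arg}",
                                 "kind": classify(nxt) or "flag_value",
                                 "value": redact(nxt)})
        elif "://" in arg:
            # scheme://user:password@host, the classic DSN leak
            parts = urlsplit(arg)
            if parts.password or (parts.username and classify(parts.username)):
                findings.append({"server": server,
                                 "where": f"args[{i}] url userinfo",
                                 "kind": "url_embedded_credential",
                                 "value": redact(parts.password or parts.username)})


def check_config(config: dict) -> list:
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        check_env(server, spec.get("env") or {}, findings)
        check_args(server, spec.get("args") or [], findings)
    return findings


def check_config_text(text: str) -> list:
    return check_config(json.loads(text))


# Constructed sample: four servers with literal credentials, one clean one,
# and one value supplied by reference that must not be flagged.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "example-github-server"],
                   "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "b" * 36}},
        "search": {"command": "uvx",
                   "args": ["example-search-server", "--api-key=key-" + "c" * 24]},
        "db": {"command": "example-db-server",
               "args": ["postgres://app:s3cr3t-pass@db.internal:5432/prod"]},
        "aws": {"command": "example-aws-server",
                "env": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
                        "AWS_SECRET_ACCESS_KEY": "${AWS_SECRET_ACCESS_KEY}"}},
        "files": {"command": "example-fs-server", "args": ["/home/dev/projects"],
                  "env": {"LOG_LEVEL": "debug"}},
    }
})

if __name__ == "__main__":
    for f in check_config_text(SAMPLE_CONFIG):
        print(f"[{f['server']}] {f['where']}: {f['kind']} ({f['value']})")
```

Run against the sample it reports four findings (the GitHub token in env, the inline --api-key value, the password inside the Postgres URL, and the AWS access key id) and stays silent on the "${AWS_SECRET_ACCESS_KEY}" reference and the filesystem server. Pointing it at the real config files MCP clients write under a developer's home directory is the quickest way to see how much of the 24,008 figure lives on your own machines.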
9. Shift from secrets detection to non-human identity governance
The industry’s limiting factor is its ability to answer three questions at scale:
– What non-human identities exist in my environment?
– Who owns them?
– What can they access?
Organizations embracing agentic AI need to move beyond detection and build continuous NHI governance. That means eliminating long-lived static credentials wherever possible, adopting short-lived identity-driven access, implementing secrets vaulting as the default developer workflow, and treating every service account, CI job, and AI agent as a governed identity with lifecycle management.
The Bottom Line
Secrets sprawl is not slowing down. It’s accelerating alongside AI adoption, developer productivity tools, and distributed software delivery. The old model of scanning public repos and hoping for compliance is no longer sufficient. Security teams need visibility across internal systems, collaboration tools, container registries, and developer endpoints. They need remediation workflows that can rotate credentials without breaking production. And most importantly, they need to stop treating secrets as isolated incidents and start managing them as part of a broader non-human identity governance program.
The attack surface has changed. The question is whether security programs will change with it.
About the Research
GitGuardian’s yearly State of Secrets Sprawl report was published for the 5th time, analyzing billions of public commits on GitHub, monitoring internal incidents across customer environments, and conducting original research on self-hosted infrastructure exposure and supply chain compromises.