
Credential Sprawl Accelerates: 28.6 M Hard‑coded Secrets Discovered in 2025 Across Public & Private Repos

GitGuardian’s 2026 report reveals a record 28.65 million new hard‑coded secrets in public GitHub commits for 2025, with internal and self‑hosted repositories exposing even more. AI‑driven tooling is adding fresh credential categories, and many secrets stay valid for years, expanding third‑party risk.

🛡️ LiveThreat™ Intelligence · 📅 March 27, 2026 · 📰 helpnetsecurity.com

Severity: 🟠 High · Type: 🔍 ThreatIntel · Confidence: 🎯 High · Affected: 🏢 4 sector(s) · Actions: 3 recommended · Source: 📰 helpnetsecurity.com

What Happened — GitGuardian’s 2026 “State of Secrets Sprawl” report documents 28.65 million new hard‑coded secrets appearing in public GitHub commits during 2025, with internal repositories and self‑hosted tools showing an even higher density of exposed keys, tokens, and passwords. AI‑driven development pipelines are adding fresh categories of credentials, and many of the leaked secrets remain valid for years.

Why It Matters for TPRM

  • Credential leakage expands the attack surface of every third‑party software supply chain, increasing the likelihood of lateral movement into production environments.
  • Persistent, valid secrets enable credential‑stuffing and unauthorized API access long after initial exposure, threatening data confidentiality and service integrity.
  • Traditional scanning tools often miss internal or self‑hosted repositories, leaving a blind spot in vendor risk assessments.

Who Is Affected — Technology SaaS providers, cloud‑hosted CI/CD platforms, AI‑model service vendors, and any organization that outsources development, DevOps, or infrastructure management.

Recommended Actions

  • Expand third‑party scanning to include private Git repositories, self‑hosted GitLab/Docker registries, and collaboration tools (Slack, Jira, Confluence).
  • Enforce secret‑management policies: rotate credentials regularly, use vault solutions, and integrate secret‑detection CI/CD gates.
  • Require vendors to provide evidence of secret‑scanning coverage and remediation timelines in their security questionnaires.
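A minimal secret-detection CI gate of the kind the second action above calls for, added here as an illustration and not code from GitGuardian or Help Net Security. The regexes, the entropy threshold and the sample files are assumptions constructed for this example; the AWS key shown is the well-known documentation example value, not a live credential.

```python
import math
import re
from collections import Counter

# Illustrative regexes written for this example; they are not GitGuardian's
# detectors, and production scanners carry far larger rule sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high, placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_no, rule, snippet) for each suspected hard-coded secret.
    The generic rule also requires a random-looking value, so placeholders
    such as changeme or xxxxxxxxxxxx are not reported."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append((line_no, rule, m.group(0)[:40]))
    return findings

def ci_gate(files: dict) -> int:
    """CI entry point: returns 1 (block the pipeline) if any file holds a suspected secret."""
    status = 0
    for path, body in files.items():
        for line_no, rule, snippet in scan_text(body):
            print(f"{path}:{line_no}: {rule}: {snippet}")
            status = 1
    return status

# Constructed sample input with fake values (assumed file names and contents).
SAMPLE_FILES = {
    "config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nPASSWORD = "changeme"\n',
    "deploy.sh": "export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij0123\n",
    "README.md": "Set SECRET via your vault, never in code.\n",
}
```

Calling `ci_gate(SAMPLE_FILES)` from a pipeline step and using its return value as the exit status fails the build on the two planted keys while leaving the placeholder password and the README untouched.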

Technical Notes — The surge is driven by hard‑coded API keys, cloud access tokens, and service‑account passwords embedded in code, configuration files, and AI‑tooling scripts. No specific CVE is cited; the vector is primarily misconfiguration and stolen credentials resulting from inadequate secret hygiene. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/03/27/gitguardian-exposed-credentials-risk-report/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.