The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

GitGuardian's State of Secrets Sprawl 2026 report found 29 million new hardcoded secrets in public GitHub repositories in 2025 alone — a 34% year-over-year increase. The report identifies nine critical findings for CISOs navigating an expanding secrets management crisis.

Dylan H.

News Desk

March 30, 2026
8 min read

29 Million New Secrets in 2025: The Hardcoded Credentials Crisis Is Accelerating

The secrets sprawl problem is not just persistent — it is accelerating. GitGuardian's State of Secrets Sprawl 2026 report, published this week and covered by The Hacker News, analyzed billions of commits across public GitHub repositories and uncovered 29 million new hardcoded secrets in 2025 alone, representing a 34% year-over-year increase. The scope of the problem — API keys, cloud credentials, database passwords, and authentication tokens embedded in source code and committed to public repositories — is growing faster than most security teams anticipated, and the report identifies nine takeaways that should inform every CISO's secrets management strategy heading into the rest of 2026.


| Metric | Value |
|---|---|
| New secrets found in 2025 | 29 million |
| Year-over-year increase | +34% |
| Analysis scope | Billions of commits, public GitHub |
| Report author | GitGuardian |
| Primary risk | Hardcoded credentials in source code |
| Key concern | Validity persistence — secrets remain active long after exposure |

Why Secrets Sprawl Keeps Getting Worse

The 34% year-over-year increase in hardcoded secrets is not driven by developers becoming more careless. It reflects structural pressures in modern software development:

Developer velocity and tooling pressure: AI code assistants, including GitHub Copilot, ChatGPT, and others, generate code quickly — but the code they produce often includes credential patterns copied from documentation, examples, or training data. Developers accepting AI suggestions without careful review are inadvertently committing secrets at greater frequency.

Microservices proliferation: Modern architectures rely on hundreds of interconnected services, each requiring authentication credentials. More services mean more credential strings in more repositories, with more developers handling them.

Third-party integrations: The SaaS ecosystem has expanded dramatically. Every Stripe key, Twilio token, Slack webhook, and SendGrid credential represents another secret to manage — and potentially to accidentally commit.

Monorepo and polyrepo sprawl: As organizations scale engineering teams, repository counts grow. More repositories mean more surface area for accidental credential exposure, particularly in configuration files, CI/CD scripts, and infrastructure-as-code.

The 9 CISO Takeaways

1. Volume alone understates the problem

With 29 million new secrets discovered in public GitHub in 2025, the visible surface represents a fraction of the actual problem. Private repositories, internal development servers, artifact registries, and CI/CD pipeline logs contain additional secrets — many of which GitGuardian's public scan cannot reach. CISOs should treat the public GitHub findings as a lower bound.

2. Secrets validity is the true risk multiplier

The critical finding from GitGuardian's report is not the volume of exposed secrets — it is that many exposed secrets remain valid and active for extended periods after exposure. An API key committed to a public repository in January 2025 may still be functional in March 2026 if the owning organization has not detected the exposure and rotated the credential. Validity persistence transforms a compliance issue into an active attack surface.

3. Generic detectors miss the long tail

Generic secret scanning rules catch well-known patterns: AWS access keys, GitHub tokens, Stripe keys with recognizable prefixes. But the long tail of organization-specific secrets — internal service credentials, proprietary authentication tokens, database connection strings — often escapes generic detection. CISOs need tools that combine generic pattern matching with custom rules tuned to their specific technology stack.

4. The developer feedback loop is broken

Secrets get committed because developers either do not know they are secrets or do not know they should not be in the repository. Pre-commit hooks and secrets scanning integrated into the development workflow — before commits reach remote repositories — are significantly more effective than reactive post-commit scanning. The feedback loop needs to be as close to the developer action as possible.
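The two points above, the long tail that generic detectors miss and the need to catch secrets while they are still staged, can be combined in one pre-commit check. The following is an added example, not GitGuardian's, detect-secrets' or gitleaks' code: it pairs generic prefix rules (AWS, GitHub, Stripe) with a custom rule for a hypothetical internal token format, falls back to a Shannon-entropy heuristic for assignments the signatures do not cover, and runs over the `+` lines of a unified diff as produced by `git diff --cached -U0`. The sample diff, the `acme_svc_` token format and the entropy threshold are constructed for illustration.

```python
"""Pre-commit secret scanner: generic rules plus organisation-specific ones.

Added example, not GitGuardian's or any vendor's code. The custom rule, the
entropy threshold and the sample diff are constructed for illustration.
"""
from __future__ import annotations

import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    snippet: str  # the offending line with the secret masked


# Generic rules: well-known prefixes that every scanner catches.
GENERIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-live-secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}

# Custom rules for one hypothetical stack: an internal service token of the
# form acme_svc_<32 hex>, and passwords embedded in connection strings.
CUSTOM_RULES = {
    "acme-internal-service-token": re.compile(r"\bacme_svc_[0-9a-f]{32}\b"),
    "connection-string-password": re.compile(r"(?i)(?:password|pwd)=([^;\s'\"]{8,})"),
}

# Fallback for the long tail: a secret-looking assignment whose value has high
# entropy. Placeholders such as "xxxxxxxx" have low entropy and are skipped.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|token|api_key|apikey|password)\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; a hypothetical tuning value


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for an empty or single-character alphabet."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (rule name, masked line) for every rule that matches the line."""
    hits = []
    for name, pattern in {**GENERIC_RULES, **CUSTOM_RULES}.items():
        for m in pattern.finditer(line):
            secret = m.group(1) if m.groups() else m.group(0)
            hits.append((name, line.replace(secret, mask(secret))))
    if not hits:  # entropy heuristic only when no signature rule fired
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy-assignment", line.replace(m.group(2), mask(m.group(2)))))
    return hits


DIFF_FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only added lines of a unified diff, tracking new-file line numbers."""
    findings: list[Finding] = []
    path, line_no = "", 0
    for raw in diff_text.splitlines():
        if m := DIFF_FILE_RE.match(raw):
            path = m.group(1)
            continue
        if m := HUNK_RE.match(raw):
            line_no = int(m.group(1))
            continue
        if raw.startswith("+") and not raw.startswith("+++"):
            content = raw[1:]
            for rule, masked in scan_line(content):
                findings.append(Finding(rule, path, line_no, masked.strip()))
            line_no += 1
        elif raw.startswith(" "):  # unchanged context line
            line_no += 1
        # removed ("-") lines and headers do not advance the new-file counter
    return findings


# Constructed staged diff: four secrets of different kinds and one low-entropy
# placeholder that must not be flagged.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,4 @@ DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+INTERNAL_TOKEN = "acme_svc_0123456789abcdef0123456789abcdef"
+TIMEOUT_SECONDS = 30
+DATABASE_URL = "Server=db;User=app;Password=CorrectHorseBattery9;"
diff --git a/app/client.py b/app/client.py
index 3333333..4444444 100644
--- a/app/client.py
+++ b/app/client.py
@@ -1,2 +1,3 @@
 import requests
-API_KEY = "xxxxxxxxxxxxxxxxxxxx"
+API_KEY = "xxxxxxxxxxxxxxxxxxxx"  # placeholder, low entropy: not flagged
+API_SECRET = "p8Kz2qX7vLm4Nt9wRb3sHf6Yc1Dj5Gk0"
"""


def main() -> int:
    """Hook entry point: non-zero exit blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as `.git/hooks/pre-commit`, the script exits non-zero whenever a staged line matches, which is what makes the feedback loop sit at the developer's action rather than after the push. Two design choices matter for a defender: findings are printed with the secret masked so the hook's own output does not re-leak it into terminals or CI logs, and the entropy heuristic runs only when no signature rule matched, so it extends coverage to organisation-specific formats without duplicating hits.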

5. AI-generated code is a new vector

GitGuardian's analysis identifies AI-generated code as an emerging contributor to secrets sprawl. Code suggestions from AI assistants may include example credentials, placeholder secrets that look real, or patterns from the AI's training data. Development teams using AI code generation without secrets scanning in the CI pipeline face elevated risk.

6. Non-human identities are underprotected

While human credential hygiene gets most attention, the report highlights the growing problem of non-human identity (NHI) secrets: service account keys, machine-to-machine authentication tokens, CI/CD pipeline credentials, and infrastructure automation secrets. These credentials often have longer lifespans than human credentials, are less frequently rotated, and may have broader permissions than necessary.

7. The remediation window is shrinking

The time between public commit and first malicious scan of a GitHub repository is measured in minutes, not hours. Automated bots continuously scan public repositories for credential patterns. A secret that is committed and pushed at 2 AM and discovered by the security team at 9 AM has been exposed to automated scanners for seven hours — sufficient time for credential abuse in many scenarios.

8. Secrets sprawl enables supply chain attacks

Exposed credentials in public repositories are increasingly being exploited not just for direct access but as entry points for supply chain attacks. Credentials for package registries (npm, PyPI), container registries, or code signing certificates allow attackers to publish malicious packages or tamper with software distribution channels, multiplying the downstream impact far beyond the credential holder's own infrastructure.

9. Remediation without prevention compounds the problem

Organizations that focus on reactive secrets detection — scanning repos and revoking exposed credentials after the fact — are on a treadmill. Without pre-commit hooks, developer education, and systematic reduction of secret hardcoding through secrets management tooling (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.), the discovery-and-revoke cycle will continue to expand with developer velocity.


| CISO Priority | Action |
|---|---|
| Short-term | Enable pre-commit secret scanning across all engineering teams |
| Short-term | Scan all existing public and private repositories for exposed secrets |
| Short-term | Revoke and rotate any detected valid credentials immediately |
| Medium-term | Implement centralized secrets management (Vault, cloud KMS) |
| Medium-term | Enforce secrets scanning in CI/CD pipelines as a blocking check |
| Medium-term | Audit non-human identity credentials — service accounts, pipelines |
| Long-term | Eliminate hardcoded secrets by design — move to dynamic secret generation |
| Long-term | Build AI code review workflows that flag generated credential patterns |

Tools and Approaches

Pre-commit scanning: Tools like detect-secrets, gitleaks, and GitGuardian's own pre-commit hook can scan staged changes before they reach the repository. This is the highest-ROI intervention because it prevents secrets from ever entering version control.

Repository scanning: GitGuardian, Semgrep, and GitHub's native secret scanning (for public repos and paid tiers) can audit existing repositories for historical and current exposures.

Secrets management platforms: Centralized secrets management tools issue dynamic credentials — short-lived, automatically rotated secrets that are fetched at runtime rather than stored in configuration files. This architectural approach eliminates the hardcoding problem at its source.
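What "fetched at runtime rather than stored in configuration files" looks like in application code, as an added example that is not code from GitGuardian, HashiCorp Vault or any cloud KMS client: the hardcoded config sits beside a config that carries only a `secret://` reference, and a resolver swaps the reference for a leased credential that is re-issued when its TTL runs out. The provider is an in-memory stand-in for a dynamic-secrets backend; the reference syntax, the paths, the TTL and the placeholder password are all constructed for illustration.

```python
"""Resolving secret references at runtime with short-lived leases.

Added example, not code from GitGuardian, HashiCorp Vault or any cloud KMS.
The provider below is an in-memory stand-in for a secrets manager; the
"secret://" reference syntax, paths and TTL are constructed for illustration.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

# Weak pattern: the credential is a literal in the config, so it ends up in
# version control, in backups and in every developer's checkout.
HARDCODED_CONFIG = {
    "db_host": "db.internal",
    "db_user": "app",
    "db_password": "CorrectHorseBattery9",  # constructed placeholder value
}

# Corrected pattern: the config carries only a reference. Nothing in this
# dict is sensitive, so it can be committed safely.
REFERENCE_CONFIG = {
    "db_host": "db.internal",
    "db_user": "app",
    "db_password": "secret://database/creds/app",
}

SECRET_REF = re.compile(r"^secret://(?P<path>[\w/\-]+)$")


@dataclass(frozen=True)
class Lease:
    value: str
    expires_at: float  # seconds on the injected clock


class DynamicSecretProvider:
    """Issues a fresh, unique credential on every request, each with a TTL.

    Stands in for a dynamic-secrets backend (conceptually like Vault's database
    engine or a cloud secrets manager with rotation). The clock is injected so
    lease expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds: float, clock):
        self.ttl = ttl_seconds
        self.clock = clock
        self.issued = 0  # how many credentials have been minted

    def issue(self, path: str) -> Lease:
        self.issued += 1
        # A real backend would create a database role here; we mint a random
        # token whose prefix shows which path it was issued for.
        value = f"{path.rsplit('/', 1)[-1]}-{secrets.token_hex(8)}"
        return Lease(value=value, expires_at=self.clock() + self.ttl)


class SecretResolver:
    """Replaces secret:// references with live values, renewing on expiry."""

    def __init__(self, provider: DynamicSecretProvider):
        self.provider = provider
        self._leases: dict[str, Lease] = {}

    def _current(self, path: str) -> str:
        lease = self._leases.get(path)
        if lease is None or lease.expires_at <= self.provider.clock():
            lease = self.provider.issue(path)  # expired or never fetched
            self._leases[path] = lease
        return lease.value

    def resolve(self, config: dict[str, str]) -> dict[str, str]:
        resolved = {}
        for key, value in config.items():
            m = SECRET_REF.match(value)
            resolved[key] = self._current(m.group("path")) if m else value
        return resolved


class FakeClock:
    """Controllable clock; a production resolver would use time.monotonic()."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def demo() -> tuple[str, str, str]:
    """Fetch, re-fetch inside the TTL, then re-fetch after it has expired."""
    clock = FakeClock()
    resolver = SecretResolver(DynamicSecretProvider(ttl_seconds=300, clock=clock))
    first = resolver.resolve(REFERENCE_CONFIG)["db_password"]
    clock.advance(60)
    same = resolver.resolve(REFERENCE_CONFIG)["db_password"]     # lease still valid
    clock.advance(300)
    renewed = resolver.resolve(REFERENCE_CONFIG)["db_password"]  # expired, re-issued
    return first, same, renewed


if __name__ == "__main__":
    first, same, renewed = demo()
    print("cached within TTL:", first == same, "| rotated after TTL:", first != renewed)
```

The point of the split is that a leaked copy of `REFERENCE_CONFIG` tells an attacker nothing, and a leaked credential value is only useful until its lease lapses, which bounds the validity-persistence problem the report highlights. In a real deployment the resolver would talk to the secrets manager over an authenticated channel (workload identity, not another static key), and the lease TTL would be chosen to be shorter than the time you are willing to tolerate an exposed credential staying usable.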

NHI governance: Dedicated non-human identity management platforms help organizations inventory service accounts, API keys, and machine credentials, enforce rotation policies, and detect anomalous usage patterns.
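Takeaway 6 and the NHI governance note above both come down to the same audit: inventory the machine credentials, then flag the ones that are overdue for rotation, dormant, or granted wildcard permissions. The following is an added example, not code from GitGuardian or any NHI management platform; the inventory rows, the reference date (the article's publication date) and the policy thresholds are constructed, and a real audit would read an IAM credential report or a secrets-manager listing in place of the inline list.

```python
"""Audit of non-human identity (NHI) credentials against a rotation policy.

Added example; not code from GitGuardian or any NHI platform. The inventory,
reference date and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds: hypothetical values a team might adopt.
MAX_KEY_AGE_DAYS = 90   # rotate at least this often
MAX_IDLE_DAYS = 60      # unused for longer than this => candidate for removal

# Constructed inventory in the shape of a credential report: one row per
# machine credential, ISO dates, and the permissions granted to it.
INVENTORY = [
    {"id": "svc-build-runner", "kind": "ci-pipeline-token", "created": "2025-01-15",
     "last_used": "2026-03-28", "permissions": ["ecr:PutImage", "s3:PutObject"]},
    {"id": "svc-legacy-report", "kind": "service-account-key", "created": "2025-09-01",
     "last_used": "2025-10-01", "permissions": ["s3:GetObject"]},
    {"id": "svc-terraform", "kind": "automation-key", "created": "2026-03-01",
     "last_used": "2026-03-29", "permissions": ["*"]},
    {"id": "svc-metrics-exporter", "kind": "service-account-key", "created": "2026-03-10",
     "last_used": "2026-03-30", "permissions": ["cloudwatch:PutMetricData"]},
    {"id": "svc-never-used", "kind": "m2m-client-secret", "created": "2025-12-01",
     "last_used": None, "permissions": ["iam:*"]},
]


@dataclass(frozen=True)
class Issue:
    identity: str
    check: str    # rotation-overdue | dormant | over-privileged
    detail: str


def _days_since(iso_date: str | None, today: date) -> int | None:
    """Days from an ISO date to today; None when the date is absent."""
    return None if iso_date is None else (today - date.fromisoformat(iso_date)).days


def is_wildcard(permission: str) -> bool:
    """Treat '*' and any 'service:*'-style grant as a broad permission."""
    return permission == "*" or permission.endswith(":*") or permission.endswith("/*")


def audit(inventory: list[dict], today: date) -> list[Issue]:
    """Apply the three policy checks to every credential in the inventory."""
    issues: list[Issue] = []
    for cred in inventory:
        age = _days_since(cred["created"], today)
        if age is not None and age > MAX_KEY_AGE_DAYS:
            issues.append(Issue(cred["id"], "rotation-overdue",
                                f"key is {age} days old (limit {MAX_KEY_AGE_DAYS})"))

        idle = _days_since(cred.get("last_used"), today)
        if idle is None:
            issues.append(Issue(cred["id"], "dormant", "never used since creation"))
        elif idle > MAX_IDLE_DAYS:
            issues.append(Issue(cred["id"], "dormant",
                                f"last used {idle} days ago (limit {MAX_IDLE_DAYS})"))

        wild = [p for p in cred["permissions"] if is_wildcard(p)]
        if wild:
            issues.append(Issue(cred["id"], "over-privileged",
                                f"wildcard grants: {', '.join(wild)}"))
    return issues


def summarize(issues: list[Issue]) -> dict[str, int]:
    """Count issues per check, e.g. for a dashboard or a weekly report."""
    counts: dict[str, int] = {}
    for issue in issues:
        counts[issue.check] = counts.get(issue.check, 0) + 1
    return counts


if __name__ == "__main__":
    report_date = date(2026, 3, 30)  # constructed reference date
    found = audit(INVENTORY, report_date)
    for issue in found:
        print(f"{issue.identity:22} {issue.check:17} {issue.detail}")
    print(summarize(found))
```

Run against the constructed inventory, the audit leaves the recently created, actively used, narrowly scoped exporter key untouched and flags the other four identities; the one that has never been used and carries `iam:*` trips all three checks, which is the profile the report warns about: long-lived, unrotated, and broader than necessary. The same three checks map directly onto the medium-term "audit non-human identity credentials" action in the priority table.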


What the 34% Increase Signals

A 34% year-over-year increase is not noise — it is a structural trend. The growth in hardcoded secrets is tracking with the growth in developer headcount, AI code generation adoption, and third-party SaaS integration. Security teams and tooling investments that are growing at a slower rate than the exposure surface are falling behind.

The State of Secrets Sprawl 2026 report is a signal that the industry's current approach to secrets management — primarily reactive, primarily developer-education-based, primarily focused on human credentials — is insufficient. The path to meaningful reduction in secrets exposure runs through automation: pre-commit hooks that block secrets before they land, CI/CD gates that prevent secrets from reaching branches, and secrets management infrastructure that makes hardcoding technically unnecessary.


Key Takeaways

  1. GitGuardian found 29 million new hardcoded secrets in public GitHub in 2025, a 34% year-over-year increase — the problem is getting worse, not better.
  2. Validity persistence is the true multiplier: exposed secrets that remain active for days or weeks after exposure represent an active, exploitable attack surface.
  3. AI code generation is contributing to secrets sprawl as developers accept suggestions containing credential patterns without review.
  4. Non-human identity credentials — service accounts, CI/CD tokens, machine-to-machine keys — are underprotected and under-rotated relative to human credentials.
  5. Pre-commit scanning is the highest-leverage intervention: blocking secrets from entering version control is far more effective than reactive detection and rotation.
  6. The 34% growth rate signals that current approaches are structurally insufficient; centralized secrets management and dynamic credential issuance are required to bend the curve.

Sources

  • The State of Secrets Sprawl 2026: 9 Takeaways for CISOs — The Hacker News
  • GitGuardian State of Secrets Sprawl 2026 Report