The State of Secrets Sprawl 2026: 9 Takeaways for CISOs

The spread of secrets is not slowing down: in 2025 it accelerated faster than many security teams expected. GitGuardian’s State of Secrets Sprawl 2026 report analyzed billions of commits across public GitHub and revealed 29 million new hardcoded secrets in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.

This year’s findings reveal three key trends: AI has fundamentally reshaped how and where secrets leak, internal systems are more exposed than most organizations realize, and remediation continues to be the industry’s Achilles’ heel.

Here are nine important takeaways.

1. Secrets grow faster than the number of developers

Since 2021, leaked secrets have grown by 152%, while GitHub’s developer community has grown by 98%. More developers and more AI-assisted code generation mean more secrets being committed, and detection alone cannot keep pace.

2. AI services have driven 81% more leaks year over year

GitGuardian found 1,275,105 leaked secrets linked to AI services in 2025, up 81% from 2024. Eight of the ten fastest-growing categories of leaked secrets were related to AI. This is not just about OpenAI or Anthropic keys. The real explosion is happening in LLM infrastructure: retrieval APIs like Brave Search (+1,255%), orchestration tools like Firecrawl (+796%), and managed backends like Supabase (+992%). Every new AI integration introduces another machine identity, and each one expands the attack surface. Deploying AI securely requires a proper secrets strategy.

3. Internal repositories are 6 times more likely to leak than public ones

While public GitHub gets the attention, internal repositories are where the high-value credentials reside. A GitGuardian study found that 32.2% of internal repos contain at least one hard-coded secret, compared to just 5.6% of public repositories. These are not test keys: they are CI/CD tokens, cloud access credentials, and database passwords, exactly what attackers target once they gain a foothold. Security through obscurity has failed. Treat internal repos as first-class leak sources.

4. 28% of leaks occur outside code entirely

Secrets don’t just live in repositories. GitGuardian found that 28% of 2025 incidents occurred outside of source code, in Slack, Jira, Confluence, and similar collaboration tools. These leaks are disproportionately dangerous: 56.7% of secrets found only in collaboration tools were rated as high-severity, compared to 43.7% of code-only cases. Teams share credentials during incident response, troubleshooting, and onboarding. If you only scan code, you are missing roughly a quarter of your exposure. And the credentials that leak into collaboration tools are often highly sensitive and hard to track down.

5. Self-hosted GitLab instances and Docker registries expose secrets at 3-4x the rate of public GitHub

In 2025, GitGuardian discovered thousands of self-hosted GitLab instances and Docker registries that were inadvertently exposed. A scan of these systems revealed 80,000 credentials, 10,000 of which were still active. Secrets in Docker images were of particular concern: 18% of scanned Docker images contained secrets, and 15% of those were valid, compared to 12% of GitLab repositories with a 12% validity rate. Secrets in Docker images also sit much closer to production. The perimeter between private and public is porous.

6. 64% of secrets leaked in 2022 are still valid today

Discovery is not a fix. GitGuardian retested secrets that had been verified as valid in 2022 and found that 64% were still valid four years later. This is not a measurement artifact. It is evidence that rotation and revocation are not routine, prioritized, or automated in most organizations. Credentials embedded in build systems, CI variables, container images, and vendor integrations are hard to change without breaking something. For many teams, the safest short-term choice is to do nothing, which leaves attackers with durable access.

7. Developer endpoints are a new layer of credential exposure

The Shai-Hulud 2 supply chain attack gave researchers a rare glimpse into what secrets actually look like on compromised engineering machines. Across 6,943 systems, GitGuardian identified 294,842 secret occurrences corresponding to 33,185 unique secrets. On average, each live secret appeared in eight different places on the same machine, spread across .env files, shell history, IDE configuration, cached tokens, and build artifacts. Even more striking: 59 percent of the compromised devices were CI/CD runners, not personal laptops. Once secrets spread into build infrastructure, they become an organizational exposure issue, not just an individual hygiene issue.

More recently, a supply chain attack on LiteLLM showed a similar pattern, with compromised packages harvesting SSH keys, cloud credentials, and API tokens from developer machines where AI development tools are concentrated.

8. MCP servers exposed 24,000+ secrets in their first year

The Model Context Protocol (MCP) makes AI systems more useful by connecting them to tools and data sources. It also introduces a new class of credential exposures. In 2025, GitGuardian found 24,008 unique secrets in MCP-related configuration files on public GitHub, 2,117 of which were verified as valid. As agentic AI adoption accelerates, MCP and similar agent frameworks will normalize placing credentials in configuration files, startup flags, and local JSON. The agent ecosystem is growing faster than security controls can adapt.
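Takeaways 4, 7 and 8 make the same point from three angles: secrets turn up in chat messages, in .env files and shell history on developer machines, and in MCP configuration JSON, so a scanner that only looks at source files misses them. The following is an added example, not code from the report or from GitGuardian, of a minimal detector that runs the same pattern set over a Slack-style message, an .env file, a shell history fragment and an MCP server config, walking JSON structurally so the key name gives context. Every input value and the detector list are constructed assumptions for illustration; real scanners ship hundreds of detectors and validate hits against the issuing service.

```python
import json
import re
from dataclasses import dataclass

# Illustrative detector set (an assumption for this example; production scanners
# ship hundreds of detectors and validate each hit against the issuing service).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    # password embedded in a connection string: scheme://user:PASSWORD@host
    "url_credentials": re.compile(r"://[^/:\s@]+:([^@\s]+)@"),
    # KEY=value / key: "value" assignments whose name suggests a credential
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str     # where the secret was seen (tool, file, JSON path)
    kind: str       # which detector fired
    redacted: str   # never carry the raw value into reports or tickets


def redact(value: str) -> str:
    """Keep enough of the value to correlate duplicates, hide the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(source: str, text: str) -> list:
    """Run every detector over a text blob; one finding per distinct value."""
    findings, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            if value in seen:
                continue   # same token also matched by a later, broader detector
            seen.add(value)
            findings.append(Finding(source, kind, redact(value)))
    return findings


def scan_json(source: str, node, path: str = "") -> list:
    """Walk a JSON document (e.g. an MCP server config) and scan each string
    leaf as KEY=value so the key name gives the generic detector context."""
    if isinstance(node, str):
        key = path.rsplit(".", 1)[-1]
        return scan_text(f"{source}:{path}", f"{key}={node}")
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(scan_json(source, value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(scan_json(source, item, f"{path}[{index}]"))
    return findings


# Constructed sample inputs: every value below is fake and shaped only to trip
# the detectors above; none is a real credential.
SAMPLE_SOURCES = {
    "slack": "hey can you check prod? creds: AKIAEXAMPLE000000001 - not the secret here, pinging @ops",
    "env": "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n"
           "OPENAI_API_KEY=sk-constructed0000000000000000example\nDEBUG=true\n",
    "shell_history": "export GITHUB_TOKEN=ghp_constructedconstructedconstructed000\ngit push\n",
    "mcp_config": json.dumps({"mcpServers": {"search": {
        "command": "npx",
        "args": ["-y", "example-search-server"],
        "env": {"SEARCH_API_KEY": "constructed_mcp_key_0123456789abcdef"}}}}),
}


def scan_sources(sources: dict) -> list:
    """Scan each source; bodies that parse as JSON are walked structurally."""
    findings = []
    for name, body in sources.items():
        try:
            findings.extend(scan_json(name, json.loads(body)))
        except json.JSONDecodeError:
            findings.extend(scan_text(name, body))
    return findings


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding.source:<48} {finding.kind:<20} {finding.redacted}")
```

Two design points carry over to real tooling: findings are keyed by redacted value so the same token seen in a chat message, a shell history file and a CI variable can be correlated into one incident (the "eight places per secret" pattern from takeaway 7) without copying the secret into the ticketing system, and the JSON walker reports the full key path, which is what a remediation owner needs to locate the entry in an MCP or IDE config.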

9. Shift from discovering secrets to governing non-human identities

Non-human identity (NHI) governance answers three questions at scale:

– What non-human identities exist in my environment?

– Who owns them?

– What can they access?

Organizations adopting agentic AI need to go beyond visibility and build sustainable NHI governance. That means removing long-lived static credentials where possible, adopting short-lived identity-based access, routing leaked-secret remediation through automated developer workflows, and managing every service account, CI job, and AI agent as a governed identity with lifecycle management.
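The three governance questions above, together with takeaway 6’s finding that most leaked credentials are never rotated, reduce to a policy check that can run over an identity inventory. The following is an added example, not code from the report or from GitGuardian: each non-human identity records its owner, whether its credential is a long-lived static secret or a short-lived workload identity, when the current credential was issued, and the scopes it holds; the evaluator flags unowned identities, static secrets older than an assumed 90-day rotation policy, and wildcard grants, and reports what share of static secrets are overdue. The inventory entries, the as-of date and the 90-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rotation policy for static secrets (an example value, not a report figure).
MAX_STATIC_AGE_DAYS = 90


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str               # service account, CI job, AI agent, MCP server, ...
    kind: str               # "static_secret" (long-lived key) or "short_lived" (workload identity)
    owner: Optional[str]    # accountable team; None means nobody will rotate it
    issued: date            # when the current credential was minted
    scopes: tuple           # what it can reach; "prefix:*" is a wildcard grant


def evaluate(nhi: NonHumanIdentity, today: date) -> list:
    """Answer the three governance questions for one identity; return its issues."""
    issues = []
    if not nhi.owner:
        issues.append("no-owner")
    if nhi.kind == "static_secret":
        age = (today - nhi.issued).days
        if age > MAX_STATIC_AGE_DAYS:
            issues.append(f"stale-credential:{age}d")
    if any(scope.endswith("*") for scope in nhi.scopes):
        issues.append("wildcard-scope")
    return issues


def governance_report(identities, today: date) -> dict:
    """Aggregate per-identity issues into the numbers a CISO would ask for."""
    issues = {nhi.name: evaluate(nhi, today) for nhi in identities}
    static = [nhi for nhi in identities if nhi.kind == "static_secret"]
    stale = [nhi for nhi in static
             if any(i.startswith("stale-credential") for i in issues[nhi.name])]
    return {
        "total": len(identities),
        "static_secrets": len(static),
        "stale_static": len(stale),
        "stale_static_share": len(stale) / len(static) if static else 0.0,
        "unowned": sorted(name for name, found in issues.items() if "no-owner" in found),
        "issues": issues,
    }


# Constructed inventory; names, dates and scopes are invented for the example.
SAMPLE_INVENTORY = [
    NonHumanIdentity("ci-deploy-token", "static_secret", "platform-team",
                     date(2022, 3, 1), ("repo:write", "deploy:prod")),
    NonHumanIdentity("analytics-agent", "static_secret", None,
                     date(2026, 1, 15), ("warehouse:*",)),
    NonHumanIdentity("build-runner", "short_lived", "platform-team",
                     date(2026, 2, 28), ("artifacts:read",)),
    NonHumanIdentity("mcp-search-server", "static_secret", "ml-team",
                     date(2025, 11, 1), ("search:query",)),
]
AS_OF = date(2026, 3, 1)   # fixed so the report is reproducible


def demo_report() -> dict:
    return governance_report(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    report = demo_report()
    print(f"{report['stale_static']}/{report['static_secrets']} static secrets older than "
          f"{MAX_STATIC_AGE_DAYS} days ({report['stale_static_share']:.0%})")
    for name, found in report["issues"].items():
        print(f"  {name:<20} {', '.join(found) or 'ok'}")
```

The short-lived identity is never flagged as stale because its credential is minted per job and expires on its own; that is the practical reason the section recommends replacing static credentials with short-lived access wherever possible. An unowned identity is reported even when its credential is fresh, since without an owner the next rotation will not happen.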

The Bottom Line

The spread of secrets is not slowing down. It is accelerating with AI-assisted development, developer productivity tools, and distributed software delivery. The old model of scanning public repositories and hoping for the best is no longer enough. Security teams need visibility across internal systems, collaboration tools, container registries, and developer endpoints. They need a remediation workflow that can rotate credentials without disrupting production. And most importantly, they need to stop treating secrets as isolated events and start managing them as part of a broader non-human identity governance program.

The attack surface has changed. The question is whether security systems will change with it.

About the Research

GitGuardian’s annual State of Secrets Sprawl report was published for the fifth time, analyzing billions of public commits on GitHub, monitoring internal incidents across customer environments, and conducting real-world research on hosted infrastructure exposures and supply chain compromises.
