29 Million Hardcoded Secrets Found in 2025: GitGuardian State of Secrets Sprawl
Quick summary
GitGuardian's 2026 report found 29 million new hardcoded secrets in public repos in 2025, a 34% YoY increase. API keys, credentials, and tokens are still being committed in plain text.
GitGuardian's State of Secrets Sprawl 2026 report found 29 million new hardcoded secrets committed to public repositories in 2025 — a 34% year-over-year increase and the largest single-year jump since the report began. That's 29 million API keys, database credentials, private keys, tokens, and certificates committed to public code in a single year. The number is both a product of developer workflow failures and a structural problem with how software is built and shipped.
The Actual Numbers
29 million secrets in 2025, up from approximately 21.6 million in 2024 (the implied prior-year figure for a 34% increase). GitGuardian scans public GitHub, GitLab, and Bitbucket repositories in near-real-time. These are not historical repos — the scan covers active commits. The 29 million figure represents secrets committed for the first time in 2025, not cumulative exposure across all public code ever written.
Breaking it down by type (based on GitGuardian's historical breakdown patterns): generic API keys and tokens represent the largest category. Cloud provider credentials (AWS, GCP, Azure access keys) are the highest-severity subset. Database connection strings, private keys (RSA, ECDSA, PGP), and OAuth tokens make up the remainder.
The 34% increase year-over-year outpaces both public repository growth (roughly 20% YoY on GitHub) and developer population growth. More secrets per developer, per repo, per commit — the rate is getting worse faster than the underlying activity is growing.
Why This Keeps Happening Despite Awareness
Developer education about secrets management has improved substantially over the past five years. GitHub Push Protection, which blocks commits containing detected secrets before they reach the remote, has been free and enabled by default for public repos since 2024. GitGuardian and competitors offer free scanning tools. The awareness and tooling exist.
The problem is workflow friction. The secret gets committed because the developer is solving a different problem — they're testing an integration, debugging a production issue, or shipping a quick fix — and the credential is the path of least resistance. The cognitive overhead of secret management (vault setup, environment variable configuration, CI/CD injection) competes with the immediate task at hand.
AI code assistants accelerate this pattern. When a developer uses an AI assistant to generate integration code, the generated snippet often includes placeholder credentials that the developer replaces with real values — and then commits. The code generation is fast; the credential hygiene step requires switching context to a secrets management system. Fast code + high developer velocity = more secrets committed.
What Gets Found After the Commit
GitGuardian's data shows that when a secret is committed to a public repo, the median time to first access by a non-committing actor (automated scanner, threat actor, or researcher) is under four minutes. The window between a commit and its discovery is very short.
The downstream impact depends on the secret type. AWS access keys with broad IAM permissions are monetized immediately — cryptocurrency mining instances are spun up within minutes of discovery by automated scanners that continuously monitor GitHub commit streams. Database credentials with internet-accessible endpoints lead to data exfiltration. OAuth tokens enable account takeover or API abuse depending on the scopes granted.
Revocation is the only reliable fix. Secrets that remain active after being committed — even briefly — should be treated as compromised. GitGuardian's own incident data shows that a meaningful percentage of organizations that discover a previously committed secret cannot confirm it was never accessed.
The AI-Generated Code Multiplier
The 34% jump in 2025 correlates with the adoption curve of AI coding assistants. GitHub Copilot reached 1.8 million paid users in 2024. Cursor crossed 500,000 active users in late 2024. Claude Code, Windsurf, and others added developer volume throughout 2025.
AI assistants don't commit secrets directly — developers do. But the pattern of AI-generated boilerplate that includes credential placeholders, combined with higher-velocity coding, creates more moments where a secret ends up in staging code that gets committed. This isn't a theoretical concern; security researchers have documented AI-assisted codebases with higher rates of credential exposure than comparable non-AI codebases.
What Developers Should Actually Do
The technical fixes are well-known but under-implemented:
Pre-commit hooks: Install git-secrets or gitleaks as pre-commit hooks. Both tools scan staged changes for credential patterns before the commit is created. Setup takes 10 minutes; it catches the most common failure mode (committing by accident).
GitHub Push Protection: If you're on GitHub, enable Push Protection on all repositories. For organizations, it can be enforced at the org level. It blocks pushes containing detected secrets and requires explicit bypass with a justification.
Secrets management in CI/CD: GitHub Actions Secrets, GitLab CI Variables, and Doppler all provide secure secret injection at build time. Secrets should never be in .env files committed to repos — use .env.example with placeholder values and inject real values via the CI/CD pipeline.
Rotate on suspicion: If there's any possibility a secret was committed — even to a private repo, even briefly — rotate it immediately. The cost of rotation is low; the cost of a leaked AWS key with EC2 permissions is several thousand dollars in cryptocurrency mining charges in the first 24 hours.
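As an added example (not GitGuardian's, gitleaks' or git-secrets' code), here is the core of a pre-commit scanner in Python: it reads a staged diff, scans only the added lines, and applies the secret categories named above: AWS access key IDs, private key blocks, connection strings with embedded passwords, and keyword-named assignments filtered by Shannon entropy so that CHANGE_ME-style placeholders do not fire. The rules, the 3.5-bit threshold and the sample diff are assumptions; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.

```python
import math
import re
RULES = [  # high-confidence patterns, reported regardless of entropy
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("url-with-password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@")),
]
# Keyword-named assignments are only reported when the value is high-entropy, which
# is what separates a CHANGE_ME placeholder from a real token (assumed cut-off: 3.5 bits).
KEYWORD_ASSIGN = re.compile(
    r'(?i)(?:token|secret|key|password|passwd)\w*\s*[:=]\s*["\']([\w./+=-]{16,})["\']')
ENTROPY_THRESHOLD = 3.5
def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
def classify(text: str):
    for name, pattern in RULES:  # first matching rule wins: one finding per line
        if pattern.search(text):
            return name
    m = KEYWORD_ASSIGN.search(text)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        return "high-entropy-assignment"
    return None
def scan_diff(diff: str) -> list:
    """Scan only '+' lines of a unified diff (what the commit adds); returns (path, line, rule)."""
    findings, path, line_no = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # hunk header carries the new-file start line
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            rule = classify(raw[1:])
            if rule:
                findings.append((path, line_no, rule))
        elif not raw.startswith("-"):
            line_no += 1  # unchanged context line
    return findings

# Constructed sample diff; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_DIFF = """\
+++ b/app/config.py
@@ -1,1 +1,5 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "sk_live_9zXq2Lw8Vb3mNp7RtY5uKd1HgJ4cQe6A"
+DB_URL = "postgres://app:hunter2@db.internal:5432/prod"
+SESSION_SECRET = "CHANGE_ME_CHANGE_ME"
"""
```

Feed it the output of `git diff --cached` from a pre-commit hook and reject the commit whenever scan_diff returns any findings.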
The Responsibility Split
GitGuardian's report implicitly indicts the development platforms as much as individual developers. GitHub has the technical capability to block all known secret patterns at push time — it does this for some patterns via Push Protection, but not comprehensively. The argument for comprehensive blocking is straightforward: the externality of a leaked credential (AWS bill, data breach, account takeover) is borne by someone other than the developer who committed it.
Platform-level enforcement is more reliable than developer-level discipline at scale. The 34% YoY increase suggests developer-level education isn't moving the needle fast enough.
Key Takeaways
- 29 million hardcoded secrets in 2025 — 34% YoY increase, the largest single-year jump in GitGuardian history
- Growth outpaces repo growth: secrets are increasing faster than developer or repository volume — more secrets per commit, not just more commits
- Median time to external access: under 4 minutes after a secret is committed to a public repo — treat any committed secret as compromised
- AI code assistants are a contributing factor: higher velocity coding + AI-generated boilerplate = more credential placeholder commits
- Immediate fixes: enable GitHub Push Protection, install gitleaks as a pre-commit hook, move all secrets to CI/CD environment injection
- AWS key exposure = immediate cryptocurrency mining — automated scanners monitor GitHub commit streams in real-time and spin up mining instances within minutes
Frequently Asked Questions
How many hardcoded secrets were found in public repos in 2025?
29 million new hardcoded secrets were committed to public repositories in 2025, according to GitGuardian's State of Secrets Sprawl 2026 report. This represents a 34% year-over-year increase and the largest single-year jump on record.
How quickly are leaked API keys found after being committed to GitHub?
GitGuardian's data shows the median time to first access by a non-committing actor is under four minutes after a secret is committed to a public repository. Automated scanners continuously monitor GitHub commit streams and monetize AWS keys (cryptocurrency mining) within minutes of discovery.
Why are hardcoded secrets increasing despite better tooling and awareness?
Developer awareness and tooling have improved, but workflow friction persists. Secrets get committed during debugging, quick fixes, or testing integrations because credential management (vault setup, environment variable configuration) requires context-switching from the immediate task. AI coding assistants accelerate the pattern by generating boilerplate with placeholder credentials that developers replace and sometimes commit.
How can developers prevent committing secrets to public repos?
Three high-impact measures: (1) Install gitleaks or git-secrets as pre-commit hooks to block credentials before the commit is created. (2) Enable GitHub Push Protection at the repository or organization level. (3) Move all secrets to CI/CD environment injection (GitHub Actions Secrets, GitLab CI Variables, Doppler) and never commit .env files with real values.
What should you do if you accidentally commit a secret to a public repo?
Rotate the secret immediately — do not wait to confirm whether it was accessed. GitGuardian data shows external access occurs within minutes. Rotation invalidates the compromised credential before further damage. If it was an AWS key, check CloudTrail logs for unauthorized API calls in the window between the commit and rotation. Removing the commit from git history does not help — the secret was already indexed by scanners within minutes.
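The CloudTrail check described above, as an added example that is not part of the original article: given CloudTrail records (the `Records` array of a log file, using the real field names eventTime, eventName, awsRegion, sourceIPAddress and userIdentity.accessKeyId), it returns every call made with the leaked key between the commit time and the rotation time that did not come from a trusted egress range. The sample events, the key ID (AWS's documented example), the timestamps and the trusted CIDR are all constructed.

```python
import ipaddress
from datetime import datetime, timezone

def parse_time(s: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2025-06-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def calls_in_exposure_window(records, leaked_key_id, committed_at, rotated_at, trusted_cidrs):
    """Return API calls made with the leaked key between commit and rotation that did not
    come from a trusted egress range, oldest first. Non-IP sources (AWS service principals
    such as ec2.amazonaws.com) cannot be matched against a CIDR and are kept visible."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    start, end = parse_time(committed_at), parse_time(rotated_at)
    hits = []
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId") != leaked_key_id:
            continue
        if not start <= parse_time(r["eventTime"]) <= end:
            continue
        src = r.get("sourceIPAddress", "")
        try:
            if any(ipaddress.ip_address(src) in net for net in trusted):
                continue
        except ValueError:
            pass  # not an IP address: keep the event
        hits.append({"time": r["eventTime"], "event": r["eventName"], "source": src,
                     "region": r.get("awsRegion"), "error": r.get("errorCode")})
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample events in CloudTrail's record shape; IPs are from RFC 5737 test ranges.
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key ID, standing in for the leaked one
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-01T11:50:00Z", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2025-06-01T12:03:10Z", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2025-06-01T12:04:02Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2025-06-01T12:05:00Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED_KEY}},
    {"eventTime": "2025-06-01T12:06:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": "AKIAXXXXXXXXXXOTHER1"}},
]
COMMITTED_AT, ROTATED_AT = "2025-06-01T12:00:00Z", "2025-06-01T12:30:00Z"
TRUSTED_EGRESS = ["203.0.113.0/24"]  # assumed office/CI NAT range
```

Calls in an unexpected region, such as the RunInstances in ap-southeast-1 above, are the signal that the key was used for more than a look-up and that the resulting resources need to be found and terminated.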
