Overview
In 2025, the risk landscape around secrets embedded in code continued to grow, revealing how rapidly sensitive credentials can proliferate across development work. A recent study analyzing billions of public GitHub commits uncovered a staggering surge: 29 million newly exposed hardcoded secrets in 2025 alone, representing a 34% year-over-year increase and the largest single-year jump on record. This trend, often referred to as secrets sprawl, underscores a systemic challenge where credentials can slip into codebases and linger, creating opportunities for misuse. The findings highlight the need for heightened awareness, stronger tooling, and tighter governance across modern software development workflows.
Event Snapshot
The report paints a clear picture of escalating exposure within public code repositories. While developers push more code and collaborate across platforms, the room for error grows—leading to a sharp rise in hardcoded secrets discovered in 2025. The scale of billions of commits across public GitHub emphasizes how widespread this issue is, and the record-setting increase signals that existing controls are not yet sufficient to curb the trend. Even as scanning tools and best practices advance, the data suggests a gap between what teams know and what they implement in day-to-day coding and release processes.
Impact and Implications
Hardcoded or improperly secured credentials found in code can be exploited to gain unauthorized access, steal data, or move laterally through networks. When such secrets exist in widely accessible repositories, the potential blast radius grows for organizations of all sizes. The sheer volume of exposed credentials complicates risk assessment, response, and remediation, and it can erode trust in software supply chains. For CISOs, developers, and security teams, the takeaway is clear: proactive discovery, disciplined handling of secrets, and resilient software practices are not optional but essential components of modern cybersecurity.
Protective Measures
- Adopt a centralized secret management solution and avoid embedding credentials directly in code or configuration files.
- Integrate automated secret scanning into the CI/CD pipeline and enforce pre-commit checks to catch secrets early.
- Use short-lived, revocable credentials and enforce the principle of least privilege across all accounts and services.
- Regularly scrub secret material from version history and rotate credentials after exposure or suspected compromise.
- Reference secrets via secure vaults or environment-specific configurations rather than storing them in repositories.
- Limit access to repositories containing sensitive material, and require MFA for privileged access to critical systems.
- Provide ongoing security training for developers on secure coding practices and the risks of hardcoded secrets.
