Secrets Sprawl on the Rise: Key Insights from GitGuardian’s 2026 Report
The phenomenon of “secrets sprawl,” the uncontrolled proliferation of sensitive information such as API keys, passwords, and tokens across code and other environments, shows no signs of abating. According to GitGuardian’s latest report on the state of secrets sprawl, the issue escalated significantly in 2025, with 29 million new hardcoded secrets identified across public GitHub. This represents a 34% increase from the previous year, the largest single-year surge recorded to date.
The findings point to three trends that are reshaping the cybersecurity landscape. First, artificial intelligence (AI) has changed both how and where credentials leak. The rapid adoption of AI services has proven to be a double-edged sword: GitGuardian reported that leaks associated with these services surged by 81% from 2024 to 2025, and ten of the fastest-growing categories of credential leaks were AI-related, suggesting that as organizations increasingly rely on generative models and machine learning, they inadvertently expand their attack surface.
Additionally, the report highlights a troubling reality: internal systems are six times more likely to leak sensitive information than public repositories. Specifically, GitGuardian found that over 32% of internal repositories harbored at least one hardcoded secret, compared to just 5.6% of public repositories. These vulnerabilities often involve critical assets such as CI/CD tokens and cloud access credentials that attackers actively target once they breach an organization’s defenses. The recommendation is clear: internal repositories should be treated as prime sources of potential leaks rather than as obscure, lesser concerns.
The research also reveals that 28% of leaks originate outside traditional code repositories, surfacing instead in collaboration tools such as Slack and Jira. GitGuardian noted that secrets found only within these platforms were rated critical 56.7% of the time, compared to 43.7% for those discovered in code, underscoring the need for detection that extends beyond code scanning.
The deluge of credentials extends beyond conventional public and internal repository concerns. GitGuardian observed that self-hosted instances of GitLab and Docker registries expose secrets at rates anywhere from three to four times higher than those of public GitHub. Their analysis revealed tens of thousands of credentials scattered across these platforms, amplifying the call for more rigorous security practices.
Moreover, 64% of secrets detected in 2022 remain valid and exploitable today, indicating that remediation lags far behind detection. This persistence is a reminder that rotating and revoking credentials should not be an afterthought but an essential operational practice for safeguarding organizational assets.
Credential exposure from emerging technologies is compounded by developer productivity trends. Recent supply chain attacks show that secrets often reside in unexpected locations, such as .env files and cached tokens on compromised machines. An investigation into the Shai-Hulud 2 attack uncovered over 294,000 secret occurrences across nearly 7,000 developer systems, highlighting the need for organizations to treat credential management as an organizational-level priority.
As businesses integrate agentic AI and adopt advanced development tools, the risk extends to new frameworks that normalize the inclusion of credentials in configuration files. The Model Context Protocol (MCP), for example, is designed to enhance the utility of AI systems but has also introduced a new category of credential exposure. GitGuardian identified thousands of secrets encoded within MCP-related config files, emphasizing the need for robust monitoring and governance.
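As an added example (not from the report or from GitGuardian’s tooling), here is the kind of check that catches the MCP config exposure described above: it parses an MCP client config, assumed here to use the `mcpServers`/`env`/`args` layout, and flags values that look like hardcoded credentials while accepting environment-variable references. The key-name patterns, token prefixes, entropy threshold and sample config are all constructed for illustration.

```python
import json
import math
import re

# Heuristics are this example's own assumptions: key names that usually carry
# credentials, token shapes with well-known prefixes, and placeholder forms that
# mean "resolved from the environment at runtime" (the pattern we want to see).
SECRET_KEY_RE = re.compile(r"key|token|secret|password|passwd|credential", re.I)
KNOWN_TOKEN_RE = re.compile(r"^(sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{30,}|AKIA[0-9A-Z]{16})$")
PLACEHOLDER_RE = re.compile(r"^\$\{?[A-Z_]+\}?$|^<[^>]*>$|^(changeme|redacted)$", re.I)

def shannon_entropy(s):
    """Bits per character; random API keys score well above words and paths."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def classify_value(key, value):
    """Reason string if (key, value) looks like a hardcoded secret, else None."""
    if not isinstance(value, str) or PLACEHOLDER_RE.match(value):
        return None
    if KNOWN_TOKEN_RE.match(value):
        return "known-token-format"
    if SECRET_KEY_RE.search(key) and len(value) >= 16 and shannon_entropy(value) > 3.5:
        return "secret-like-key-with-high-entropy-value"
    return None

def scan_mcp_config(text):
    """Assumed layout: {"mcpServers": {name: {"command": .., "args": [..], "env": {..}}}}."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if reason := classify_value(key, value):
                findings.append((name, key, reason))
        for arg in server.get("args", []):  # tokens also get passed as --flag=value
            key, _, value = str(arg).partition("=")
            if not value:  # bare flag or package name: only a token shape can tell
                key, value = "", str(arg)
            if reason := classify_value(key, value):
                findings.append((name, "args", reason))
    return findings

# Constructed sample: two servers hardcode credentials, one references an env var.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@example/mcp-github"],
               "env": {"GITHUB_TOKEN": "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"}},
    "db": {"command": "mcp-db", "args": ["--password=Tr0ub4dor&3xYzQ9pLm2"]},
    "safe": {"command": "mcp-safe", "env": {"API_KEY": "${SAFE_API_KEY}"}},
}})
```

Running `scan_mcp_config(SAMPLE_CONFIG)` reports the `github` token and the `db` password argument and stays silent on the `safe` server, which is exactly the distinction a pre-commit hook or repository scanner needs to make.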
Ultimately, organizations must shift their focus from merely detecting rogue secrets to implementing comprehensive governance over non-human identities. This necessitates a thorough understanding of the non-human agents within their tech environments, including comprehensive audits of existing identities, associated access rights, and robust management protocols to limit exposure. The landscape of cybersecurity threats has evolved, and proactive measures are essential to mitigate the risks associated with secrets sprawl.
In conclusion, as organizations navigate an increasingly complex threat landscape, the insights gained from GitGuardian’s 2026 report serve as a critical reminder that robust security strategies must extend far beyond traditional approaches and consider the broader implications of credential management across all systems and platforms.