GitGuardian Unveils Alarming 81% Rise in AI-Service Secrets Leakage on Public GitHub
- Mar 18
Key Findings
• 29 million new secrets leaked on GitHub in 2025
• 81% increase in AI service credential leaks
• Public GitHub commits increased 43% year-over-year
• Secret leak rates in AI-assisted code are 2× baseline
• Internal repositories 6× more likely to contain hardcoded secrets
Background
The year 2025 marked a transformative period in software development, characterized by unprecedented AI adoption and acceleration of software creation workflows. GitGuardian's annual "State of Secrets Sprawl" report reveals a dramatic shift in how software is created, integrated, and potentially compromised.
AI Adoption and Development Dynamics
The software ecosystem experienced explosive growth, with public GitHub commits rising 43% and the active developer population expanding by 33%. This rapid expansion was primarily driven by AI-assisted coding tools that democratized software development, enabling individuals with minimal formal training to build complex applications quickly.
Secret Leak Patterns
AI-assisted coding platforms showed higher secret leak rates than traditional development methods. For instance, Claude Code-assisted commits showed a 3.2% secret leak rate, nearly double the GitHub-wide baseline of 1.5%. These leaks often stem from human decision-making rather than purely technological failures.
Infrastructure and Credential Risks
AI service infrastructure presented unique security challenges. The report identified 1,275,105 leaked AI service credentials, with an 81% year-over-year increase. Notably, infrastructure like LLM orchestration and vector storage platforms leaked credentials five times faster than core model providers.
Organizational Exposure
Internal repositories remained the most significant risk, being six times more likely than public repositories to contain hardcoded secrets. Additionally, approximately 28% of credential exposure incidents originated from collaboration and productivity tools beyond traditional code repositories.
Governance and Remediation Challenges
The research highlighted persistent issues with secret management:
• 60% of policy violations involved long-lived credentials
• 46% of critical secrets lack vendor-provided validation mechanisms
• 64% of valid secrets from 2022 remained unrevoked by 2026
Recommendations
GitGuardian recommends organizations treat non-human identities as first-class security assets, implementing dedicated governance, contextual analysis, and automated remediation strategies across code and non-code surfaces.
Sources
https://hackread.com/gitguardian-reports-an-81-surge-of-ai-service-leaks-as-29m-secrets-hit-public-github/
https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/
https://news.backbox.org/2026/03/17/gitguardian-reports-an-81-surge-of-ai-service-leaks-as-29m-secrets-hit-public-github/
