Research from GitGuardian reveals the real-world impact of leaked Kubernetes secrets found on public GitHub and Docker Hub. Three secret formats are analyzed: TLS client certificates (kubeconfig), JWT service account tokens, and container registry credentials (dockerconfigjson). A scan in fall 2025 found 44 active exposed clusters, with 30% exposed for over two years, plus 2,034 registry credentials of which 46% were still valid — exposing 309 private Docker images and 730 private GitHub repositories. The post details exploitation chains (lateral movement, persistence, credential harvesting) and practical hardening steps: network isolation, short-lived OIDC credentials, least-privilege service accounts, read-only registry tokens, and credential rotation at decommission. In Q1 2026, GitGuardian detectors caught nearly 2,000 new Kubernetes secret leaks on GitHub, 28% valid at leak time.
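The three secret formats named above each have a recognisable shape that a repository or image scanner can key on before any credential is ever tried against a live endpoint. The script below is an added example, not GitGuardian's detector code and not from the post: it recognises kubeconfig client-certificate material, Kubernetes service-account JWTs, and dockerconfigjson registry credentials in a blob of text, and reports only non-secret identifiers (PEM type, namespace and account name, registry host and username) so the report itself does not become a second leak. All sample inputs are constructed inline with fabricated values; the detector function names and the simplifying assumption that `"auths"` is a top-level key are mine.

```python
import base64
import json
import re
from typing import Any, Dict, Iterator, List

# ---- Constructed sample inputs: fabricated values, not real credentials ----
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

_FAKE_CERT = _b64(b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n")
_FAKE_KEY = _b64(b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_KUBECONFIG = (
    "apiVersion: v1\nkind: Config\nclusters:\n- name: demo\n  cluster:\n"
    "    server: https://203.0.113.10:6443\nusers:\n- name: demo-admin\n  user:\n"
    f"    client-certificate-data: {_FAKE_CERT}\n"
    f"    client-key-data: {_FAKE_KEY}\n"
)
_JWT_HEADER = _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
_JWT_PAYLOAD = _b64url(json.dumps({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "prod",
    "kubernetes.io/serviceaccount/service-account.name": "ci-deployer",
    "sub": "system:serviceaccount:prod:ci-deployer",
}).encode())
SAMPLE_SA_TOKEN = _JWT_HEADER + "." + _JWT_PAYLOAD + "." + _b64url(b"not-a-real-signature")
_DOCKERCFG = json.dumps({"auths": {"registry.example.invalid": {"auth": _b64(b"robot-ci:EXAMPLE_REGISTRY_TOKEN")}}})
SAMPLE_SECRET_MANIFEST = (
    "apiVersion: v1\nkind: Secret\ntype: kubernetes.io/dockerconfigjson\n"
    f"data:\n  .dockerconfigjson: {_b64(_DOCKERCFG.encode())}\n"
)

# ---- Detectors (hypothetical names; report identifiers, never the secret itself) ----
_KUBECONFIG_RE = re.compile(r"(client-certificate-data|client-key-data):\s*([A-Za-z0-9+/=]{16,})")
_JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
_DOCKERCFG_DATA_RE = re.compile(r"\.dockerconfigjson:\s*([A-Za-z0-9+/=]{16,})")

def _pem_label(b64text: str) -> str:
    """PEM label (e.g. 'CERTIFICATE') of base64-encoded PEM, or '' if it does not decode to PEM."""
    try:
        decoded = base64.b64decode(b64text, validate=True).decode("ascii", "ignore")
    except (ValueError, UnicodeDecodeError):
        return ""
    m = re.match(r"-----BEGIN ([A-Z ]+)-----", decoded)
    return m.group(1) if m else ""

def find_kubeconfig_material(text: str) -> List[Dict[str, str]]:
    """Flag kubeconfig client certs/keys; the finding carries the PEM type only."""
    return [{"type": "kubeconfig", "field": field, "pem": label}
            for field, value in _KUBECONFIG_RE.findall(text)
            if (label := _pem_label(value))]

def _decode_jwt_payload(token: str) -> Any:
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def find_service_account_tokens(text: str) -> List[Dict[str, str]]:
    """Flag JWTs whose claims identify a Kubernetes service account (legacy or bound token form)."""
    findings = []
    for token in _JWT_RE.findall(text):
        try:
            claims = _decode_jwt_payload(token)
        except (ValueError, UnicodeDecodeError):
            continue
        if not isinstance(claims, dict):
            continue
        if claims.get("iss") != "kubernetes/serviceaccount" and not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
            continue
        bound = claims.get("kubernetes.io") if isinstance(claims.get("kubernetes.io"), dict) else {}
        findings.append({"type": "sa-jwt",
                         "namespace": claims.get("kubernetes.io/serviceaccount/namespace") or bound.get("namespace", "?"),
                         "account": claims.get("kubernetes.io/serviceaccount/service-account.name")
                                    or (bound.get("serviceaccount") or {}).get("name", "?")})
    return findings

def _dockercfg_candidates(text: str) -> Iterator[str]:
    # Form 1: Secret manifest with the whole config base64-encoded under .dockerconfigjson
    for encoded in _DOCKERCFG_DATA_RE.findall(text):
        try:
            yield base64.b64decode(encoded, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            pass
    # Form 2: a raw config.json; assumes "auths" sits at the top level of the object
    for m in re.finditer(r'"auths"\s*:', text):
        start = text.rfind("{", 0, m.start())
        if start >= 0:
            yield text[start:]

def find_registry_credentials(text: str) -> List[Dict[str, str]]:
    """Flag dockerconfigjson credentials; report registry host and username only."""
    findings = []
    for candidate in _dockercfg_candidates(text):
        try:
            cfg, _ = json.JSONDecoder().raw_decode(candidate)
        except ValueError:
            continue
        for registry, entry in (cfg.get("auths") or {}).items():
            entry = entry if isinstance(entry, dict) else {}
            user = entry.get("username")
            if not user and entry.get("auth"):
                try:  # "auth" is base64("user:password"); keep only the user part
                    user = base64.b64decode(entry["auth"], validate=True).decode().split(":", 1)[0]
                except (ValueError, UnicodeDecodeError):
                    user = "?"
            findings.append({"type": "dockerconfigjson", "registry": registry, "username": user or "?"})
    return findings

def scan(text: str) -> List[Dict[str, str]]:
    """Run all three detectors over one blob (a file, a commit diff, an extracted image layer)."""
    return find_kubeconfig_material(text) + find_service_account_tokens(text) + find_registry_credentials(text)

if __name__ == "__main__":
    for name, blob in [("kubeconfig", SAMPLE_KUBECONFIG), ("sa-token", SAMPLE_SA_TOKEN), ("secret", SAMPLE_SECRET_MANIFEST)]:
        for finding in scan(blob):
            print(name, finding)
```

Each finding is enough to route a revocation ticket (which cluster user, which service account, which registry robot account) without copying the credential into the alerting pipeline; validity checking against the live API server or registry, which the post's numbers depend on, is a separate step that should run only from an authorised scanner host.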

From blog.gitguardian.com

Table of contents
- Three Surfaces, Three Secret Formats
- Kubernetes API Server
- Kubernetes Container Registries
- Public Leaks & Responsible Disclosures
- From Research to Product
