GitGuardian’s 5th State of Secrets Sprawl report is here. In this blog, we unpack the key findings behind the 2026 edition, from AI-driven leak growth to the remediation gaps security teams can’t ignore.

GitGuardian Blog provides insights, tutorials, and updates on secrets management, code security, and developer best practices. Covering topics such as credential leaks, code scanning, and secure development workflows, GitGuardian Blog offers resources for developers, security professionals, and DevOps teams. Readers can learn about detecting and preventing secrets exposure, securing code repositories, and implementing secure coding practices through GitGuardian's articles and security guides.

GitGuardian

GitGuardian's 2026 State of Secrets Sprawl report reveals 28.65 million hardcoded secrets were added to public GitHub in 2025, a 34% year-over-year increase. AI service secret leaks surged 81%, with 8 of the 10 fastest-growing leak categories tied to AI services. LLM infrastructure (RAG, orchestration, vector storage) leaked 5× faster than core model providers. Claude Code-assisted commits showed a 3.2% secret-leak rate vs. a 1.5% baseline. MCP configuration files exposed 24,008 unique secrets, partly because official documentation encourages unsafe hardcoding patterns. Internal repos are 6× more likely than public ones to contain secrets, and 28% of incidents originate outside code repositories in tools like Slack and Jira. Analysis of 6,943 compromised developer machines found nearly 295,000 secret occurrences, with 59% of compromised machines being CI/CD runners. Critically, 64% of secrets confirmed valid in 2022 remain exploitable today, highlighting a severe remediation gap. The report calls for NHI governance frameworks covering ownership, access scope, and lifecycle management.

The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% and 29M Secrets Hit Public GitHub

Developer workstations are now a prime target for secrets theft

64% of valid secrets from 2022 are still active and exploitable