Secrets Sprawl in GitHub Repositories

What is secrets sprawl?

Secrets, including API keys, passwords, encryption keys, and other credentials, are critical components of modern software operations, which makes managing them a top priority for development and security teams. Secrets sprawl is the spread of those secrets across various environments, tools, and repositories. When left unchecked, this sprawl can be intensely frustrating for developers and introduce significant platform vulnerabilities for security teams.

The developer’s perspective

For developers, working with secrets is a very common aspect of the development pipeline. Poor secrets management practices that lead to extensive secrets sprawl have a number of frustrating effects:

• Time wasted: Extended secrets sprawl increases the time developers spend managing secrets, whether they are debugging mismatches, tracking down secrets in the sprawl, or attempting to revoke or rotate credentials.
• Insecure practices: To save time, developers insert secrets directly into their code or share sensitive files via insecure methods like email or messaging platforms. While these shortcuts reduce immediate frustration, they create significant security risks.
• Management overhead: When secrets are scattered across various repositories, services, and environments, even routine tasks like updating or revoking a secret become cumbersome and error-prone.
• Accidental leaks: The more widespread and unmanaged secrets are, the higher the likelihood of unintentional exposure, whether through forgotten debug logs, outdated repositories, or misconfigured access controls.

Secrets sprawl in Git commits

A common avenue for leaked secrets is through the near ubiquity of open-source code. Around 90% of code currently in production is open-source, and while open-source code is highly useful, it’s also publically available. This means that any secrets accidentally committed to a repository are potentially available to anyone with the tools to scan for and leverage exposed secrets. If developers accidentally include secrets in their commits, they’ve instantly introduced a security vulnerability. As you might imagine, The frequency of leaked secrets in GitHub commits only increases with secrets sprawl.

GitGuardian, a service that scans github commits to alert authors of leaked secrets in their commits, published a report including a number of concerning statistics regarding the frequency of accidentally leaked secrets.

Even in an age where tech development already seems widespread, the report shows that development is only increasing. GitGuardian noted there were 50 million new code repositories on GitHub, a 22% increase from the year before. Unsurprisingly, the number of new leaked secrets was up 28%, reaching a figure well over 12 million. There are a ton of figures in the report, and I recommend any reader take their own look at, but here are a few I thought were of particular note:

• More than 1 in 10 commit authors leaked a secret
• 4.6% of active repositories leaked a secret

From a hacker’s perspective, secrets sprawl is a goldmine. When system vulnerabilities are presented directly to them, hackers have little need to search for infrastructural weaknesses to exploit or set up elaborate phishing scams.

Lack of remediation

Perhaps even more troubling than the number and frequency of secrets leaked in public repositories is their subsequent lack of remediation. GitGuardian sends notices to commit authors after they detect secrets, so the authors can rotate those secrets and make sure to keep them out of future versioned commits, yet little is done.

GitGuardian’s data underscores the magnitude of this issue: 90% of exposed valid secrets remain active for at least five days after the notice is delivered, illustrating the lack of remediation practices in place.

Combatting secrets sprawl and leaked secrets

The first step in combating poor secrets management is equipping your team with the proper tools. Implementing these tools at the development level is incredibly important to reducing sprawl and preventing leaked secrets in GitHub commits. Here are key practices to consider:

1. Adopt a shift-left security approach Integrating security practices early in the software development cycle is essential. By embedding secrets detection tools directly into developers’ workflows, such as within IDEs or CI/CD pipelines, organizations can catch potential leaks before they are committed to a repository. This proactive approach reduces risk and minimizes the cost and complexity of remediation.
2. Centralize secrets management Use a centralized secrets management platform as a single source of truth for sensitive information. By consolidating secrets into a secure, managed system, organizations can track and audit secrets usage to identify anomalies, simplify and secure the sharing, updating, and rotating of secrets across teams, and standardize access controls to implement the principle of least privilege. Centralization greatly reduces the risk of secrets sprawl.
3. Automate secrets rotation and revocation Manual secrets management is inherently error-prone and inefficient, especially at scale. Automation tools, like those offered by Doppler, enable organizations to rotate secrets regularly, instantly revoke credentials, and keep secrets synchronized across development environments without manual intervention. Features like these reduce the burden of secrets management on developers.
4. Use tools designed for secrets detection and management Tools like GitGuardian and others continuously scan repositories for exposed secrets and alert developers to potential vulnerabilities. Doppler provides a developer-first platform to securely manage and distribute secrets across environments, enhancing both security and efficiency and decreasing the risk of committing secrets to GitHub.

Get the tools to fix your secrets sprawl

With millions of new repositories created each year and a growing number of leaked secrets, organizations must take decisive action to secure their sensitive information.

By implementing a comprehensive secrets management solution, organizations can:

• Reduce the risk of unauthorized access and data breaches.
• Streamline development workflows and enhance productivity.
• Ensure compliance with industry regulations and best practices.

Ultimately, secrets are called “secrets” for a reason—they are meant to be protected. By prioritizing secrets management in the development pipeline, organizations can safeguard their assets, protect their reputations, and build a more secure digital future. Check out how Doppler can help you secure your development pipeline!