‘Increasing number of secrets leak in public GitHub repositories’

The number of secrets leaked in public GitHub repositories is higher than ever. A report puts the number of new leaks in 2023 at 12.8 million.

12.8 million secrets were not properly shielded in public GitHub repositories in 2023. As a result, sensitive data is visible to everyone. Among the leaked data are, for example, login credentials that accidentally get into the code.

This figure only shows how many insufficiently protected secrets were added over the span of one year. The total number of exposed secrets is higher, because developers do not always act after the risk is reported to them, according to a report by GitGuardian.

GitGuardian monitors the situation on GitHub annually and specializes in discovering secrets in source code. The report can, therefore, provide insight into how the situation is changing. It does not look too good, as the situation is said to have never been worse.

Disproportionate growth

The number of leaks grew faster last year than the number of public repositories: 28 percent more leaks were discovered, compared to a 22 percent increase in the number of public repositories.

GitGuardian reported the 12.8 million new leaks to those responsible. The notifications did not prompt a quick response, however: 90 percent of the secrets remained visible for at least five more days. According to the report, developers still have room for improvement in this area.

Solution not freely available

GitHub is aware of the problems and is monitoring the situation closely. One solution the platform offers is push protection. This feature blocks publication if secrets are found.

This solution has two problems. First, it only scans for a limited, predefined set of secret patterns. Second, the feature is only available in the paid GitHub Advanced Security service.
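The push-protection mechanism described above, and the limitation that pattern-based detectors only catch secrets whose format is already known, can be illustrated with a small pre-push scanner. This is an added example, not GitHub's or GitGuardian's code: the `ghp_` token prefix is public knowledge, while the sample lines, the `high_entropy_assignment` detector and its 3.5 bits/char threshold are constructed here.

```python
import math
import re

# Predefined detectors, in the spirit of the fixed pattern list the article
# describes. Only formats listed here can ever be found.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Heuristic fallback (constructed for this example): a credential-looking
# assignment whose quoted value is long and random-looking.
ASSIGNMENT = re.compile(
    r"""(?i)(password|secret|token|api_key)\s*[=:]\s*["']([^"']{12,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character, chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_line(line: str, use_entropy: bool = False) -> list:
    """Return the names of the detectors that fire on one added line."""
    hits = [name for name, pat in KNOWN_PATTERNS.items() if pat.search(line)]
    if use_entropy:
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
            hits.append("high_entropy_assignment")
    return hits


def scan_diff(added_lines, use_entropy=False) -> dict:
    """Map line number -> detectors for every line that should block a push."""
    blocked = {}
    for number, line in enumerate(added_lines, 1):
        hits = scan_line(line, use_entropy)
        if hits:
            blocked[number] = hits
    return blocked


# Constructed sample of lines added in a commit; no real credentials.
SAMPLE_ADDED_LINES = [
    'GITHUB_TOKEN = "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE00000000"',
    'DB_PASSWORD = "x7Qp!9vLm2#zRt4w"',
    "timeout = 30",
]

if __name__ == "__main__":
    print(scan_diff(SAMPLE_ADDED_LINES))                    # pattern-only: line 1
    print(scan_diff(SAMPLE_ADDED_LINES, use_entropy=True))  # lines 1 and 2
```

With patterns alone the generic database password on line 2 passes through unnoticed, which is exactly the gap a fixed detector list leaves; the entropy heuristic closes it at the cost of more manual review.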