GitGuardian Secrets Sprawl 2025: 70% of 2022 Leaks Still Live
GitGuardian's 2025 report counted 23.8 million secrets leaked on public GitHub in 2024, up 25% year-over-year. 70% of secrets leaked in 2022 are still active. 100,000 valid secrets were found inside public Docker images — including AWS keys and GitHub tokens belonging to Fortune 500 companies.
Key Finding
Leak detection without rotation discipline is theatre. The credentials are out there; the question is whether they are still valid when an attacker picks them up.
GitGuardian's State of Secrets Sprawl 2025 catalogued credentials exposed on public GitHub during 2024. The headline number — 23.8 million new secrets, a 25% rise — is less interesting than the persistence figure: 70% of secrets leaked back in 2022 remained exploitable in 2025. Most leaked credentials are not rotated when discovered, either because the leak is never detected by the issuing organisation, or because rotation is judged too operationally expensive.
A separate analysis of 15 million public Docker images turned up 100,000 valid secrets, including AWS access keys and GitHub tokens tied to Fortune 500 organisations. The pattern is the same as in source repositories: hardcoded credentials accumulate over time, container images get republished without re-baking, and the resulting credential graveyard is freely searchable.
The architectural fix is not better detection. The fix is shorter-lived credentials — workload identity, short-rotation OIDC tokens, just-in-time secret retrieval, and the explicit prohibition of static long-lived secrets in any new system. Detection then becomes a backstop for the residual legacy population, not the primary control.
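As an added example (not from the report or from GitGuardian's tooling), the following Python routine makes the persistence point operational: it scans a constructed Dockerfile for AWS key ids and GitHub tokens, then checks each hit against an assumed credential inventory to decide whether the leaked secret is already dead, will expire on its own, or is a static secret overdue for rotation. The regexes, the inventory format and all sample values are assumptions; the AWS key id is the one used in AWS documentation.

```python
import hashlib
import re
from datetime import date, timedelta

# Patterns for the two credential kinds the report singles out (assumed, not GitGuardian's).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

def fingerprint(secret):
    """Stable id so reports and logs never carry the raw secret value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def scan(text):
    """Find candidate secrets in text (Dockerfile, env file, extracted image layer)."""
    return [{"kind": kind, "fingerprint": fingerprint(m.group(0))}
            for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]

def triage(findings, inventory, today, max_static_age_days=90):
    """Classify each finding by whether the credential is still usable.
    inventory: fingerprint -> {"issued": date, "expires": date or None, "revoked": bool}.
    No expiry means a static long-lived secret, the population that stays live for years."""
    results = {}
    for f in findings:
        rec = inventory.get(f["fingerprint"])
        if rec is None:
            status = "unknown-origin"  # not tracked: escalate, cannot prove it is dead
        elif rec["revoked"] or (rec["expires"] and rec["expires"] <= today):
            status = "dead"  # the leak is harmless now
        elif rec["expires"] is None:
            age = (today - rec["issued"]).days
            status = "live-static-overdue" if age > max_static_age_days else "live-static"
        else:
            status = "live-expiring"  # short-lived token, dies on its own
        results[f["fingerprint"]] = (f["kind"], status)
    return results

# Constructed sample: AWS's documented example key id and a dummy GitHub token.
DUMMY_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DUMMY_GH_TOKEN = "ghp_" + "a" * 36
SAMPLE_DOCKERFILE = ("FROM python:3.12\nENV AWS_ACCESS_KEY_ID=" + DUMMY_AWS_KEY
                     + "\nENV GITHUB_TOKEN=" + DUMMY_GH_TOKEN + "\n")
TODAY = date(2025, 3, 1)
# Constructed inventory: static AWS key issued in 2022, GitHub token that expires tomorrow.
SAMPLE_INVENTORY = {
    fingerprint(DUMMY_AWS_KEY): {"issued": date(2022, 6, 1), "expires": None, "revoked": False},
    fingerprint(DUMMY_GH_TOKEN): {"issued": TODAY, "expires": TODAY + timedelta(days=1), "revoked": False},
}

def run_sample():
    """Triage the constructed Dockerfile against the constructed inventory."""
    return triage(scan(SAMPLE_DOCKERFILE), SAMPLE_INVENTORY, TODAY)
```

Only the "live-static-overdue" bucket needs a rotation ticket; the "dead" and "live-expiring" buckets are what a short-lived-credential architecture turns most findings into.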