Massive Exposure of More Than Seventeen Thousand Secrets Found in Public GitLab Repositories


A large-scale investigation into public GitLab Cloud repositories has uncovered a significant and alarming security problem. A security researcher scanned millions of publicly accessible repositories and discovered more than seventeen thousand exposed secrets. These secrets included active API keys, access tokens, private keys and passwords that could grant unauthorized access to cloud platforms, business applications, development environments and even internal company systems.

This discovery highlights a persistent and dangerous issue in today’s development ecosystem. Public source code repositories continue to leak sensitive information at scale, and attackers are increasingly automating the harvesting of these secrets. For organizations relying on GitLab Cloud, this finding demonstrates that a single overlooked commit can unintentionally expose critical infrastructure.


How the Secrets Were Discovered


The researcher carried out the investigation by using GitLab’s public application programming interface to enumerate every public repository hosted on the platform. More than five million repositories were identified and fed into a scanning pipeline built on a cloud-based serverless infrastructure.

A queueing system was used to process each repository efficiently. Each repository name was pushed into a cloud queue, and a serverless function retrieved these entries and scanned them using an automated secret detection tool. The tool inspected files for sensitive data patterns such as credential structures, private key markers, authentication tokens and configuration keys used by common cloud providers.

The entire operation ran for roughly one day and produced a large dataset of exposed secrets. More than seventeen thousand of the detected secrets were confirmed to be live and active, meaning they could be used immediately to authenticate into services or environments belonging to the owners of the repositories.


What the Research Revealed


The findings were more severe than expected. The density of exposed secrets within GitLab repositories was significantly higher than similar audits conducted on other code hosting platforms. The secrets were spread across thousands of projects, ranging from personal repositories to enterprise codebases.

Many of the exposed credentials were directly tied to cloud infrastructure. These included cloud provider access keys, continuous integration tokens, storage access credentials, identity tokens and keys associated with third-party services. Because these were active secrets, an attacker could have used them to access sensitive data, deploy malicious code, manipulate development pipelines or pivot deeper into an organization’s environment.

This level of exposure also raises concern for supply chain security. Public repositories containing leaked credentials can be used to compromise software development pipelines, manipulate builds or introduce backdoors into libraries and dependencies distributed to other organizations.


Why This Matters for Development and Security Teams


The discovery emphasizes that secrets management remains one of the weakest points in modern software development. Hardcoded credentials often end up inside repositories due to convenience, misconfiguration or developer oversight. Once committed, even for a moment, they become part of the version history and can be accessed publicly forever unless fully removed and rotated.

For security teams this means the attack surface is significantly larger than most organizations assume. Public repositories must be treated with the same caution as internet-exposed services. No secret should ever be committed to source control. This includes personal projects, shared experiments and legacy repositories that developers may have forgotten about.

Organizations must adopt a defense strategy that includes:

• Automated secret scanning in every development and deployment pipeline
• Strict policies preventing the use of hardcoded credentials
• Continuous rotation of keys and tokens
• Centralized secret vaults and environment-variable-based authentication
• Organization-wide training on secure coding hygiene

These measures ensure that even if credentials accidentally appear in code, automated systems catch the exposure before attackers do.
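As an added illustration of the detection step described above and of the first measure in the list, here is a minimal secret scanner of the kind a CI job or pre-commit hook would run. It is example code written for this page, not the researcher's pipeline or any GitLab tooling; the regex shapes, the entropy threshold and every value in the sample file are assumptions or constructed data.

```python
import math
import re
import sys
from pathlib import Path

# One regex per secret class the article mentions (assumed, illustrative shapes;
# a production scanner ships hundreds of rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic 'password = "..."' style assignments; the quoted value is group 1.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, placeholders score low."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def scan_text(text: str, path: str = "<memory>", entropy_threshold: float = 3.5):
    """Return (path, line_number, rule) for every line that looks like a secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, regex in PATTERNS.items():
            match = regex.search(line)
            if not match:
                continue
            # Low-entropy generic values such as "changeme" are placeholders,
            # not live credentials; reporting them would only add noise.
            if rule == "generic_assignment" and shannon_entropy(match.group(1)) < entropy_threshold:
                continue
            findings.append((path, number, rule))
            break  # one finding per line is enough to fail the build
    return findings

# Constructed sample file; every value below is fabricated for this example.
SAMPLE_CONFIG = """\
# constructed sample, not a real repository file
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
database_password = "changeme"
api_token = "glpat-ConstructedSample000"
signing_secret = "q7Zp2vX9mK4rT8wL1nB6"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py <file>...; with no arguments the sample is scanned.
    targets = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]]
    hits = [f for p, text in targets or [("constructed.env", SAMPLE_CONFIG)] for f in scan_text(text, p)]
    for path, number, rule in hits:
        print(f"{path}:{number}: {rule}")
    sys.exit(1 if hits else 0)  # a non-zero exit code blocks the pipeline stage
```

Run as a CI job, a non-zero exit stops the commit from being deployed; the "changeme" line is deliberately skipped to show why entropy filtering matters for false positives.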


The Larger Impact on Cloud and Infrastructure Security


The exposure of thousands of active credentials across GitLab shows how easily attackers can gain unauthorized access to cloud environments. A single leaked access key can be used to read or modify sensitive data, manipulate cloud configurations, or deploy malicious workloads.

In cloud-native architectures, where services constantly communicate with each other using keys and tokens, the value of these secrets cannot be overstated. If an attacker gains access to them, they may bypass traditional perimeter defenses entirely. This makes exposed secrets one of the most powerful weapons in the hands of cybercriminals.

The event also serves as a reminder that organizations must take supply chain security seriously. An attacker who compromises one developer’s repository can potentially compromise every downstream product, integration or dependency connected to it.


Conclusion

The discovery of more than seventeen thousand active secrets in public GitLab repositories is a clear signal that credential exposure is a widespread and ongoing problem. As cloud adoption grows and development speeds increase, secret leakage becomes more frequent and more dangerous. The only effective defense is to integrate secret hygiene deeply into the culture of development and security.

Automated scanning, secure storage practices, key rotation and continuous auditing are essential. Organizations cannot rely on developers remembering to protect credentials. Security must be built into the workflow at every stage.
