AI leaks your company’s code secrets faster than ever
Summary
GitGuardian's "State of Secrets Sprawl" report, published in March, revealed a critical surge in hardcoded secrets, with 28.65 million new instances found in public GitHub commits during 2025. This represents a 34% increase from 2024, marking the largest single-year jump ever recorded. The report firmly attributes this escalation to AI coding, noting that eight of the ten fastest-growing types of leaked secrets are linked to AI services, with LLM infrastructure leaking five times faster than core model providers. Specifically, developers using Claude Code leak secrets at twice the baseline rate, with Claude Code and OpenClaw being major contributors to these leaks. The problem extends to internal repositories, which hold six times more secrets than public ones, as exemplified by the Red Hat Consulting GitLab breach in September. Alarmingly, 64% of secrets leaked in 2022 remain valid and vulnerable, indicating a widespread failure to remediate these exposures.
Key takeaway
For AI Security Engineers overseeing development, the escalating rate of hardcoded secrets due to AI coding demands urgent attention. Your current secret detection methods are insufficient if 64% of leaks remain valid. You must implement robust preventative processes to block secret commits, educate your teams on secure credential management, and reduce over-reliance on AI bots for security-critical code. Prioritize security over development convenience to mitigate severe data breaches.
Key insights
AI coding tools significantly accelerate the hardcoding and leaking of sensitive secrets, creating widespread vulnerabilities.
Principles
- AI coding bots lack competence in secure secret management.
- Internal repositories do not provide a sufficient security boundary.
- Over-reliance on AI tools can degrade core developer security skills.
Method
First, understand the specific secret sprawl problem, then establish processes to prevent secret commits, and ensure developers comprehend the risks.
In practice
- Scan all code repositories for hardcoded secrets.
- Implement automated secret detection and remediation.
- Educate developers on secure credential handling.
Topics
- AI Coding Security
- Secret Sprawl
- Hardcoded Credentials
- GitHub Security
- LLM Infrastructure
- Code Repository Management
Best for: CTO, VP of Engineering/Data, AI Architect, Software Engineer, AI Security Engineer, Director of AI/ML
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Pivot to AI.