CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!
Secrets and secrets sprawl

Table of content

Secrets sprawl best practices

What makes secrets sprawl such a common problem?

We know that secrets are necessary to tie together different components of an application. Development and Operations teams need constant access to these secrets to build, connect, test and deploy applications. As a result, secrets represent a special type of information that needs to be both tightly-wrapped and widely-distributed.

It is no secret that enforcing good security practices at the organization level is hard. Developers today are faced with large turnover inside companies, and are often spread across many different teams and geographies. They must master a growing number of technologies and are under increasing pressure due to shortened release cycles. This makes secret management very complicated and an ever-changing challenge.

This is further complicated when VCS like git are introduced because secrets can be buried deep inside the history. The current version of source code might look clean, while the history might contain credentials that were added, removed, and then completely forgotten about. Valid secrets in the git history represent a real threat and any secret that reaches the VCS must be considered compromised.


What are some of the best practices to securely manage secrets like API keys?

Storing and managing secrets like API keys and other credentials can be challenging. Even the most careful policies can sometimes be circumvented in exchange for convenience. We have put together a helpful cheat sheet and article explaining the best practices for managing secrets.

As a minimum here are some points you should consider:

  • Never store unencrypted secrets in git repositories
  • > Avoid `git add *` commands on git
  • > Add sensitive files in .gitignore
  • > Don’t rely on code reviews to discover secrets
  • > Use automated secrets scanning on repositories
  • Don’t share your secrets unencrypted in messaging systems like Slack
  • Store secrets safely (method to be used depends on every use case)
  • > Default to minimal permission scope for APIs
  • > Whitelist IP addresses where appropriate
  • > Use short-lived secrets


What is the state of secrets sprawl on GitHub?

At GitGuardian, we’ve been monitoring every single commit pushed to public GitHub since July 2017. Three and a half years later, we’ve uncovered millions of secrets and millions of pro bono alerts to developers. The State of Secrets Sprawl report measures this exposure of secrets within public repositories on GitHub and how this serious threat is evolving year to year. It also includes an in-depth study on the state of secrets sprawl in corporate repositories and Docker Hub.

Download the full Report!

Download the report to gain valuable insights into how companies with the strongest security postures successfully tackle this challenge.

Download the Report