Security

GitGuardian 2026: 28.65M new secrets, Claude Code commits leaking at 2x baseline

Jorge de los Santos, CTO & Co-Founder · June 3, 2026 · 13 min read

GitGuardian's annual report: 28.65M new hardcoded secrets in public GitHub in 2025 (+34% YoY). AI-service leaks surged 81%. Claude Code co-authored commits leak at 3.2% — more than double the 1.5% baseline. 24,008 secrets sit in public MCP config files.

GitGuardian 2026: 28.65M new secrets, Claude Code commits leaking at 2x baseline

The 2026 Secrets-Sprawl Numbers Are Sharp Enough to Change the Operating Assumption

GitGuardian’s annual “State of Secrets Sprawl 2026” landed at the end of March 2026 with the cleanest empirical case the agentic-DevOps category has had for treating secrets management as a continuous-reconciliation workload rather than a periodic scan-and-rotate workload.

The headline numbers tell the story. 28,649,024 new hardcoded secrets landed in public GitHub commits in 2025 — a 34% year-over-year increase and the largest annual jump in the report’s history. Public GitHub commit volume climbed to roughly 1.94 billion (+43% YoY), the developer population grew 33%, and yet secrets are leaking at 1.6x the rate the developer population is growing — and have been since 2021. AI-service-tied secrets surged 81% to 1,275,105 detections in 2025. Claude Code co-authored commits leak secrets at 3.2% — more than double the 1.5% baseline across all public GitHub commits, and a number whose denominator went from 22 Claude Code co-authored commits in January 2025 to roughly 2.16 million in December. 24,008 unique secrets are sitting in public MCP-config files, with 2,117 of them already confirmed valid — a brand-new exposure class that did not exist as a measurable category in the 2025 report. And the institutional-memory number: 64% of valid secrets first detected in 2022 are still not revoked in 2026 — four years on, on the customer side of the secrets-management shared-responsibility line, after every detection notification, after every CI-pipeline failure, after every vendor-side rotation prompt.

Read together, the four numbers describe a workload that has outgrown the human-led secrets-management workflow on every measurable axis: rate of new exposures, AI-tool-driven exposure multiplier, novel-surface-area count, and historical-remediation-completion lag. The structural lesson is the same one the batch 29 coverage of the Harness “AI Velocity Paradox” data made for the deployment pipeline: AI coding tools have multiplied the front-of-pipeline output rate, the operational tier at the back of the pipeline has not modernized to absorb the load, and the engineers in the middle of the pipeline are reporting that current ways of working are not sustainable. The GitGuardian 81%-AI-service-leak-surge number is the secrets-side data companion to the Harness 81%-unsustainable number on the deployment side.

The shape that responds to the rate is the same on both sides of the comparison: the active operational layer — a coordinated team of specialized agents that absorbs the continuous-reconciliation workload, with BYOK pricing on the model keys, capability-tier governance on every remediation, and an immutable audit trail across every revocation.

What Continuous Secrets Reconciliation Actually Demands of a Platform Team

Five concrete obligations sit on the customer side of the secrets-management shared-responsibility line once the GitGuardian-level rate of exposure is taken as the operating assumption. None of them is satisfied by “we run a secrets scanner on the pre-commit hook.”

1. Continuous secrets discovery across every surface the customer’s developers touch. Not just the git repository surface. Also the AI-coding-tool surface (Claude Code, Cursor, GitHub Copilot, Windsurf, JetBrains AI Assistant, Anthropic’s Claude Sonnet 4.6 in every IDE-host configuration), the MCP-config-file surface (the 24,008-unique-secrets surface that the 2026 report measured for the first time), the workflow-automation surface (n8n / Zapier / Make.com / Pipedream control-plane stored credentials — a class the n8n CVE-2025-68613 KEV listing put on the public record this quarter), the CI/CD pipeline surface, the collaboration-tool surface (~28% of incidents originate from leaks in collaboration and productivity tools, not just repositories), the package-registry surface, the container-image-layer surface, and the runtime-cloud-service surface. Every surface where a credential can land is a surface that needs continuous discovery.

2. Per-secret validity verification at discovery time, not at rotation time. A secret that has been pasted into a repository, an MCP config file, or a workflow-automation stored credential is not the same as a secret that is in active use against the upstream API. The 2,117-confirmed-valid number out of 24,008 unique MCP-config secrets is roughly an 8.8% valid-secret rate — small enough that scanning without validation produces 91.2% noise, large enough that 2,117 live valid secrets in publicly discoverable MCP config files is a four-figure-incident-count posture on a single surface. Validity verification has to be part of the discovery primitive, not a separate downstream workflow.

3. Per-secret revocation-and-rotation orchestration with the upstream provider. Discovery without revocation is not remediation. The 64%-still-unrevoked-after-four-years number out of the 2022 valid-secret cohort is the customer-side institutional-memory failure. Every detected valid secret has to land in a revocation queue that drives the upstream provider’s revocation API (AWS IAM, GitHub PAT API, Stripe API, OpenAI API, Anthropic API, Google Cloud IAM, Azure AD, the long tail of vendor APIs), captures the revocation receipt in the audit trail, triggers the rotation workflow against the consuming systems, and confirms the rotation took effect downstream. None of those steps is a one-call workflow; the orchestration is the work.

4. Per-secret blast-radius reconciliation against the deployed-asset inventory. When a valid secret is discovered, the platform team needs to know what the secret can do across the customer’s deployed footprint. Which IAM bindings does it inherit. Which managed-service surfaces does it have access to. Which workflow-automation control planes hold a copy of it. Which CI/CD pipelines reference it. Which production systems have it cached. The blast-radius calculation is the input to the revocation prioritization — and is itself a continuous-reconciliation workload because the deployed-asset inventory is changing continuously.

5. Immutable audit-trail entry for every discovery, every validation, every revocation, every rotation, and every exception. Internal audit, external auditors, cyber-insurance underwriting, federal-contracting compliance chains, and the customer’s own quarterly security-posture review all increasingly anchor against the auditor-readable artifact for every secret-management action. The audit trail is not a side effect — it is the load-bearing deliverable for every remediation cycle.

Each of the five obligations is a continuous workload. The aggregate workload is a multiple of what any reasonably-sized platform-engineering team can absorb by hand at the 2026 rate of new exposures. The 2026 secrets-management posture is the active operational layer.

Why AI Coding Tools Specifically Multiply the Workload (and Specifically Justify the Operational-Layer Response)

The GitGuardian numbers attribute the 2025 acceleration to two specific mechanisms that the agentic-DevOps category has been arguing for explicitly through the spring.

Mechanism one: AI coding tools normalize hardcoded credentials in generated code. When an AI coding tool produces a code sample that calls an API, the path of least resistance for the model is to inline the credential at the call site. Best-practice prompting (use environment variables, use the platform’s secrets manager, use the IDE’s credential proxy) has to be enforced by the tool host or the customer’s coding standard; the model itself defaults to the inline path. The 3.2% leak rate on Claude Code co-authored commits versus the 1.5% baseline is the empirical signature of that default. The same signature shows up across every AI coding tool measured in the GitGuardian dataset.

Mechanism two: MCP normalizes hardcoded credentials in tool-server configs. The Model Context Protocol that emerged across 2025 as the standard interface for AI assistants to call external tools and data sources also normalized a credential-handling pattern: the MCP server config file embeds the credentials the agent needs to call the underlying API. Official setup guides for many MCP servers walk the developer through inlining the credential directly into the config. The 24,008-unique-secrets number in public MCP-config files is the measurable consequence of that normalization, against a sample of the public GitHub commit set — that is, on the part of the MCP-config-file surface that is on public GitHub. The wider exposure surface includes the entire universe of MCP-config files that live on developer laptops, in private repositories, in internal package registries, and on the workflow-automation control plane.

Both mechanisms are products of the AI-tool ecosystem itself. Neither will be reduced by exhortation. The mitigation has to live in the operational layer — at the customer’s continuous-discovery, continuous-validation, continuous-revocation surface, expressed as agent capability rather than as developer-side discipline.


See the IAN team run on your cloud. We connect to your AWS account via a scoped read-only role, run the Observe-tier agents, and leave you with a concrete audit report — cost waste, security exposure, compliance gaps, and a labor-offset estimate. You keep the findings regardless of next steps. Get a free infrastructure audit →


What the GitGuardian 2026 Data Means for the Platform-Engineering Roadmap

Four operational questions the GitGuardian report shifts for the 2026 platform-engineering roadmap.

  • Secrets management is now a continuous-reconciliation workload, not a one-time-scan workload. The 1.6x-per-year secrets-leak-rate-versus-developer-population-growth trend has held since 2021. The 2026 rate is not the new floor — the trajectory says 2027 is higher. The roadmap question is not “should we have secrets scanning” — it is “where does the continuous-reconciliation workload live operationally, and what is the agent-team shape that absorbs it?”
  • The exposure surface set has grown. MCP-config files and workflow-automation control planes are first-class surfaces now. The 2025 report did not measure MCP-config files as a category; the 2026 report measured 24,008 unique secrets on the surface with 2,117 already confirmed valid. The 2027 report will measure additional surfaces that do not yet have a category. The roadmap question is “how do we add a new exposure surface to the continuous-reconciliation loop in days, not quarters?”
  • Validity verification belongs at the discovery primitive, not at the rotation workflow. The 91.2% noise floor on unvalidated MCP-config scans is too high for a human-led triage queue. The roadmap question is “which secrets are live against the upstream provider right now, and how do we tier the remediation queue against that signal?”
  • The 64%-unrevoked-after-four-years number is the institutional-memory deliverable. The roadmap question is “where does the per-secret revocation queue live, who drives it forward, and how does the audit trail prove that valid secrets get revoked within the customer’s stated SLA?” The answer in 2026 is a coordinated team of specialized agents on the active operational layer.

The four shifts together are the difference between a 2026 platform-engineering roadmap that bets on developer-side discipline plus a pre-commit scanner and a 2026 platform-engineering roadmap that runs continuous secrets reconciliation as a first-class workload of the platform team’s agent fabric.

The Secrets-Reconciliation Posture Crosses Two Agent Pillars

The continuous secrets-reconciliation workload sits at the intersection of two agent pillars on the active operational layer.

  • Security agent. Watches the customer’s repository, AI-coding-tool, MCP-config, workflow-automation, CI/CD, collaboration-tool, package-registry, container-image, and runtime-cloud-service surfaces in real time. Detects every new secret exposure with the discovery primitive. Validates every detection against the upstream provider with the validity-verification primitive. Drives the revocation queue against the upstream provider’s revocation API. Triggers the downstream rotation workflow. Captures the audit-trail entry for every step. Surfaces unsafe gaps (a valid secret that has not been revoked within the customer’s stated SLA, a high-blast-radius secret on a low-priority queue) as Operate-tier remediation candidates.
  • Resource-operations agent. Maintains the live deployed-asset inventory the security agent reads to compute the per-secret blast-radius calculation. Every IAM binding, every managed-service surface, every workflow-automation control plane, every CI/CD pipeline reference, every production-system cache that holds a credential is captured in the inventory with the per-asset version, the per-asset tag set, and the per-asset compliance binding. The inventory is the input the security agent reads to prioritize the revocation queue.

The two agents work as a coordinated team. A security agent that surfaces the secret detection without the resource-operations agent’s inventory has no blast-radius calculation. A resource-operations agent that maintains inventory without the security agent’s discovery stream has no signal that a particular asset just became part of a credential’s blast radius. The 2026 secrets-management shape is the two pillars working together on the same operational fabric, against the same continuous-reconciliation queue.

How IAN Helps: The Security and Resource-Operations Agents on the Active Operational Layer

IAN is the AI DevOps team for cloud infrastructure, delivered as a coordinated team of specialized agents on the active operational layer. The GitGuardian 2026 data is the empirical case for the category IAN has been building toward.

  • Security agent secrets channel. The security agent runs continuous secrets discovery across the customer’s connected repository, AI-coding-tool, MCP-config, workflow-automation, CI/CD, collaboration-tool, package-registry, container-image, and runtime-cloud-service surfaces. Every detection is validated against the upstream provider’s verification surface. Validated secrets are surfaced as Observe-tier audit-trail entries with an Operate-tier remediation PR against the customer’s secrets-management policy and a per-secret revocation orchestration against the upstream provider.
  • Resource-operations agent deployed-asset inventory. The resource-operations agent maintains a live inventory of every IAM binding, every managed-service surface, every workflow-automation control plane, every CI/CD pipeline reference, every production-system cache, and every container-image layer across the connected accounts. Each entry captures the per-asset tag set, the per-asset version, the per-asset compliance binding, and the per-asset reachability calculation. The inventory is the input the security agent reads to compute every per-secret blast-radius calculation and prioritize the revocation queue.
  • Capability-tier governance on every secrets action. Observe-tier scans (continuous discovery, continuous validation, continuous inventory maintenance) run automatically. Operate-tier remediations (revocation queue execution, rotation-workflow trigger, secrets-policy drift correction) require pre-authorization once. Administer-tier actions (high-blast-radius revocation against production credentials, organization-wide secrets-policy edits, separation-of-duties policy edits) require explicit human approval with separation-of-duties.
  • BYOK on model keys. Customers bring their own Anthropic / OpenAI keys. The agent layer does not see continuous secrets reconciliation as an LLM-call-markup opportunity. Pricing is usage-based on orchestration actions, with a monthly minimum.
  • Immutable audit trail. Every discovery, every validation, every revocation, every rotation, every exception, every Administer-tier approval lands in the customer’s per-tenant audit-trail store. The audit trail is the reconciliation artifact for internal audit, external auditors, cyber-insurance underwriting, federal-contracting compliance, and the customer’s own quarterly security-posture review.

The Three-Phase Rollout

Phase 1 — Observe the secrets-management posture across the surface set. Run the security and resource-operations agents in Observe mode against the connected repository, AI-coding-tool, MCP-config, workflow-automation, CI/CD, collaboration-tool, package-registry, container-image, and runtime-cloud-service surfaces. Produce the per-surface secrets-discovery baseline, the per-secret validity verification result, the per-secret blast-radius calculation, the historical unrevoked-secret backlog, and the per-secret compliance-binding catalog. Two-to-four weeks.

Phase 2 — Codify the per-tier scope and promote to Operate-tier. Pre-authorize the Operate-tier scope for the revocation queue execution against the upstream providers, the rotation-workflow trigger against the consuming systems, and the secrets-policy drift correction across the surface set. Codify the per-secret blast-radius prioritization policy. Codify the Administer-tier approval policy for high-blast-radius production-credential revocation with explicit justification and separation-of-duties. Two-to-three months.

Phase 3 — Cross the security / resource / compliance agent loop. Every secret detection feeds the resource-operations agent’s tag-and-lifecycle pass. Every revocation feeds the deployment-agent’s release-window planner (in case the consuming system needs a coordinated re-deploy). Every audit-trail entry feeds the compliance-agent’s reconciliation pass. The team coordinates as a team. The cross-pillar context is the active operational layer.

The GitGuardian “State of Secrets Sprawl 2026” data is the empirical case. 28.65M new hardcoded secrets in 2025, 81% AI-service-leak surge, Claude Code co-authored commits at 2x the baseline, 24,008 unique secrets on a brand-new MCP-config-file surface, 64% of 2022 valid secrets still unrevoked four years on. The structural response is the active operational layer — a coordinated team of specialized agents that absorbs the continuous-reconciliation workload, with humans in the loop only where judgment matters. That is the shape IAN delivers.


Get a free infrastructure audit → | See pricing →

Next step: talk to the team

30 minutes. We'll look at your cloud together and scope what we'd take off your plate — see pricing.

Related Posts