The State of Secrets Sprawl 2026
Cybersecurity reports and statistics published by The State of Secrets Sprawl 2026
8 categories, 1 report
Recent Statistics & Reports
In 2025, 28.65 million new hardcoded secrets were found in new public GitHub commits, a 34% increase from the previous year.
5/27/2026
Hardcoded Secrets, GitHub
Internal repos are 6x more likely to contain hardcoded secrets than public ones.
5/27/2026
Internal Repos, Leaked Secrets
Leaks outside of the codebase are 13% more likely to be categorized as critical than secrets discovered inside the code.
5/27/2026
Leaked Secrets
Secrets found in self‐hosted, private GitLab instances and Docker registries were 3 to 4 times more likely to be valid.
5/27/2026
GitLab, Docker, Self-Hosted
28% of incidents originate entirely outside repositories—in Slack, Jira, Confluence, and similar tools.
5/27/2026
Leaked Secrets
Eight of the ten types of leaked secrets showing the sharpest increase year over year are tied to AI services.
5/27/2026
Leaked Secrets, AI Services
LLM infrastructure (orchestration, retrieval augmented generation (RAG), vector storage) is leaking 5x faster than core model providers.
5/27/2026
LLM Infrastructure, Code Model Providers, Leaked Secrets
Developers who rely on Claude Code to produce code and co‐author commits leak secrets at 2x the baseline rate.
5/27/2026
Claude Code, Leaked Secrets
MCP servers exposed 24,000+ secrets in their first full year of adoption.
5/27/2026
MCP, Leaked Secrets