banner1
Logo Blinking Image
banner2

HOME
Breaking News

Scan of 5.6 million GitLab repositories reveals over 17,000 exposed secrets

by VARINDIA 2025-12-02
Scan of 5.6 million GitLab repositories reveals over 17,000 exposed secrets

A large-scale audit of GitLab Cloud public repositories uncovered more than 17,000 active secrets across nearly 2,800 domains, raising fresh concerns over developer security practices and the widespread leakage of sensitive credentials on open platforms.

 

 

A sweeping security assessment of GitLab Cloud has revealed more than 17,000 live secrets unintentionally exposed in public code. Security engineer Luke Marshall conducted the scan using TruffleHog, an open-source tool designed to detect sensitive credentials such as API keys, tokens, and passwords. The review covered all 5.6 million public repositories on the platform, highlighting significant risks stemming from insecure coding and repository hygiene.

Automation enables 24-hour scan of millions of repositories

To execute the large-scale audit, Marshall leveraged GitLab’s public API to enumerate every public repository and channelled the data through Amazon Web Services for automated analysis. Repository names were queued through AWS Simple Queue Service, while AWS Lambda instances ran TruffleHog scans with high concurrency. This setup enabled the entire scan to finish in just over 24 hours at a cost of $770.

The findings reveal 17,430 verified secrets—nearly triple the number discovered in a previous Bitbucket audit—with a 35% higher density of exposed credentials. Some secrets dated back to 2009 and remained active, despite industry-wide efforts to improve secret management.

GCP keys lead exposed credentials; notifications trigger revocations

Google Cloud Platform keys accounted for the largest share of leaked secrets, followed by MongoDB credentials, Telegram bot tokens, OpenAI keys, and more than 400 GitLab API keys.

To alert affected organizations, Marshall deployed automated notification workflows using AI-assisted email generation. His disclosures led to multiple bug bounty rewards totalling $9,000. While many companies responded by revoking compromised keys, a number of exposed secrets still remain publicly accessible on GitLab.

 
er

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Manufacturers Block Ransomware as Attackers Pivot to Data Theft, says Sophos

Manufacturers Block Ransomware as Attackers Pivot to Data Theft, says Sophos

Securonix and Orient Technologies to deliver advanced AI-powered SIEM capabilities

Securonix and Orient Technologies to deliver advanced AI-powered SIEM capabilities

Datadog highlights new capabilities with AWS across AI, observability and security

Datadog highlights new capabilities with AWS across AI, observability and security

SOFTWARE
View All
Hirect’s Ex Co-Founder & India CEO Raj Das launches HiBOSS, a peer to peer hyperlocal hiring marketplace app

Hirect’s Ex Co-Founder & India CEO Raj Das launches HiBOSS, a peer to peer hyperlocal hiring marketplace app

SAP Learning Hub Enables Students to Shape the Future of the Digital Revolution

SAP Learning Hub Enables Students to Shape the Future of the Digital Revolution

Zendesk collaborates with AWS to deliver AI-powered contact center transformation

Zendesk collaborates with AWS to deliver AI-powered contact center transformation

START - UP
View All
Ultraviolette Raises $45 Million in Series E Round Backed by Zoho and Lingotto

Ultraviolette Raises $45 Million in Series E Round Backed by Zoho and Lingotto

Veza Eyes $1 Billion Sale as Demand for AI-Era Data Access Security Surges

Veza Eyes $1 Billion Sale as Demand for AI-Era Data Access Security Surges

Moonshot AI Challenges U.S. Rivals with Resource-Efficient Innovation

Moonshot AI Challenges U.S. Rivals with Resource-Efficient Innovation

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

wew
wrdf
Start-Up and Unicorn Ecosystem
CHANNEL LEADERSHIP AWARD FOR OEM'S 2025

CHANNEL LEADERSHIP AWARD FOR OEM'S 2025

EMINENT VARS OF THE YEAR 2025

EMINENT VARS OF THE YEAR 2025

TRAILBLAZERS OF CLOUD EXCELLENCE: HOW CRAYON IS POWERING INDIA’S NEXT WAVE OF PARTNER-LED INNOVATION

TRAILBLAZERS OF CLOUD EXCELLENCE: HOW CRAYON IS POWERING INDIA’S NEXT WAVE OF PARTNER-LED INNOVATION

Elitegroup’s satellite tech marks major milestone with successful Lilium-2 and Lilium-3 launch

Elitegroup’s satellite tech marks major milestone with successful Lilium-2 and Lilium-3 launch

Wipro to help Odido with AI-enabled end-to-end iT modernization

Wipro to help Odido with AI-enabled end-to-end iT modernization

Pichai Says ‘Vibe Coding’ Is Making Programming More Fun

Pichai Says ‘Vibe Coding’ Is Making Programming More Fun

Russia Warns It Could Impose Total Ban on WhatsApp

Russia Warns It Could Impose Total Ban on WhatsApp

Study Finds Wi-Fi Signals Can Track Users Without Network Access

Study Finds Wi-Fi Signals Can Track Users Without Network Access

HCLTech with AWS to accelerate transformation of the financial services industry

HCLTech with AWS to accelerate transformation of the financial services industry

Sundar Pichai Cautions Users Against Blind Trust in AI

Sundar Pichai Cautions Users Against Blind Trust in AI

dsf