GitGuardian reports rise in leaked secrets linked to AI-assisted coding in 2025

The 2025 report from GitGuardian reveals changes in software development linked to the increased use of Artificial Intelligence (AI) tools. These changes corresponded with a higher incidence of exposed credentials, known as secrets, across public and internal code environments. The report emphasizes that human error persists as a source of leaked sensitive information even with AI assistance.

The data indicates a 43% year-over-year rise in public code commits, doubling the growth rate seen before 2025. Leaked secrets increased 34% year-over-year, totaling approximately 29 million detected instances, the highest single-year count recorded. Secrets have been growing 1.6 times faster than the developer population since 2021.

AI-assisted code commits showed a higher-than-average leak rate: Claude Code-assisted commits leaked secrets at roughly 3.2%, about double the baseline across GitHub. AI-related credential leaks, particularly those connected to AI services, rose by 81% year-over-year. Model Context Protocol (MCP) configuration practices, in which documentation recommends placing credentials directly in configuration files, contributed to exposing over 24,000 unique secrets.
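As an added example (not code from the GitGuardian report or its products), the following Python script shows the defender-side check the MCP finding above calls for: scanning an MCP server configuration's `env` block for hardcoded credentials, rewriting the file so it carries only environment references, and running the same detectors over the added lines of a diff the way a pre-commit hook would. The `mcpServers`/`env` layout follows the shape several MCP client docs use; the detector patterns, the entropy threshold, the `${VAR}` reference convention (whether a given MCP client expands it is an assumption) and all sample values are constructed for illustration, not GitGuardian's production detectors.

```python
"""
Added example (not from the GitGuardian report): a minimal scanner that finds
hardcoded credentials in an MCP server configuration and in a commit diff,
then rewrites the config so secrets are referenced from the environment.
All sample values are constructed; detector patterns are simplified.
"""
import json
import math
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Simplified, constructed detector patterns for two widely documented formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Variable names that usually carry credentials regardless of value format.
SENSITIVE_KEY_HINTS = ("token", "secret", "password", "api_key", "apikey", "key")
# A `${VAR}` placeholder is a reference, not a secret; never flag it.
ENV_REFERENCE = re.compile(r"^\$\{[A-Z0-9_]+\}$")
# Added lines of the form `NAME = "value"` or `NAME: "value"`.
ASSIGN = re.compile(r'^\+\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["\']([^"\']+)["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and paths score low."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(key: str, value: str) -> Optional[str]:
    """Return the detector name that fires for a key/value pair, or None."""
    if not isinstance(value, str) or ENV_REFERENCE.match(value):
        return None
    for name, pat in PATTERNS.items():
        if pat.search(value):
            return name
    key_l = key.lower()
    if len(value) >= 16 and any(h in key_l for h in SENSITIVE_KEY_HINTS) \
            and shannon_entropy(value) > 3.5:
        return "high_entropy"
    return None


def mask(secret: str) -> str:
    """Keep only the edges so a report never re-leaks the full value."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_mcp_config(config: Dict) -> List[Tuple[str, str, str]]:
    """(server, env_var, detector) for each hardcoded credential in `env` blocks."""
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for var, value in spec.get("env", {}).items():
            det = classify(var, value)
            if det:
                findings.append((server, var, det))
    return findings


def harden_mcp_config(config: Dict) -> Dict:
    """Replace each literal credential with `${VAR}` so the committed file holds
    no secret; the launching process supplies the value (expansion of `${VAR}`
    by the MCP client is an assumption, adapt to your client)."""
    hardened = json.loads(json.dumps(config))  # deep copy, original untouched
    for server, var, _ in scan_mcp_config(config):
        hardened["mcpServers"][server]["env"][var] = "${%s}" % var
    return hardened


def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Scan only added lines of a unified diff: (line_no, detector, masked value)."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        m = ASSIGN.search(line)
        key, value = (m.group(1), m.group(2)) if m else ("", line[1:])
        det = classify(key, value)
        if det:
            findings.append((lineno, det, mask(value)))
    return findings


# Constructed sample MCP config; "example-mcp-server" is a placeholder command.
SAMPLE_CONFIG = {
    "mcpServers": {
        "github": {
            "command": "example-mcp-server",
            "args": ["--github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "A" * 36,
                    "DB_PASSWORD": "s3cr3t-Xk9!pQ2mZ7vL4wN8"},
        },
        "filesystem": {
            "command": "example-mcp-server",
            "args": ["--fs", "/tmp"],
            "env": {"LOG_LEVEL": "debug"},
        },
    }
}

# Constructed diff; the AKIA value is AWS's published documentation example.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    for server, var, det in scan_mcp_config(SAMPLE_CONFIG):
        print(f"config: {server}.env.{var} flagged by {det}")
    print(json.dumps(harden_mcp_config(SAMPLE_CONFIG), indent=2))
    for lineno, det, masked in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: {det} {masked}")
```

The `${VAR}` allowlist in `classify` matters: without it the hardened config would itself be flagged, because a long upper-case variable name has enough entropy to trip the generic detector. Wiring `scan_diff` into a pre-commit hook catches the commit-time case the report's leak-rate figures describe; `scan_mcp_config` covers the local-machine case where the secret never reaches a repository.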

The scope of exposures extends beyond code repositories; internal repositories were found to be six times more susceptible to hardcoded secrets than public repositories. Additionally, nearly 28% of leak incidents originated in collaboration and productivity tools. Developer machines also increased in importance as part of the credential perimeter due to deep access by AI agents, raising risks related to prompt injection and supply-chain-style attacks.

Eric Fourrier, GitGuardian's CEO, said, “AI agents need local credentials to connect across systems, turning developer laptops into a massive attack surface. We built our local scanning and identities inventory tool to protect them. Security teams need to map out exactly which machines hold which secrets, surfacing critical weaknesses like overprivileged access and exposed production keys.” The report further documents challenges in secret management, noting that approximately 60% of policy violations involve long-lived credentials, and 64% of valid secrets from 2022 remain unrevoked as of 2026.

The organizations involved outlined the need for treating non-human identities as distinct security assets with dedicated governance, contextual awareness, and automated remediation across both code and non-code platforms. This approach aims to address the growing backlog in secret management and improve governance beyond detection.