According to GitGuardian's State of Secrets Sprawl 2026 report, 29 million new hardcoded secrets were detected in 2025, a 34% year-on-year rise and the largest single-year jump on record, with overall sprawl accelerating alongside AI adoption and distributed software delivery.
The findings show three core trends. AI services drove 81% more leaks year over year: leaks tied to AI services numbered 1,275,105 in 2025, and eight of the ten fastest-growing categories were AI-related, including retrieval APIs, orchestration tools and managed backends.
Internal repositories remain a major risk: 32.2% contain at least one hardcoded secret, compared with 5.6% of public repos. In addition, 28% of leaks originated entirely outside code, in collaboration platforms such as Slack, Jira and Confluence, and 56.7% of those were rated critical.
The report also highlights exposure in self-hosted GitLab and Docker registries, where thousands of credentials were found (80,000 discovered, 10,000 still valid); 18% of scanned Docker images contained secrets, and 15% of those were valid. It notes that 64% of secrets from 2022 remain valid four years later, underscoring the need for automated rotation and remediation, and points to a shift toward non-human identity governance to manage ever-broader access.