
Secrets Sprawl

The uncontrolled proliferation of sensitive credentials — API keys, tokens, passwords, certificates — across codebases, cloud environments, CI/CD pipelines, and configuration files. In 2024, over 50 million leaked secrets were found on the dark web.

Expanded Definition

Secrets sprawl is the accumulation of credentials in places they were never meant to live for long, including source code, build logs, chat threads, artifact stores, and cloud configuration. In NHI operations, the issue is not merely storage volume; it is uncontrolled copy propagation across systems, with each copy creating standing access for machines, agents, and automation.

Definitions vary across vendors, but the practical meaning is consistent: a secret becomes sprawl when teams lose track of where it exists, who can read it, whether it is still valid, and how quickly it can be revoked. That is why NHI governance treats secrets as operational identity material, not simple configuration values. The OWASP Non-Human Identity Top 10 frames this as a core workload identity problem, while the NHI security posture must also account for rotation, scope, and detection across the full lifecycle.

What makes secrets sprawl especially dangerous is that it usually begins as convenience. A developer pastes an API key into a test file, a CI job prints an environment variable, or an AI-assisted commit includes a token in generated code. The most common mistake is assuming a secret is safe because it sits in a private repository; that belief ignores the clones on developer machines, CI caches, build logs, and downstream artifacts, each of which carries its own copy of the same value.

For broader context on how this pattern spreads across identity surfaces, see the Guide to the Secret Sprawl Challenge and the OWASP Non-Human Identity Top 10.

Examples and Use Cases

Implementing secret control rigorously often introduces friction for developers and automation owners, requiring organisations to weigh faster delivery against tighter rotation, scanning, and revocation discipline.

  • A CI/CD pipeline injects a cloud access key into logs during a failed deployment, exposing NHI credentials to anyone with build access.
  • A service account token is embedded in a container image layer, then propagated to multiple registries and runtime environments.
  • An AI coding assistant generates a commit that includes an API key in a config file, creating a leak that survives code review if scanning is weak.
  • A collaboration tool thread contains a production password shared during incident response, which later gets indexed, forwarded, or copied into tickets.
  • A public dependency or GitHub Action reads environment variables and unintentionally prints secrets during execution, turning supply chain tooling into a leak path.
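The leak paths above, and the point made earlier that a private repository does not contain a secret, are what a scanner has to cover. As an added example (not NHIMG's code, and not any vendor's scanner), the following Python script runs two detection styles over constructed lines modelled on those bullets: fixed-format patterns for credential types with a recognisable prefix, and an entropy check for values assigned to secret-bearing keys, with a placeholder filter that suppresses variable references and obvious dummies. Every token value is a constructed placeholder in a valid-looking format, and the 3.5 bits-per-character threshold is an assumed starting point to tune, not a standard.

```python
"""Minimal secret scanner over constructed log, image, chat, and config lines.

Added example, not NHIMG's code. All credential values below are constructed
placeholders in valid-looking formats; none is a real secret.
"""
import math
import re
from collections import Counter

# Known-format credential patterns. "AKIA" is the AWS access key ID prefix and
# "ghp_" the GitHub classic personal access token prefix. These are reported even
# when the value looks like documentation (e.g. contains "EXAMPLE"), because a
# correctly formatted key is worth verifying against the provider.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "<secret-looking key> = <value>" assignment: key name contains a
# secret-bearing word, value is at least 16 non-space, non-quote characters.
ASSIGNMENT = re.compile(
    r"(?i)([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*['\"]?([^\s'\"]{16,})"
)

# Values that are variable references or obvious dummies, never real material.
PLACEHOLDER = re.compile(r"(?i)(changeme|placeholder|example|xxxx|your[_-]|^\$\{|^\$[a-z_]+$)")

ENTROPY_THRESHOLD = 3.5  # assumed tuning point, bits per character, for values >= 16 chars

# Constructed samples, one per leak path from the list above.
SAMPLES = [
    ("ci-log",      "ERROR deploy failed; env: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE REGION=eu-west-1"),
    ("image-layer", "ENV SERVICE_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"),
    ("chat-export", "prod db password: Zq8vT2pL9mX4rWnB7cKd (rotating after the incident)"),
    ("config",      'api_key: "${VAULT_API_KEY}"'),           # reference, not a value
    ("config",      'db_password = "changeme-changeme-123"'),  # dummy, low entropy
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for a repeated single char)."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(source: str, line: str) -> list[dict]:
    """Return one finding per credential-looking value in `line`."""
    findings = []
    for name, pattern in KNOWN_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append({"source": source, "type": name, "value": m.group(0)})
    for m in ASSIGNMENT.finditer(line):
        key, value = m.group(1), m.group(2)
        if PLACEHOLDER.search(value):
            continue
        if any(f["value"] == value for f in findings):
            continue  # already reported under a known format
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({"source": source, "type": f"high-entropy:{key.lower()}", "value": value})
    return findings


def scan_all(samples: list[tuple[str, str]]) -> list[dict]:
    """Scan (source, line) pairs in order and concatenate the findings."""
    out = []
    for source, line in samples:
        out.extend(scan_line(source, line))
    return out


def redact(value: str) -> str:
    """Show enough of a finding to recognise it without re-leaking it in the report."""
    return value[:4] + "..." + value[-2:]


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['source']:<12} {f['type']:<24} {redact(f['value'])}")
```

The report prints redacted values on purpose: a scanner that writes full secrets into its own output or ticketing system creates exactly the extra copies this page warns about. The placeholder filter is also a trade-off; the documented AWS example secret key contains the word "EXAMPLE", so a generic rule that drops anything with "example" in it can hide a real key that happens to mimic documentation, which is why known-format hits bypass it.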

NHIMG’s reporting on the Shai Hulud npm malware campaign shows how quickly a single compromise can turn into many exposed credentials, especially when developers depend on shared tooling. A similar pattern appears in the Reviewdog GitHub Action supply chain attack, where automation became the distribution channel for sensitive data. These cases are consistent with the OWASP Non-Human Identity Top 10 guidance on secret exposure and workload identity misuse.

Why It Matters in NHI Security

Secrets sprawl matters because every exposed credential can become an unmanaged NHI, bypassing intended controls around authentication, least privilege, and lifecycle governance. Once a secret is duplicated across repos, tickets, and pipelines, security teams lose the clean boundary needed for effective rotation and incident containment.

The scale of the problem is accelerating. GitGuardian’s State of Secrets Sprawl 2026 found that 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase. That does not count the copies that move into runners, chat tools, artifacts, or private repos. In practice, the issue is rarely detection alone; it is the delay between exposure and revocation.

This is why secrets sprawl intersects directly with NHI risk management, including just-in-time (JIT) provisioning, zero standing privileges (ZSP), and incident response. If a secret remains valid after exposure, attacker dwell time expands even when the original leak is found. The Guide to the Secret Sprawl Challenge and the CI/CD pipeline exploitation case study both show that pipeline compromise and secret exposure reinforce each other. Organisations typically encounter the operational cost only after a breach, when emergency rotation, access review, and containment become unavoidable.
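To make the exposure-to-revocation delay concrete, here is an added Python example (not NHIMG's code, and not any particular vault's API) of a minimal secret inventory. It stores only an HMAC-SHA256 fingerprint of each secret under an inventory key that is assumed to come from a vault, so the inventory does not become one more copy; it records where each secret has been seen; and it computes how long a leaked secret stays usable given its TTL and revocation time, which is the dwell window a static secret leaves open and a short-lived one bounds. The secrets, timestamps, and locations are constructed.

```python
"""Keyed-fingerprint secret inventory and exposure-window calculator.

Added example, not NHIMG's code. The inventory never stores secret values, only
an HMAC fingerprint under an inventory-local key, so a copy of the inventory does
not leak the secrets it tracks. All secrets and timestamps are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed to be fetched from the secrets manager at runtime; constructed here.
INVENTORY_KEY = b"constructed-inventory-key-do-not-reuse"


def fingerprint(secret: str) -> str:
    """Stable, non-reversible identifier for a secret value (keyed, so offline
    guessing of the fingerprint requires the inventory key too)."""
    return hmac.new(INVENTORY_KEY, secret.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class SecretRecord:
    owner: str                       # the NHI (workload, agent, pipeline) that uses it
    issued_at: datetime
    ttl: Optional[timedelta]         # None means static: valid until explicitly revoked
    locations: set[str] = field(default_factory=set)
    revoked_at: Optional[datetime] = None

    def expires_at(self) -> Optional[datetime]:
        return None if self.ttl is None else self.issued_at + self.ttl

    def valid_at(self, t: datetime) -> bool:
        if self.revoked_at is not None and t >= self.revoked_at:
            return False
        exp = self.expires_at()
        return exp is None or t < exp


class SecretInventory:
    def __init__(self) -> None:
        self._records: dict[str, SecretRecord] = {}

    def register(self, secret: str, owner: str, issued_at: datetime,
                 ttl: Optional[timedelta], location: str) -> str:
        fp = fingerprint(secret)
        self._records[fp] = SecretRecord(owner, issued_at, ttl, {location})
        return fp

    def record_copy(self, secret: str, location: str) -> Optional[str]:
        """Called by a scanner that found `secret` somewhere. Returns the
        fingerprint, or None when the secret is unknown to the inventory: that
        is an unmanaged NHI and should be escalated, not silently added."""
        fp = fingerprint(secret)
        rec = self._records.get(fp)
        if rec is None:
            return None
        rec.locations.add(location)
        return fp

    def revoke(self, fp: str, at: datetime) -> None:
        self._records[fp].revoked_at = at

    def exposure_window(self, fp: str, exposed_at: datetime) -> Optional[timedelta]:
        """How long the secret stays usable after `exposed_at`. None means
        open-ended: static, never revoked. Zero means it was already dead."""
        rec = self._records[fp]
        if not rec.valid_at(exposed_at):
            return timedelta(0)
        ends = [t for t in (rec.revoked_at, rec.expires_at()) if t is not None]
        if not ends:
            return None
        return min(ends) - exposed_at

    def copies_to_clean(self, fp: str) -> list[str]:
        """Every location that must be scrubbed after rotation, not just the first."""
        return sorted(self._records[fp].locations)


def demo() -> dict:
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    inv = SecretInventory()
    # Static key committed to config, then copied into a CI log and a chat thread.
    static = inv.register("static-key-constructed", "billing-worker", t0, None, "repo:app/config.yml")
    inv.record_copy("static-key-constructed", "ci:run-4711/log")
    inv.record_copy("static-key-constructed", "chat:#incident-0042")
    exposed = t0 + timedelta(hours=1)
    before = inv.exposure_window(static, exposed)       # None: usable indefinitely
    inv.revoke(static, t0 + timedelta(hours=30))
    after = inv.exposure_window(static, exposed)        # 29 h of attacker dwell
    # Dynamic credential with a 15-minute TTL, leaked 10 minutes in, never revoked.
    dyn = inv.register("dynamic-token-constructed", "deploy-agent", t0, timedelta(minutes=15), "runner:memory")
    dyn_window = inv.exposure_window(dyn, t0 + timedelta(minutes=10))
    return {
        "static_before_revoke": before,
        "static_after_revoke": after,
        "dynamic": dyn_window,
        "static_copies": inv.copies_to_clean(static),
        "unmanaged_hit": inv.record_copy("never-registered-value", "ci:run-4712/log") is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry the argument of this section. First, `exposure_window` returns None for the static secret until someone revokes it, which is the case the page describes: the leak can be found and still leave an unbounded window. Second, `record_copy` refuses to learn a secret it has never seen; a scanner hit with no inventory record is an unmanaged NHI, and adding it quietly would hide that fact.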

Further reading on dynamic secret handling is available in the Ultimate Guide to NHIs — Static vs Dynamic Secrets.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI2 (Secret Leakage) | Directly addresses leaked and mismanaged secrets across NHI and workload identity surfaces.
NIST CSF 2.0 | PR.AA-01 (identities and credentials for authorised users, services, and hardware are managed by the organisation) | Secrets sprawl is a credential management and access control failure that expands unauthorised system reach.
NIST SP 800-207 (Zero Trust Architecture) | Core tenets: no implicit trust, per-session least-privilege access | Zero trust denies a leaked secret the standing, network-wide trust it would otherwise inherit, limiting its blast radius.

Inventory, rotate, and restrict secrets so exposed credentials cannot persist as standing access.
