
Plaintext secrets in Git repositories: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: A 2025 cloud security report cited by Orca Security found that 85% of organizations have plaintext secrets embedded in source code repositories, making exposed Git history a durable access path for attackers. Secrets caught before commit or push reduce blast radius, but governance still depends on preventing credential material from reaching shared repositories in the first place.

NHIMG editorial — based on content published by Orca Security: Git hooks for secret detection and blocking plaintext secrets in repositories

By the numbers:

Questions worth separating out

Q: How should security teams prevent secrets from reaching shared Git repositories?

A: Use a two-layer approach: pre-commit secret detection on developer endpoints, backed by pre-receive checks on the shared SCM server so that pushes are still rejected when a local hook was skipped or disabled.

Q: Why do plaintext secrets in Git create long-term identity risk?

A: Because Git preserves history by design, a leaked secret can survive beyond the original file change and remain usable in copies, forks, and cached data.

Q: What fails when teams rely on cleanup after a secret is committed?

A: The failure is assuming that deletion equals removal. Deleting the file or overwriting the value in a later commit leaves the secret in Git history, in clones and forks, and in cached copies, so it stays usable until the underlying credential is rotated or revoked.

Practitioner guidance

  • Implement pre-commit secret detection on developer endpoints. Block commits that contain API keys, tokens, passwords, or certificates before they are written into Git history.
  • Enforce pre-receive checks on every shared SCM server. Reject pushes that include plaintext secrets even if local hooks were skipped or disabled.
  • Tie secret detection to immediate credential revocation. When a secret is found in a repository, rotate or revoke the underlying credential before remediation is considered complete.
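The two detection layers above, as an added example that is not Orca's hook code: one diff scanner shared by a pre-commit hook (developer endpoint, staged changes only) and a pre-receive hook (shared server, every commit in the pushed range). The regexes and sample diffs are constructed for illustration and are not a substitute for a maintained secret-pattern set.

```shell
#!/bin/sh
# Added example, not Orca's hook code. One scanner feeds both layers: a
# pre-commit hook on the developer endpoint and a pre-receive hook on the
# shared SCM server. Patterns are illustrative and constructed for this example.

# Illustrative credential shapes: AWS access key id, GitHub token,
# private-key header, quoted password assignment.
SECRET_RE="AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|BEGIN [A-Z ]*PRIVATE KEY|[Pp]assword[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}"
# scan_added_lines: read a unified diff on stdin and check only added lines
# ('+' but not the '+++' file header), so removed or context lines never
# count. Returns 1 (block) if anything matches, 0 otherwise.
scan_added_lines() {
    hits=$(grep -E '^\+[^+]' | grep -E "$SECRET_RE" || true)
    if [ -n "$hits" ]; then
        printf 'Blocked: possible plaintext secret in added lines:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Layer 1, developer endpoint (.git/hooks/pre-commit): scan only what is staged.
pre_commit_hook() {
    git diff --cached --unified=0 --no-color | scan_added_lines
}

# Layer 2, shared server (hooks/pre-receive): stdin carries one
# "oldrev newrev refname" line per updated ref. Every commit in the pushed
# range is scanned, so a skipped or disabled local hook changes nothing.
pre_receive_hook() {
    status=0
    zero=0000000000000000000000000000000000000000
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue      # ref deletion: nothing new to scan
        if [ "$oldrev" = "$zero" ]; then
            range="$newrev --not --all"           # new branch: commits not already on the server
        else
            range="$oldrev..$newrev"
        fi
        # $range is intentionally unquoted so "--not --all" splits into words.
        git log -p --unified=0 --no-color --format= $range | scan_added_lines || status=1
    done
    return $status
}

# Dispatch on the installed hook name so one file can serve as either hook.
case "$(basename "$0")" in
    pre-commit)  pre_commit_hook ;;
    pre-receive) pre_receive_hook ;;
esac
```

Install the same file as `.git/hooks/pre-commit` on endpoints and as `hooks/pre-receive` on the server; the server-side copy is the one that cannot be bypassed with `--no-verify`.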

What's in the full article

Orca Security's full post covers the operational detail this post intentionally leaves for the source:

  • How Orca's pre-commit hook behaves inside local developer workflows and where it fits best
  • How the pre-receive hook enforces repository policy on GitLab Self-Managed and Bitbucket Datacenter
  • What the Orca CLI does when installing hooks across multiple repositories and machines
  • How Orca positions scan speed, limited diff scanning, and developer experience in day-to-day use

👉 Read Orca Security's analysis of Git hooks for secret detection →

