TL;DR: Secret sprawl, hardcoded credentials, and inconsistent controls still expose infrastructure and application secrets across pipelines, CI/CD, and cloud tooling, according to Bitwarden. The core issue is not storage alone but whether secrets are centralized, auditable, and operationally manageable before exposure becomes a breach path.
NHIMG editorial — based on content published by Bitwarden: flexible secrets management for modern development teams
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: How should security teams reduce secret sprawl in development pipelines?
A: Start by identifying every place a secret can appear, including code, CI/CD jobs, wrappers, and deployment artifacts.
Q: Why do hardcoded credentials create more risk than many teams expect?
A: Hardcoded credentials create risk because they are easy to copy, hard to inventory, and often survive long after the system that used them changes.
Q: How do teams know whether a secrets management programme is actually working?
A: A secrets programme is working when teams can show central visibility, consistent retrieval logging, fast revocation, and a shrinking number of hidden copies.
Practitioner guidance
- Inventory every secret distribution path Map where credentials move today, including code repositories, CI/CD systems, wrappers, environment files, and container build steps.
- Eliminate hardcoded credentials from build and runtime assets Scan applications, scripts, and pipeline definitions for embedded API keys, passwords, and certificates.
- Tie secret access to auditable retrieval events Require logging for every secret fetch, not just administrative changes.
What's in the full article
Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:
- Exact CLI and SDK integration patterns for injecting secrets into applications and infrastructure
- Specific wrapper examples for package managers and developer tooling environments
- Named integration paths for GitHub Actions, Terraform, Jenkins, Kubernetes, and other pipeline tools
- Customer implementation examples showing how teams adapted the platform to their own workflows
👉 Read Bitwarden's guidance on flexible secrets management for developer teams →
Secrets sprawl and pipeline exposure: what IAM teams need to know?
Explore further
Secret sprawl is not a storage problem. It is a lifecycle failure. The article correctly points to decentralised management and hardcoded credentials as the operational breakpoints, but the deeper issue is that secrets often outlive the process that created them. Once a credential is duplicated across pipelines and scripts, revocation becomes partial, delayed, and inconsistent. The practitioner conclusion is that secrets governance must be measured by removal and retirement, not by how many vaults exist.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of organisations are currently using a dedicated secrets management system, according to The 2024 State of Secrets Management Survey.
A question worth separating out:
Q: What is the difference between secrets rotation and secrets governance?
A: Rotation changes a credential on a schedule. Governance defines who can access it, where it can appear, how it is logged, and how it is removed when no longer needed. A team can rotate secrets frequently and still leave exposed copies behind. Governance is broader because it controls the full lifecycle and distribution model.
👉 Read our full editorial: Developer secrets management still fails when secrets sprawl wins