
Git token leakage and the DevOps secrets governance gap


(@unosecur)
Honorable Member
Joined: 1 year ago
Posts: 188
Topic starter  

TL;DR: A leaked GitLab personal access token let attackers clone private repositories, harvest hard-coded cloud and SaaS keys, and pivot into production at Pearson, with similar exposure patterns also seen at the Internet Archive, according to Unosecur. Static secrets in source control remain a systemic identity failure, not a point-in-time code hygiene issue.

NHIMG editorial — based on content published by Unosecur: How one leaked Git token can wreck multi-cloud security

By the numbers:

Questions worth separating out

Q: What breaks when Git tokens and hard-coded secrets are left in source control?

A: Source control becomes an access path instead of a safe delivery system.

Q: Why do long-lived repository tokens create so much identity risk?

A: They create standing privilege outside ordinary human login controls.

Q: How do teams know whether secret scanning is actually working?

A: They should see secrets detected in both live code and historical commits, owners assigned to each finding, and revocation completed before the credential is reused.

Practitioner guidance

  • Scan repositories for exposed secrets across history: Search current branches, tags, and full Git history for PATs, API keys, certificates, and connection strings, including copied .git/config artefacts and forked repositories.
  • Enforce owner mapping and expiry for every token: Attach a human or system owner to each credential, record the issuing system, and quarantine tokens that have no clear lifecycle owner or a stale creation date.
  • Rotate credentials the moment exposure is confirmed: Treat a leaked token as active compromise until every related secret has been revoked, replaced, and verified across AWS, GCP, Snowflake, Salesforce, and any linked services.
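The first two guidance points above (scan full history, not just the current tree, and attach a candidate owner to every finding) can be shown in working code. The following is an added example written for this post; it is not Unosecur's or NHIMG's code and it does not reproduce any tooling from the source article. It parses the text that `git log -p --all` produces, checks both added and removed diff lines for a few credential formats with a recognisable prefix (GitLab `glpat-`, GitHub `ghp_`, AWS `AKIA`, PEM private keys), and records the commit hash and author so each finding has a starting point for owner mapping. The sample history and every token value in it are constructed for this example.

```python
"""Scan Git history for hard-coded secrets (added example, not the source's code).

Reads `git log -p --all` output and flags credential-shaped strings on both
'+' and '-' diff lines. A secret deleted in a later commit is still
retrievable from history, so a HEAD-only scan would miss it.
"""
import re
import subprocess
from dataclasses import dataclass

# Token formats with a documented prefix. The lengths are approximations and
# should be tuned per environment; the PEM pattern accepts 4 leading dashes
# because a removed diff line loses its first '-' to the diff marker.
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-{4,5}BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    author: str      # commit author: a first candidate for the credential owner
    path: str
    kind: str
    line: str
    removed: bool    # True when the secret sits on a '-' line (deleted later)


def scan_history(log_text: str) -> list[Finding]:
    """Walk `git log -p` text and return every credential-shaped line."""
    findings: list[Finding] = []
    commit = author = path = ""
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            continue
        if raw.startswith("Author: "):
            author = raw[len("Author: "):].strip()
            continue
        if raw.startswith(("+++ ", "--- ")):
            # diff file headers such as '+++ b/deploy/config.yml'; '/dev/null'
            # marks a created or deleted file and carries no path.
            target = raw[4:]
            if target.startswith(("a/", "b/")):
                path = target[2:]
            continue
        if not raw or raw[0] not in "+-":
            continue                      # context lines, hunk headers, messages
        content = raw[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append(Finding(commit, author, path, kind,
                                        content.strip(), raw[0] == "-"))
    return findings


def scan_repo(repo_dir: str) -> list[Finding]:
    """Run git over every ref in a local clone and scan the output (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return scan_history(out)


# Constructed two-commit history: secrets committed, then "removed" by a
# follow-up commit that swaps in environment variables. All values are fake.
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add deploy config

diff --git a/deploy/config.yml b/deploy/config.yml
--- /dev/null
+++ b/deploy/config.yml
@@ -0,0 +1,3 @@
+gitlab_token: glpat-EXAMPLEfakeTOKEN0000
+aws_access_key_id: AKIAEXAMPLE0000FAKE1
+region: us-east-1
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    remove secrets from config

diff --git a/deploy/config.yml b/deploy/config.yml
--- a/deploy/config.yml
+++ b/deploy/config.yml
@@ -1,3 +1,3 @@
-gitlab_token: glpat-EXAMPLEfakeTOKEN0000
-aws_access_key_id: AKIAEXAMPLE0000FAKE1
+gitlab_token: ${GITLAB_TOKEN}
+aws_access_key_id: ${AWS_ACCESS_KEY_ID}
 region: us-east-1
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        state = "removed" if f.removed else "added"
        print(f"{f.commit[:8]} {f.author} {f.path} {f.kind} ({state}): {f.line}")
```

Running the scanner over the constructed history reports the two secrets twice: once where they were added and once where they were deleted. The second commit does not make them go away, which is the point of the guidance above: a finding is closed by revoking and replacing the credential, not by a commit that removes it from the working tree.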

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • The full GitLab token exposure chain, including the public .git/config path and repository cloning sequence.
  • The practical detection and response steps for identifying hard-coded AWS, GCP, Snowflake, and Salesforce keys in source control.
  • The GitHub integration workflow, including owner mapping, alerting, and optional token revocation playbooks.
  • The specific CI/CD and DevOps controls used to turn secret discovery into a repeatable workflow.

👉 Read Unosecur's analysis of how one leaked Git token can expose multi-cloud security →

