
Source code secrets: what IAM and security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Source code repositories are frequently carrying plaintext secrets, and Orca Security cites 85% of organisations with secrets embedded in source code, alongside the 2024 breach cost average of $4.88 million and 1,732 breaches in H1 2025. That combination makes source code a governance problem, not just a developer hygiene issue.

NHIMG editorial — based on content published by Orca Security: source code security and supply chain risk analysis

By the numbers:

Questions worth separating out

Q: How should security teams handle secrets found in source code repositories?

A: They should treat the finding as an access incident, not a housekeeping task.

Q: Why do plaintext secrets in repositories create such a large security risk?

A: Because they collapse the distance between code access and production access.

Q: What do organisations get wrong about source code security?

A: They often treat it as a developer practice problem rather than a governance problem.

Practitioner guidance

  • Scan every repository and pipeline for committed secrets. Run continuous secret discovery across source control, pull requests, build logs, forks, and artefacts so exposed credentials are found before attackers use them.
  • Rotate credentials immediately after any exposure event. Replace API keys, database credentials, and service account tokens as soon as a leak is suspected, then verify that old values no longer authenticate anywhere.
  • Separate credentials by environment and use short-lived access where possible. Keep development, staging, and production credentials distinct so a single repository leak does not provide direct access to all environments.
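As an added, constructed example (not code from Orca Security or NHIMG), here is a minimal secret-discovery pass of the kind the first bullet describes, run over a constructed diff hunk. The "AKIA" prefix is the public AWS access key ID format; the assignment pattern, placeholder list and entropy threshold are assumptions chosen for this illustration.

```python
import math
import re
from collections import Counter

# Well-known public credential format: AWS access key IDs start with "AKIA".
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A secret-looking variable assigned a literal value, e.g. api_key = "..." (assumed pattern)
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{8,})"
)
# Placeholder values that should not raise an alert (assumed list).
PLACEHOLDERS = {"changeme", "placeholder", "example", "xxxxxxxx"}

def shannon_entropy(s):
    """Bits per character; random tokens score high, words and placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(line, entropy_threshold=3.5):
    """Return (kind, value) findings for one line of code, diff or build log."""
    findings = []
    for kind, pattern in KNOWN_PATTERNS.items():
        findings.extend((kind, m.group(0)) for m in pattern.finditer(line))
    for m in ASSIGNMENT.finditer(line):
        value = m.group(2)
        # Skip placeholders and low-entropy words; flag random-looking literals.
        if value.lower() in PLACEHOLDERS or shannon_entropy(value) < entropy_threshold:
            continue
        findings.append(("high_entropy_assignment", value))
    return findings

def scan_text(text):
    """Scan every line, returning (line_number, kind, value) triples."""
    return [(n, kind, value)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]

# Constructed sample diff: a real-looking key, a templated reference (safe),
# a placeholder (safe) and a random-looking API key.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+db_password = "changeme"
+api_key = "9fK2xQ7pL1mZ4vB8nR3tY6wC"
 log_level = "debug"
"""
```

Running `scan_text(SAMPLE_DIFF)` reports lines 1 and 4 only; the templated reference on line 2 and the placeholder on line 3 are left alone, which is the false-positive handling a scanner needs before it gates pull requests.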

What's in the full article

Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step source code security controls for repository access, branch protection, and commit signing.
  • Operational guidance for automated key rotation, secrets scanning, and environment separation.
  • Open source dependency assessment practices, including maintainer verification and license enforcement.
  • Implementation context around Orca Security's platform coverage across cloud and Kubernetes environments.

👉 Read Orca Security's analysis of source code secrets and supply chain risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Source code secrecy is now identity governance, not just application security. Once plaintext secrets live in repositories, the control problem shifts from code review to credential lifecycle. That means source code security has to be governed like NHI security because the object being stolen is access, not merely information. Practitioners should treat every repository as a potential identity inventory.

A few things that frame the scale:

  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • Our research also shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

A question worth separating out:

Q: How can teams reduce the blast radius of a leaked repository secret?

A: They should scope credentials to one environment, one service, and the shortest practical lifetime, then rotate them automatically. They also need branch protection, commit signing, and secret scanning so the same exposure pattern is less likely to recur. Blast-radius reduction only works when secret lifecycle and source control governance are managed together.

👉 Read our full editorial: Source code secrets are driving lateral movement and supply chain risk
