Source code secrets: what IAM and security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Source code repositories frequently carry plaintext secrets: Orca Security cites 85% of organisations as having secrets embedded in source code, alongside a 2024 average breach cost of $4.88 million and 1,732 breaches in H1 2025. That combination makes source code a governance problem, not just a developer hygiene issue.

NHIMG editorial — based on content published by Orca Security: source code security and supply chain risk analysis

By the numbers:

Questions worth separating out

Q: How should security teams handle secrets found in source code repositories?

A: They should treat the finding as an access incident, not a housekeeping task.

Q: Why do plaintext secrets in repositories create such a large security risk?

A: Because they collapse the distance between code access and production access.

Q: What do organisations get wrong about source code security?

A: They often treat it as a developer practice problem rather than a governance problem.

Practitioner guidance

  • Scan every repository and pipeline for committed secrets. Run continuous secret discovery across source control, pull requests, build logs, forks, and artefacts so exposed credentials are found before attackers use them.
  • Rotate credentials immediately after any exposure event. Replace API keys, database credentials, and service account tokens as soon as a leak is suspected, then verify that old values no longer authenticate anywhere.
  • Separate credentials by environment and use short-lived access where possible. Keep development, staging, and production credentials distinct so a single repository leak does not provide direct access to all environments.
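As an added example (not code from the Orca Security article or from this post), a minimal secret-discovery pass in Python that can be run over repository files, pull-request diffs or build-log lines: the rule set, the entropy threshold and the sample artefacts are assumptions constructed for illustration.

```python
import math
import re
from dataclasses import dataclass

# Credential shapes commonly committed by mistake. AKIA + 16 upper-case alphanumerics and the
# PEM header are public formats; the assignment rule is a heuristic gated by an entropy check.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}

@dataclass(frozen=True)
class Finding:
    source: str  # repository path or pipeline artefact name
    line_no: int
    rule: str

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score well above word-like placeholders."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value))) if n else 0.0

def scan_text(source: str, text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Scan one artefact (source file, PR diff, build log) line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Skip low-entropy assignments (placeholders, fixtures) so the alert stays useful.
            if rule == "generic_secret_assignment" and shannon_entropy(match.group(1)) < min_entropy:
                continue
            findings.append(Finding(source, line_no, rule))
    return findings

def scan_artefacts(artefacts: dict[str, str]) -> list[Finding]:
    return [f for source, text in artefacts.items() for f in scan_text(source, text)]

# Constructed sample artefacts (a settings file and a CI build log); every value is made up.
SAMPLE_ARTEFACTS = {
    "config/settings.py": ("DEBUG = False\n"
                           "DB_PASSWORD = 'REPLACE_ME_REPLACE_ME_REPLACE_ME'  # placeholder\n"
                           "API_KEY = 'q8Zt3Lm7Xv2Rk9Bn4Wp6Yd1Hs5Jc0Fg'\n"),
    "ci/build.log": ("[12:01:03] exporting AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
                     "[12:01:04] -----BEGIN RSA PRIVATE KEY-----\n"),
}
```

Each Finding identifies the artefact and line, which is what the rotation step needs as its trigger; the placeholder password is deliberately not reported.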

What's in the full article

Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step source code security controls for repository access, branch protection, and commit signing.
  • Operational guidance for automated key rotation, secrets scanning, and environment separation.
  • Open source dependency assessment practices, including maintainer verification and license enforcement.
  • Implementation context around Orca Security's platform coverage across cloud and Kubernetes environments.

👉 Read Orca Security's analysis of source code secrets and supply chain risk →
