Notifications
Clear all
Topic starter
28/05/2026 11:37 am
TL;DR: ServiceNow tickets, knowledge bases, attachments and CMDB records can all become exposure points for secrets and NHI tokens, with Entro Security describing scanning, contextualisation and remediation workflows across those surfaces. The real issue is not detection alone but governance over where credentials appear, who can access them, and how quickly they are revoked.
NHIMG editorial — based on content published by Entro Security: Leaking Tickets, Secrets Exposure in ServiceNow Part 2
Questions worth separating out
Q: How should security teams handle secrets exposed in service desk tickets?
A: Treat exposed secrets in service desk tickets as active credential incidents, not documentation issues.
Q: Why are collaboration platforms such as ServiceNow risky for NHI governance?
A: Collaboration platforms are risky because they collect the exact material attackers want: tokens, API keys, logs and screenshots that may contain plaintext credentials.
Q: What is the difference between secret scanning and secret remediation?
A: Secret scanning finds exposed credentials, but remediation removes the operational risk.
Practitioner guidance
- Scan collaboration systems for exposed credentials Include ServiceNow tickets, KB articles, CMDB fields, comments and attachments in secret discovery routines.
- Attach ownership to every exposed NHI Map each exposed token or key back to an application owner, integration owner or service owner so remediation can be assigned without manual detective work.
- Automate rotation after confirmed exposure Trigger revocation or replacement workflows when a valid secret is found in a ticketing system.
With 28.65 million new hardcoded secrets detected in public GitHub commits in 2025, the broader signal is that secret sprawl is becoming a normal condition, not an exception?
👉 Read Entro Security's analysis of secrets exposure in ServiceNow tickets →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
28/05/2026 11:41 am
ServiceNow exposure is an NHI lifecycle problem, not just a ticketing hygiene problem. Secrets pasted into tickets only become manageable when teams treat them as lifecycle objects that can be found, owned, revoked and reviewed. That shifts the problem from helpdesk behaviour to governance over where credentials are allowed to exist. Practitioners should manage ServiceNow as part of the NHI control plane, not as an isolated workflow system.
A few things that frame the scale:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
A question worth separating out:
Q: When should organisations rotate a secret found in a support ticket?
A: Rotate immediately when the secret is valid, reusable or visible to anyone outside the original need-to-know group. Delaying rotation gives attackers time to replay the credential through integrations or scripts. If the secret has already been copied into other tools, treat the event as a wider NHI exposure, not a single-ticket issue.
👉 Read our full editorial: ServiceNow ticket leakage exposes a broader NHI governance gap
