
Static secrets in a public repo: what IAM teams need to rethink


(@akeyless)
Estimable Member
Joined: 1 year ago
Posts: 65
Topic starter  

TL;DR: A public GitHub repository exposed AWS GovCloud admin keys, plaintext passwords, and Kubernetes access data for months in a contractor-managed CISA environment, according to Akeyless and Brian Krebs. The incident shows that secret handling is still too often built around human failure instead of architectures that remove static credentials before they can leak.

NHIMG editorial — based on content published by Akeyless covering the CISA GitHub secret exposure: static credentials in a public repository and the case for brokered access

By the numbers:

Questions worth separating out

Q: How should teams handle privileged access when secrets can be copied into public repositories?

A: They should remove the durable secret from the workflow entirely and move to short-lived, identity-bound issuance.

Q: Why do static credentials create more risk than ephemeral access for cloud admins?

A: Static credentials create standing privilege, which means one leak can remain usable until someone finds and revokes it.

Q: What do security teams get wrong about secret scanning and push protection?

A: They often treat scanning as the primary control when it is really a last line of defence.

Practitioner guidance

  • Replace durable admin keys with brokered access: issue privileged cloud access as short-lived sessions tied to identity and workload context.
  • Eliminate plaintext credential exports: block workflows that allow passwords, kubeconfigs, or API keys to be exported into CSVs, notes, or browser-managed files.
  • Audit repository guardrails and default settings: verify that push protection, secret scanning, and repository policy settings are enabled by default across all managed environments.

What's in the full article

Akeyless's full article covers the operational detail this post intentionally leaves for the source:

  • The Akeyless-specific dynamic secret workflow for AWS GovCloud admin access and how it is configured.
  • The zero-knowledge fragment architecture used for static secrets and how it changes recovery and disclosure assumptions.
  • The Secure Remote Access session model for Kubernetes, SSH, and database access.
  • The federal deployment posture described for GovCloud, including audit and cryptographic handling details.

👉 Read Akeyless's analysis of the CISA GitHub secret exposure and static credential risk →

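As an added illustration of the "audit repository guardrails" point and the Q&A on why scanning is a last line of defence, here is a minimal pre-push secret scanner. This is example code written for this thread, not Akeyless's or NHIMG's tooling, and not GitHub's push-protection implementation; the regexes, the file names and the staged contents are constructed for the example (the AWS key values are AWS's published documentation placeholders, not live credentials).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed detection patterns for the secret types named in the post.
# Assumption: a real scanner uses provider-validated patterns that are far
# broader than these; this set exists only to show how a pre-push gate works.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "plaintext_password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"
    ),
    "kubeconfig_token": re.compile(r"(?m)^\s*token:\s*['\"]?([A-Za-z0-9._\-]{20,})"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan {path: content} the way a pre-push hook would scan staged files.
    Every matching line is reported once per pattern kind."""
    findings: list[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(path, line_no, kind))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per secret kind (useful for the audit report)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def should_block_push(files: dict[str, str]) -> bool:
    """Push-protection semantics: any finding rejects the whole push."""
    return bool(scan_files(files))


# Constructed sample of what a contractor might accidentally stage.
SAMPLE_STAGED_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "DB_PASSWORD=Tr0ub4dor&3-constructed\n"
    ),
    "kubeconfig.yaml": (
        "users:\n"
        "- name: admin\n"
        "  user:\n"
        "    token: eyJhbGciOiJSUzI1NiJ9.constructed-sample-token-value\n"
    ),
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAAconstructed\n",
    "README.md": "Request a short-lived session from the broker; no credentials live here.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_STAGED_FILES):
        print(f"{finding.path}:{finding.line_no}: {finding.kind}")
    print("block push:", should_block_push(SAMPLE_STAGED_FILES))
```

The point the post makes is visible in the design: the scanner only catches shapes it already knows, so a credential exported in an unexpected format walks straight through. That is why it belongs behind the architectural fix (no durable secret to leak) rather than in front of it.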
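To make the "short-lived sessions tied to identity and workload context" guidance concrete, here is an added sketch of a credential broker. It is example code written for this thread, not Akeyless's dynamic secret or Secure Remote Access implementation; the claim names, the HMAC-signed token format, the signing key and the timestamps are constructed assumptions. The last function quantifies the post's "usable until someone finds and revokes it" contrast between a static key and a brokered session.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed broker signing key. Assumption: a real broker keeps this in a
# KMS/HSM and never hands the key itself to a workload.
BROKER_KEY = b"constructed-broker-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(identity: str, role: str, workload: str,
                  ttl_seconds: int, now: float | None = None) -> str:
    """Issue a short-lived session bound to who asked and from where.
    No durable admin key is ever returned; only this expiring token."""
    now = time.time() if now is None else now
    claims = {
        "sub": identity,            # human or machine identity that requested access
        "role": role,               # privilege actually granted (least privilege)
        "wl": workload,             # workload context the session is usable from
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_session(token: str, expected_workload: str,
                     now: float | None = None) -> dict | None:
    """Return the claims if the token is authentic, unexpired and presented
    from the workload it was bound to; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                 # tampered or forged
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None                 # expired: a leaked copy is now worthless
    if claims["wl"] != expected_workload:
        return None                 # copied into a notes file or another host
    return claims


def usable_window_after_leak(leaked_at: float, revoked_at: float,
                             expires_at: float | None = None) -> float:
    """Seconds a leaked credential stays usable. A static key (no expiry)
    is live until someone notices and revokes it; a brokered session dies
    at its own expiry if that comes first."""
    end = revoked_at if expires_at is None else min(revoked_at, expires_at)
    return max(0.0, end - leaked_at)


if __name__ == "__main__":
    t0 = 1_700_000_000            # constructed issuance time
    tok = issue_session("alice@contractor.example", "govcloud-admin", "ci-runner-7", 900, now=t0)
    print("valid from runner:", validate_session(tok, "ci-runner-7", now=t0 + 60) is not None)
    print("valid after expiry:", validate_session(tok, "ci-runner-7", now=t0 + 901) is not None)
    print("static key leaked for 120 days:", usable_window_after_leak(t0, t0 + 120 * 86400))
    print("15-minute session leaked:", usable_window_after_leak(t0, t0 + 120 * 86400, expires_at=t0 + 900))
```

The identity and workload binding is what turns a copy-paste into a non-event: the same bytes pasted into a CSV or pushed to a public repo fail the workload check, and even a copy presented from the right place stops working at the TTL without anyone having to discover the leak first.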
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 254
 

Static secret issuance is the broken assumption here. The architecture assumed that high-risk credentials could exist as durable values and still remain governable across contractor workflows. That assumption fails when secrets are copied into public repositories, browser exports, and local files because the credential itself becomes the breach path. The implication is not just better handling. It is that governance built around keeping static secrets safe is structurally outmatched by modern working patterns.

A few things that frame the scale:

  • Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who is accountable when contractor-held credentials expose cloud and internal systems?

A: Accountability is shared, but the architecture owner must answer for making durable secrets the operating norm. Contractors can mishandle credentials, yet the deeper failure is issuing access in a form that is easy to copy, export, and reuse. Governance should assign responsibility to the programme that permitted plaintext privileged material to exist.

👉 Read our full editorial: Static secret architecture failed in the CISA GitHub exposure
