Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cloud development environments and leaked secrets: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Scanning 22 million public cloud development environment projects across CodeSandbox, StackBlitz, CodePen, and JSFiddle found 8,792 verified unique secrets, including a GitHub employee token with write access to github/github, according to TruffleHog. Public sandboxes remain an ungoverned secrets surface because they lack native secret scanning, push protection, and automated revocation.

NHIMG editorial — based on content published by TruffleHog: Thousands of Live Secrets Found Across Four Cloud Development Environments

By the numbers:

Questions worth separating out

Q: What breaks when secrets are pasted into public cloud development environments?

A: What breaks is the assumption that public sandboxes are harmless sharing spaces.

Q: Why do public development environments create more NHI risk than many teams expect?

A: They create more NHI risk because the credential often matters more than the code around it.

Q: How do security teams know if exposed secrets are actually dangerous?

A: They should evaluate whether the secret is still valid, what scopes it carries, and which systems it can reach.

Practitioner guidance

  • Audit public cloud development environments for live credentials Inventory CodeSandbox, StackBlitz, CodePen, JSFiddle, and similar browser-based environments, then search for verified secrets, environment files, and embedded tokens that have been published publicly.
  • Prioritise revocation over clean-up after exposure For each confirmed secret, identify the issuing system, revoke or rotate the credential immediately, and verify whether the token had workflow, repository, or cloud-resource scope.
  • Classify findings by effective blast radius Triage exposed secrets by the resources they can reach, not by the platform where they were found, and route high-scope credentials to incident handling rather than routine hygiene.

What's in the full report

TruffleHog's full article covers the operational detail this post intentionally leaves for the source:

  • The enumeration methods used to discover millions of public projects across four cloud development environments.
  • The per-platform detection approach that produced verified secrets instead of pattern matches alone.
  • The GitHub employee token case, including the scope values and the downstream access it enabled.
  • The disclosure and bounty workflow used to coordinate revocation across multiple SaaS providers and platform owners.

👉 Read TruffleHog's analysis of thousands of live secrets in public cloud development environments →

Cloud development environments and leaked secrets: what teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Public development environments are now a credential governance problem, not just a developer convenience problem. The research shows that browser-based sandboxes can contain live secrets without the guardrails that Git platforms have begun to normalise. That shifts the control question from where code lives to where credentials can be introduced, persisted, and missed. Practitioners should treat public CDEs as part of the identity attack surface, not as an adjacent engineering tool.

A few things that frame the scale:

  • Only 44% of organisations are currently using a dedicated secrets management system, according to the 2024 State of Secrets Management Survey.
  • 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.

A question worth separating out:

Q: Who is accountable when a public sandbox leaks a live credential?

A: Accountability should sit with the system that issued the credential, the team that owns the shared workspace, and the security function that defines revocation and detection requirements. The sandbox is only the exposure point. The governance failure is usually upstream, in weak lifecycle controls and unclear ownership of the credential itself.

👉 Read our full editorial: Public cloud development environments hide credential exposure at scale



   
ReplyQuote
Share: