Truffle Security Co.: Public GitLab repositories exposed more than 17,000 secrets

After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains.

Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens.

The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets.

GitLab is a web-based Git platform used by software developers, maintainers, and DevOps teams to host code, run CI/CD pipelines, collaborate on development, and manage repositories.

Marshall used a GitLab public API endpoint to enumerate every public GitLab Cloud repository, using a custom Python script to paginate through all results and sort them by project ID.

This process returned 5.6 million non-duplicate repositories, and their names were pushed to an AWS Simple Queue Service (SQS) queue.

Next, an AWS Lambda function pulled the repository name from SQS, ran TruffleHog against it, and logged the results.

“Each Lambda invocation executed a simple TruffleHog scan command with concurrency set to 1000,” describes Marshall.

“This setup allowed me to complete the scan of 5,600,000 repositories in just over 24 hours.”

The total cost of scanning all public GitLab Cloud repositories with this method was $770.

The researcher found 17,430 ver
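To make concrete what a TruffleHog-style scan looks for, here is a small added example of the detection side, written for this page rather than taken from the researcher's script or from TruffleHog itself. It runs a few regex detectors plus a Shannon-entropy filter over a constructed set of files, the way a pre-commit or CI check would inspect staged files before they reach a public repository. The token prefix formats, the entropy cut-off, the sample file contents and the GitLab token value are assumptions made for the example; the AWS values are the non-functional example credentials from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# Illustrative detector rules, constructed for this example (they are not
# TruffleHog's detector set). The token prefixes follow the providers'
# publicly documented formats at the time of writing; treat them as assumptions.
SPECIFIC_DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Fallback rule for "<keyword> = <value>" assignments. It only reports values
# whose character distribution looks random, which filters out placeholders.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off; tune per code base)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    detector: str
    redacted: str  # the full secret is never kept or logged


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    """Run every rule over each line of one file. The generic rule only fires
    on lines where no specific rule matched, so one secret yields one finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, pattern in SPECIFIC_DETECTORS:
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, name, redact(m.group(0))))
                hit = True
        if hit:
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "generic_high_entropy", redact(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input. The AWS values are the non-functional example
# credentials from AWS's own documentation; the GitLab token is made up.
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "config.yml": "database:\n  password: hunter2hunter2hunter2\n",  # low entropy: ignored
    "deploy.sh": "export GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt\n",
    "README.md": "Set API_KEY=<your-key-here> before running.\n",  # placeholder: ignored
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key-body\n-----END OPENSSH PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.detector} {f.redacted}")
    # A pre-commit hook would exit non-zero here whenever any finding exists.
```

The two design points worth carrying into a real check are the ones the article's numbers hinge on: fixed-format tokens (AWS, GitLab, GitHub) are matched by prefix so they never produce false negatives on placeholders, while free-form `password=` style assignments are gated by entropy so that `hunter2hunter2hunter2` and `<your-key-here>` do not drown the queue in noise. Findings carry only a redacted prefix, so the scanner's own logs do not become a second copy of the leak.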

Source: https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/

TPRM report: https://www.rankiteo.com/company/trufflesecurity

"id": "tru1764352828",
"linkid": "trufflesecurity",
"type": "Vulnerability",
"date": "2025-11-28T00:00:00.000Z",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'incident': {'affected_entities': [{'customers_affected': '2,800+ unique '
                                                           'domains with '
                                                           'exposed secrets',
                                     'industry': 'software development / '
                                                 'DevOps',
                                     'location': 'Global (HQ: San Francisco, '
                                                 'USA)',
                                     'name': 'GitLab Inc.',
                                     'size': None,
                                     'type': 'organization'},
                                    {'customers_affected': None,
                                     'industry': 'various (primarily '
                                                 'tech/software)',
                                     'location': 'global',
                                     'name': '2,800+ unique domains',
                                     'size': None,
                                     'type': ['organizations',
                                              'developers',
                                              'projects']}],
              'customer_advisories': ['Developers and organizations using '
                                      'GitLab Cloud public repositories were '
                                      'implicitly notified via public '
                                      'disclosure.'],
              'data_breach': {'data_encryption': 'no (secrets were in '
                                                 'plaintext)',
                              'data_exfiltration': 'yes (secrets were publicly '
                                                   'accessible)',
                              'file_types_exposed': ['source code files',
                                                     'configuration files',
                                                     'environment files (e.g., '
                                                     '.env)'],
                              'number_of_records_exposed': '17,430 (GitLab) + '
                                                           '6,212 (Bitbucket) '
                                                           '+ 12,000 (Common '
                                                           'Crawl)',
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': 'high (credentials with '
                                                     'potential for '
                                                     'unauthorized access)',
                              'type_of_data_compromised': ['API keys',
                                                           'passwords',
                                                           'authentication '
                                                           'tokens',
                                                           'private keys',
                                                           'database '
                                                           'credentials']},
              'description': 'A security engineer, Luke Marshall, scanned all '
                             '5.6 million public repositories on GitLab Cloud '
                             'using the TruffleHog open-source tool and '
                             'discovered over 17,000 exposed secrets (e.g., '
                             'API keys, passwords, tokens) across more than '
                             '2,800 unique domains. The scan was conducted via '
                             "a custom Python script leveraging GitLab's "
                             'public API, AWS SQS, and AWS Lambda, completing '
                             'in ~24 hours at a cost of $770. Similar scans on '
                             'Bitbucket (6,212 secrets in 2.6M repositories) '
                             'and the Common Crawl dataset (12,000 secrets) '
                             'were also reported.',
              'impact': {'brand_reputation_impact': ['potential erosion of '
                                                     "trust in GitLab's "
                                                     'platform security',
                                                     'reputational risk for '
                                                     'affected domains'],
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': ['API keys',
                                              'passwords',
                                              'tokens',
                                              'sensitive credentials'],
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': ['high (due to exposed '
                                                 'credentials)'],
                         'legal_liabilities': None,
                         'operational_impact': ['potential unauthorized access '
                                                'to systems/services',
                                                'risk of account takeovers',
                                                'supply chain attacks'],
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['GitLab Cloud public '
                                              'repositories']},
              'investigation_status': 'completed (by independent researcher)',
              'lessons_learned': ['Public repositories require automated '
                                  'secret scanning to prevent credential '
                                  'exposure.',
                                  'Developers must avoid hardcoding secrets in '
                                  'code or use secure alternatives (e.g., '
                                  'vaults).',
                                  'Large-scale scans of public codebases can '
                                  'reveal systemic security gaps.',
                                  'Cost-effective cloud tools (AWS Lambda/SQS) '
                                  'enable efficient security research at '
                                  'scale.'],
              'post_incident_analysis': {'corrective_actions': ['GitLab could '
                                                                'integrate '
                                                                'mandatory '
                                                                'secret '
                                                                'detection in '
                                                                'CI/CD '
                                                                'pipelines.',
                                                                'Promote use '
                                                                "of GitLab's "
                                                                'built-in '
                                                                'secret '
                                                                'detection (if '
                                                                'available).',
                                                                'Encourage '
                                                                'adoption of '
                                                                '.gitignore '
                                                                'rules for '
                                                                'credential '
                                                                'files.'],
                                         'root_causes': ['Lack of enforced '
                                                         'secret scanning in '
                                                         'public repositories.',
                                                         'Developers '
                                                         'inadvertently '
                                                         'committing '
                                                         'credentials to '
                                                         'version control.',
                                                         'No automated checks '
                                                         'for hardcoded '
                                                         "secrets in GitLab's "
                                                         'default workflow.']},
              'recommendations': ['GitLab should implement mandatory secret '
                                  'scanning for all public repositories.',
                                  'Organizations should audit their public '
                                  'codebases for exposed credentials.',
                                  'Use tools like TruffleHog or GitGuardian to '
                                  'pre-scan commits for secrets.',
                                  'Rotate all credentials found in the exposed '
                                  'repositories.',
                                  'Educate developers on secure credential '
                                  'management practices.'],
              'references': [{'date_accessed': None,
                              'source': "Researcher's report (Luke Marshall)",
                              'url': None},
                             {'date_accessed': None,
                              'source': 'GitLab documentation on public '
                                        'repositories',
                              'url': 'https://docs.gitlab.com/'},
                             {'date_accessed': None,
                              'source': 'TruffleHog GitHub repository',
                              'url': 'https://github.com/trufflesecurity/truffleHog'}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': ['GitLab may enforce '
                                                    'stricter secret scanning '
                                                    'for public repositories',
                                                    'affected entities advised '
                                                    'to rotate exposed '
                                                    'credentials'],
                           'third_party_assistance': None},
              'title': 'Exposure of 17,000+ Secrets in 5.6 Million Public '
                       'GitLab Repositories',
              'type': ['data exposure',
                       'credential leakage',
                       'misconfiguration'],
              'vulnerability_exploited': ['publicly accessible repositories',
                                          'hardcoded secrets in code',
                                          'lack of secret scanning']}}