Truffle Security Co.: Large-scale GitLab scan reveals more than 17,000 leaked secrets

Security engineer Luke Marshall analyzed more than 5.6 million public GitLab Cloud repositories for exposed secrets in a large-scale investigation.

Using TruffleHog, he identified 17,430 still-valid credentials spread across more than 2,800 organizations. The investigation built on an earlier scan of Bitbucket, where considerably fewer secrets were found even after accounting for its smaller number of repositories. Marshall thus shows that GitLab contains a higher concentration of leaked credentials and that the problem is structural across development platforms rather than specific to one of them.

5.6 million unique repositories

To systematically search the entire GitLab environment, Marshall used the public GitLab API and a Python script that retrieved all projects via pagination. The list of 5.6 million unique repositories was then processed via AWS Simple Queue Service. An AWS Lambda function took each repository from the queue, performed a TruffleHog scan, and recorded the results.

Each Lambda invocation performed a single scan, and the function ran with a configured concurrency of a thousand parallel executions. This allowed the entire operation to be completed in just over 24 hours, at a total cost of approximately $770.
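The enumeration step described above, as an added example that is not Marshall's or Truffle Security's code: it walks GitLab's documented keyset pagination on /api/v4/projects, following the Link header until the last page and deduplicating by project id before the clone URLs are handed to a scan queue. The HTTP fetcher is injected and the pages for gitlab.example.com are constructed, so it runs offline; the membership=true filter scopes a real run to the projects the token's owner belongs to, which is the inventory a defender wants before pointing TruffleHog at their own repositories.

```python
import json
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# A fetcher maps a URL to (response headers, body); injected so the pagination
# logic can run offline against the constructed pages below.
Fetcher = Callable[[str], Tuple[Dict[str, str], str]]
_LINK_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_link(headers: Dict[str, str]) -> Optional[str]:
    """Return the rel="next" URL from GitLab's Link header, None on the last page."""
    match = _LINK_NEXT.search(headers.get("Link") or headers.get("link") or "")
    return match.group(1) if match else None


def iter_projects(base: str, fetch: Fetcher, per_page: int = 100) -> Iterator[dict]:
    """Walk /api/v4/projects with keyset pagination, ordered by id ascending."""
    url = (f"{base}/api/v4/projects?pagination=keyset&per_page={per_page}"
           "&order_by=id&sort=asc&simple=true&membership=true")
    while url:
        headers, body = fetch(url)
        yield from json.loads(body)
        url = next_link(headers)


def unique_clone_urls(base: str, fetch: Fetcher) -> List[str]:
    """Dedupe by project id so an overlapping or retried page is scanned once."""
    seen: Dict[int, str] = {}
    for project in iter_projects(base, fetch):
        seen.setdefault(project["id"], project["http_url_to_repo"])
    return list(seen.values())  # each URL becomes one queue message for a scan worker


# Constructed pages standing in for a GitLab instance (not real data).
BASE = "https://gitlab.example.com"
_Q = "pagination=keyset&per_page=100&order_by=id&sort=asc&simple=true&membership=true"
PAGE1 = f"{BASE}/api/v4/projects?{_Q}"
PAGE2 = f"{PAGE1}&id_after=2"
_PAGES = {
    PAGE1: ({"Link": f'<{PAGE2}>; rel="next"'},
            json.dumps([{"id": 1, "http_url_to_repo": f"{BASE}/team/one.git"},
                        {"id": 2, "http_url_to_repo": f"{BASE}/team/two.git"}])),
    # The last page repeats id 2 (as a retried request might) and carries no
    # Link header, which is how GitLab signals that the walk is finished.
    PAGE2: ({}, json.dumps([{"id": 2, "http_url_to_repo": f"{BASE}/team/two.git"},
                            {"id": 3, "http_url_to_repo": f"{BASE}/team/three.git"}])),
}


def fake_fetch(url: str) -> Tuple[Dict[str, str], str]:
    return _PAGES[url]
```

Calling unique_clone_urls(BASE, fake_fetch) yields the three distinct repositories; in the pipeline the article describes, each one would become an SQS message for a Lambda worker.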

The results show a clear pattern. GitLab contains nearly three times as many working secrets as Bitbucket and also has a 35 percent higher density of leaked data per repository. Most of the exposed credentials date from after 2018, but Marshall also discovered keys from 2009 that were still usable. This points to

Source: https://www.techzine.eu/news/security/136855/large-scale-gitlab-scan-reveals-more-than-17000-leaked-secrets/

TPRM report: https://www.rankiteo.com/company/trufflesecurity

"id": "tru1764592319",
"linkid": "trufflesecurity",
"type": "Breach",
"date": "2025-12-01T00:00:00.000Z",
"severity": "85",
"impact": "",
"explanation": "Attack with significant impact with customers data leaks: - Attack which causes leak of personal information of customers (only if no ransomware) - Attack by hackers which causes data leak of customer information (only if no ransomware)"
{'incident': {'affected_entities': [{'customers_affected': '2,800+ '
                                                           'organizations',
                                     'industry': 'software development',
                                     'location': 'global',
                                     'name': 'GitLab Inc.',
                                     'size': None,
                                     'type': 'organization'}],
              'customer_advisories': ['Organizations using GitLab are advised '
                                      'to scan repositories for exposed '
                                      'secrets and rotate credentials '
                                      'immediately.'],
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': ['source code files',
                                                     'configuration files',
                                                     'environment files'],
                              'number_of_records_exposed': 17430,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': 'high',
                              'type_of_data_compromised': ['credentials',
                                                           'API keys',
                                                           'secrets',
                                                           'authentication '
                                                           'tokens']},
              'description': 'Security engineer Luke Marshall conducted a '
                             'large-scale investigation of over 5.6 million '
                             'public GitLab Cloud repositories, identifying '
                             '17,430 still-valid credentials across more than '
                             '2,800 organizations. The scan revealed a higher '
                             'concentration of leaked secrets in GitLab '
                             'compared to Bitbucket, indicating a systemic '
                             'issue within development platforms. The '
                             'investigation utilized the GitLab API, AWS '
                             'services (SQS and Lambda), and TruffleHog to '
                             'systematically scan repositories, completing the '
                             'operation in ~24 hours at a cost of '
                             'approximately $770. Exposed credentials dated as '
                             'far back as 2009, with most post-2018, '
                             'highlighting persistent security risks in '
                             'version control platforms.',
              'impact': {'brand_reputation_impact': ['potential erosion of '
                                                     "trust in GitLab's "
                                                     'security practices',
                                                     'negative perception of '
                                                     'affected organizations'],
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': ['credentials',
                                              'API keys',
                                              'secrets'],
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': ['high (due to exposed '
                                                 'credentials)'],
                         'legal_liabilities': None,
                         'operational_impact': ['potential unauthorized access '
                                                'to systems',
                                                'compromised organizational '
                                                'security'],
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': ['GitLab Cloud repositories']},
              'investigation_status': 'completed',
              'lessons_learned': ['Development platforms like GitLab and '
                                  'Bitbucket are high-risk vectors for secret '
                                  'leakage due to hardcoded credentials in '
                                  'repositories.',
                                  'Automated secret scanning tools (e.g., '
                                  'TruffleHog) are effective for large-scale '
                                  'detection but require proactive use by '
                                  'organizations.',
                                  'Old credentials (e.g., from 2009) can '
                                  'remain valid and exposed for years, '
                                  'emphasizing the need for regular credential '
                                  'rotation.',
                                  'GitLab has a higher density of leaked '
                                  'secrets compared to Bitbucket, suggesting '
                                  'platform-specific vulnerabilities or user '
                                  'behavior patterns.'],
              'post_incident_analysis': {'corrective_actions': ['GitLab could '
                                                                'integrate '
                                                                'mandatory '
                                                                'secret '
                                                                'scanning for '
                                                                'public '
                                                                'repositories.',
                                                                'Organizations '
                                                                'should adopt '
                                                                'zero-trust '
                                                                'principles '
                                                                'for '
                                                                'credential '
                                                                'management.',
                                                                'Educational '
                                                                'campaigns for '
                                                                'developers on '
                                                                'secure coding '
                                                                'practices.'],
                                         'root_causes': ['Lack of automated '
                                                         'secret detection in '
                                                         'GitLab repositories.',
                                                         'Developer practices '
                                                         'of hardcoding '
                                                         'credentials in '
                                                         'source code.',
                                                         'Insufficient '
                                                         'platform-level '
                                                         'protections against '
                                                         'secret leakage.',
                                                         'Long-lived '
                                                         'credentials without '
                                                         'enforced rotation '
                                                         'policies.']},
              'recommendations': ['Organizations should implement automated '
                                  'secret scanning in CI/CD pipelines to '
                                  'prevent credential exposure.',
                                  'Regular audits of repositories for '
                                  'hardcoded secrets should be mandatory, with '
                                  'immediate rotation of exposed keys.',
                                  'GitLab and similar platforms should enforce '
                                  'stricter default protections (e.g., '
                                  'blocking pushes containing secrets).',
                                  'Developers should use dedicated secret '
                                  'management tools (e.g., HashiCorp Vault) '
                                  'instead of hardcoding credentials.',
                                  'Public repositories should be treated as '
                                  'compromised by default; sensitive data '
                                  'should never be committed.'],
              'references': [{'date_accessed': None,
                              'source': "Luke Marshall's Investigation Report "
                                        '(GitLab Secrets Exposure)',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': ['public disclosure of '
                                                      'findings by Luke '
                                                      'Marshall'],
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': ['recommendation for '
                                                    'organizations to rotate '
                                                    'exposed credentials',
                                                    'enhanced secret scanning '
                                                    'for repositories'],
                           'third_party_assistance': None},
              'title': 'Large-Scale Exposure of Secrets in GitLab Cloud '
                       'Repositories',
              'type': ['data exposure', 'secret leakage', 'misconfiguration'],
              'vulnerability_exploited': ['improper secret management',
                                          'hardcoded credentials in '
                                          'repositories',
                                          'lack of secret scanning']}}