Public GitLab repositories exposed more than 17,000 secrets

Recorded: Nov. 28, 2025, 10:02 p.m.

Original

News

Featured
Latest

GreyNoise launches free scanner to check if you're part of a botnet

The Black Friday 2025 Cybersecurity, IT, VPN, & Antivirus Deals

Microsoft to secure Entra ID sign-ins from script injection attacks

New ShadowV2 botnet malware used AWS outage as a test opportunity

Save on this ethical hacking bundle: $33 through December 7th

Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison

Microsoft: Windows updates make password login option invisible

Public GitLab repositories exposed more than 17,000 secrets

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Virus Removal Guides

Latest
Most Viewed
Ransomware

Remove the Theonlinesearch.com Search Redirect

Remove the Smartwebfinder.com Search Redirect

How to remove the PBlock+ adware browser extension

Remove the Toksearches.xyz Search Redirect

Remove Security Tool and SecurityTool (Uninstall Guide)

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

How to remove Antivirus 2009 (Uninstall Instructions)

Locky Ransomware Information, Help Guide, and FAQ

CryptoLocker Ransomware Information Guide and FAQ

CryptorBit and HowDecrypt Information Guide and FAQ

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Categories

eLearning

IT Certification Courses

Gear + Gadgets

Security

VPNs

Popular

Best VPNs

How to change IP address

Access the dark web safely

Best VPN for YouTube

Forums
More

Startup Database
Uninstall Database
Glossary
Chat on Discord
Send us a Tip!
Welcome Guide

HomeNewsSecurityPublic GitLab repositories exposed more than 17,000 secrets

Public GitLab repositories exposed more than 17,000 secrets

By Bill Toulas

November 28, 2025
12:43 PM
0

After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains.
Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens.
The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets.

GitLab is a web-based Git platform used by software developers, maintainers, and DevOps teams to host code, for CI/CD operations, development collaboration, and repository management.
Marshall used a GitLab public API endpoint to enumerate every public GitLab Cloud repository, using a custom Python script to paginate through all results and sort them by project ID.
This process returned 5.6 million non-duplicate repositories, and their names were sent to an AWS Simple Queue Service (SQS).
Next, an AWS Lambda function pulled the repository name from SQS, ran TruffleHog against it, and logged the results.
“Each Lambda invocation executed a simple TruffleHog scan command with concurrency set to 1000,” describes Marshall.
“This setup allowed me to complete the scan of 5,600,000 repositories in just over 24 hours.”
The total cost for the entire public GitLab Cloud repositories using the above method was $770.
The researcher found 17,430 verified live secrets, nearly three times as many as in Bitbucket, and with a 35% higher secret density (secrets per repository), too.
Historical data shows that most leaked secrets are newer than 2018. However, Marshall also found some very older secrets dating from 2009, which are still valid today.

Volume of exposed secretsSource: Truffle Security
The largest number of leaked secrets, over 5,200 of them, were Google Cloud Platform (GCP) credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.
The researcher also found a little over 400 GitLab keys leaked in the scanned repositories.

Types of exposed secrets on GitLabSource: Truffle Security
In the spirit of responsible disclosure and because the discovered secrets were associated with 2,804 unique domains, Marshall relied on automation to notify affected parties and used Claude Sonnet 3.7 with web search ability and a Python script to generate emails.
In the process, the researcher collected multiple bug bounties that amounted to $9,000.
The researcher reports that many organizations revoked their secrets in response to his notifications. However, an undisclosed number of secrets continue to be exposed on GitLab.

Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Get the guide

Related Articles:
Code beautifiers expose credentials from banks, govt, tech orgsGreyNoise launches free scanner to check if you're part of a botnetGlobalProtect VPN portals probed with 2.3 million scan sessionsAttackers Now Bypass App-Based MFA, Hardware Biometrics Stop ThemThe hidden risks in your DevOps stack data—and how to address them

Developer Environment
GitLab
Scanner
Secret Scanning
Secrets
Token

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article
Next Article

Popular Stories

Microsoft: Exchange Online outage blocks access to Outlook mailboxes

Code beautifiers expose credentials from banks, govt, tech orgs

GreyNoise launches free scanner to check if you're part of a botnet

Sponsor Posts

Review of Passwork: Affordable Enterprise-Grade Password Manager

Overdue a password health-check? Audit your Active Directory for free

WSUS can’t keep up in a remote-first world. Cloud-native patching fixes what VPNs never could

CMMC Made Simple. Get audit-ready with Huntress—faster, easier, and more affordable.

Upcoming Webinar

Main Sections

News
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

Public GitLab repositories exposed a significant number of secrets, highlighting a vulnerability within the platform’s public repository ecosystem. Luke Marshall, a security engineer, conducted a comprehensive scan of 5.6 million public GitLab Cloud repositories, revealing 17,430 verified live secrets across over 2,800 unique domains. This discovery underscores a substantial risk for developers and organizations utilizing GitLab for code hosting and collaboration.

The scan, executed using TruffleHog, a tool for detecting and extracting secrets, identified a variety of sensitive credentials, including Google Cloud Platform (GCP) credentials accounting for over 5,200 secrets, followed by MongoDB keys and Telegram bot tokens. Notably, a substantial number of secrets, approximately 400, were GitLab keys present within the scanned repositories. The research also uncovered a surprising number of older secrets, some dating back to 2009, which remained valid and accessible, indicating a potential persistence of vulnerability. The overall density of secrets per repository was 35% higher than what was observed in the Bitbucket repository landscape, signifying a greater concentration of exposed credentials within the public GitLab environment.

The methodology employed by Marshall involved leveraging a GitLab public API endpoint to enumerate all public repositories, coupled with a custom Python script for pagination and sorting. An AWS Simple Queue Service (SQS) was utilized to manage the high volume of repository names, and an AWS Lambda function orchestrated the TruffleHog scans. This automated approach enabled the completion of the scan within approximately 24 hours, with a total cost of $770. Following the discovery, Marshall proactively notified affected parties, utilizing Claude Sonnet 3.7 with web search capabilities and a Python script to automate email communication. This responsible disclosure resulted in the revocation of numerous secrets, generating a total of $9,000 in bug bounties. Despite these efforts, a portion of the identified secrets continued to be exposed on GitLab, highlighting the ongoing challenge of maintaining secure environments within collaborative code repositories. This incident serves as a critical reminder of the importance of diligent secret management practices and regular security audits within developer workflows.