🚨 24 Million Secrets Exposed on GitHub—AI Is Making It Worse

A recent report revealed that over 24 million secrets—including API keys, SSH tokens, and passwords—have been exposed on GitHub. What's more alarming? Repositories using GitHub Copilot are 40% more likely to leak these sensitive credentials.

As AI tools generate code faster than ever, developers may unknowingly include secrets in their commits. These leaked credentials are a goldmine for attackers, and many developers don’t even realize they’re leaking them.

How to Fix It:

1. Enable GitHub Secret Scanning & Push Protection

These built-in features cover both sides of a push: push protection blocks a push that contains a detectable secret before it reaches the repository, and secret scanning finds and alerts on secrets that have already been committed.

2. Use Secret Managers

Store credentials in secure vaults like AWS Secrets Manager or HashiCorp Vault—never in code.

3. Avoid Hardcoding Secrets

Use environment variables and config files that are excluded from version control.

4. Run Secret Scanners

Tools like Gitleaks, TruffleHog, and Prompt Security help detect exposed secrets automatically.

5. Revoke & Rotate Leaked Keys Immediately

If a secret is leaked, treat it as compromised—revoke it and replace it.
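Steps 3 and 4 above in working form, as an added example that is not part of the original post: a small Python scanner of the kind that Gitleaks and TruffleHog implement at scale, run over a constructed sample config. The rule names, placeholder list and entropy threshold are assumptions of this example; the AWS access key ID and classic GitHub token formats are the documented ones, and the AKIA... value is AWS's published example key ID, not a live credential.

```python
"""Added example: a minimal secret scanner for files about to be committed."""
import math
import re
import sys
from dataclasses import dataclass

# Literal values that look like secrets but are obviously placeholders (assumed list).
PLACEHOLDERS = {"changeme", "example", "placeholder", "your-api-key", "xxxxxxxx"}

# Documented credential formats: an AWS access key ID is "AKIA" + 16 uppercase
# alphanumerics; a classic GitHub token is a "gh?_" prefix + 36 alphanumerics.
_AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
_GITHUB_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")
_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
# Generic hardcoding: password/secret/api_key/token assigned a quoted literal of 8+ chars.
_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Any quoted 32+ character blob, judged by entropy rather than by format.
_LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{32,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # only a prefix of the secret, so the report never re-leaks it


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _regex_rule(pattern):
    def check(line):
        m = pattern.search(line)
        return m.group(0) if m else None
    return check


def _assignment_rule(line):
    m = _ASSIGNMENT.search(line)
    if m and m.group(1).lower() not in PLACEHOLDERS:
        return m.group(1)
    return None


def _entropy_rule(line):
    for m in _LONG_LITERAL.finditer(line):
        if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
            return m.group(1)
    return None


# Most specific rule first; the first rule that fires decides the line's label.
RULES = [
    ("private_key_block", _regex_rule(_PRIVATE_KEY)),
    ("aws_access_key_id", _regex_rule(_AWS_KEY_ID)),
    ("github_token", _regex_rule(_GITHUB_TOKEN)),
    ("hardcoded_assignment", _assignment_rule),
    ("high_entropy_string", _entropy_rule),
]


def redact(secret: str) -> str:
    return secret[:4] + "..."


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, check in RULES:
            hit = check(line)
            if hit:
                findings.append(Finding(line_no, rule, redact(hit)))
                break
    return findings


# Constructed sample config; the AKIA... value is AWS's published example key ID.
SAMPLE_CONFIG = """\
# constructed sample, not a real file
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
API_KEY = "s3cr3t-api-key-value"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
SIGNING_KEY = "0123456789abcdef0123456789abcdef"
BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SESSION_TOKEN = os.environ["SESSION_TOKEN"]
"""

if __name__ == "__main__":
    # Pre-commit usage: `python scan.py <staged files>`; a non-zero exit blocks the commit.
    paths = sys.argv[1:]
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results += [(path, f) for f in scan_text(fh.read())]
    if not paths:  # no arguments: demonstrate on the constructed sample
        results = [("<sample>", f) for f in scan_text(SAMPLE_CONFIG)]
    for path, f in results:
        print(f"{path}:{f.line_no}: {f.rule} ({f.redacted})")
    sys.exit(1 if results else 0)
```

On the sample, the scanner flags the hardcoded API key, the AWS key ID, the GitHub token and the 32-character hex blob, while ignoring the `changeme` placeholder, the low-entropy banner string and the line that correctly reads its token from the environment. Two design points worth copying: findings are redacted before they are printed, so the scanner itself does not leak secrets into CI logs, and the non-zero exit code is what lets a pre-commit hook stop the commit rather than merely warn.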

Final Word:

AI coding tools can be powerful, but they come with hidden risks. Security hygiene must evolve with the pace of development. Don't let automation become a liability—scan, protect, and educate.

CheckDot is SAFU research on CheckDot.