
GitLab Cloud Scan Reveals 17K Live Secrets, Including 5,200 GCP Keys.

After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains.

Scanning Methodology and Findings

Luke Marshall, a security researcher, used the open source tool TruffleHog to check the code in the public repositories for sensitive credentials, including API keys, passwords, and tokens. Marshall previously conducted similar scans on Bitbucket and the Common Crawl dataset.

To conduct the scan, Marshall used a custom Python script and a GitLab public API endpoint to enumerate every public GitLab Cloud repository. The process returned 5.6 million non-duplicate repositories. These repository names were then fed into an AWS Simple Queue Service (SQS) queue.

An AWS Lambda function pulled the repository names from SQS, ran the TruffleHog scan against them, and logged the results. This setup allowed Marshall to complete the scan of 5.6 million repositories in just over 24 hours at a total cost of $770.

Scale of the Exposure

Marshall found 17,430 verified live secrets on GitLab, which is nearly three times the number found in his previous Bitbucket scan. GitLab also showed a 35% higher secret density, indicating a greater concentration of exposed credentials per repository.

Historical data suggests that most leaked secrets are newer than 2018, though some valid secrets dating back to 2009 were also found. The largest number of leaked secrets, over 5,200, were Google Cloud Platform (GCP) credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.
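As an added example that is not part of the article or of TruffleHog, the following Python scanner flags candidates for the four secret families the article names (GCP service-account keys, MongoDB connection strings with embedded credentials, Telegram bot tokens, OpenAI keys) across an in-memory checkout; the regexes, file paths and values are constructed assumptions, and unlike TruffleHog it only detects candidates rather than verifying that a credential is live.

```python
import json
import re

# Line-oriented detectors for the secret families the article says were most
# common on GitLab. The patterns are assumptions modelled on the public key
# formats, not TruffleHog's own detectors; a match is a candidate, not proof.
DETECTORS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "mongodb_uri_with_credentials": re.compile(
        r"mongodb(?:\+srv)?://[^\s:@/]+:[^\s@/]+@[^\s\"']+"),
}


def gcp_service_account_key(text):
    """GCP service-account keys are JSON documents, so detect them structurally."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict)
            and doc.get("type") == "service_account"
            and "BEGIN PRIVATE KEY" in str(doc.get("private_key", "")))


def scan_text(path, text):
    """Return (path, line_number, detector_name) for every candidate in one file."""
    hits = []
    if gcp_service_account_key(text):
        hits.append((path, 1, "gcp_service_account_key"))
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in DETECTORS.items():
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits


def scan_files(files):
    """files maps path -> contents; an in-memory stand-in for a git checkout."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


# Constructed sample checkout; every value below is fake and illustrative only.
SAMPLE_REPO = {
    "bot/config.py": 'TOKEN = "123456789:AAH' + "fake" * 8 + '"\n',
    "app/settings.py": 'MONGO = "mongodb+srv://admin:hunter2@cluster0.example.net/db"\n'
                       'OPENAI_KEY = "sk-' + "fake" * 9 + '"\n',
    "deploy/sa.json": json.dumps({"type": "service_account",
                                  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n"}),
    "README.md": "Copy .env.example to .env and fill in your own keys.\n",
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_REPO):
        print("%s:%d  %s" % hit)
```

Running it as a pre-commit or CI step over the files staged for a push is the point at which a hit is cheapest to fix, since a credential revoked before it reaches a public repository never needs the notification and rotation cycle the article describes.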

Marshall responsibly notified the affected parties associated with the 2,804 unique domains using an automated Python script combined with Claude Sonnet 3.7. In the process, the researcher collected bug bounties amounting to $9,000. While many organizations revoked their secrets following the notifications, an undisclosed number of credentials remain exposed on GitLab.
