Security Researcher Finds 17,000+ Live Secrets in 5.6 Million Public GitLab Repositories
By adrianwaj · 6mo ago · 7 min read · Insight
Summary
A security researcher scanned 5.6 million public GitLab repositories using TruffleHog and discovered over 17,000 verified live secrets, earning over $9,000 in bug bounties through responsible disclosure. The research reveals significant security risks in public code repositories and demonstrates the effectiveness of automated scanning tools for identifying exposed credentials.
Key quotes
I scanned every public GitLab Cloud repository (~5.6 million) with TruffleHog, found over 17,000 verified live secrets, and earned over $9,000 in bounties along the way.
This guest post by Security Engineer Luke Marshall was developed through Truffle Security's Research CFP program.
Luke specializes in investigating exposed secrets across open-source ecosystems, a path that led him into bug bounty work and responsible disclosure.
This is the last blog post in a two-part series exploring secrets exposed in popular Git platforms.