The Hidden Breach: Secrets Leaked Outside the Codebase Pose a Serious Threat

When you think of secrets scanning, most people immediately think about source code repositories on platforms like GitHub, GitLab, and Bitbucket. While the codebase is a source you absolutely should monitor, this is just a part of the overall secrets security story.

Indeed, secrets leaking in code are a major concern. In the GitGuardian’s 2025 State of Secrets Sprawl Report, the scale of this issue has surged dramatically. In 2024 alone, over 23.7 million new hardcoded secrets were added to public GitHub repositories — a 25% increase from the year before. And that’s just GitHub. 

However, that is not the full story. The report also shows that today’s many critical secrets exposures are not in your code; they’re in your collaboration tools. Platforms like Slack, Jira, Confluence, and other project management and productivity tools have become high-risk zones for leaked credentials. Even worse, secrets found in these systems are more likely to be critical, harder to detect, and almost entirely distinct from the plaintext credentials found in source code.

Secrets Are Sprawling Everywhere Work Happens

In a traditional security mindset, secrets management begins and ends in the repository. Once your team has adopted a vault solution and you are scanning for the code and CI/CD pipelines, you are well on your way to secrets management maturity. 

If you have gotten your developers to standardize on prevention tools like pre-commit git scanning or embedded tools in their favorite code editor, you have achieved a major milestone towards better secrets security.  

The reality is that secrets are leaking in every tool your team touches, not just code and CI/CD platforms but across your full digital workspace. Messaging apps, ticketing systems, internal wikis, and even container registries are now active battlegrounds for credential exposure.

In our 2025 State of Secrets Sprawl Report, we uncovered the fact that: 

• 38% of secrets found in collaboration tools were classified as critical or urgent, compared to 31% in source code.
• Only 7% of secrets overlap between SCM (Source Code Management) and collaboration tools—these are mostly completely separate exposures.

That last fact is extremely alarming and suggests that these secrets might be properly stored otherwise but are being copied in plaintext into workflow tools outside the codebase. Let's take a closer look at what systems are involved. 

Messaging Platforms: Slack and Microsoft Teams

Chat is fast. Chat is informal. And that’s exactly why it’s dangerous. Slack continues to be one of the most notorious hotspots for secrets leakage, especially in real-time incidents, engineering huddles, or postmortems. But it's not alone anymore. Microsoft Teams, now a core platform in many enterprise environments, faces the same risks.

Developers often share quick-fix credentials to help teammates debug without thinking through what happens if they get breached. Too often, once service accounts or API tokens are posted in threads, they are completely forgotten, yet these threads remain persistent in enterprise environments for years. Message history is retained indefinitely in many orgs, exposing secrets that are sometimes never rotated.

Security teams often lack access or scanning capabilities in these messaging ecosystems. And unlike code repos, there's no concept of pull requests or reviews, just a never-ending stream of text, files, and unmonitored links.

Ticketing Systems: Jira and ServiceNow

While Jira has long been a central planning platform for many dev teams, ServiceNow is quickly emerging as a critical risk vector — particularly in IT operations, security, and support workflows.

In both systems, secrets surface when support teams paste credentials to reproduce bugs or assist customers. Engineers all too often attach logs containing sensitive headers or tokens, which makes sense on the surface, as teams race to find root causes and fight fires, but the trail of secrets they leave behind is a nightmare waiting to happen.

Both platforms are often perceived as “internal only” or “safe,” but history shows otherwise. Tickets are overlooked in access audits, are difficult to monitor at scale, and become long-term repositories for forgotten secrets.

In fact, 6.1% of Jira tickets analyzed in the study contained secrets, many of which were still valid at the time of detection.

ServiceNow presents similar risks, especially due to its heavy integration with automation workflows and non-technical users who may not recognize a secret when they see one.

Documentation Platforms: Confluence

Confluence remains a critical part of the modern collaboration stack, providing a quick and easy way for everyone to document their knowledge in a searchable and centralized platform. Unfortunately if teams are also placing their plaintext credentials in their internal wiki, it becomes a major liability.

It’s a common place to find environment configuration guides with real secrets embedded. It is easy to add architecture diagrams that include access tokens or database connection strings for convenience. For teams that are rapidly expanding or folding in new members due to an acquisition, onboarding documentation might contain credentials “just to get people up and running.” 

These documents are persistent, rarely updated, and often overlooked in security reviews. Once a secret lands in a Confluence page, it’s indexed, searchable, and available to anyone with access permissions, which are often broad by default. If an attacker gains access, secrets are the first thing they will look for.

Why Collaboration Tools Are So Dangerous for Secrets

There are three key reasons collaboration platforms are especially dangerous environments for secret sprawl:

1. They Weren’t Built With Secrets in Mind

These tools prioritize productivity and speed, not secure information handling. Unlike source control management platforms, tools like Slack or Jira lack any native secrets scanning, access scoping, or pre-submit protections. While pre-commit scanning is possible to automate in a developer workflow, preventing the pasting of a plaintext credential into a text field in a ticket or chat window is all but impossible to prevent. 

2. Too Many Hands, Too Little Awareness

Secrets don’t just leak from developers. Product managers, support staff, QA engineers, and basically everyone else with access can unknowingly paste sensitive credentials into a ticket or thread. Once posted, those secrets can live forever, buried in the backlog.

3. No Effective Lifecycle for What Gets Shared

In a codebase, a hardcoded secret can be flagged, rotated, and replaced. In Slack? That secret may be reposted across multiple channels, shared in screenshots, or even pinned. It’s invisible to most traditional secrets detection tools and completely outside normal code review workflows.

The False Sense of Security in Private Spaces

One of the most dangerous assumptions organizations make is believing that because a space is private, it’s secure. But private Jira tickets, internal Slack channels, and restricted Confluence spaces are not immune to compromise. Phishing attacks, token theft, and lateral movement can give attackers access to internal tools, where secrets are just sitting there, often unmonitored.

In GitGuardian’s analysis, private repositories were 8x more likely to contain secrets than public ones. The same trend holds true across productivity tools. People behave more carelessly in private spaces, assuming obscurity equals security.

How to Handle Secrets Leaks Outside of Code

Like with everything else in security, the solution requires that we align people, processes, and tools. This starts with awareness. Even reading this article is a step in the right direction. Making sure your team is aware of the dangers is a very positive first step toward eliminating the problems before they start. 

However, awareness alone is not the solution. The playbook for addressing this challenge also involves:

• Deploying real-time secrets detection across Slack, Jira, and Confluence using tools that are purpose-built for collaboration platforms.
• Consolidate alerts across systems — don’t treat a secret in Slack and Jira as separate incidents if they’re the same credential.
• Act fast: Valid credentials are often exploited within hours of exposure. Rotation and revocation workflows should be automated where possible.
• Establish internal playbooks for handling secrets found in non-code environments, and assign clear ownership for remediation.

Demand More Productivity and Fewer Leaks From Collaboration Tools

Your team’s productivity stack is becoming your largest unmonitored attack surface.

It’s not just that secrets end up on these platforms; it’s that they’re shared in high-urgency situations, by a broader group of users, and with far fewer safeguards in place. From debugging to deployments to onboarding, secrets are copied, pasted, and forgotten in spaces never meant to secure them.

And attackers know it.