The Hidden Breach: Secrets Leaked Outside the Codebase Pose a Serious Threat

Secrets aren't just in code. Recent reports show major leaks in collaboration tools like Slack, Jira, and Confluence. Here’s what security teams need to know.

By Dwayne McDaniel · Apr. 17, 25 · Analysis

When it comes to secrets scanning, most people immediately think about source code repositories on platforms like GitHub, GitLab, and Bitbucket. While the codebase is a source you absolutely should monitor, it is only one part of the overall secrets security story.

Indeed, secrets leaking in code are a major concern. GitGuardian’s 2025 State of Secrets Sprawl Report shows the scale of this issue surging dramatically: in 2024 alone, over 23.7 million new hardcoded secrets were added to public GitHub repositories, a 25% increase from the year before. And that’s just GitHub.

However, that is not the full story. The report also shows that many of today’s critical secrets exposures are not in your code; they’re in your collaboration tools. Platforms like Slack, Jira, Confluence, and other project management and productivity tools have become high-risk zones for leaked credentials. Even worse, secrets found in these systems are more likely to be critical, harder to detect, and almost entirely distinct from the plaintext credentials found in source code.

Secrets Are Sprawling Everywhere Work Happens

In a traditional security mindset, secrets management begins and ends in the repository. Once your team has adopted a vault solution and you are scanning the code and CI/CD pipelines, you are well on your way to secrets management maturity.

If you have gotten your developers to standardize on prevention tools like pre-commit git scanning or embedded tools in their favorite code editor, you have achieved a major milestone towards better secrets security.  

The reality is that secrets are leaking in every tool your team touches, not just code and CI/CD platforms but across your full digital workspace. Messaging apps, ticketing systems, internal wikis, and even container registries are now active battlegrounds for credential exposure.

In our 2025 State of Secrets Sprawl Report, we found that:

  • 38% of secrets found in collaboration tools were classified as critical or urgent, compared to 31% in source code.
  • Only 7% of secrets overlap between SCM (Source Code Management) and collaboration tools; these are mostly entirely separate exposures.

Venn diagram showing 7% overlap of secrets in code are also in collaboration tools

That last fact is extremely alarming: it suggests that these secrets may be properly stored elsewhere but are being copied in plaintext into workflow tools outside the codebase. Let's take a closer look at which systems are involved.

Messaging Platforms: Slack and Microsoft Teams

Chat is fast. Chat is informal. And that’s exactly why it’s dangerous. Slack continues to be one of the most notorious hotspots for secrets leakage, especially in real-time incidents, engineering huddles, or postmortems. But it's not alone anymore. Microsoft Teams, now a core platform in many enterprise environments, faces the same risks.

Developers often share quick-fix credentials to help teammates debug without thinking through what happens if they get breached. Too often, once service accounts or API tokens are posted in threads, they are completely forgotten, yet these threads remain persistent in enterprise environments for years. Message history is retained indefinitely in many orgs, exposing secrets that are sometimes never rotated.

Security teams often lack access or scanning capabilities in these messaging ecosystems. And unlike code repos, there's no concept of pull requests or reviews, just a never-ending stream of text, files, and unmonitored links.

Ticketing Systems: Jira and ServiceNow

While Jira has long been a central planning platform for many dev teams, ServiceNow is quickly emerging as a critical risk vector — particularly in IT operations, security, and support workflows.

In both systems, secrets surface when support teams paste credentials to reproduce bugs or assist customers. Engineers all too often attach logs containing sensitive headers or tokens, which makes sense on the surface, as teams race to find root causes and fight fires, but the trail of secrets they leave behind is a nightmare waiting to happen.

Both platforms are often perceived as “internal only” or “safe,” but history shows otherwise. Tickets are overlooked in access audits, are difficult to monitor at scale, and become long-term repositories for forgotten secrets.

In fact, 6.1% of Jira tickets analyzed in the study contained secrets, many of which were still valid at the time of detection.

ServiceNow presents similar risks, especially due to its heavy integration with automation workflows and non-technical users who may not recognize a secret when they see one.

Documentation Platforms: Confluence

Confluence remains a critical part of the modern collaboration stack, providing a quick and easy way for everyone to document their knowledge in a searchable and centralized platform. Unfortunately, if teams are also placing their plaintext credentials in their internal wiki, it becomes a major liability.

It’s a common place to find environment configuration guides with real secrets embedded. It is easy to add architecture diagrams that include access tokens or database connection strings for convenience. For teams that are rapidly expanding or folding in new members due to an acquisition, onboarding documentation might contain credentials “just to get people up and running.” 

These documents are persistent, rarely updated, and often overlooked in security reviews. Once a secret lands in a Confluence page, it’s indexed, searchable, and available to anyone with access permissions, which are often broad by default. If an attacker gains access, secrets are the first thing they will look for.


Why Collaboration Tools Are So Dangerous for Secrets

There are three key reasons collaboration platforms are especially dangerous environments for secret sprawl:

1. They Weren’t Built With Secrets in Mind

These tools prioritize productivity and speed, not secure information handling. Unlike source control management platforms, tools like Slack or Jira lack any native secrets scanning, access scoping, or pre-submit protections. While pre-commit scanning can be automated in a developer workflow, preventing someone from pasting a plaintext credential into a text field in a ticket or chat window is all but impossible.

2. Too Many Hands, Too Little Awareness

Secrets don’t just leak from developers. Product managers, support staff, QA engineers, and basically everyone else with access can unknowingly paste sensitive credentials into a ticket or thread. Once posted, those secrets can live forever, buried in the backlog.

3. No Effective Lifecycle for What Gets Shared

In a codebase, a hardcoded secret can be flagged, rotated, and replaced. In Slack? That secret may be reposted across multiple channels, shared in screenshots, or even pinned. It’s invisible to most traditional secrets detection tools and completely outside normal code review workflows.

The False Sense of Security in Private Spaces

One of the most dangerous assumptions organizations make is believing that because a space is private, it’s secure. But private Jira tickets, internal Slack channels, and restricted Confluence spaces are not immune to compromise. Phishing attacks, token theft, and lateral movement can give attackers access to internal tools, where secrets are just sitting there, often unmonitored.

In GitGuardian’s analysis, private repositories were 8x more likely to contain secrets than public ones. The same trend holds true across productivity tools. People behave more carelessly in private spaces, assuming obscurity equals security.

How to Handle Secrets Leaks Outside of Code

As with everything else in security, the solution requires that we align people, processes, and tools. This starts with awareness. Even reading this article is a step in the right direction. Making sure your team is aware of the dangers is a very positive first step toward eliminating the problems before they start.

However, awareness alone is not the solution. The playbook for addressing this challenge also involves:

  • Deploy real-time secrets detection across Slack, Jira, and Confluence using tools that are purpose-built for collaboration platforms.
  • Consolidate alerts across systems: don’t treat a secret in Slack and the same secret in Jira as separate incidents if they’re the same credential.
  • Act fast: valid credentials are often exploited within hours of exposure. Rotation and revocation workflows should be automated where possible.
  • Establish internal playbooks for handling secrets found in non-code environments, and assign clear ownership for remediation.
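To make the "consolidate alerts" step and the SCM/collaboration overlap figure above concrete, here is an added example (not code from the original article or from GitGuardian): it scans constructed Slack, Jira, Confluence and git items with a few hypothetical detector patterns, fingerprints each secret so the raw value is never stored or logged, merges sightings of the same credential into one incident, and computes the share of secrets seen in both SCM and collaboration tools. All token values are fake placeholders.

```python
import hashlib
import re

# Hypothetical detector patterns (illustrative, not a production ruleset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@\S+"),
}
COLLAB_SOURCES = {"slack", "jira", "confluence", "teams", "servicenow"}
SCM_SOURCES = {"git"}

# Constructed sample items as (source, location, text); every value is fake.
SAMPLE_ITEMS = [
    ("slack", "#incident-42", "prod key for repro: AKIAEXAMPLE000000001 (pls delete)"),
    ("jira", "OPS-118", "curl -H 'Authorization: Bearer ghp_EXAMPLEtoken" + "0" * 24 + "'"),
    ("confluence", "Onboarding/DB", "dsn: postgres://svc:Passw0rd!@db.internal:5432/app"),
    ("jira", "OPS-119", "same key again: AKIAEXAMPLE000000001"),
    ("git", "repo/config.yml", "aws_key: AKIAEXAMPLE000000001"),
    ("git", "repo/old.env", "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000002"),
]

def find_secrets(text):
    """Return (kind, value) pairs for every pattern match in the text."""
    return [(kind, m.group(0)) for kind, rx in PATTERNS.items() for m in rx.finditer(text)]

def fingerprint(value):
    """Stable, non-reversible id so the raw secret never has to be stored or logged."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def mask(value):
    return value[:4] + "***" + value[-2:]

def consolidate(items):
    """One incident per unique secret, listing every system and location it was seen in."""
    incidents = {}
    for source, location, text in items:
        for kind, value in find_secrets(text):
            inc = incidents.setdefault(fingerprint(value), {"kind": kind, "masked": mask(value),
                                                             "sources": set(), "locations": []})
            inc["sources"].add(source)
            inc["locations"].append((source, location))
    return incidents

def overlap_ratio(incidents):
    """Share of secrets seen in both SCM and collaboration tools (the report's 7% metric)."""
    if not incidents:
        return 0.0
    both = sum(1 for i in incidents.values() if i["sources"] & SCM_SOURCES and i["sources"] & COLLAB_SOURCES)
    return both / len(incidents)

if __name__ == "__main__":
    found = consolidate(SAMPLE_ITEMS)
    for fp, inc in found.items():
        print(fp, inc["kind"], inc["masked"], sorted(inc["sources"]), len(inc["locations"]), "sightings")
    print(f"SCM/collab overlap: {overlap_ratio(found):.0%}")
```

On the sample data the AWS key pasted in Slack and two Jira tickets collapses into a single incident with three sightings, which is the one rotation ticket a responder should actually receive.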

Demand More Productivity and Fewer Leaks From Collaboration Tools

Your team’s productivity stack is becoming your largest unmonitored attack surface.

It’s not just that secrets end up on these platforms; it’s that they’re shared in high-urgency situations, by a broader group of users, and with far fewer safeguards in place. From debugging to deployments to onboarding, secrets are copied, pasted, and forgotten in spaces never meant to secure them.

And attackers know it.


Published at DZone with permission of Dwayne McDaniel. See the original article here.
