blog.gitguardian.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-04.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-05-04 | Local Guardrails for Secrets Security in the Age of AI Coding Assistants (Tags: AI, Secrets, Supply Chain) | Library for local secret scanning, ggshield, addresses the shift of software supply chain attack surfaces to developer workstations. It detects hardcoded credentials in .env files, terminal history, build output, and AI prompts, mitigating risks before they reach remote repositories or pipelines. The tool integrates directly into developer workflows via editors, Git hooks, terminals, and AI coding assistants, preventing credential exposure and simplifying incident response. |
| 2026-04-23 | No Off Season: Three Supply Chain Campaigns Hit npm PyPI and Docker Hub in 48 Hours (Tags: Supply Chain) | Analysis of three recent supply chain campaigns targeting npm, PyPI, and Docker Hub, including Checkmarx KICS, CanisterSprawl (pgserve, Namastex.ai), and xinference, highlights the consistent objective of stealing developer secrets like API keys and cloud credentials. These attacks, attributed in part to threat actor TeamPCP, demonstrate sophisticated evasion techniques and cross-ecosystem propagation. |
| 2026-04-22 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 (Tags: Secrets) | Library for detecting and preventing non-human identity (NHI) security risks, specifically addressing hardcoded API keys, overprivileged service accounts, stale OAuth tokens, and misconfigured workload identities. It offers comprehensive discovery, exposure detection across git history and CI/CD pipelines, lifecycle management, authorization and least privilege enforcement, and governance features to aid compliance with standards like SOC 2 and ISO 27001. This tool targets large DevSecOps organizations to secure complex, multi-cloud, and ephemeral workloads. |
| 2026-04-22 | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks (Tags: Secrets) | Report detailing GitGuardian's findings on secrets sprawl, highlighting an 81% surge in AI-service leaks and a 34% YoY increase in newly leaked secrets on GitHub due to AI adoption. The analysis covers increased risk from AI-assisted commits, emerging MCP configuration risks, expanded attack surfaces via collaboration tools and developer machines, and challenges in prioritizing and remediating long-lived secrets, underscoring the need for dedicated Non-Human Identity governance. |
| 2026-04-19 | Shai-Hulud: A Persistent Secret Leaking Campaign — GitGuardian (Tags: Supply Chain) | Analysis of the Shai-Hulud campaign details a persistent supply chain attack targeting NPM packages like @ctrl/tinycolor, using malicious GitHub Actions to exfiltrate secrets from local environments and repositories. Similar to the s1ngularity and GhostActions campaigns, this attack injects compromised workflows to steal credentials, including GitHub tokens, NPM tokens, and AWS Keys. GitGuardian's HasMySecretLeaked service allows developers to check for compromised secrets without exposing their values. |
| 2026-04-16 | Supply Chain Security: Sigstore and Cosign - GitGuardian (Tags: Supply Chain) | Library for signing and verifying container images using Sigstore's Cosign. This resource details Sigstore, a suite of tools designed to secure software supply chains by ensuring software integrity. It focuses on Cosign, a tool for signing artifacts within OCI registries, utilizing features like hardware and KMS signing, and integration with Kubernetes Secrets. The library allows users to generate key pairs, sign images by digest, and verify signatures against a provided public key, addressing the challenges of managing and integrating cryptographic signing into CI/CD workflows. |
| 2026-04-15 | The Future Of GitHub Actions Security And What You Can Do Right Now (Tags: Supply Chain) | Library for securing GitHub Actions, focusing on proactive measures and current realities. It addresses GitHub's evolving roadmap toward deterministic workflow dependencies, centralized execution policy, and tighter secret scoping. The library helps organizations manage the immediate risks of scattered secrets and compromised automation layers, providing visibility, detection, and remediation for existing environments before platform-level controls are fully implemented. |
| 2026-04-11 | The Nx s1ngularity Attack: Inside the Credential Leak (Tags: Supply Chain) | Tool for scanning local environments for compromise from the Nx s1ngularity supply chain attack. It detects leaked credentials, including GitHub tokens, npm keys, SSH private keys, API keys, and cryptocurrency wallet files, and checks for exploitation of LLM client configuration files for tools like Claude and Gemini. The tool also provides a privacy-preserving service to check if specific secrets were exfiltrated. |
| 2026-04-11 | Terraform Secrets Management Best Practices (Tags: Secrets) | Library for managing secrets within Terraform configurations. It highlights best practices such as avoiding hard-coded secrets, leveraging secrets managers like AWS Secrets Manager, and utilizing the `sensitive` flag for outputs. The library also details how Terraform states and plans can expose sensitive data and introduces ephemeral resources as a mechanism to fetch secrets without persisting them in the state file. |
| 2026-04-11 | 2,622 Valid Certificates Exposed: Google-GitGuardian Study (Tags: Secrets) | Survey of X.509 certificate leaks mapping over 40,000 private keys to TLS certificates, revealing 2,600 valid certificates at risk. The GitGuardian and Google study highlights a critical misunderstanding of private key risks, with many organizations failing to revoke exposed certificates after disclosure campaigns. Techniques used included Certificate Transparency log analysis and OSINT for attribution, uncovering systemic failures in key management and revocation processes across Fortune 500 companies, healthcare providers, and government agencies. |
| 2026-04-10 | Renovate & Dependabot: The new Malware Delivery System (Tags: Supply Chain) | Library analyzing how automated dependency updaters like Renovate and Dependabot can inadvertently accelerate malware distribution in supply chain attacks. It details how these tools, designed for efficiency, can bypass security scrutiny by automatically merging malicious package updates, as seen with the Axios and trivy-action compromises. The entry highlights the implicit trust afforded to bot-generated pull requests and their potential to introduce malware rapidly, even into CI/CD pipelines through workflow modifications. |
| 2026-04-10 | The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% (Tags: Secrets) | Report detailing the surge in hardcoded secrets on public GitHub, with AI service leaks increasing 81% and LLM infrastructure leaking 5x faster than core model providers. The analysis highlights insecure patterns in MCP configuration guides, the significant risk of secrets in internal repositories and collaboration tools like Slack and Jira, and the expanding attack surface of developer workstations and CI/CD runners due to AI agents. It also emphasizes the persistent issue of un-remediated valid secrets and the critical need for robust Non-Human Identity (NHI) governance. |
| 2026-04-10 | Protecting Your Software Supply Chain: Typosquatting and Dependency Confusion (Tags: Supply Chain) | Library detailing typosquatting and dependency confusion attacks on software supply chains. These attacks exploit developers' typographical errors when downloading packages from registries like npm and PyPI, or through compromised dependencies. Real-world examples such as the Codecov and Event Stream breaches highlight how attackers infiltrate systems by mimicking legitimate packages, leading to data breaches, system compromises, and reputational damage. The library provides insights for engineering managers and security practitioners to protect their infrastructure from these evolving threats. |
| 2026-04-10 | The State of Secrets Sprawl 2025 (Tags: Secrets) | Report on the State of Secrets Sprawl 2025 details a significant increase in leaked secrets, with 23.8 million found on public GitHub in 2024, a 25% rise. Generic secrets comprise 58% of leaks, and a troubling 70% of secrets from 2022 remain active, expanding the attack surface. The report highlights that 35% of private repositories also contain secrets, including AWS IAM keys and hardcoded passwords, and secrets are prevalent across the SDLC in tools like Jira and Slack. The U.S. Treasury Department's BeyondTrust breach illustrates the real-world impact of exposed credentials. |
| 2026-04-03 | Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks (Tags: Secrets) | Library for detecting and preventing secret leaks in code, offering continuous scanning, broad detector coverage for AWS, GCP, Azure, and internal tokens, and integration with GitHub, GitLab, and Slack. It utilizes pattern matching, entropy detection, and context-aware validation, with machine learning to reduce false positives and dedicated remediation workflows to address detected issues across the software development lifecycle. |