Organizations that assume secrets protection is solely about scanning public repositories and codebases for API keys, passwords, and tokens may be overlooking a major blind spot.
Collaboration and project management platforms such as Slack, Jira, and Confluence have become high-risk zones for leaked credentials due to their widespread — and largely unmonitored — use in enterprise environments. And a recent study by GitGuardian found that the secrets exposed in these systems are frequently more critical and harder to detect than those found in source code.
Because these platforms lack integrated scanning capabilities, third-party products and awareness training are the best options for mitigating the threat. Here's what you need to know.
Secrets leaks are up, and expanding
GitGuardian’s analysis of millions of repositories revealed a substantial — though not entirely unexpected — increase in newly leaked secrets within public GitHub commits in 2024. The company's researchers uncovered a startling 23,770,171 hardcoded secrets in their sample, representing a 25% rise from 2023.
The increase in secrets exposures aligned with a broader trend GitGuardian has been tracking for years: steady growth of the accidental exposure of sensitive credentials in public code. More than one-third (35%) of private repositories in the study contained at least one plaintext secret.
For the second year in a row, GitGuardian's researchers also observed an increase in secrets exposed in collaboration and project management tools such as Slack, Jira, and Confluence. And 38% of the secrets the company uncovered in these tools were critical or urgent, compared to just 31% in source code management tools.
GitGuardian said in a blog post that summarized the results of its research:
"The reality is that secrets are leaking in every tool your team touches, not just code and CI/CD platforms but across your full digital workspace. Messaging apps, ticketing systems, internal wikis, and even container registries are now active battlegrounds for credential exposure."
The big leakers exposed
Jira, Atlassian’s project management tool, had the highest risk rate, with 6.1% of all Jira tickets analyzed by GitGuardian containing at least one secret. GitGuardian attributed this high incidence to the common practice among developers of sharing sensitive credentials in tickets, likely for troubleshooting purposes.
Slack was another major concern, with secrets frequently shared in real time through messages. And while less common, secrets also appeared in Confluence documents often enough to warrant concern.
James McQuiggan, security awareness advocate at KnowBe4, said that the risk from collaboration tools is higher than typically seen in the codebase, primarily because of the relative sensitivity of the secrets.
"Secrets in Slack and Jira are often more critical because they come from operational workflows and are the most common tools used in project management."
—James McQuiggan
For example, a Jira ticket might contain a production database password, and a Slack message might include an admin API key for a critical integration. Exposed API keys, credentials, or tokens can give bad actors direct access to internal systems, which they can then use to escalate privileges, move laterally, and carry out other malicious actions.
Some of the secrets GitGuardian uncovered granted access to enterprise databases, AWS infrastructure, GitHub Enterprise, and artifact storage systems. "These tools capture credentials shared in urgency like tokens, keys, and passwords, usually embedded in tickets, chats, or documentation and often tied to privileged systems or third-party services," McQuiggan said.
Tools have a major blind spot
What makes matters worse is that most widely used project management and collaboration platforms lack built-in mechanisms for detecting and removing secrets — a safeguard that many source code management systems provide.
Additionally, the secrets GitGuardian found in these collaboration tools often took forms rarely seen in code, such as full SSH private keys pasted into Slack messages, which makes them harder to catch with standard scanning tools built for source code.
Ensar Seker, CISO at SOCRadar, said platforms such as Slack, Jira, and Confluence have evolved from simple productivity tools into core components of the modern software development lifecycle. What makes these platforms so risky is their informality and ubiquity, Seker said.
"[While] they’ve accelerated collaboration, they’ve also introduced new blind spots for security teams, especially around secrets management. Teams often share API keys, credentials, internal tokens, and configuration details in real time during troubleshooting or incident response."
—Ensar Seker
Unlike secrets in source code, secrets in collaboration and productivity tools are live, shared across roles, and often untracked. They tend to be environment-specific, privileged, actively in use, and not stale or deprecated. Often, developers share the secrets with multiple people, Seker said. And security tools are frequently optimized for code repositories, not communication platforms — and that leaves a coverage gap.
"Security teams must now defend two parallel channels: structured, scanned codebases and unstructured, dynamic collaboration streams."
—Ensar Seker
Third-party tools for real-time secrets detection
Unfortunately, many of the tools that developers rely on for collaboration, such as chat, project tracking, and documentation platforms, lack built-in capabilities to detect and alert on exposed API keys, passwords, tokens, and other secrets.
Some platforms, such as Microsoft Purview for Teams and SharePoint, offer basic data loss prevention (DLP) features. But these tools often lack the automated scanning, real-time alerting, and automated policy enforcement needed to mitigate secrets exposure via collaboration platforms, said Rom Carmel, co-founder and CEO at Apono.
"The unstructured nature of secrets in collaboration tools makes them harder to detect with traditional scanning methods."
—Rom Carmel
To close the gap, organizations should consider using third-party secrets-scanning tools, DLP products, and automated mechanisms for enforcing security policies on collaboration platforms, Carmel said.
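To make the gap concrete, here is an added example (not GitGuardian's scanner, nor any vendor's product) of what such a scanner has to do when pointed at collaboration text instead of code: match the well-known prefixed formats (AWS access key IDs, GitHub and Slack tokens, PEM private-key headers, credentials embedded in connection URLs) and then fall back to a keyword-plus-entropy heuristic for the unstructured "password: ..." pastes that Jira tickets and Slack messages are full of. The sample messages, ticket IDs, and channel names are constructed for the example; the AWS key is the example value from AWS's own documentation, and every other value is fake.

```python
"""Minimal secrets scanner for Slack/Jira/Confluence text (added example, not vendor code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Prefix-based detectors for well-known secret formats. Group 1 is the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack_token": re.compile(r"\b(xox[abprs]-[0-9A-Za-z-]{10,})\b"),
    # The header line alone is enough to flag a pasted key, even if the paste is truncated.
    "private_key_block": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    # scheme://user:password@host - common in tickets and runbooks; group 1 is the password.
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"),
}

# Generic detector: a credential-ish keyword (optionally suffixed, e.g. AWS_SECRET_ACCESS_KEY)
# followed by ':' or '=' and a value of 8+ non-space characters. The entropy check in
# scan_text() drops obvious placeholders such as changeme_changeme.
KEYWORD_ASSIGN = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)


@dataclass(frozen=True)
class Finding:
    source: str    # where the text came from, e.g. "jira:OPS-1421"
    kind: str
    redacted: str  # never carry the full secret into alerts or logs


def shannon_entropy(s: str) -> float:
    """Bits per character: roughly 4.5+ for random tokens, 3 or less for dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can identify the credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(source: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    seen: set[str] = set()  # dedupe by value so a token is not reported twice
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1)
            if secret not in seen:
                seen.add(secret)
                findings.append(Finding(source, kind, redact(secret)))
    for m in KEYWORD_ASSIGN.finditer(text):
        secret = m.group(2)
        if secret not in seen and shannon_entropy(secret) >= entropy_threshold:
            seen.add(secret)
            findings.append(Finding(source, "generic_credential", redact(secret)))
    return findings


def scan_messages(messages: dict[str, str]) -> list[Finding]:
    """Scan an export of {source_id: text}, as a Slack/Jira/Confluence connector would feed it."""
    return [f for source, text in messages.items() for f in scan_text(source, text)]


# Constructed sample export. All values are fake; the AWS key is AWS's documented example.
SAMPLE_MESSAGES = {
    "jira:OPS-1421": (
        "Repro: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY then run terraform plan"
    ),
    "slack:#ops-incident": "@here rotated the bot, new token: xoxb-1234567890-ABCDEFGHIJKLMNOPQRSTUV",
    "slack:dm": (
        "deploy key for the runner:\n-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----"
    ),
    "confluence:runbook": "Connect with psql postgresql://app_rw:S3cr3t-Pr0d-Pa55@db-prod.internal:5432/orders",
    # Benign: the word "password" without an assignment, and a low-entropy placeholder value.
    "slack:#dev": "Deployed v2.3.1 to staging; password reset flow works. Set API_KEY=changeme_changeme in .env.example",
}

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding.source:22} {finding.kind:22} {finding.redacted}")
```

Two design points carry over to any real deployment: findings hold only a redacted value, because an alert channel that echoes the full secret just creates a second leak, and the generic detector is gated on entropy, because "password:" followed by a placeholder is the most common false positive in ticket text. The Slack token is reported once even though both the prefix detector and the keyword detector match it.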
Atlassian's "Security in Jira" feature allows users to tap security tools to centralize vulnerability management and potentially look for secrets within Jira. Carmel said such integration is very helpful.
"Collaboration platform providers should [also] integrate advanced security features, collaborate with third-party security tools, offer training resources, and implement automatic leak prevention measures to help organizations safeguard sensitive credentials."
—Rom Carmel
Developer awareness and training are essential
Secrets exposure in software environments often stems from a lack of awareness and training among developers. Many work under tight delivery deadlines and unknowingly hardcode passwords, API keys, tokens, and other sensitive data into code that they later commit to public repositories. KnowBe4's McQuiggan said training and proper awareness of the exposure threat are essential for software development teams.
"People don't leak secrets out of malicious intent. Organizations should educate their users to help them understand the risk, provide and demonstrate alternatives, and reinforce secure behaviors."
—James McQuiggan
Development teams need to understand that Slack isn’t a vault and Jira isn’t a secure notes app, said SOCRadar's Seker. The best technology in the world won’t help if developers, DevOps, and support engineers don’t understand the risks of casually sharing credentials. "That means continuous, contextual education, ideally using real examples from red team simulations or past incidents," he said.
Native support for secrets scanning is needed
Jason Soroko, senior fellow at Sectigo, said collaboration platform providers can play their part by integrating native capabilities for scanning and alerting on secrets. They should also offer settings that let organizations tighten security and lock down API integrations. "Enhancing platform security in this manner is essential to counter the expanding risk tied to growing enterprise use," Soroko said.
Slack, Atlassian, and other vendors of collaboration and productivity platforms must recognize that they are now part of the enterprise threat surface, said Seker. And with that comes a responsibility to support security as a first-class feature.
"We’re well past the point where ‘DevSecOps’ only covers source code. Today, it’s about ‘CollabSecOps’ — securing the full spectrum of developer and IT collaboration tools — because that’s where modern software and modern risk lives."
—Ensar Seker