
2026 Gartner® Magic Quadrant™ for Software Supply Chain Security: 5 takeaways
The Magic Quadrant™ for Software Supply Chain Security is a 45-minute read. Here's what we feel security leaders need to pull from it.
Secrets management is the set of practices, policies, and tools that control how sensitive credentials are created, stored, distributed, rotated, and retired across software systems. In a security context, a secret is any piece of information that grants access to a protected resource: API keys, database passwords, cryptographic private keys, OAuth tokens, certificates, and SSH credentials.
Secrets management answers the question of how software components authenticate to each other securely, at scale, without hard-coding credentials into code that developers can read, commit, and accidentally publish.
The analogy
A hospital pharmacy holds controlled substances. Medications are not left on open shelves for anyone to take. Access is logged, quantities are tracked, every dispensing event requires authorization, and inventory is audited regularly. The pharmacy does not give out the master key to anyone who asks. Secrets management works the same way for software credentials.
Walk the analogy through:
Secrets become a supply chain problem the moment they leave the environment they were meant for. That happens more often than most organizations realize. Some examples:
Scale of the problem ReversingLabs identified over 40,000 leaked secrets across major open-source repositories in 2023, including API tokens, private keys, and service account credentials embedded inside published packages. Those secrets remain accessible in version history even after a corrective commit removes them from the current codebase. |
Practice | What it means in practice |
|---|---|
Never hardcode secrets | Secrets belong in a vault or injected at runtime through environment variables from a secrets manager. No credential should appear as a string literal in source code. |
Rotate secrets regularly | Automated rotation limits the window an attacker can exploit a stolen credential. Short-lived tokens (minutes to hours) are preferable to long-lived keys wherever the system supports them. |
Scan repositories and binaries | Automated scanning catches secrets before they are committed or distributed. Binary analysis surfaces secrets that made it past source code scanning by catching what is compiled into artifacts. |
Apply least privilege | A secret should grant access only to the specific resource the requesting system needs, with the minimum scope required. A build server credential should not grant production database access. |
Audit and monitor access | Log every secrets access event. Alert on anomalous patterns: unusual access times, unexpected source IPs, access to secrets the requesting system has never previously used. |
What counts as a secret in software security?
Any credential that grants access to a protected resource: API keys, database passwords, OAuth and session tokens, SSH private keys, TLS/SSL certificates and their private keys, cloud provider credentials, and encryption keys. Anything that proves identity or enables decryption is a secret that requires managed storage and controlled access.
Is it safe to store secrets in environment variables?
Environment variables are safer than hardcoded strings in source code, but they are not a secrets management solution. Environment variables are often logged, visible to other processes on the same host, and inherited by child processes. A dedicated secrets manager that injects credentials at runtime with short lifespans and access logging provides meaningfully stronger protection.
How do secrets end up inside compiled software?
Developers sometimes embed credentials during the build process: connection strings baked into configuration files that are bundled with the application, API keys passed as build-time arguments that get compiled into binary constants, or tokens included in Docker build steps that persist in container image layers. Binary analysis can detect these embedded secrets even when source code scanning does not.
What should an organization do when a secret is leaked?
Rotate the secret immediately. Treat the leaked credential as fully compromised from the moment it was exposed, not from the moment the leak was discovered. Investigate where the secret was used to determine whether unauthorized access occurred during the exposure window. Review how the leak happened and close the gap before issuing a replacement credential.

The Magic Quadrant™ for Software Supply Chain Security is a 45-minute read. Here's what we feel security leaders need to pull from it.

With a ‘vulnpocalypse’ expected, AppSec leaders are calling for the companies to invest in a Great Refactor Fund to secure open source.

SecOps leaders must tackle cost and risk to deliver autonomous vulnerability operations. But with frontier AI, it's critical.