A TruffleHog-powered open source scan by security engineer Luke Marshall uncovered more than 17,000 live secrets inside public GitLab repositories.
An open source scanning initiative has exposed 17,430 verified live secrets across 5.6 million public GitLab Cloud repositories, marking one of the largest credential leaks tied to open repositories. The findings spanned 2,804 unique domains and showed that GitLab’s secret density is 35% higher than Bitbucket’s, with nearly three times as many live secrets.
The research was led by security engineer Luke Marshall, who used TruffleHog, the open-source secret-scanning tool, to conduct the sweep. Marshall enumerated every public GitLab Cloud repository through a GitLab public API endpoint, supported by a custom Python script for pagination and project sorting. This process identified 5.6 million non-duplicate repositories, whose names were relayed to AWS Simple Queue Service (SQS) for automated scanning.
An AWS Lambda function pulled each entry from SQS and ran TruffleHog at scale. Marshall explained: “Each Lambda invocation executed a simple TruffleHog scan command with concurrency set to 1000.”
According to him, “This setup allowed me to complete the scan of 5,600,000 repositories in just over 24 hours.” The entire operation cost $770.
The exposed secrets included more than 5,200 Google Cloud Platform credentials, followed by MongoDB keys, Telegram bot tokens, OpenAI keys, and 400+ GitLab keys. Most leaked secrets dated from 2018 or later, though some still-valid secrets dated back to 2009.
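The enumerate-queue-scan pipeline described above, and the per-detector rollup of verified findings, as an added example that is not Marshall's code: it is scoped to a single GitLab group so an organisation can sweep its own repositories for live secrets before anyone else does. The API path, the X-Next-Page header and the TruffleHog flags are assumptions taken from the public GitLab and TruffleHog documentation; the HTTP client and queue client are left to the caller so the module runs offline.

```python
import json
from collections import Counter
from collections.abc import Callable, Iterator

# Assumed base URL. GitLab's REST API reports the next page of a paginated
# listing in the X-Next-Page response header (empty on the last page).
GITLAB_API = "https://gitlab.com/api/v4"

def iter_group_projects(fetch: Callable[[str], tuple[list[dict], dict]], group_id: str) -> Iterator[dict]:
    """Enumerate every project in a group (subgroups included), following
    X-Next-Page and deduplicating by project id as the article's sweep did."""
    base = f"{GITLAB_API}/groups/{group_id}/projects"
    page, seen = "1", set()
    while page:
        items, headers = fetch(f"{base}?include_subgroups=true&per_page=100&order_by=id&sort=asc&page={page}")
        for project in items:
            if project["id"] not in seen:  # listings can shift between pages
                seen.add(project["id"])
                yield project
        page = headers.get("X-Next-Page", "")

def queue_message(project: dict) -> str:
    """Body handed to the work queue (SQS in the article): one repository per message."""
    return json.dumps({"id": project["id"], "url": project["http_url_to_repo"]})

def trufflehog_command(clone_url: str, concurrency: int = 1000) -> list[str]:
    """Per-repository scan command each worker runs; --only-verified keeps only
    secrets TruffleHog confirmed live, --json emits one finding per line."""
    return ["trufflehog", "git", clone_url, "--only-verified", "--json", f"--concurrency={concurrency}"]

def summarize_findings(jsonl: str) -> Counter:
    """Count verified findings per detector from TruffleHog's JSON-lines output,
    the per-service rollup the article reports. DetectorName and Verified are
    the field names TruffleHog v3 emits."""
    counts: Counter = Counter()
    for line in filter(None, jsonl.splitlines()):
        finding = json.loads(line)
        if finding.get("Verified"):
            counts[finding.get("DetectorName", "unknown")] += 1
    return counts

# Constructed sample of scanner output (no real secrets) for an offline run.
SAMPLE_OUTPUT = "\n".join(json.dumps(f) for f in [
    {"DetectorName": "GCP", "Verified": True, "Raw": "<redacted>"},
    {"DetectorName": "GCP", "Verified": True, "Raw": "<redacted>"},
    {"DetectorName": "MongoDB", "Verified": False, "Raw": "<redacted>"},
    {"DetectorName": "Gitlab", "Verified": True, "Raw": "<redacted>"},
])
```

A real run replaces `fetch` with an authenticated `requests.get` wrapper and feeds `queue_message` bodies to SQS; the worker then executes `trufflehog_command` and pipes its stdout into `summarize_findings`.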
Marshall used automated workflows, Claude Sonnet 3.7, and custom scripts for large-scale notifications. Many organisations revoked compromised keys, though some remain exposed. His efforts also yielded $9,000 in bug bounties.
The incident highlights how open-source tools and open repositories amplify both innovation and security risk.