Every developer has been there: moving fast, pushing code, and realizing later that a credential made its way into a repo. It’s a common mistake, and with the rise of AI-assisted coding, it’s happening more often than security engineers would like.
And it is widespread: Wiz Threat Research found that 61% of organizations have public repositories containing cloud API keys or access tokens. These aren’t rare edge cases; they’re everyday realities of building software at speed.
Many organizations already scan for secrets, but the tooling is fragmented. Code scanners, vaults, and cloud workload tools each address part of the problem in isolation. The result is noise, blind spots, and recurring leaks.
Wiz brings it all together. By combining blast radius context, ownership intelligence, and actionable, AI-powered fixes, Wiz helps security and development teams detect, prioritize, remediate, and prevent secrets exposure across the entire SDLC.
Secrets exposure in the age of AI
In 2025, the problem is accelerating. AI and LLMs have supercharged software production, increasing the total lines of code, and with them the potential for secrets to be embedded or replicated, more than ever before.
Secrets now live in code repositories, CI/CD pipelines, cloud storage, SaaS tools, vaults, and unstructured data. AI-assisted development is also multiplying the challenge:
LLMs trained on large public datasets can unintentionally leak secrets across boundaries, resurfacing credentials they ingested from one company’s public repo into another company’s codebase.
AI copilots scoped to private repos can pick up hardcoded secrets hidden in .env files, test directories, or old configs and reinsert them into unrelated files in the same codebase, spreading exposure internally.
More lines of code mean more chances for exposure, turning detection into a needle-in-a-haystack challenge.
Wiz for end-to-end secrets protection
Wiz addresses this by combining broad and deep coverage. It detects hundreds of types of secrets and credentials, scanning the full Git history from the first commit to every branch, as well as all new pull requests and container images.
It goes beyond code to cover cloud resources like S3 buckets, container registries, and managed databases, plus SaaS platforms such as Snowflake, Office 365, and more soon.
Wiz also helps secure built-in cloud secrets stores by detecting misconfigurations like missing rotation lifecycles, monitoring audit logs, and flagging suspicious activity like attempts to pull all secrets in one call.
All of this rolls up into a single view across IDE, repo, pipeline, cloud, and runtime, making secrets sprawl visible and measurable for the first time.
From noisy alerts to real risks
Traditional code scanners rely heavily on regex or entropy checks, flagging anything that looks like a secret regardless of whether it’s valid. The result: endless false positives, expired keys, and test credentials that waste time and erode trust. Real risks get buried in the noise, especially when these scanners are run on the entire Git history.
Wiz filters out the noise before it reaches your backlog. Pattern-based matching finds known secret types, while AI-powered generic detection catches the ones that don’t follow standard formats. A built-in validation engine calls providers like GitHub, OpenAI, Stripe, and others to confirm whether a secret is active, expired, or revoked.
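The three-stage pipeline described above (known-format patterns, a generic high-entropy fallback, then validation against the issuing provider) can be sketched in a few dozen lines. The following is an added example written for this page, not Wiz code: it uses two publicly documented token formats (the AWS access key ID prefix `AKIA` and the GitHub personal access token prefix `ghp_`), a Shannon-entropy threshold chosen for the example, and a hypothetical offline validator in place of a real provider call. All sample values are constructed and are not real credentials.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Two well-known, publicly documented token formats. A real scanner ships
# hundreds of these; two are enough to show the mechanism.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic fallback: any quoted token of 20+ characters drawn from a
# base64/hex-style alphabet. Entropy then separates real secrets from
# placeholders. The threshold is a tuning knob chosen for this example.
GENERIC_TOKEN = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character


@dataclass
class Finding:
    kind: str
    value: str
    line_no: int
    status: str = "unknown"  # "unknown" | "valid" | "invalid"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    """Stage 1: known formats. Stage 2: generic high-entropy tokens that were
    not already reported by a known pattern."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        known_spans = []
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(kind, m.group(0), line_no))
                known_spans.append(m.span())
        for m in GENERIC_TOKEN.finditer(line):
            start, end = m.span(1)
            if any(s <= start and end <= e for s, e in known_spans):
                continue  # already attributed to a known pattern
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding("generic_high_entropy", token, line_no))
    return findings


# A validator asks the issuing provider whether the credential is live.
# Returns True (valid), False (revoked/expired) or None (could not tell).
Validator = Callable[[Finding], Optional[bool]]


def validate(findings: list[Finding], validators: dict[str, Validator]) -> list[Finding]:
    """Stage 3: mark each finding valid/invalid using a per-kind validator.
    Kinds without a validator keep status "unknown"."""
    for f in findings:
        check = validators.get(f.kind)
        if check is None:
            continue
        result = check(f)
        if result is True:
            f.status = "valid"
        elif result is False:
            f.status = "invalid"
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
placeholder = "xxxxxxxxxxxxxxxxxxxxxxxx"
token = "ghp_0123456789abcdefABCDEF0123456789abcd"
api_secret = "q8Zt3LpV9xW2mK7nR4sY6bH1cJ5dF0gA"
"""


def offline_aws_validator(f: Finding) -> Optional[bool]:
    """Hypothetical stand-in for a provider call: treats documentation-style
    keys as revoked. A real validator would query the provider's API."""
    return False if "EXAMPLE" in f.value else None


if __name__ == "__main__":
    for f in validate(scan_text(SAMPLE), {"aws_access_key_id": offline_aws_validator}):
        print(f"line {f.line_no}: {f.kind} ({f.status})")
```

Running it reports three findings: the AWS key (marked invalid by the stand-in validator), the GitHub token (no validator, so it stays unknown) and the 32-character `api_secret`, whose entropy of 5.0 bits per character clears the threshold. The 24-character placeholder on line 2 matches the generic regex but has zero entropy and is dropped, which is the noise-reduction step the paragraph describes.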
The Wiz Security Graph contextualizes the secret findings and prioritizes them based on their blast radius, factoring in attack paths, lateral movement potential, and identity insights.
Secrets as a supply chain risk
When secrets are exposed in CI/CD systems or SaaS integrations, the consequences can be immediate. They can be used to inject malicious code, pivot into production systems, or exfiltrate sensitive data.
We’ve seen it happen time and time again. In one case, AWS keys exposed in GitLab were used to exfiltrate 6TB of data from S3 buckets. In another case, where the Kong Ingress Controller open-source project was compromised, attackers exfiltrated pipeline secrets in a 'Dependabot confusion attack'.
Wiz maps each exposed secret to its true blast radius, showing what it can access and where it can be exploited. Scope and permissions analysis flags secrets tied to admin accounts or production workloads.
Fixing leaks without breaking production
Responding to an exposed secret is one thing. Doing it without causing downtime is another. Rotation without understanding dependencies can break services. In many organizations, it’s also unclear who should take the lead: DevOps, security, or engineering.
Wiz removes this uncertainty by automatically linking each finding to its original code author. If that developer has left the organization, it falls back to the designated owners of the repository where the secret resides, determined by analyzing CODEOWNERS files and mapping GitHub user accounts.
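The ownership fallback described here (commit author first, then the repository's CODEOWNERS entry) is straightforward to implement once CODEOWNERS patterns can be matched. The following is an added example for this page, not Wiz code. It implements a simplified subset of GitHub's CODEOWNERS syntax (`*`, `?`, `**`, a leading `/` anchoring to the repository root, a pattern without `/` matching at any depth, and a directory match covering everything beneath it) with the last matching rule winning; the CODEOWNERS text, the blame results and the set of active users are all constructed.

```python
from __future__ import annotations

import re


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a CODEOWNERS/gitignore-style pattern into a regex.
    Simplified subset: '*', '?', '**', a leading '/' anchors to the repo
    root, a pattern without '/' matches at any depth, and a match on a
    directory covers everything beneath it."""
    anchored = pattern.startswith("/")
    p = pattern.strip("/")
    if p.startswith("**/"):
        p = p[3:]
        anchored = False
    out = []
    i = 0
    while i < len(p):
        if p.startswith("**", i):
            out.append(".*")
            i += 2
        elif p[i] == "*":
            out.append("[^/]*")
            i += 1
        elif p[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(p[i]))
            i += 1
    prefix = "^" if anchored or "/" in p else r"^(?:.*/)?"
    return re.compile(prefix + "".join(out) + r"(?:/.*)?$")


def parse_codeowners(text: str) -> list[tuple[re.Pattern, list[str]]]:
    """Return (regex, owners) rules in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((_pattern_to_regex(pattern), owners))
    return rules


def owners_for(path: str, rules: list[tuple[re.Pattern, list[str]]]) -> list[str]:
    """GitHub semantics: the last matching pattern in the file wins."""
    owners: list[str] = []
    for regex, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners


def resolve_assignee(path: str, blame_author: str | None,
                     active_users: set[str],
                     rules: list[tuple[re.Pattern, list[str]]]) -> list[str]:
    """Prefer the author who introduced the line; if that account is no
    longer active, fall back to the CODEOWNERS entry for the file."""
    if blame_author and blame_author in active_users:
        return [blame_author]
    return owners_for(path, rules)


# Constructed sample CODEOWNERS file (not from any real repository).
CODEOWNERS = """\
# platform team owns everything by default
*                    @org/platform
*.tf                 @org/infra
/services/payments/  @alice @org/payments
/docs/               @org/docs
"""

# Constructed "git blame" results for the lines where secrets were found.
BLAME = {
    "services/payments/config/app.env": "bob",
    "infra/main.tf": "alice",
    "README.md": "dave",
}
# Assumption for the example: bob and dave have left the organization.
ACTIVE_USERS = {"alice", "carol"}

if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    for path, author in BLAME.items():
        print(f"{path}: notify {resolve_assignee(path, author, ACTIVE_USERS, rules)}")
```

For `services/payments/config/app.env` the blame author has left, so the finding routes to `@alice` and `@org/payments`; `infra/main.tf` goes straight to its still-active author; `README.md` falls through to the catch-all `@org/platform` rule. Recording the fallback reason alongside the assignee is worth doing in practice so that routing decisions can be audited later.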
From there, AI-generated remediation guidance provides precise CLI commands or Terraform updates to revoke and rotate the secret quickly and safely. All of this is delivered directly into developer workflows (IDEs, pull request comments, Jira, Slack) and paired with impact analysis so fixes don’t take production down.
Bonus point: security teams get confirmation when remediation is complete. How? Wiz re-validates each finding periodically and tracks its status as it moves from valid to invalid.
Stop the bleeding and nudge developers towards what’s right
The best way to handle a secret leak is to prevent it from ever happening. Wiz enforces consistent guardrails across the SDLC, detecting secrets at the pre-commit stage, blocking PR merges or failing builds when policies are violated, and applying granular ignore rules to avoid unnecessary noise.
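The policy gate behind "block the merge or fail the build, but honour granular ignore rules" is a small decision function that a pre-commit hook or CI step can call. The following is an added example for this page, not Wiz code. It consumes findings as a scanner and validator would hand them over, applies path- and type-scoped ignore rules, fails closed on findings the validator could not confirm, and returns a process exit code; the findings and ignore rules are constructed.

```python
from __future__ import annotations

import fnmatch
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    status: str  # "valid" | "invalid" | "unknown" (validator could not decide)


@dataclass(frozen=True)
class IgnoreRule:
    path_glob: str       # fnmatch-style glob on the repo-relative path
    kind: str = "*"      # secret type this rule applies to ("*" = any)
    reason: str = ""     # recorded so that ignores stay auditable


# Fail closed: an unvalidated finding is treated like a live one.
BLOCKING_STATUSES = {"valid", "unknown"}


def is_ignored(f: Finding, rules: list[IgnoreRule]) -> bool:
    return any(
        fnmatch.fnmatch(f.path, r.path_glob) and fnmatch.fnmatch(f.kind, r.kind)
        for r in rules
    )


def evaluate(findings: list[Finding], ignore_rules: list[IgnoreRule]) -> dict:
    """Partition findings and decide whether the commit/PR/build should fail."""
    blocking, informational, ignored = [], [], []
    for f in findings:
        if is_ignored(f, ignore_rules):
            ignored.append(f)
        elif f.status in BLOCKING_STATUSES:
            blocking.append(f)
        else:
            informational.append(f)  # revoked: clean it up, but do not fail the build
    return {
        "exit_code": 1 if blocking else 0,
        "blocking": blocking,
        "informational": informational,
        "ignored": ignored,
    }


def render(result: dict) -> str:
    """Human-readable report for the hook or CI log."""
    lines = []
    for label in ("blocking", "informational", "ignored"):
        for f in result[label]:
            lines.append(f"[{label}] {f.path}:{f.line} {f.kind} status={f.status}")
    lines.append("verdict: " + ("BLOCKED" if result["exit_code"] else "OK"))
    return "\n".join(lines)


# Constructed findings, as a scanner plus validator would hand them to the gate.
FINDINGS = [
    Finding("src/app.py", 12, "aws_access_key_id", "valid"),
    Finding("tests/fixtures/fake_keys.py", 3, "github_pat", "unknown"),
    Finding("src/legacy.py", 80, "slack_webhook", "invalid"),
]

# Constructed ignore rule: fixtures under tests/ are known synthetic values.
# fnmatch's '*' also matches '/', so "tests/*" covers nested paths.
IGNORE_RULES = [
    IgnoreRule("tests/*", reason="synthetic test fixtures"),
]

if __name__ == "__main__":
    result = evaluate(FINDINGS, IGNORE_RULES)
    print(render(result))
    sys.exit(result["exit_code"])  # non-zero blocks the commit, merge or build
```

With the sample input the live AWS key in `src/app.py` blocks, the unvalidated token under `tests/` is suppressed by the ignore rule, and the revoked Slack webhook is reported for cleanup without failing the run. Removing the ignore rule flips the verdict to blocked, because an unknown-status finding is deliberately treated as live.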
In addition, longer-term posture policies help security teams run cleanup campaigns and maintain healthy code repository hygiene.
The layered approach advantage
By combining code, CI/CD, cloud, vault, and runtime data in one place, Wiz eliminates the silos that keep security teams guessing. The Wiz Security Graph correlates signals in real time, and threat intelligence from Wiz Research flows straight into the platform, turning emerging exposure data into actionable controls almost instantly.
Secret security isn’t just about scanning. It’s a continuous loop of detection, prioritization, remediation, and prevention. And you can close the loop with Wiz today.
See how Wiz can help you secure secrets from code to cloud. Request a demo and get a full view of your exposure, plus the tools to fix it before it becomes an incident.