
Why Leaked Secrets Cost More Than You Think

By Gerion Team

In December 2022, a 200-person SaaS company received an AWS bill for $47,000 in a single weekend. The cause: an API key had been exposed in a public GitHub repository for 11 hours.

This wasn’t a careless company. They had code reviews, CI tests, and a security team. But no one was scanning their repositories for secrets. The key had been committed during a late-night debugging session, noted as “temporary,” and never rotated.

The Scale Problem

Secrets leak more often than people think — not just in public repos, but also in:

  • Private repositories accessible to former employees
  • Temporary branches that are never cleaned up
  • Code comments in configuration files
  • Hardcoded environment variables added during a hotfix at 2am

GitGuardian’s research found that 1 in 10 commits in private repositories contains some kind of secret. In public repositories, the ratio is higher. And unlike most vulnerabilities, secrets have a near-instant exploitation window: a leaked credential needs no exploit development, it works the moment someone reads it.

Why the Cost Is So High

The problem isn’t just the immediate exposure. The real cost comes from three factors:

1. Detection Time

The average time between a secret leaking and being detected is 23 days, according to IBM. In that window, the secret may have been scraped by automated bots (which monitor GitHub in real time), sold on credential marketplaces, or already used to access infrastructure. By the time the team finds out, the attacker has had three weeks of undetected access.

2. Blast Radius

One secret isn’t one account. A compromised AWS key can provide access to:

  • S3 buckets with customer data
  • EC2 instances for cryptocurrency mining
  • Email services for spam or phishing
  • IAM permissions to create further users, roles or access keys, so that rotating the leaked key alone does not end the access

The initial credential is rarely the end of the chain. Attackers pivot laterally using the access granted by the first secret they find.

3. Remediation Cost

Rotating a secret in production isn’t trivial. It involves:

  • Identifying every service and system that uses it
  • Coordinating a synchronized rotation to avoid downtime
  • A forensic review of access logs (CloudTrail, for an AWS key) to establish what was read, changed or created during the exposure window, including any credentials the attacker added for persistence
  • Potential customer notification if PII was involved

The average cost of a credential-related breach is $4.5 million (IBM Cost of a Data Breach Report). Most of that cost isn’t the initial exploit — it’s the remediation, notification, and reputational damage.

The Production Multiplier

Not all exposed secrets carry the same financial weight. The exposure itself is the same wherever the secret sits: anyone with read access to the repository can pull every branch and its history. What differs is the cost of dealing with it. A secret hardcoded in a feature branch that never ships has a different remediation profile than the same secret in main.

Gerion’s Financial Impact Engine reflects this reality: secrets detected on production branches (main, master, release/*) carry a 10× cost multiplier. An API key for a payment provider committed to a feature branch might represent €400 in estimated remediation cost. The same key in production represents €4,000 — because rotating it in a live environment requires coordinated downtime, customer communication, and forensic review.

This branch-aware cost model changes which secrets you fix first. Not “the most recent commit” or “the highest CVSS score” — but “the secret with the highest actual exposure cost given where it lives in your codebase.”

How Gitleaks Works in Gerion

Gerion uses Gitleaks as its secret scanner. Gitleaks analyzes the complete git history — not just the current state of the repository — to detect secrets that were added and then “removed” in a subsequent commit. In its default mode it walks the patches in the commit log rather than only the checked-out files.

Removal doesn’t equal remediation. A secret deleted in commit abc123 is still present in the git history and can be accessed by anyone with repository access; if the repository was ever public, it also lives on in every clone and fork taken while it was there. Rewriting history (git filter-repo, BFG) only cleans your own copy, so the value has to be rotated regardless. Gitleaks finds it.

What Gerion adds on top of Gitleaks:

  1. Contextualization: a secret on main carries a 10× financial multiplier versus one on a feature branch
  2. Deduplication: the same secret across multiple commits counts as a single finding — no noise inflation
  3. Financial impact: based on the service type (AWS, Stripe, GitHub, database credentials), the platform estimates the potential remediation cost range
  4. Full history scanning: every scan covers the complete git log, not just the diff of the current push
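To make the prioritisation described in the Production Multiplier section and in the list above concrete, here is an added example written for this article; it is not code from Gitleaks or from Gerion’s Financial Impact Engine. It scans a constructed commit history with a few Gitleaks-style patterns, shows that a secret deleted in a later commit is invisible to a working-tree scan but not to a history scan, collapses repeated occurrences of one value into a single finding, and applies the 10× production-branch multiplier. The patterns, base costs, sample commits and key values (AWS’s documented example access key plus two made-up tokens) are all assumptions.

```python
"""Added example (written for this article; not Gitleaks and not Gerion's
Financial Impact Engine): a minimal history-aware scanner that shows why
full-history scanning, deduplication and a production-branch multiplier
change which finding you fix first. Patterns, base costs and the sample
repository history below are all constructed for illustration."""
import re
from dataclasses import dataclass, field

# Simplified detectors in the style of Gitleaks rules (constructed subset).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,99}\b"),
    "github-pat": re.compile(r"\bghp_[0-9a-zA-Z]{36}\b"),
}
# Assumed base remediation cost per service type (EUR, illustrative).
BASE_COST = {"aws-access-key-id": 600, "stripe-secret-key": 400, "github-pat": 200}
# Branches the article treats as production, and its 10x multiplier.
PRODUCTION_BRANCH = re.compile(r"^(main|master|release/.+)$")
PRODUCTION_MULTIPLIER = 10


@dataclass
class Commit:
    sha: str
    branch: str
    diff: str  # unified-diff body; only '+'/'-' content lines matter here


@dataclass
class Finding:
    rule: str
    secret: str
    first_seen: str                              # sha that introduced it
    branches: set = field(default_factory=set)
    occurrences: int = 0

    @property
    def in_production(self) -> bool:
        return any(PRODUCTION_BRANCH.match(b) for b in self.branches)

    @property
    def estimated_cost(self) -> int:
        return BASE_COST[self.rule] * (PRODUCTION_MULTIPLIER if self.in_production else 1)


def scan_text(text):
    """Yield (rule, secret) for every pattern match in a blob of text."""
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            yield rule, m.group(0)


def scan_head(tree_files):
    """Point-in-time scan of the working tree, i.e. what a scanner that
    ignores history sees. Misses anything added and later deleted."""
    return {hit for content in tree_files.values() for hit in scan_text(content)}


def scan_history(commits):
    """Scan the added lines of every commit (oldest first) and deduplicate
    on (rule, secret): the same value in ten commits is one finding."""
    findings = {}
    for c in commits:
        added = "\n".join(line[1:] for line in c.diff.splitlines()
                          if line.startswith("+") and not line.startswith("+++"))
        for rule, secret in scan_text(added):
            f = findings.setdefault((rule, secret), Finding(rule, secret, c.sha))
            f.branches.add(c.branch)
            f.occurrences += 1
    return findings


def prioritise(findings):
    """Most expensive exposure first, which is the order to rotate in."""
    return sorted(findings.values(), key=lambda f: f.estimated_cost, reverse=True)


# --- constructed sample repository -----------------------------------------
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                     # AWS's documented example key
STRIPE_KEY = "sk_live_" + "EXAMPLE".ljust(24, "0")   # fake, shaped like a live key
GITHUB_PAT = "ghp_" + "EXAMPLE".ljust(36, "0")       # fake, shaped like a PAT

SAMPLE_HISTORY = [
    Commit("a1b2c3d", "feature/debug-s3", f"+AWS_ACCESS_KEY_ID={AWS_KEY}  # temporary\n"),
    Commit("d4e5f6a", "feature/debug-s3",  # the 'removal' commit
           f"-AWS_ACCESS_KEY_ID={AWS_KEY}  # temporary\n+AWS_ACCESS_KEY_ID=${{AWS_ACCESS_KEY_ID}}\n"),
    Commit("b7c8d9e", "main", f'+STRIPE_KEY = "{STRIPE_KEY}"\n'),
    Commit("f0a1b2c", "release/2.4", f'+STRIPE_KEY = "{STRIPE_KEY}"\n'),  # cherry-pick
    Commit("c3d4e5f", "feature/ci-fix", f"+token: {GITHUB_PAT}\n"),
]
# Working tree after all of the above have landed on their branches.
SAMPLE_HEAD_TREE = {
    "config.env": "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n",
    "billing.py": f'STRIPE_KEY = "{STRIPE_KEY}"\n',
    ".github/workflows/ci.yml": f"token: {GITHUB_PAT}\n",
}

if __name__ == "__main__":
    print("working tree only:", sorted(scan_head(SAMPLE_HEAD_TREE)))
    for f in prioritise(scan_history(SAMPLE_HISTORY)):
        print(f"EUR {f.estimated_cost:>5}  {f.rule:<18} first in {f.first_seen} "
              f"on {sorted(f.branches)}  x{f.occurrences}")
```

Run as a script it lists two findings for the working tree but three for the history: the AWS key that was “removed” on the feature branch is only visible to the history scan, and the Stripe key, present in two commits on two production branches, is reported once at ten times its base cost and lands at the top of the rotation order.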

The Three-Minute Rule

If a secret reaches a public repository, assume it’s compromised within three minutes. GitHub scraping bots are faster than any manual response process. Security researchers, automated scanners, and malicious actors all monitor public commits in near real-time.

The only correct solution is to make sure it never gets there. Scan at pre-commit with a local Gitleaks hook, in CI on every push, and as a periodic analysis of the full repository history. Each layer covers a different failure: the pre-commit hook stops the secret leaving the developer’s machine; the CI scan catches it before it merges to main, including when a developer skipped or never installed the hook; the periodic history scan finds what both missed, including secrets committed before any scanner was in place.
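As an added illustration of the first layer, here is a pre-commit hook written for this article. It is not the Gitleaks hook (Gitleaks ships its own pre-commit integration, which is what you would install in practice); it shows what that layer has to do. It parses the output of git diff --cached -U0, reports only added lines that match a constructed subset of patterns with file and line number, and exits non-zero to block the commit. The patterns, the redaction format and SAMPLE_DIFF are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added example (written for this article, not the Gitleaks hook, which
ships with Gitleaks itself): a pre-commit hook that blocks a commit when a
staged hunk ADDS a line matching a secret pattern. Patterns are a
constructed subset; SAMPLE_DIFF is a constructed `git diff --cached -U0`."""
import re
import subprocess
import sys

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,99}\b"),
    "github-pat": re.compile(r"\bghp_[0-9a-zA-Z]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(secret):
    """Show enough to recognise the value in hook output, never all of it."""
    return secret[:6] + "..." + secret[-2:]


def scan_staged_diff(diff_text):
    """Parse a unified diff and return (path, new_line_no, rule, redacted)
    for every added line that matches a pattern. Removed lines are ignored
    on purpose: deleting a secret in this commit does not un-leak it if an
    earlier commit already carried it; that needs rotation, not a diff."""
    findings = []
    path, line_no, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # a new file section begins
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif (m := HUNK_HEADER.match(raw)):
            line_no, in_hunk = int(m.group(1)), True
        elif not in_hunk:
            continue                             # index/mode lines, '--- ' header
        elif raw.startswith("+"):
            for rule, rx in PATTERNS.items():
                for hit in rx.finditer(raw[1:]):
                    findings.append((path, line_no, rule, redact(hit.group(0))))
            line_no += 1
        elif raw.startswith("-"):
            pass                                 # removed line: no new-side number used
        elif raw.startswith("\\"):
            pass                                 # '\ No newline at end of file'
        else:
            line_no += 1                         # context line (absent with -U0)
    return findings


# Constructed staged diff: one hunk re-introduces AWS's documented example
# key, another only mentions key names in prose and must not trigger.
SAMPLE_DIFF = """diff --git a/config.env b/config.env
index 1111111..2222222 100644
--- a/config.env
+++ b/config.env
@@ -3 +3 @@
-AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -10,0 +11,2 @@
+Set AWS_ACCESS_KEY_ID in your environment; never paste the value here.
+Stripe keys (sk_live_...) belong in the secrets manager.
"""


def main():
    """Entry point when installed as .git/hooks/pre-commit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_staged_diff(diff)
    for path, line_no, rule, redacted in findings:
        print(f"{path}:{line_no}: {rule}: {redacted}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the value; if it was ever pushed, rotate it too",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it by copying it to .git/hooks/pre-commit and making it executable. Developers can still bypass any local hook with git commit --no-verify, which is exactly why the CI scan on every push and the periodic history scan are not optional extras but the second and third lines of the same defence.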

Gerion does all three — and when something does get through, the Financial Impact Engine tells you exactly how much it’s costing you right now.