In cloud-native environments, the security of code repositories and development pipelines is critical. The 2025 State of Code Security Report sheds light on the most pressing risks and trends facing organizations today. By analyzing hundreds of thousands of repositories across platforms like GitHub, GitLab, and Azure DevOps, Wiz Threat Research identifies the key risks and misconfigurations that affect both code development and production environments.
A Data-Driven Lens on Security
To produce this report, our researchers leveraged data collected throughout 2024 using the Wiz Cloud and Wiz Code platforms. With insights directly derived from real-world code repositories, version control systems (VCS) platforms, and CI/CD pipelines, this research provides an actionable look at code-driven security challenges. By connecting code development platforms to cloud environments, we've ensured that results capture the full scope of risks, from code origin to the deployment stage.
Key Findings from the Report
1. GitHub Repositories: A Prime Target
GitHub’s popularity makes it a central hub for developers, and therefore for attackers. 35% of GitHub repositories are public, so any critical mistake a developer makes in one of them, such as committing credentials, is immediately visible to anyone who looks. A credential pushed to a public repository also stays in the commit history even after the offending commit is amended or the file is deleted, so it must be treated as compromised and rotated rather than quietly removed. This reinforces the need for stricter permissions and better repository management practices.
2. Alarming Secrets Exposure
61% of organizations have public repositories containing cloud secrets, such as API keys and access tokens. In the worst case, something as simple as a leaked AWS access key can lead to data exfiltration, financial loss, and reputational damage. Secrets belong encrypted at rest in a dedicated secrets manager and should be injected at runtime, never committed to source. Pair that with secret scanning in pre-commit hooks and CI so a leaked key is caught before it reaches a public branch, and rotate any key that does get through.
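The kind of check that catches a committed key before it reaches a public branch, as an added example (not code from the report or from Wiz): a small scanner that combines vendor-specific prefixes (AKIA/ASIA for AWS access key IDs, ghp_ for GitHub personal access tokens, PEM private-key headers) with an entropy heuristic for credential-looking assignments. The sample input is constructed; the AWS key is AWS's own documented placeholder, and the regexes and entropy threshold are this example's assumptions, not a published standard.

```python
import math
import re
import sys
from typing import Dict, List, Tuple

# Vendor-specific credential formats. The prefixes are the vendors' documented
# formats; the surrounding regexes are this example's own.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: a credential-looking variable name assigned a long token.
# Whether the value is actually secret-like is decided by its entropy.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:secret|token|password|api[_-]?key)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)

Finding = Tuple[int, str, str]  # (line number, finding type, matched value)

# Constructed sample input, not real credentials (the AWS key is AWS's
# documented placeholder value).
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "hunter2"
GITHUB_TOKEN: ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
log_level = info
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value: str) -> float:
    """Bits per character: random 40-char keys score well above 4, words around 3."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return every suspected secret in `text`, one tuple per hit.

    Exact-format matches win; the entropy heuristic only runs on lines that
    had no exact match, so a hit is never reported twice. Short, low-entropy
    passwords (like "hunter2" in the sample) are deliberately out of scope:
    they need a different control, not a pattern.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
                hit = True
        if hit:
            continue
        for m in ASSIGNMENT.finditer(line):
            var_name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_" + var_name.lower(), value))
    return findings


def main() -> int:
    """Pre-commit style entry point: read text from stdin, fail if anything is found.

    When fed a diff, the line numbers refer to lines of the diff, not the file.
    """
    findings = scan_text(sys.stdin.read())
    for lineno, kind, value in findings:
        # Print only a prefix so the hook's own output does not leak the secret.
        print(f"line {lineno}: {kind}: {value[:6]}...", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired as a hook, `git diff --cached -U0 | python scan_secrets.py` blocks the commit on any hit. The prefix patterns are precise but only cover formats you have enumerated; the entropy pass catches unknown formats at the cost of occasional false positives on hashes and base64 blobs, which is why both are needed.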
3. Vulnerability Risks from Self-Hosted Runners
Self-hosted CI/CD runners are convenient, but they carry real risk. About 35% of enterprises use non-ephemeral self-hosted runners. A persistent runner keeps state between jobs (checked-out source, caches, installed tools, and any credentials a job left behind), so a single compromised job, for example one triggered by a malicious pull request, can leave a foothold for the next job scheduled on that runner, which may belong to a different repository or organization. That is what makes lateral movement across repositories and organizations easier. Worse, the hosts running these runners are often poorly maintained: VMs hosting runners have on average three times as many installed software packages, and three times as many High/Critical vulnerabilities, as other VMs.
4. Dangerous and Powerful App Scopes
Third-party GitHub Apps streamline workflows but often expose organizations to unnecessary risk. The pull_requests and contents scopes are granted to over 76% of organization-level Apps. It does not stop there: 80% of Apps with the pull_requests scope hold it with write access, which lets the App open and update pull requests on its own and, combined with contents write, push code to repositories directly. Misuse of such permissions, whether by a malicious App, a hijacked App, or a supply chain attack on the App's vendor, can compromise code integrity. Review installed Apps periodically, grant write only where the App's function actually needs it, and limit installations to selected repositories rather than the whole organization.
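An audit of the kind that surfaces these grants, as an added example (not the report's or Wiz's code): it walks a list of App installations, flags write access on contents or pull_requests and any administrative permission, and computes the write-share ratio the report quotes for pull_requests. The input is a constructed sample shaped like the GitHub REST response for listing an organization's installations; the field names used (`app_slug`, `permissions`, `repository_selection`) follow that API, but the values and the risk rules are this example's assumptions.

```python
import json
from typing import Dict, List

# Constructed sample modelled on the GitHub REST response for
# GET /orgs/{org}/installations (real responses carry more fields).
# App names, ids and permissions are invented for this example.
SAMPLE_RESPONSE = json.loads("""
{
  "total_count": 3,
  "installations": [
    {"id": 101, "app_slug": "ci-bot", "repository_selection": "all",
     "permissions": {"metadata": "read", "checks": "write",
                     "contents": "write", "pull_requests": "write"}},
    {"id": 102, "app_slug": "code-review-helper", "repository_selection": "selected",
     "permissions": {"metadata": "read", "pull_requests": "read"}},
    {"id": 103, "app_slug": "dependency-updater", "repository_selection": "selected",
     "permissions": {"metadata": "read", "contents": "write", "pull_requests": "write"}}
  ]
}
""")

# Scopes the report singles out: write on either lets an App alter code or
# open and update pull requests without a human in the loop.
SENSITIVE_WRITE = ("contents", "pull_requests")
# Permissions that are administrative at any level (this example's list).
ADMIN_LIKE = ("administration", "members", "organization_administration")


def assess_installation(inst: dict) -> dict:
    """Return the issues found for one installation and an overall risk label."""
    perms: Dict[str, str] = inst.get("permissions", {})
    issues: List[str] = []
    for scope in SENSITIVE_WRITE:
        if perms.get(scope) == "write":
            issues.append(f"{scope}:write")
    for scope in ADMIN_LIKE:
        if scope in perms:
            issues.append(f"{scope}:{perms[scope]}")
    # Blast radius: the same grant across every repository in the org is worse
    # than the same grant on a hand-picked few.
    if issues and inst.get("repository_selection") == "all":
        issues.append("installed_on:all_repositories")
    return {
        "app": inst.get("app_slug"),
        "id": inst.get("id"),
        "issues": issues,
        "risk": "high" if issues else "low",
    }


def audit(response: dict) -> List[dict]:
    return [assess_installation(i) for i in response.get("installations", [])]


def flagged_apps(response: dict) -> List[str]:
    """Slugs of installations that need a human review."""
    return [r["app"] for r in audit(response) if r["risk"] == "high"]


def write_share(response: dict, scope: str) -> float:
    """Fraction of Apps holding `scope` at all that hold it with write access
    (the ratio the report quotes as 80% for pull_requests)."""
    holders = [i for i in response.get("installations", [])
               if scope in i.get("permissions", {})]
    if not holders:
        return 0.0
    writers = [i for i in holders if i["permissions"][scope] == "write"]
    return len(writers) / len(holders)


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSE):
        print(row["risk"].upper(), row["app"], ", ".join(row["issues"]) or "-")
    share = write_share(SAMPLE_RESPONSE, "pull_requests")
    print(f"pull_requests holders with write access: {share:.0%}")
```

For a real organization, replace `SAMPLE_RESPONSE` with the output of `gh api orgs/<org>/installations` (listing installations requires organization admin rights). Run it on a schedule and diff the flagged list against the previous run, since a previously reviewed App can request broader permissions at any time.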
Get the full picture
The data is clear: unmanaged risks in code and version control systems present significant challenges for the modern enterprise. From alarming levels of secrets exposure to insecure CI/CD workflows, these vulnerabilities jeopardize production environments.
Want to explore all the findings in detail and learn actionable strategies to protect your organization?