State of Code Security in 2025

From exposed secrets and public repositories to risky CI/CD practices, our research reveals that the convenience of modern development often makes security more challenging. With the right approach, the two can coexist.  

The 2025 State of Code Security Report helps you identify risks in your code repositories and their critical connections to cloud environments. Based on an analysis of hundreds of thousands of repositories across major platforms, our research uncovers common security pitfalls in modern software development.

Fact 1

GitHub repositories: a prime target

With 35% of GitHub repositories public, this leading platform remains a major focus for malicious actors exploiting developer missteps. 

Fact 2

Alarming Secrets Exposure 

Counter to industry best practice, private repositories are used as a place to store secrets. 61% of organizations have secrets, such as cloud credentials, exposed in public repositories, leaving sensitive data vulnerable to attack.
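The exposure described above is usually caught by scanning repository content for credential-shaped strings before it is pushed. The following is an added example, not code from the report or from any scanner the report discusses: a small pattern-based secret detector run over a constructed sample file. The patterns (AWS access key ID, AWS secret key assignment, GitHub personal access token, PEM private key header) and the sample values are assumptions chosen for illustration; the sample uses AWS's published example credentials.

```python
import re
from typing import Dict, List, Pattern

# Credential shapes to look for. These four patterns are an illustrative
# subset, not an exhaustive rule set; a group captures the secret itself
# when the pattern also matches surrounding context.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"
    ),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample of a config file that should never reach a repository.
# The AWS values are Amazon's documented placeholder credentials.
SAMPLE_REPO_FILE = """\
# constructed sample config, not taken from any real repository
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
"""


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is recognisable without re-exposing it."""
    return secret[:keep] + "*" * (len(secret) - keep)


def find_exposed_secrets(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and return findings with the secret redacted."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            # Use the captured group when the pattern matched context too.
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(
                {"line": line_no, "kind": kind, "redacted": redact(secret)}
            )
    return findings


def scan_ok(text: str) -> bool:
    """True when no credential-shaped string is present; usable as a commit gate."""
    return not find_exposed_secrets(text)


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_REPO_FILE):
        print(f"line {f['line']}: {f['kind']} -> {f['redacted']}")
    print("clean" if scan_ok(SAMPLE_REPO_FILE) else "secrets found")
```

Run as a pre-commit hook or CI step, `scan_ok` returning False is the signal to block the push; the redacted output lets the finding be triaged without copying the credential into logs or tickets. Pattern matching of this kind has false positives and misses unstructured secrets, so it complements rather than replaces rotating any credential that has already reached a public repository.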

Fact 3

Self-Hosted Runners Create Critical Vulnerabilities 

Non-ephemeral self-hosted runners pose a significant risk, with 35% of enterprises exposed to potential attacks that allow lateral movement across repositories and organizations.  

Fact 4

The Hidden Danger of GitHub App Permissions  

The vast majority of GitHub Apps have dangerous permission scopes, such as pull_request and contents, which allow direct modification of code.

Conclusions

The fusion of code and cloud in modern development demands a holistic approach to security: one that is horizontal and spans the full organization, rather than vertical and limited to a specific team. As our research shows, vulnerabilities span code repositories, deployment pipelines and cloud infrastructure, creating complex attack surfaces. By adopting a comprehensive view of security that bridges these interconnected systems, organizations can better protect against threats and stay ahead of attackers who exploit these connections.