Secrets
What is Secret Sprawl?
Also known as: Secret Sprawl (Korean: 시크릿 스프롤) · Secret Proliferation (시크릿 확산) · Scattered Secrets (시크릿 산재) · Credential Proliferation (크리덴셜 확산) · Credential Sprawl · Secrets Sprawl
The condition in which credentials, API keys, and tokens are scattered across code repositories, CI systems, environment variable stores, chat messages, wikis, and documents with no single inventory or ownership record. Rotating a single value becomes expensive because the team does not know how many copies exist. Recent incidents such as the April 2026 Vercel exposure and the Bitwarden CLI npm compromise are textbook secret-sprawl outcomes.
More terms in Secrets
- Credential: Any secret value that proves an identity to a system — a password, API key, OAuth token, TLS private key, SSH key, or JWT. In NHI security, "credential" usually refers to the machine-to-machine secret, not a human password. The word is used interchangeably with "secret" in most operational contexts.
- Secret Scanning: The process of automatically searching code repositories, CI logs, container images, SaaS documents, chat transcripts, and other locations for accidentally committed credentials. Modern secret scanning goes beyond regex (which produces noise) to use entropy analysis, contextual parsing, and provider-specific validators that prove a leaked key is actually live before paging the owner. Cremit Argus runs this across public and private code plus SaaS surfaces.
- Credential Leakage: The accidental disclosure of a credential to someone who should not have access — an API key committed to a public repo, a token printed in a log, a secret pasted in Slack, a .env file bundled into a client-side JavaScript build. Different from Secret Sprawl (an inventory problem): leakage is an active exposure event that needs immediate rotation, a scope review of what the credential could reach, and a forensic review of logs.
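The two ideas above, regex-plus-entropy secret scanning and a sprawl inventory that counts how many copies of one secret exist across locations, as one added example (not Cremit's code or any product's detector). The patterns, the 3.0 bits/char threshold and every sample value are constructed for illustration; real scanners add provider-specific liveness validators on top of this.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Provider-style patterns (constructed); real scanners carry hundreds of these.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_token": re.compile(r"(?i)\b(?:token|api[_-]?key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
ENTROPY_THRESHOLD = 3.0  # bits per char; placeholders and plain words score well below this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 'XXXXXXXX' scores 0, a random base62 string about 5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def fingerprint(value: str) -> str:
    """Stable ID for a secret, so the inventory can track copies without storing the value."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def scan_text(text: str):
    """Yield (kind, value) for regex hits that also pass the entropy filter."""
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                yield kind, m.group(1)

def build_inventory(sources: dict) -> dict:
    """fingerprint -> {kind, locations}; len(locations) is how many copies rotation must reach."""
    inventory = defaultdict(lambda: {"kind": None, "locations": []})
    for location, text in sources.items():
        for kind, value in scan_text(text):
            entry = inventory[fingerprint(value)]
            entry["kind"] = kind
            if location not in entry["locations"]:
                entry["locations"].append(location)
    return dict(inventory)

def sprawl_report(inventory: dict) -> list:
    """Most-copied secrets first: those are the most expensive to rotate."""
    rows = ((fp, e["kind"], len(e["locations"])) for fp, e in inventory.items())
    return sorted(rows, key=lambda row: -row[2])

# Constructed sample "locations"; none of these values is a real credential.
SAMPLE_SOURCES = {
    "repo:app/config.py": 'AWS_KEY = "AKIAQ7K2M9XB4PDL3RTV"',
    "ci:build-1234.log": "export AWS_ACCESS_KEY_ID=AKIAQ7K2M9XB4PDL3RTV",
    "chat:#deploy": "try token = 'Tg8pZ2kWq4Lm1Hx7Cd9RbN3vYs6Ef0Ju' on staging",
    "wiki:onboarding": 'api_key = "AKIAXXXXXXXXXXXXXXXX"  # docs placeholder, low entropy',
}
```

Running `sprawl_report(build_inventory(SAMPLE_SOURCES))` lists the same AWS-style key twice (repo and CI log) while the low-entropy wiki placeholder never enters the inventory, which is the noise reduction the entropy step provides over bare regex.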