The 2025 State of Code Security Report highlights ongoing vulnerabilities in code repositories, especially public repository exposure and insecure CI/CD practices. Key findings include widespread secrets leaks, increasing attacks targeting package ecosystems, and risky configurations in GitHub workflows, underscoring the deep interconnection between code security and cloud environments. #XZUtils #Funnull #GitHubActions

Key points

  • The report is structured into main sections such as Executive Summary, Year in Review, Current Landscape, Methodology, Usage Statistics, Repository Security, and CI/CD Security, each discussing specific themes like attack trends, security posture metrics, and platform usage.
  • It presents key statistics, including GitHub’s dominance with 80% of repositories, over 30% of GitHub repos being public, and only 12% of organizations enabling GitHub Actions at the organization level.
  • Significant trends include a rise in multi-platform VCS strategies, increased exposure of secrets and cloud keys in both private and public repositories, and prevalent insecure defaults in CI/CD workflows.
  • The report emphasizes cybersecurity threats such as secrets leaks leading to cloud intrusions, sophisticated supply chain attacks on package ecosystems like NPM and PyPI, and security misconfigurations in CI/CD pipeline setups.
  • Recurring themes involve the deep integration of code repositories with cloud environments, the importance of securing self-hosted runners, and the risk posed by excessive permissions in workflows and third-party apps.
  • Impactful insights highlight the ongoing need for improved security controls, better configuration management, and the adoption of comprehensive security tools that connect code and cloud security postures for holistic protection.
Report: Wiz-State-of-Code-Security-2025

Source: Awesome Annual Security Reports. The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download the report from GitHub.