The 2025 State of Code Security Report from Wiz paints a concerning picture of the current state of code security within enterprise organizations. The report, based on an analysis of hundreds of thousands of repositories across major platforms, highlights several critical vulnerabilities and risky practices.
GitHub Repositories: A Prime Target
A staggering 35% of GitHub repositories are public. This makes them easy targets for malicious actors looking to exploit developer oversights. This alarming statistic underscores the need for robust security measures within development workflows.
Alarming Secrets Exposure in Public Repositories
The report reveals that a shocking 61% of organizations expose secrets—such as cloud credentials—in public repositories, leaving sensitive data open to attack and highlighting a critical failure to follow industry best practices for secret management.
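A minimal secret scanner of the kind a defender would run over repository contents before they reach a public remote, as an added example that is not part of the report or any Wiz tooling. It combines two documented credential formats with a high-entropy fallback; the entropy threshold is an assumed cut-off, the AWS values are the public example credentials from AWS documentation, and the GitHub token is constructed to match the documented format.

```python
import math
import re
from collections import Counter

# Documented credential formats: AWS access key ids are "AKIA" + 16 uppercase
# alphanumerics; classic GitHub personal access tokens are "ghp_" + 36 chars.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic fallback: a secret-looking assignment with a long, high-entropy value.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per codebase

def shannon_entropy(s: str) -> float:
    # Random base64-like strings score well above 3.5; "aaaa..." scores 0.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value: str) -> str:
    # Never echo the full secret back into a report or log.
    return value[:4] + "..." + value[-4:]

def scan_line(line: str) -> list:
    # Known formats first; fall back to the entropy heuristic only if none matched.
    findings = [(name, m.group(0)) for name, pat in PATTERNS.items()
                for m in pat.finditer(line)]
    if not findings:
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_assignment", m.group(2)))
    return findings

def scan_text(text: str) -> list:
    # Returns (line_number, finding_type, redacted_value) for a whole file body.
    return [(lineno, name, redact(value))
            for lineno, line in enumerate(text.splitlines(), start=1)
            for name, value in scan_line(line)]

# Constructed sample resembling a config file committed by mistake. The AWS
# values are the public example credentials from AWS documentation; the
# GitHub token is made up to match the documented format.
SAMPLE = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
GITHUB_TOKEN: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
"""
```

Running scan_text(SAMPLE) flags lines 1, 2 and 5 and leaves the benign region setting and the low-entropy placeholder password alone, which is the trade-off a pre-push hook or CI gate has to strike between noise and coverage.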
Self-Hosted Runners: A Critical Vulnerability
The use of non-ephemeral self-hosted runners introduces significant risk. The report indicates that 35% of enterprises are vulnerable to attacks that could enable lateral movement across repositories and even entire organizations. This emphasizes the need to weigh runner configurations and their security implications carefully.
Dangerous GitHub App Permissions
Most GitHub Apps possess overly permissive scopes, including pull_request and contents. This grants unauthorized access for direct code modification. This lack of granular permission control represents a significant security risk.
Conclusions
The increasing integration of code and cloud environments necessitates a holistic security approach. Vulnerabilities span from code repositories to deployment pipelines and cloud infrastructures, creating complex attack surfaces.
Organizations must adopt a comprehensive strategy that bridges these interconnected systems to effectively mitigate threats. This requires a shift from a vertical, team-specific approach to a horizontal, organization-wide strategy.
For more insights into ransomware threats, a significant concern in today’s landscape, see our coverage of “Top 10 Ransomware Groups of 2024: The Year’s Most Active Cyber Threats”.