In a cloud-native environment, the security of your code repositories and development pipelines matters. The 2025 Code Security Report highlights the biggest risks and trends facing organizations today. By analyzing hundreds of thousands of repositories on platforms such as GitHub, GitLab, and Azure DevOps, Wiz Threat Research exposes major risks and misconceptions that affect code development and production environments.
To produce this report, our researchers drew on data collected during 2024 through the Wiz Cloud and Wiz Code platforms. With insight obtained directly from real-world code repositories, version control system (VCS) platforms, and CI/CD pipelines, the research gives an actionable view of code-to-cloud security challenges. By connecting code development platforms to the cloud environment, we ensured that the results capture the full scope of risk, from the earliest stage of code development through to deployment.
1. GitHub repositories: a prime target
GitHub's popularity makes it a central hub for developers, but also for attackers. Notably, 35% of GitHub repositories are public, giving threat actors an easy way in when developers make critical mistakes, such as accidentally committing sensitive credentials. This confirms the need for strict permissions and better repository management practices.
2. Dangerous secret exposure
61% of organizations have public repositories containing cloud secrets such as API keys and access tokens. In the worst case, a single leaked AWS access key can be all it takes to cause data exfiltration, financial loss, and reputational damage. The importance of keeping secrets encrypted and stored in dedicated secret management tooling cannot be overstated.
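The practical counterpart to this finding is a pre-commit or repository scan for credential patterns. The following is an added example, not code from the report or from Wiz: a small scanner that looks for AWS access key IDs, GitHub tokens and generic `name = value` credential assignments, suppresses low-entropy placeholders so that `password = "xxxx..."` is not reported as a leak, and returns only redacted values so the report itself does not become a second copy of the secret. The pattern list, the entropy threshold and the sample file are assumptions made for the example; the AWS values in the sample are the documented example credentials from the AWS documentation.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Patterns for a few well-known credential formats. Assumption: this list is
# illustrative; a production scanner carries many more signatures.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ prefix followed by 36 characters
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    # Generic "name = value" assignments whose name suggests a credential
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{16,})"
    ),
}
# Generic matches below this entropy (bits per character) are treated as
# placeholders such as "changeme" rather than real secrets (assumed threshold).
MIN_ENTROPY = 3.0


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    redacted: str   # the report carries a redacted form, never the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to recognize it in a report."""
    return value[:4] + "..." + value[-2:]


def find_secrets(text: str) -> list[Finding]:
    """Scan file content line by line; one Finding per distinct secret value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()   # values already reported on this line: specific signatures win over generic
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if value in seen:
                    continue
                if kind == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue   # low-entropy placeholder, not a credential
                seen.add(value)
                findings.append(Finding(kind, line_no, redact(value)))
    return findings


# Constructed sample of a settings file committed to a public repository.
SAMPLE_FILE = """\
# app settings, committed by mistake
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
password = "xxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_FILE):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Run against the sample, the scanner reports the access key ID on line 3, the secret access key on line 4 (caught by the generic rule because of its `secret_access_key` name) and the GitHub token on line 5, while the placeholder password on line 6 is dropped by the entropy check. Wiring `find_secrets` into a pre-commit hook or a CI step is what keeps such a file out of a public repository in the first place; the dedicated secret store the report recommends is where the real values belong.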
3. Vulnerable self-hosted runners
Self-hosted CI/CD runners are a convenient option, but they come with elevated risk. About 35% of enterprises use non-ephemeral self-hosted runners, which increases the risk of attackers achieving lateral movement across repositories and organizations. Worse, the environments hosting these runners often suffer from poor maintenance hygiene, exposing them to high-impact vulnerabilities. VMs running runners have on average 3 times as many installed software packages and high/critical vulnerabilities as other VMs.
4. Dangerous and overly powerful scopes
Third-party GitHub apps streamline workflows, but often expose organizations to unnecessary risk. The pull_requests and contents scopes are assigned to over 76% of organization-level apps. It does not stop there: 80% of apps with the pull_requests scope are granted write access, allowing direct modification of repositories. Abuse of such permissions, whether through a malicious or hijacked app or through a supply chain attack, can lead to significant compromise of code integrity.
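The figures above come from measuring which scopes installed apps hold and at what access level, and the same measurement can be run on a single organization. The following is an added example, not code from the report or from Wiz: it reviews installation records shaped like those returned by GitHub's REST API (`GET /orgs/{org}/installations`, whose `permissions` object maps a scope such as `contents` or `pull_requests` to `read` or `write`, and whose `repository_selection` is `all` or `selected`), flags installations with write access on either scope or with organization-wide reach, and summarizes scope and write-access counts the way the report does. The sample installations, app names and ids are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample shaped like installation records from GitHub's REST API
# (GET /orgs/{org}/installations); the apps and ids are invented.
SAMPLE_INSTALLATIONS = json.loads("""[
  {"id": 101, "app_slug": "ci-bot", "repository_selection": "all",
   "permissions": {"metadata": "read", "contents": "write", "pull_requests": "write"}},
  {"id": 102, "app_slug": "lint-checker", "repository_selection": "selected",
   "permissions": {"metadata": "read", "contents": "read", "pull_requests": "write"}},
  {"id": 103, "app_slug": "status-dashboard", "repository_selection": "all",
   "permissions": {"metadata": "read"}},
  {"id": 104, "app_slug": "deploy-helper", "repository_selection": "all",
   "permissions": {"metadata": "read", "contents": "write", "deployments": "write"}}
]""")

# The two scopes the report singles out; write access on either lets an app
# change code or merge changes directly.
WATCHED_SCOPES = ("pull_requests", "contents")


@dataclass
class InstallationReview:
    id: int
    app_slug: str
    scopes: dict                 # watched scope -> access level granted
    org_wide: bool               # True when the app reaches every repository
    reasons: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.reasons)


def review_installation(inst: dict) -> InstallationReview:
    """Extract the watched scopes of one installation and explain why it needs review."""
    perms = inst.get("permissions", {})
    scopes = {s: perms[s] for s in WATCHED_SCOPES if s in perms}
    org_wide = inst.get("repository_selection") == "all"
    reasons = [f"{s}:write allows direct modification of repositories"
               for s, level in scopes.items() if level == "write"]
    if scopes and org_wide:
        reasons.append("scope applies to every repository in the organization")
    return InstallationReview(inst["id"], inst["app_slug"], scopes, org_wide, reasons)


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def audit(installations: list[dict]) -> dict:
    """Summarize watched-scope exposure: how many apps hold each scope and how
    many of those hold it with write access, plus the ids that need review."""
    reviews = [review_installation(i) for i in installations]
    summary = {
        "total": len(reviews),
        "flagged_ids": [r.id for r in reviews if r.needs_review],
    }
    for scope in WATCHED_SCOPES:
        holders = [r for r in reviews if scope in r.scopes]
        writers = [r for r in holders if r.scopes[scope] == "write"]
        summary[f"with_{scope}"] = len(holders)
        summary[f"{scope}_write"] = len(writers)
        summary[f"{scope}_write_pct"] = pct(len(writers), len(holders))
    return summary


if __name__ == "__main__":
    for r in map(review_installation, SAMPLE_INSTALLATIONS):
        status = "REVIEW" if r.needs_review else "ok"
        print(f"{r.id} {r.app_slug:<18} {status}: {'; '.join(r.reasons)}")
    print(json.dumps(audit(SAMPLE_INSTALLATIONS), indent=2))
```

On the sample, three of the four installations are flagged: `ci-bot` holds both scopes with write access across every repository, `lint-checker` can write pull requests, and `deploy-helper` can write contents organization-wide; only the read-only dashboard passes. To run this on real data, pass the `installations` array from the API response (for example from `gh api /orgs/ORG/installations --paginate`, which needs organization admin rights) to `audit`, and treat every flagged installation as a candidate for narrowing its repository selection or downgrading write to read.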
The data is clear: code and version control systems present serious challenges for modern enterprises. From leaked secrets to unprotected CI/CD workflows, these weaknesses put production environments at risk.
Want to see all the findings, understand what they mean for your organization's security, and learn actionable strategies?