SecurityHigh

GitHub Copilot Leaks Hardcoded API Keys and Secrets

GitHub/Microsoft

What Happened

Researchers found that GitHub Copilot would auto-complete code with valid API keys, passwords, and secrets it had memorized from public repositories during training. Developers could inadvertently expose credentials.

Impact

Security risk for any developer using Copilot without reviewing suggestions. Highlighted data leakage in code generation models. GitHub added secret scanning features in response.

Cost: Security patches, potential credential compromises

How to Prevent This

  • Never commit secrets to public repos (source of problem)
  • Secret scanning in CI/CD pipelines
  • Review all AI-generated code before committing
  • Use environment variables and secret managers

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment