What Happened
Researchers found that GitHub Copilot would auto-complete code with valid API keys, passwords, and secrets it had memorized from public repositories during training. Developers could inadvertently expose credentials.
Impact
Security risk for any developer using Copilot without reviewing suggestions. Highlighted data leakage in code generation models. GitHub added secret scanning features in response.
Cost: Security patches, potential credential compromises
How to Prevent This
- Never commit secrets to public repos (source of problem)
- Secret scanning in CI/CD pipelines
- Review all AI-generated code before committing
- Use environment variables and secret managers