Hackers of India

Hidden in Plain Sight: Large-Scale Exposure of Orphaned Commits on Major Git Platforms

By Kumar Ashwin on 02 Mar 2025 @ Nullcon

Abstract

In modern development, version control is essential—but hidden risks often lie within its architecture. Across GitHub, GitLab, and Bitbucket, dangling commits introduce a significant security vulnerability. These remnants—left behind when developers reset, modify, or delete files, believing sensitive data has been removed—persist within the repository history, containing secrets like API keys, credentials, and proprietary configurations. While the existence of dangling commits is not new, identifying and extracting sensitive information from them remains challenging.
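The persistence described above can be reproduced locally. The following shell script is an added illustration, not code from the talk or its authors: in a throwaway repository it commits a constructed fake credential, "undoes" it with `git reset --hard`, shows that the commit object is still recoverable, and then removes it with the reflog-expire-and-prune hygiene step. All paths, the fake key and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Demonstrates an orphaned (dangling) commit in a constructed local repo.
# Requires a git binary; everything else is created in a temp directory.
set -eu

GIT_ID="-c user.name=demo -c user.email=demo@example.invalid"

# Create a fresh repository with one harmless commit; prints its path.
make_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    echo "docs" > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" $GIT_ID commit -q -m "initial commit"
    echo "$repo"
}

# Commit a (fake, constructed) credential, then rewind the branch the way a
# developer might when trying to "remove" it. The commit object is not deleted.
leak_and_reset() {
    repo=$1
    echo "API_KEY=EXAMPLE-NOT-A-REAL-KEY-0000" > "$repo/config.env"
    git -C "$repo" add config.env
    git -C "$repo" $GIT_ID commit -q -m "add config"
    git -C "$repo" reset -q --hard HEAD~1
}

# Count commits that no ref points to. --no-reflogs matters: by default fsck
# treats anything still named in a reflog as reachable and hides it.
dangling_commits() {
    git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null \
        | grep -c '^unreachable commit' || true
}

# Return 0 if any unreachable commit still carries the credential file.
secret_recoverable() {
    repo=$1
    for sha in $(git -C "$repo" fsck --unreachable --no-reflogs 2>/dev/null \
                 | awk '/^unreachable commit/ { print $3 }'); do
        if git -C "$repo" show "$sha:config.env" 2>/dev/null | grep -q 'API_KEY'; then
            return 0
        fi
    done
    return 1
}

# Hygiene step: drop reflog entries that keep the commit alive, then prune.
purge_dangling() {
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}
```

On a hosted platform the same object can remain fetchable after a local purge until the server-side copy is garbage-collected, which is the exposure the talk focuses on.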

In our research, we leveraged techniques allowing us to systematically identify and enumerate dangling commits, both within specific repositories and at scale across major Git platforms. This large-scale analysis uncovered alarming amounts of exposed secrets, revealing a widespread yet often overlooked security gap.

In this talk, we’ll discuss our methods for discovering these hidden risks, the engineering setup behind our at-scale analysis, and the challenges encountered along the way. We’ll conclude with practical solutions and best practices for preventing such exposures through effective repository hygiene. For organizations, this session is a crucial wake-up call to secure all aspects of their repositories—from visible code to hidden remnants—from silent but significant risks.