In cloud-native environments, the security of code and development pipelines is critical. The Code Security Report 2025 highlights the most pressing risks and trends facing organizations today. By analyzing hundreds of thousands of repositories across platforms such as GitHub, GitLab and Azure DevOps, the research reveals the main risks and poor practices that affect production code and production environments.
To produce this report, researchers drew on data collected during 2024 through the Wiz Cloud and Wiz platforms. With insights derived directly from real-world code repositories, version control systems (VCS) and CI/CD pipelines, the research provides a practical view of code security challenges. By connecting code development platforms to cloud environments, we made sure the findings capture the full range of risk, from code to deployment.
1. GitHub repositories: a major target
GitHub's popularity makes it a major hub for developers, but also for attackers. Alarmingly, 35 % of public GitHub repositories make it easy for malicious actors to exploit critical developer mistakes, such as committing sensitive credentials. This underscores the need for tighter permissions and better repository management practices.
2. Alarming secret exposure
61 % of organizations have public repositories that contain cloud secrets, such as API keys and access tokens. In the worst case, something as simple as a leaked access key can lead to data exfiltration, financial losses and reputational damage. The importance of keeping secrets encrypted and stored in dedicated secret management tools cannot be overstated.
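A committed secret of the kind described above can be caught before it reaches a public repository. The scanner below is an added example, not code from the report or from Wiz; it assumes the AWS access key ID and GitHub classic token formats and a Shannon entropy heuristic for generic key/secret assignments. The sample input is constructed, and AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its documentation, not a live key.

```python
import math
import re

# Fixed-format credentials that can be matched directly.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic assignments such as  api_key = "..."  or  SECRET: '...'
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking key material scores high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, entropy_threshold: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, value) for every suspected secret in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip low-entropy strings and obvious placeholders to limit noise.
            if shannon_entropy(value) >= entropy_threshold and "example" not in value.lower():
                findings.append((no, "high_entropy_" + m.group(1).lower(), value))
    return findings


# Constructed sample of a staged file; none of these values are real credentials.
SAMPLE_FILE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
password = "passwordpasswordpassword"
api_key = "x9Qm2vL8pZt4Rk1nW7yB3jH6dF0sA5eC"
api_key = "example-key-0123456789"
"""

if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE_FILE):
        print(f"line {line_no}: {kind}: {value[:8]}...")
```

Wired into a pre-commit hook over the staged diff, a non-empty result blocks the commit; the "passwordpasswordpassword" and "example-key" lines show the entropy and placeholder filters suppressing noise.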
3. Vulnerability risk in self-hosted runners
CI/CD runners are a convenient solution, but they come with high risk. About 35 % of organizations use self-hosted runners, which increases the risk of attackers gaining lateral movement across repositories and organizations. Worse, the environments hosting these runners are often poorly maintained, leaving them exposed to high-impact vulnerabilities. VMs with runners installed have on average 3 times the installed software packages and high/critical vulnerabilities of other VMs.
4. Dangerous and powerful permissions
Third-party GitHub Apps simplify workflows, but often expose organizations to unnecessary risk. The pull_requests and contents permissions are granted to more than 76 % of organization-level apps. It does not stop there: around 80 % of apps with the pull_requests permission are granted write access, allowing direct modifications to repositories. Misuse of such permissions, whether by a malicious app, a hijacked app or through a supply chain attack, can lead to serious compromises of code security.
The data is clear: unaddressed risks in source control and version control systems pose major challenges for the modern enterprise. From alarming levels of secret exposure to insecure CI/CD workflows, these weaknesses put production environments at risk.
Want to explore all the findings in detail and learn actionable strategies to protect your organization?