< NULLCON 2025 - GOA />

About the Speaker

Kumar Ashwin
Technical Manager, Research & Consulting, Redhunt Labs

< Talk Title />

Hidden in Plain Sight: Large-Scale Exposure of Orphaned Commits on Major Git Platforms

< Talk Category />

Developer Track

< Talk Abstract />

In modern development, version control is essential—but hidden risks often lie within its architecture. Across GitHub, GitLab, and Bitbucket, dangling commits introduce a significant security vulnerability. These remnants—left behind when developers reset, modify, or delete files, believing sensitive data has been removed—persist within the repository history, containing secrets like API keys, credentials, and proprietary configurations. While the existence of dangling commits is not new, identifying and extracting sensitive information from them remains challenging.

In our research, we leveraged techniques allowing us to systematically identify and enumerate dangling commits, both within specific repositories and at scale across major Git platforms. This large-scale analysis uncovered alarming amounts of exposed secrets, revealing a widespread yet often overlooked security gap.

In this talk, we’ll discuss our methods for discovering these hidden risks, the engineering setup behind our at-scale analysis, and the challenges encountered along the way. We’ll conclude with practical solutions and best practices for preventing such exposures through effective repository hygiene. For organizations, this session is a crucial wake-up call to secure all aspects of their repositories—from visible code to hidden remnants—from silent but significant risks.

< Speaker Bio />

Kumar Ashwin is a security professional with expertise in web, cloud, and software supply chain security. He has presented at renowned conferences like x33fcon, BSides, and c0c0n, and actively engages with communities such as Null, Winja, and DEFCON Cloud Village. Having worked in offensive security, security engineering, and security research, Ashwin focuses on evolving security practices and enhancing software supply chain resilience. His work has helped organizations strengthen their security posture. For more insights, visit his blog at [krash.dev](https://krash.dev/).