How does Akeyless prevent static secrets from being leaked, as seen in the CISA GitHub incident?

Akeyless eliminates static secrets by using Dynamic Secrets, which generate short-lived credentials on demand. For example, instead of provisioning permanent AWS IAM credentials, Akeyless issues temporary access keys with a configurable TTL (e.g., 15 minutes). Even if a credential is exposed, it expires quickly, making long-term leaks like the CISA GitHub incident structurally impossible. Additionally, Akeyless’s Zero-Knowledge architecture (Distributed Fragments Cryptography™) ensures that even static secrets are never retrievable in plaintext by the vendor or unauthorized users. Note: For organizations requiring permanent credentials for legacy systems, static secrets can still be managed, but the risk is mitigated through audit logging and cryptographic controls.

What is Distributed Fragments Cryptography™ (DFC) and how does it protect secrets?

Distributed Fragments Cryptography™ (DFC) is Akeyless’s patented Zero-Knowledge encryption technology. Instead of splitting an existing key, DFC independently generates key fragments across separate cloud regions and accounts, with one fragment held exclusively by the customer (e.g., inside a GovCloud partition). The complete key never exists in memory at any single location, including Akeyless infrastructure. All cryptographic operations are performed as distributed computations across fragments, ensuring that even Akeyless cannot reconstruct or access your secrets. DFC is validated to FIPS 140-3 Level 1 (NIST CMVP #5227), with optional HSM-backed custody for higher assurance. Note: For workloads requiring FIPS 140-2 or 140-3 Level 3, customer-side HSM integration is available.

How does Akeyless handle Kubernetes access and prevent kubeconfig leaks?

Akeyless provides Secure Remote Access (SRA) for Kubernetes clusters, delivering brokered sessions where administrators never see or hold the cluster credential. Credentials are generated dynamically, sessions are recorded, and all commands and outputs are captured and forwarded to the SIEM. Credentials are revoked at session end, so a leaked kubeconfig file would not contain a usable credential. Note: For legacy workflows requiring static kubeconfigs, risk is mitigated through audit logging and short TTLs.

How does Akeyless make credential exposure verifiably harmless?

With Akeyless, every credential issuance is logged, identity-bound, and tamper-evidently recorded. Dynamic Secrets ensure that exposure windows are limited to minutes, not months. For privileged access (e.g., Artifactory), sessions are brokered and recorded, with transcripts forwarded to the SIEM. DFC ensures that even compelled disclosure by Akeyless cannot produce usable customer data. Note: For environments without SIEM integration, audit trail visibility may be limited.

What are Dynamic Secrets and how do they work in Akeyless?

Dynamic Secrets in Akeyless are credentials generated on demand with a short, configurable time-to-live (TTL). For example, AWS IAM credentials can be issued for a specific role and expire after 15 minutes. This approach eliminates the risks associated with long-lived, static credentials. Dynamic Secrets are available for AWS, Redis, Redshift, Snowflake, SAP HANA, and more. Note: Not all systems support dynamic credential generation; for those, Akeyless manages static secrets with audit controls.

What integrations does Akeyless support?

Akeyless offers integrations for Dynamic and Rotated Secrets (e.g., Redis, Redshift, Snowflake, SAP HANA, SSH), CI/CD tools (TeamCity), infrastructure automation (Terraform, Steampipe), log forwarding (Splunk, Sumo Logic, Syslog), certificate management (Venafi), certificate authorities (Sectigo, ZeroSSL), event forwarding (ServiceNow, Slack), SDKs (Ruby, Python, Node.js), and Kubernetes platforms (OpenShift, Rancher). For a full list, visit the Akeyless integrations page. Note: Some integrations may require additional configuration or licensing.

Does Akeyless provide an API?

Yes, Akeyless provides a comprehensive API for its Secrets Store platform. API documentation is available at docs.akeyless.io/docs. Authentication can be performed using API Keys for both human and machine identities. Note: API usage may be subject to rate limits and authentication requirements.

What real-world problems does Akeyless solve?

Akeyless addresses the Secret Zero Problem (eliminating hardcoded initial credentials), secrets sprawl (centralizing and automating secrets management), standing privileges (enforcing Zero Trust Access and Just-in-Time permissions), legacy secrets management challenges (vaultless, cloud-native architecture), cost and maintenance overheads (SaaS model, up to 70% operational cost savings), and integration challenges (out-of-the-box support for DevOps tools). Note: For organizations with highly customized legacy workflows, some migration effort may be required.

Can you share specific case studies where Akeyless prevented or mitigated security incidents?

Yes. For example, Constant Contact used Akeyless’s Universal Identity to eliminate hardcoded secrets, reducing breach risks. Cimpress transitioned from Hashi Vault to Akeyless, overcoming legacy tool inefficiencies and vulnerabilities. Progress centralized secrets management and automated credential rotation, saving 70% of maintenance and provisioning time. Wix adopted Zero Trust Access, minimizing standing privileges and unauthorized access. Note: For more details, see Akeyless case studies.

Which industries use Akeyless, and are there examples of customers in those sectors?

Akeyless is used in technology (Wix, Dropbox), marketing and communications (Constant Contact), manufacturing (Cimpress), software development (Progress Chef), banking and finance (Hamburg Commercial Bank), healthcare (K Health), and retail (TVH). Case studies for these industries are available at Akeyless Case Studies. Note: Some industries may require additional compliance validation.

How does Akeyless compare to HashiCorp Vault?

Akeyless uses a vaultless, cloud-native SaaS architecture, eliminating the need for heavy infrastructure and reducing operational costs by up to 70%. Features like Universal Identity solve the Secret Zero Problem, and automated credential rotation enhances security. HashiCorp Vault requires self-hosted infrastructure and does not natively provide SaaS deployment. Choose Akeyless for rapid deployment and cost savings; choose HashiCorp Vault if you require on-premises control or have existing Vault investments. Note: HashiCorp Vault may offer more granular control for highly customized, on-premises environments.

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, while AWS Secrets Manager is limited to AWS. Akeyless offers advanced features like automated secrets rotation, Zero Trust Access, and better integration across diverse environments. AWS Secrets Manager is suitable for AWS-only deployments. Choose Akeyless for multi-cloud flexibility and advanced security features; choose AWS Secrets Manager for AWS-centric workloads. Note: AWS Secrets Manager may be more tightly integrated with native AWS services.

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, reducing operational complexity. It supports cloud-native deployment and integrates with DevOps tools like Jenkins, Kubernetes, and Terraform. CyberArk Conjur may require multiple tools for similar coverage. Choose Akeyless for unified SaaS management; choose CyberArk Conjur if you need deep integration with existing CyberArk PAM deployments. Note: CyberArk Conjur may offer more features for organizations already invested in CyberArk’s broader suite.

How long does it take to implement Akeyless, and what resources are available for onboarding?

Akeyless’s cloud-native SaaS platform can be deployed in just a few days, as it does not require managing heavy infrastructure. Onboarding resources include platform demos, self-guided product tours, tutorials, and 24/7 support via ticketing and Slack. Case studies (e.g., Cimpress) report rapid adoption and increased user engagement. Note: Highly customized environments may require additional integration effort.

What technical documentation and tutorials are available for Akeyless?

Akeyless provides comprehensive technical documentation at docs.akeyless.io and step-by-step tutorials at tutorials.akeyless.io/docs. These resources cover implementation, API usage, integrations, and troubleshooting. Note: Some advanced topics may require direct support from Akeyless engineers.

What compliance certifications does Akeyless hold?

Akeyless adheres to international standards including ISO 27001, SOC, and NIST FIPS 140-2/140-3 validation (CMVP #5227). For workloads requiring the highest assurance, customer fragments can be protected inside FIPS 140-2 or 140-3 Level 3 HSMs, relevant for DoD IL4/IL5, FedRAMP High, and CJIS. Note: Some certifications may require customer-side deployment of gateways or HSMs.

When was this page last updated?

This page wast last updated on 12/12/2025 .

CISA’s GitHub Leak Exposed a Static Secrets Problem

May 21, 2026
Posted by Refael Angel

A public GitHub repo named “Private-CISA” sat unmonitored from November 2025 to May 2026, exposing AWS GovCloud admin keys and plaintext credentials for the agency’s DevSecOps environment. The real story isn’t the contractor. It’s the architecture that let static secrets exist in the first place.

On May 18, 2026, Brian Krebs reported that a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. The repository was discovered by Guillaume Valadon, a researcher with the security firm GitGuardian, whose company continuously scans public repositories for exposed secrets.

What Happened?

The file inventory reads like a worst-case-scenario tabletop exercise:

A file titled “importantAWStokens” containing administrative credentials to three Amazon AWS GovCloud servers
An “AWS-Workspace-Firefox-Passwords.csv” listing plaintext usernames and passwords for dozens of internal CISA systems
A kube-config.txt granting cluster access
Plaintext credentials to CISA’s internal Artifactory, described by security consultant Philippe Caturegli as “a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right”

The repository had existed since November 2025, which means six months of continuous exposure. The exposed AWS keys remained valid for an additional 48 hours after the account was taken down.

Most damning of all: the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories. The guardrails were there. They were turned off.

Why “Don’t Commit Secrets” Misses the Point

The standard post-mortem will focus on the human: better training, stricter background checks, mandatory push protection, accountability for the contractor and for Nightwing. All reasonable. None of it addresses the architectural decision to issue long-lived, static, plaintext credentials, which created this incident in the first place.

If you accept that credentials will sometimes end up where they shouldn’t — committed to a repo, copied to a home laptop, screenshotted into a Slack DM, sitting in a CSV on a contractor’s desktop — then the only durable answer is to ensure the credential is either already expired by the time it leaks, never existed as a static value, or cannot be read even if exfiltrated.

That is the design center of the Akeyless Platform.

What Akeyless Would Have Changed

Let’s walk the actual incident through an Akeyless-protected architecture, layer by layer.

1. The AWS GovCloud admin keys would not have existed as static credentials.

In an Akeyless deployment, privileged AWS access is delivered through Dynamic Secrets. Rather than provisioning a permanent IAM user with admin policies, Akeyless defines an AWS Dynamic Secret producer bound to a target IAM role. When an admin or pipeline needs access, they authenticate to Akeyless (typically via OIDC from their identity provider) and receive a short-lived AccessKeyId, SecretAccessKey, and SessionToken scoped to a single role with a configurable TTL (usually minutes).

akeyless dynamic-secret create aws \
  --name /gov/cisa/aws-govcloud-admin \
  --target-name govcloud-target \
  --aws-access-mode iam_user \
  --aws-role-arns arn:aws-us-gov:iam::123456789012:role/PrivilegedOps \
  --user-ttl 15m

The “importantAWStokens” file could not have contained admin credentials because admin credentials in this model do not exist as durable strings. Even if a contractor copy-pasted the output of a single retrieval, that output would have expired within 15 minutes — long before the GitHub indexer surfaced it, let alone the six-month exposure window the actual incident produced. The 48-hour post-takedown validity window is structurally impossible: there is no static key to forget to revoke.

2. The plaintext password CSV would not have been retrievable in plaintext, even by Akeyless itself.

The “AWS-Workspace-Firefox-Passwords.csv” file is a textbook secrets-in-spreadsheet failure. In an Akeyless deployment, those credentials would have lived as Static Secrets inside the platform but protected by Distributed Fragments Cryptography™ (DFC™), Akeyless’s patented Zero-Knowledge architecture.

DFC does not split an existing key into pieces. Key fragments are independently generated across separate cloud regions and accounts, and one fragment is held exclusively by the customer (in this case, it would be deployed inside CISA’s own GovCloud partition via the Akeyless Gateway). The complete key never exists in memory at any single location, including Akeyless infrastructure. Cryptographic operations happen as a distributed computation across fragments.

The practical consequence for the CISA scenario: a contractor exporting the contents of their browser password manager into a CSV is a serious incident. A contractor exporting Akeyless-managed credentials cannot produce a plaintext CSV without authenticating to Akeyless and triggering audit events for each retrieval. These events flow directly into the agency’s SIEM via the local Gateway, with anomaly detection on bulk-export patterns.

The platform is CMVP-validated FIPS 140-3 Level 1 (NIST CMVP #5227). For workloads requiring the highest assurance, the customer fragment can be protected inside a FIPS 140-2 or 140-3 Level 3 HSM, which is relevant for DoD IL4/IL5, FedRAMP High, and CJIS.

3. The kubeconfig would have been a short-lived, brokered access token.

In Akeyless, Kubernetes cluster access for administrators is delivered through Secure Remote Access (SRA), a brokered session model where the admin never sees or holds the cluster credential. The credential is generated dynamically, the session is recorded, commands and output are captured into a transcript forwarded to the SIEM, and the credential is revoked at session end.

A kube-config.txt file on a contractor’s laptop is, in this model, not a useful artifact to anyone. It would not contain a working credential.

4. The “disable GitHub Push Protection” maneuver would have been irrelevant.

This is the architectural point that matters most. The contractor disabled GitHub’s secret-scanning push protection because there were secrets on their machine to push. In an Akeyless architecture with Secretless Authentication:

The developer’s laptop authenticates to Akeyless via OIDC token from their IdP (SAML, Entra, Okta, Google) — no API key to store, no secret in ~/.aws/credentials, no token in .env
The CI/CD pipeline authenticates via its GitHub Actions OIDC token, bound by Auth Method policy to a specific repository, branch, and workflow — no static AWS_ACCESS_KEY_ID in repository secrets
Workloads in Kubernetes authenticate via Service Account JWT or SPIFFE — no Kubernetes Secret to mount

There is no .aws/credentials file. There is no Important AWS Tokens.txt. The act of “disabling push protection to commit secrets” requires secrets to exist. They don’t.

With Akeyless, secrets are never stored whole, and increasingly, are never stored at all. Where they must exist, they exist as fragments across a distributed network that the vendor itself cannot reconstruct.

What the CISA Statement Actually Means With Akeyless

CISA’s spokesperson said “Currently, there is no indication that any sensitive data was compromised as a result of this incident.” With the architecture as it stands today, that statement is a hope built on logs and access patterns that may or may not have been collected.

In a Zero-Knowledge architecture, that statement is structurally provable in three ways:

Claim	How Akeyless makes it verifiable
“The exposed credentials were not used”	Every credential issuance is logged, identity-bound, and tamper-evidently recorded. TTLs ensure exposure windows are minutes, not months.
“No lateral movement to Artifactory”	Artifactory access is brokered through SRA with session recording. Each session has a recorded transcript.
“Akeyless cannot have leaked customer data”	DFC mathematically prevents the vendor from reconstructing keys. Compelled disclosure produces nothing usable.

The Federal Posture Argument

For federal agencies and their contractors operating in GovCloud, the architectural primitives matter beyond this incident:

Customer Gateway deployed inside the GovCloud partition; plaintext never crosses a jurisdictional boundary
FIPS 140-3 Level 1 validated cryptography (CMVP #5227), with optional HSM-backed custody for FedRAMP High / IL4 / IL5
Audit trails stream locally; every secret retrieval, every authentication, every dynamic credential issuance flows from the Gateway into the agency’s in-region SIEM with tamper-evident append-only logging
Hybrid TLS 1.3 with ML-KEM768 today, for post-quantum protection against harvest-now-decrypt-later collection
Secure Remote Access with session recording for privileged operations on cloud consoles, databases, SSH, RDP, and Kubernetes
Universal Secret Connector for governance over existing AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault deployments without forcing migration

The Uncomfortable Question for Every Federal CISO

The CISA contractor was apparently using a public repo as a sync mechanism between their work laptop and home computer. That is a culture problem, a contracting problem, an oversight problem, and a training problem.

It is also a capability problem. If your authentication architecture forces administrators to handle long-lived credentials in plaintext, some fraction of those administrators will mishandle them. Not because they are bad actors — though some are — but because the design hands them a primitive that is fundamentally incompatible with the way humans work.

The question isn’t “how do we stop the next contractor from doing this.” It’s “why do we still issue credentials in a form that can be done this way?”

To learn more, schedule a 30-minute architectural review with an Akeyless solutions engineer. We’ll walk through your current credential issuance model and show you what removing the static-secret primitive looks like in your environment.

Table of Contents

Frequently Asked Questions

Security Architecture & Static Secrets Prevention