GitLab
Best practices to keep secrets out of GitLab repositories
The GitLab security team is aware of a blog post from Sysdig describing how attackers scan public repositories for credentials exposed in Git config files, for example a token embedded in a remote URL. To prevent unintentional leaks of credentials, GitLab recommends the following practices for hardening public GitLab projects.

Limit public visibility of GitLab groups and projects. Set the default visibility for new projects and groups to private so that a project intended to be private is not accidentally disclosed as public.

Secure CI secrets by storing them in a dedicated secret or key management service such as GCP Secret Manager, AWS KMS, or HashiCorp Vault, and inject them into pipelines at runtime rather than committing them to the repository or to Git configuration.

Enable GitLab's secret detection capabilities to identify, block, or warn users about potential secrets in GitLab repositories. All available methods should be enabled: secret push protection, pipeline secret detection, and client-side secret detection.

If a secret is accidentally exposed, reset the exposed credential first, then review access logs for evidence of misuse or abuse. If the leaked secret was a GitLab personal access token or another GitLab token type, revoke it and review GitLab logs for any unauthorized activity associated with the token. Note that deleting the secret from the working tree does not remove it from Git history; treat any secret that was ever committed as compromised and rotate it.

By following these practices, users can help prevent unintentional leaks of their credentials in Git config files or elsewhere in public projects.
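The following is an added example, not code from GitLab or from the Sysdig post, showing the kind of check a team can run locally or in CI to catch the leak pattern described above before it reaches a public project: a small scanner that parses Git config text, flags remote URLs that carry `user:secret@` credentials and values shaped like GitLab personal access tokens (the `glpat-` prefix), and produces a redacted copy with the credentials stripped. The sample config is constructed for the example; the token values in it are made up, and the `http.extraHeader` line is a hypothetical misuse included to exercise the bare-token check.

```python
import re
import sys
from typing import Dict, List

# Constructed sample .git/config. The glpat- prefix is the one GitLab uses for
# personal access tokens; the token bodies below are invented for this example.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLEonlyNotARealToken@gitlab.example.com/group/project.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://git.example.org/group/project.git
[http]
\textraHeader = PRIVATE-TOKEN: glpat-AnotherMadeUpValue0001
[user]
\tname = dev
"""

SECTION_RE = re.compile(r'^\s*\[(?P<name>[^\]]+)\]\s*$')
KEYVAL_RE = re.compile(r'^\s*(?P<key>[\w.-]+)\s*=\s*(?P<value>.*?)\s*$')
# scheme://user:secret@rest  (the pattern attackers look for in remote URLs)
CRED_URL_RE = re.compile(
    r'^(?P<scheme>[a-z][a-z0-9+.-]*://)'
    r'(?P<user>[^:@/\s]+):(?P<secret>[^@/\s]+)@'
    r'(?P<rest>\S+)$', re.IGNORECASE)
# GitLab personal access tokens: "glpat-" followed by a 20+ character body.
TOKEN_RE = re.compile(r'\bglpat-[A-Za-z0-9_-]{20,}')


def mask_secret(secret: str) -> str:
    """Keep only the prefix so a report never reproduces the full secret."""
    keep = min(6, len(secret))
    return secret[:keep] + '*' * (len(secret) - keep)


def find_embedded_credentials(config_text: str) -> List[Dict[str, str]]:
    """Return one finding per config value that embeds a URL credential or a
    GitLab PAT-shaped token. Secrets are masked in the output."""
    findings: List[Dict[str, str]] = []
    section = ''
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group('name')
            continue
        kv = KEYVAL_RE.match(line)
        if not kv:
            continue
        key, value = kv.group('key'), kv.group('value')
        cred = CRED_URL_RE.match(value)
        if cred:
            findings.append({
                'line': str(lineno), 'section': section, 'key': key,
                'kind': 'url-credential', 'user': cred.group('user'),
                'host': cred.group('rest').split('/')[0],
                'masked': mask_secret(cred.group('secret')),
            })
            continue
        tok = TOKEN_RE.search(value)
        if tok:
            findings.append({
                'line': str(lineno), 'section': section, 'key': key,
                'kind': 'gitlab-token', 'user': '', 'host': '',
                'masked': mask_secret(tok.group(0)),
            })
    return findings


def redact_config(config_text: str) -> str:
    """Rewrite the config with user:secret@ removed from URLs (the remote still
    points at the same host and path) and bare tokens replaced by a marker.
    Rotating the credential is still required: redaction only stops re-leaking."""
    out = []
    for line in config_text.splitlines(keepends=True):
        kv = KEYVAL_RE.match(line)
        if kv:
            value = kv.group('value')
            cred = CRED_URL_RE.match(value)
            if cred:
                clean = cred.group('scheme') + cred.group('rest')
            else:
                clean = TOKEN_RE.sub('<REDACTED>', value)
            if clean != value:
                line = line.replace(value, clean)
        out.append(line)
    return ''.join(out)


def scan_git_config_file(path: str) -> List[Dict[str, str]]:
    """Scan a real .git/config (or ~/.gitconfig) on disk."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return find_embedded_credentials(fh.read())


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GIT_CONFIG
    for f in find_embedded_credentials(text):
        print(f"line {f['line']} [{f['section']}] {f['key']}: {f['kind']} {f['masked']}")
```

Run with no arguments to scan the constructed sample, or pass a path such as `.git/config` to scan a real repository; a non-empty findings list is the signal to fail a pre-push hook or CI job and to rotate the reported credential. GitLab's own secret push protection and pipeline secret detection cover far more token formats than this scanner, which checks only the two patterns discussed above.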