GitGuardian Platform Reviews

My use case for the GitGuardian Platform is application security.

My impression of the GitGuardian Platform's capability to detect secrets in real time is actually really amazing, because it lets us protect or block the pipelines in which we deploy new applications so we can acknowledge when a secret is hardcoded in a repository, or when we have already hardcoded secrets within templates in our repos.

We adopted it a year ago, and it has been doing great in our teams, especially for developers. The impression so far has been good.

The severity scoring has helped us in incident management because it is doing the correct job. We got many secrets leaked within our platform and it was making the correct warnings regarding that particular secret, as we had a hardcoded Google Cloud API key. It was marked as a critical severity, so we had the chance to correct it, regenerate that secret and work again on not hardcoding secrets within our code.

GitGuardian's public leak detection significantly enhances our organization's data security by continuously monitoring public repositories. It allows us to proactively identify accidental exposures of sensitive credentials or secrets.

Regarding the exceptions in GitGuardian Platform, we know that within the platform we have a way to accept a path or a directory from a repository, but it is not that visible at the very beginning. You have to figure out where to search for it, and once you have it, it is really good, but it is not that visible at the beginning. This should be made more exposed.

The documentation could be better because it was not that comprehensively documented. When we started working with GitGuardian Platform, it was difficult to find some specific use cases, and we were not aware of that. It might have improved now, but at that time, it was not something we would recommend.

I have been using the GitGuardian Platform for almost a year now.

From 1 to 10, I rate the stability of the GitGuardian Platform a 10, as there are no downtimes.

I would rate the scalability as a 10, since we did not have any problems.

For technical support, I would give a solid 10. They have someone who speaks Spanish, which made it easier for us.

I am comparing it with Advanced Security from GitHub and Cycode.

Two of us were involved in the deployment process.

It took a week to deploy the GitGuardian Platform, just to standardize the process.

Two of us were involved in the deployment process.

Regarding return on investment, we have actually saved time and resources because before having GitGuardian Platform, we had two or three people working in every repository looking for secrets with open-source tools. It took a long time to find secrets or many patterns, and at the time, we had to configure our own patterns to find them. I cannot specify the exact return on investment, but I can surely say that we have saved significant time and resources, particularly in terms of people and automation.

I would compare the GitGuardian Platform to other solutions or vendors on the market as being easier to use, but it is not integrated with the CSM that we are using right now. That is the difference. It is easy to use, but it could be easier.

We are customers in our company's relationship with the vendor.

I work primarily with the CLI, focusing on pipelines and automations rather than the platform itself. The platform has remained almost the same within the year that we have been working with it.

We are not utilizing the automated playbooks yet.

I cannot determine if the pricing is cost-effective.

The vendor can contact me if they have any questions or comments about my review.

I have rated the GitGuardian Platform a 10 out of 10.

I use GitGuardian Platform to ensure that there are no secrets committed, such as hardcoded values, database credentials, API keys, or any secrets that could be exposed to external users of our application. To maintain security and data accuracy, confidential data should not be shared with other platforms. GitGuardian Platform checks our local code first, then it passes through our CI/CD pipeline as well. When we push code to GitHub, it scans and sends a report via Gmail, so we have to fix those security vulnerabilities.

The best features of GitGuardian Platform are that it detects everything being pushed through the repository and scans everything comprehensively. It checks the possibility of exposure, so if there are API keys or database passwords being used, it warns us to either remove, rotate, or replace them, ensuring they should not be present in a GitGuardian Platform scan.

Our company has seen many benefits from using GitGuardian Platform, especially since there have been numerous cyber attacks and security threats in the last two to three years. Our company has remained very safe in this regard because we need to secure our data effectively, being in the insurance reinsurance sector. GitGuardian Platform ensures our data is protected by regularly scanning the repositories and sending us reports on how to fix vulnerabilities, keeping us safe from cyber attacks.

GitGuardian Platform could improve by providing a more user-friendly UI with tips or solutions. With AI advancements, they could offer AI-specific solutions in scanning reports, suggesting fixes for GitGuardian Platform incidents, and even permit automated fixes, which would significantly reduce the developer's workload.

I have been using GitGuardian Platform for the last one year.

Stability and availability of GitGuardian Platform are commendable; it is stable and available.

It is stable because when I push changes, it scans immediately, confirming fixes. There is no downtime during scanning, maintaining stability and availability.

I find support good since we have not needed much help from them. The guidelines provided are sufficient for guiding us on what to fix.

There are many tools in our organization for similar purposes, but GitGuardian Platform is specifically for exposing secrets. We also use Snyk for vulnerability scanning, among others, though I cannot recall all of them.

The decision was made by my organization, not me, so I am not sure about the parameters they considered before choosing GitGuardian Platform.

GitGuardian Platform prioritizes incidents in our workflow through automated validity checks. There are high risk, low risk, and medium risk incidents raised, and the infosec team prioritizes them and approaches us, the developers who pushed those changes, to fix them accordingly.

GitGuardian Platform's public leakage detection influences our company's data security as a precaution. We are not sure if data might be exposed, but taking this precaution by scanning the repositories is crucial. A cyber attacker just needs one piece of data, so we ensure at least that one thing is secured. It is about cyber attack prevention, ensuring all our data remains safe.

It rates the effectiveness of severity in incident management based on the severity of the change. This allows us to address the most important ones first. It checks what has been pushed from the code, raising a high-level vulnerability if database-related passwords are involved and reports it urgently. For low-level issues like hardcoded values for APIs, it is reported accordingly based on priority.

I use GitGuardian Platform's automated playbooks for scanning. Productivity-wise, these playbooks help me know if I am going to push code with secrets. I am aware now, so I intentionally avoid that, ensuring I write good code. It increases my productivity by helping me fix issues proactively. If GitGuardian Platform were not here and vulnerabilities were discovered later, there could be severe consequences. Currently, that impact has been reduced, minimizing our efforts significantly through early precautions.

Our organization is currently innovating on the AI side, which includes creating a custom agent to fix vulnerabilities, similar to GitHub Copilot. This agent automates changes required based on GitGuardian Platform scanning, closing incidents directly. This support reduces our efforts and timelines.

Fixing vulnerabilities now takes approximately 60% less time. If fixing took ten days, I now do it in six. I am not sure about multi-vault integration because I am just a developer using it to fix my code changes. I am not sure if I am using GitGuardian Platform's Honey Tokens feature. I would rate this product an 8.5 overall.

GitGuardian Platform is a security tool preventing the exposure of secrets. It is particularly valuable as a tool because it doesn't just identify exposed security issues, but works as a platform that gives developers an intuitive and easy way of reacting to and fixing the issues.

GitGuardian Platform captures all the major secret types we care about. It tends to be a bit overzealous in some categories, but it covers all the ones that we want to track and keep an eye on. It has great coverage over those.

GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively. The built-in process for developers interacting with exposed secrets saves them time fixing security problems before returning to their tasks. We can also provide customized remediation guidelines to developers.

Automated validity checks are super critical for us. If something is confirmed as valid in the platform, we know there is some externally accessible value that's exposed somewhere. It's then the top priority for us to engage in. It also gives us a lot of confidence. When the development teams come back and say that they have fixed it, GitGuardian Platform confirms that.

We rely a lot on GitGuardian Platform's self-service functionality so that developers handle incidents without us having to take action. We don't rely on automated severity scoring for incident management. While the severity rating is decent, we focus more on the validity feature and detector categories than on GitGuardian's high-risk ratings. We have customized remediation guidelines by providing specific internal context for handling exposed secrets. We use GitGuardian's integrations with other tracking platforms, but we don't have everything funneled into Jira. We use our own prioritization to see which ones we want to funnel into Jira.

The platform has given us a clear picture of the historical landscape, showing what has been fixed versus what remains hidden in historical data. This clarity has been helpful in planning security measures around issues that don't get self-healed.

We have it scanning our GitHub environments, Atlassian suite (Jira tickets, Confluence), and Slack messages. That gives us a nice coverage across the business.

The validity and self-healing playbook features of GitGuardian Platform is one of the most useful features for us. It automatically reaches out to developers for any leaks, notifying them immediately via email. We have Slack notifications set up, allowing developers to respond, provide feedback about sensitive values, and self-close issues by attesting completion on the platform. A high number of our exposures are remediated by developers before security needs to step in, as the self-healing playbook process engages them automatically. This results in issues being resolved within minutes, saving significant effort from the security team in tracking down or communicating with developers.

The analytics in GitGuardian Platform have a significant opportunity to better reflect the value provided to security teams and demonstrate actual activity occurring. While the self-healing capability and proactive developer actions are important features, the analytics do not provide information around this activity. They only track actions inside the platform when security team members assign themselves to issues and respond. The self-healing activity by developers isn't reflected in the analytics, requiring us to collect this data ourselves. This presents an opportunity for them to better showcase their developer-first remediation mindset.

We have been using GitGuardian Platform for approximately nine months.

It's a stable platform, we don't often have to think about it. The SaaS platform has experienced two significant moments of downtime or instability in the last six months, requiring notices and retrospectives. We also run a self-hosted cluster which has not experienced these issues, though we've faced some challenges upgrading Kubernetes that required support assistance to prevent internal downtime.

It is scalable. I would rate it a nine out of ten for scalability. 

My product security team administrates the platform, with a few other security people accessing it. Access to respond to incidents is deployed for every engineer. Team-based provisioning is not yet supported with SCIM, which makes team-based grouping a hassle, so we do not use it.

I would rate their technical support a nine out of ten.

Positive

We were using a home-grown solution. 

The initial setup of the self-hosted cluster was moderately complex. We faced some issues because of the environment we had. We had to fix some installation errors and bugs in their Helm configuration.

In terms of deployment model, we self-host a cluster out of necessity. We have an internal GitHub Enterprise server. We self-host GitGuardian Platform to connect to that environment. We also use their SaaS version for Slack and Atlassian integrations.

We implemented in-house.

The majority of our incidents for critical detectors and important secret types are remediated automatically or proactively by developers through GitGuardian's notification system, without security team involvement. It saves a lot of time for the security teams and the developers. It probably saves approximately 10 hours per week. Previously, we needed an extra 20% of our time focused on this subject area, which has now been saved because of this platform.

It's competitively priced compared to others. Overall, the secret detection sector is expensive, but we are happy with the value we get.

We evaluated other vendors on the market. The secret detection capabilities of most vendors are basically equivalent, capturing all major types of secrets. The management and administration of findings after scanning is what differentiates vendors. Many alternatives lack strong administration capabilities for security teams after finding detections. GitGuardian's dashboard, self-healing playbooks, and ways for the security team to monitor, track, and deduplicate detections make it easier to manage the program compared to competitors.

I would recommend GitGuardian Platform to other users due to the ease of management for the security team with the dashboard. It offers easy administration of results. The proactive self-service capabilities provided to developers remove the burden from the security team and enable faster remediation of exposed values.

My overall rating for GitGuardian Platform is an eight out of ten.

We use GitHub as our source code platform. When we shifted from on-premise version control systems, we identified a requirement for capable tooling that could both find secrets that were committed in the past, and prevent and alert on secrets that were being accidentally committed.

GitGuardian gives us a better understanding of what's going on in our source code. Persistent use of the platform has allowed us to highlight areas where we need to improve; eg. providing training so that people know what information should and should not be in GitHub. 

We've managed to use this data to improve practices related to where teams store their secrets, and have also been able to use it to understand where we might be lacking tooling. 

When a developer commits a secret or there's a particular pattern in a repository, we often ask them about why they did this. They may turn around and say that there's no better option at the moment because we don't have a platform to suit x, y, or z. We can use that information to then drive decisions around whether or not we need to look into improved tooling or patterns that our engineering teams can use to avoid storing secrets in their source code.

Automated validity checks are very helpful; we use them to prioritise incidents, as they give us a quick understanding as to which secrets are still valid. They also help us to confirm that token invalidation - which sometimes has to be done by another team or a third party - has worked as expected.

We also utilize some of the automated playbooks, specifically those around automatic incident closure, allowing us to spend less time making sure that the incidents closed by changes to code are getting closed out.

Instantaneous notifications connected to our Slack platform allow us to deal quickly with incidents if and when they occur.

One of the best features of the solution, though, is the ability to use pre-push hooks. Preventing our developers from committing secrets into their source code before they hit the remote GitHub servers is ideal; it can be quite challenging and time consuming to remediate and rotate secrets once pushed to the remote.

The reporting feature has improved quite a bit since we first used it around five years ago, with filters that allow us to set up quick groups of or collections of filters and statuses to determine which secret detections are still unassigned and which are new. It allows us to easily ship those off to the developers involved in those incidents to get them remediated.

We'd love to see notification updates in Slack, as the system does not provide feedback on updates to incidents, which can be problematic when developers resolve issues. 

ie. if a developer commits code that triggers an incident, the alert comes into Slack, but by the time someone looks at it through the Slack alerting channel, the developer might have gone and already fixed or closed the issue. There's no feedback loop back into the notification channel to show that it's been addressed. 

Another thing that would be good to see is some more metrics on the usage of the GitGuardian pre-push hooks. It would be helpful to see which GitHub users have or do not have the pre-push hook capability turned on. That would allow us to chase people and say that we noticed that you're making commits, but you're not using GitGuardian, and encourage them to install ggshield before an accident happens.

My experience with the solution started in November 2020, which is approximately four or five years.

It's generally quite stable.

There has been a little bit of downtime of late, and it has been reasonably impactful when it's not been scanning. We set up our repositories in GitHub with GitGuardian as a required check. 

We had an incident for about four hours  last week and another one about a month before that. Prior to that, it's been really stable. 

It handles all the repositories and commit activity we have.

I would rate their technical support an eight out of ten.

Positive

No

We didn't have to do much. They manage all of the backend for us. All we have to do is integrate it into our GitHub organizations, and doing that is straightforward.

The solution does not require any maintenance.

In-house.

It's challenging to quantify, but it has saved us from a bit of panic because we know the state of our source code. It's hard to determine what savings might come from having the tooling or not.

It's fairly priced, as it performs a lot of analysis and is a valuable tool.

We have tested it against other solutions, such as TruffleHog, the open-source solution, and found the GitGuardian Platform to be about significantly better in terms of detection capabilities. TruffleHog focuses on secrets that it can validate, but in an Enterprise world with lots of internal tools, APIs and platforms it can miss a lot of secrets.

The new multi-vault feature looks useful; we are planning to connect it up to AWS Secrets Manager and HashiCorp Vault. 

My use case for the GitGuardian Platform is application security for our enterprise repository.

The solution has improved our organization. We are still in the rollout, but the users who are utilizing it are very happy, especially about the feature that enables pre-commit hooks in Git that will not raise to the remote repository. This is a very good feature that our developers use very heavily.

The best features of the GitGuardian Platform are that it finds many different secrets, more than other competitors, and the support from the colleagues is also very good.

The GitGuardian Platform helps in monitoring and protecting our code repositories from leakage. It helps significantly because we connected our vulnerability management process to this, and the colleagues from vulnerability management have much easier work since we have the GitGuardian Platform installation due to the dedicated incidents or issues which are opened automatically.

The alerting capabilities and threat intelligence features of the GitGuardian Platform are managed by another team; we only host the platform.

The audit logs and compliance reports from GitGuardian are very helpful because, in the past, we needed to do it manually by scanning the repos. Now with GitGuardian Platform, we have a really good overview of what is open, what is closed, and how critical the issues are.

The areas that have room for improvement involve the missing feature to add custom detectors for the GitGuardian Platform, which would help us check if internal secrets are still valid or not.

I assess the accuracy of the detection from the GitGuardian Platform as very good because we don't have many false positives, which means the quality is very good. The only thing we want to have are some additional detectors which help us to prioritize, especially since enterprise secrets are found, but they cannot verify if they are valid or not.

I have been using the GitGuardian Platform for one and a half years.

The stability of the GitGuardian Platform is excellent. We don't have any problems with the stability of the system at all.

The scalability of the GitGuardian Platform is excellent.

The technical support from the GitGuardian Platform deserves a rating of nine out of ten.

The deployment of the GitGuardian Platform is very easy because it's a Helm chart which is very easy to install for us. The deployment took several days.

I have no information about pricing, but since they won the request for quotation, I believe it's a good price.

We created a technical evaluation and checked against other providers, though I don't remember the names. The GitGuardian Platform has the best technical capabilities, and our procurement handles the pricing part.

The GitGuardian Platform is used worldwide in our environment.

Currently, we have approximately 1,300 licenses for the GitGuardian Platform, but we will increase to 2,000 next year.

The solution requires maintenance from our side only for user management, which is normal for each application.

I cannot quantify how much time or resources the GitGuardian Platform saves us because this is spread across all teams worldwide.

I would recommend the GitGuardian Platform to other users because the integration with GitHub and Azure DevOps is very easy, and you also have the possibility to use it locally on your IDE. This is a very good solution.

I rate the GitGuardian Platform a nine out of ten because room for improvement is always possible, but it's really good.

We initially integrated GitGuardian Platform into our organization in 2023 into our GitHub repository. We implemented it because we did not want our secret credentials to be exposed to the internet or to a third party such as GitHub. It flags when credentials have been exposed so we can remediate and fix them. GitGuardian Platform was what my tech lead suggested we use, and we had to incorporate it into our repositories. We use the Platform version.

What I appreciate the most about GitGuardian Platform is its efficiency when triggering our pipeline and notifying us if secrets have been exposed, such as APIs, variables, our database, or anything being exposed. Currently, we have numerous repositories and pushes that happen in our repo. It would be humanly impossible for us to manually search for these secrets. GitGuardian Platform can do this automatically. All we need to do is wait for an email notification that indicates a secret has been exposed. It points out the repository that has the secret exposed, and we can fix it. This saves us the time of manual review.

The main disadvantage I feel they should improve upon is that apart from flagging credential issues or secrets, they could incorporate something else to make it more dynamic. If their product focuses majorly on secrets leaking, similar to Amazon Macie, they could expand their capabilities. Amazon Macie primarily flags secrets being exposed over the internet.

For example, we use Dependabot for code review. Dependabot helps us follow best practices such as code quality and code analysis, as we cannot manually check 10,000 lines of code to ensure they follow structural standards. If GitGuardian Platform could incorporate code analysis into their system, not just for secrets alone, it would make them more dynamic.

This would allow users to have just one tool instead of multiple third-party tools running in GitHub. It would reduce management overhead as you wouldn't have to manage multiple tools.

I have been using GitGuardian Platform in my career for almost two years now.

For my organization, GitGuardian Platform has been stable. Since installation, we haven't had to optimize it, and I am unsure about new versions. It has been functioning effectively, and its performance is satisfactory. The only limitation is that it performs just one task. While it is efficient at credential flagging, it could offer more functionality.

Regarding scalability, in my organization, we have about 44 repositories running, and GitGuardian Platform has been able to handle these repositories efficiently. I am uncertain about its capability to handle 100 repositories. For our organization, which is just four years old and not a large platform with numerous features, it functions adequately with our 44 repositories.

Some tools can function properly until demand increases or usage reaches a certain extent, at which point they might start deteriorating. For instance, with our GitHub account, we had to pay for more capacity usage. I am unsure if GitGuardian Platform has similar limitations on the number of repositories it can handle. However, for our current 44 repositories, it has been working exceptionally.

I have never contacted any technical support or customer support through phone or ticket system. We have never experienced any issues with it. It effectively helps us with credentials security and has been performing satisfactorily.

Neutral

I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

The initial deployment and installation was very easy for us.

For this deployment, my tech lead handled the implementation. We were on a call with him while he deployed it. It required only one person to complete the setup.

It does not require any maintenance on our end as it has been working autonomously. I am unaware of new versions, but what we have been using has not required maintenance.

I am not involved with the pricing of GitGuardian Platform, as the tech lead handled those aspects. Initially, I thought it was an open-source tool. There are private and public versions available. The private version requires payment, but for the public version we use, we did not make any payments.

I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

I will rate GitGuardian Platform a seven out of ten. The reason for this rating is that I wish they could have an agent embedded into their system that helps to identify real credentials from mock credentials, as this sometimes causes false alarms.

We are users of the product with no partnerships with GitGuardian Platform. They can contact me regarding any questions about this review. I am open to anything that benefits the community and makes everything better.

Our current use cases for GitGuardian Platform involve monitoring external and internal GitHub and GitLab, Bitbucket, and other code repositories that it supports for secrets.

The newest addition that we appreciate about GitGuardian Platform is the ability to create a custom detector, which we built and worked with the team, and that works very effectively.

GitGuardian Platform performs the capability to detect secrets in real time exceptionally, as it activates from the commit and can detect it immediately.

We utilize GitGuardian Platform's automated validity checks in some cases, and they seem to work effectively. We are still experimenting with them.

The multi-vault integration plays a key role in our secrets management strategy because we have multiple different vaults, and that works effectively.

GitGuardian Platform does what it is designed to do, but it still generates many false positives.

We utilize the automated playbooks from GitGuardian Platform, and we are enhancing them. We will probably stop using some of them, but we are building off of them. The one piece they do not include is contacting the person's manager or copying them, which we feel is necessary to prevent insider threat and other issues, but they do not have access to our hierarchy of employees.

We are not using the honeytokens feature of GitGuardian Platform.

Regarding improvements, there are two things we are working on with them. They have added charts, which is a new feature, but it is still not accurate. It has taken 4 to 5 months and it is fairly slow. We are looking for better metrics and audit data, wanting more features such as knowing which users are creating the most secrets or committing the most secrets, what repository, what directory, and who is not checking in secrets, which repo, user, or directory has not had any secrets committed. We want more metrics around both good and bad to see how we are performing.

I have been using GitGuardian Platform for 5 years at the company, and my team has been using it for 3 years.

There has not been any instability with GitGuardian Platform; it performs reliably.

Currently, what GitGuardian Platform is doing works effectively. It is quick and meets our needs. If we added more, I do not think that would really impact performance, so the scalability in that aspect is fine. I know they are trying to branch out and look for secrets in other types of tools, but I am not sure if we are going to use them for that or if that would impact performance or stability either.

I have contacted technical support previously, but we usually work through our customer representative directly, and they create the tickets for us.

We have one employee that primarily works on the deployment and configuration of GitGuardian Platform, and that took approximately a couple of weeks working directly with them. After that, she spends about an hour in there a week, so it requires minimal effort on our side.

GitGuardian Platform requires very little maintenance on our end—just making sure the keys are connected and ensuring people are following through.

I have not used any alternatives to GitGuardian Platform in this specific scope, as I have not found one that fully integrates into as many different code repositories. We have used a couple of tool-specific ones, but GitGuardian Platform is the only one we have used that works across multiple platforms.

We purchased GitGuardian Platform for a compliance checkbox because we needed to monitor secrets in our code repositories. We saw benefits immediately after implementation, but the reason my team took it over after a couple of years is that the original team did not really go beyond a compliance checkbox. We started seeing benefits in year 3 as we built out a workflow to contact the developers who committed code with secrets and get them to review and approve or revoke the process.

In terms of how GitGuardian Platform Public Leakage Detection influences our data security, it helps us with our known developers, but it is fairly limited. It has to go to another developer who has to make it public or they have to put codes in there, so it works in the right scenario, but there are scenarios where it still misses.

We do not really look at the automated security severity scoring in Incident Management. We still are getting false positives and others, so we are concentrating more on that versus any severity rating.

The pricing for GitGuardian Platform is fair, though slightly high.

We are customers of GitGuardian Platform; we do not have any partnerships or official partnerships, nor are we resellers.

I rate GitGuardian Platform 8 out of 10.

We use the GitGuardian Platform for internal security monitoring. Initially, we employed it to identify any secrets from our internal repositories that might have been accidentally exposed publicly and then expanded our use of GitGuardian to remove secrets from our private repositories, also.

Our company has grown through acquisitions. To address this complexity, we've integrated GitGuardian with our development teams. This allows them to identify secrets within any repository so they can be quickly remediated, ultimately enhancing the security of our codebase.

GitGuardian helps us prioritize remediation quickly. The alerting component is helpful because it lets people know immediately when something suspicious appears. Additionally, the code context feature is valuable as it shows developers exactly where the issue occurs in their code. They can even click a link to jump directly to that location in GitHub. These features significantly speed up the process for developers to identify and remove vulnerabilities.

GitGuardian effectively supports a shift-left security strategy. This is because it integrates directly with the code repository, allowing for near real-time feedback on potential security issues before code is merged into production branches. This early detection is highly valuable. Furthermore, GitGuardian's command-line interface provides another layer of convenience. Developers can proactively search for and address security concerns before pushing their code.

GitGuardian improves collaboration between our developers and security teams on remediation efforts. The centralized dashboard is tremendously helpful for managing across a multitude of teams and hundreds of engineers. It allows me to see the progress of each team. This visibility makes it much easier to communicate with them. For instance, I can identify teams that might need assistance or recognize those that are successfully reducing vulnerabilities.

GitGuardian has dramatically improved our ability to detect secrets by shedding light on previously hidden vulnerabilities.

Our security productivity has increased significantly. Simply by making this information readily available to developers, we've empowered them to take action. Previously, this wasn't easy, especially when dealing with inherited legacy code. Developers often wouldn't know where these secrets were hidden within the codebase. This improved visibility has made security issues much more actionable for our developers.

With over 6,000 repositories, GitGuardian's automation capabilities have saved us many months of research.

GitGuardian has reduced our mean time to remediation. This ability to track security issues and communicate proactively with teams undoubtedly means we can also remediate them faster.

Recently, a new feature was added that I had been requesting for a while, and I'm super excited about it! This feature allows us to filter incidents by team within the available filters. This is incredibly helpful because before, we could only search for individual repositories. Some of our teams have hundreds of repositories, so filtering by team saves a lot of time and effort.

The ability to create teams is also valuable for a large organization like ours. Some vendors struggle to provide enough user organization layers, but GitGuardian excels in this area.

The core incident management features are also fantastic. For example, alerting people via email about new incidents is crucial for staying on top of things. Additionally, the dashboard allows users to mark the status of secrets, providing a convenient location to review everything.

Another area where GitGuardian shines is the breadth of secret types it covers. They can identify a vast number of secrets out-of-the-box, with minimal false positives. This means they effectively distinguish real secrets from irrelevant data, saving us time and effort. I also appreciate the context provided for developers. When they investigate secrets, they can see exactly where those secrets reside in the code, allowing for quick fixes.

While they do offer some basic reporting, more comprehensive reporting would be beneficial in the long run. This would allow me to demonstrate the value of the product over time to continue to effectively budget for this subscription, especially as they add features that may come at an additional cost. I appreciate the improvements made to reporting over the past year, but continued development in this area will be appreciated.

We have encountered occasional difficulties with the Single Sign-On process. There is room for improvement in its current implementation. It works, but was not quite as smooth as the rest of the GitGuardian experience.

I have been using the GitGuardian Platform for one year.

GitGuardian is stable. I have not had any problems.

GitGuardian scales incredibly well. We bombarded them with a massive number of repositories, and they ingested everything much faster than I anticipated. This allowed for a swift evaluation process. Their ability to handle large deployments is evident, and I'm confident they support companies even bigger than ours.

The technical support team responded quickly and was able to resolve my issues the following day. There were no problems with their service.

Positive

Before implementing the GitGuardian platform, we lacked a solution to identify secrets in our code. This created a significant security blindspot for us.

The initial setup was straightforward. However, we did need to establish the initial connection between the repositories. This process went fairly smoothly overall. While connecting the repositories on GitHub was easy, it was a bit trickier on the Azure side. So, some preparatory work was required there. Once that was done, the internal monitoring setup was complete and went quickly. Additionally, we had to set up teams and invite members, but this also went quickly.

The deployment took a couple of days. The repository connections (6,000+ repositories) took an hour or two to fully populate. One person was required for the deployment. 

The implementation was completed in-house.

GitGuardian is not inexpensive. It's one of the more expensive tools in our portfolio, especially considering its focused functionality. However, while it may not offer a wide range of features, it acts as a form of critical security insurance. It safeguards our most vulnerable points, and a data breach can lead to legal repercussions that can be very costly for years to come. In that light, the cost is warranted and rational.

After considering several options, we determined that GitGuardian was the most robust solution for our organization's needs.

We evaluated several open-source solutions for secret detection. We also considered other security tools with similar capabilities but found that those not specifically focused on secret detection fell short. These tools often treated secret detection as an afterthought, resulting in limited effectiveness. While they might identify some basic secrets, they lacked the depth and comprehensiveness of GitGuardian. This is why we decided to invest in a dedicated secrets detection tool.

I would rate the GitGuardian Platform 10 out of 10.

Concerning maintenance, there may be a rare exception that we need to enter into the platform when new repos are added, but these have been very infrequent. The tool requires very little ongoing maintenance, beyond what teams need to triage.

While there are open-source secret detection tools available, they can be limited. GitGuardian, with its dedicated development team, offers a more comprehensive solution. Their support, including responsive sales reps and customer service, ensures you get the help you need to keep your system secure. Open-source solutions often lack this level of dedicated support, which can leave you troubleshooting issues on your own. For critical security needs, the additional features and support offered by GitGuardian are a worthwhile investment.

It's critical to our application development security program to have a robust secrets management solution. This is especially important when we have a large development team. In such an environment, the risk of human error increases, often due to unintentional mistakes. People might forget things, miss something during development due to time pressure, and so on. However, even a single mistake can have serious consequences. Therefore, careful management of secrets is essential. It safeguards our relationships with vendors, protects our internal data, and offers numerous other benefits.

My recommendation is to prioritize setting up SSO as first step, before onboarding any other users, if you're planning to implement it. Do it first. That was the only real challenge we faced; trying to get it working later created some complications. The actual setup process of getting GitGuardian to scan our repositories was straightforward and fast.

We brought in GitGuardian Internal Monitoring to review all of our code within GitHub so that we can identify and fix any exposed secrets.

I have been very impressed with the breadth of its detection capabilities. I did a proof of concept with a couple of other common tools for the same kind of thing, and I found GitGuardian to be the best. It finds everything that I would expect it to find. It found more than I thought we would find, so I am very happy with the detection.

I am very happy with the number of specific detectors and keys that it can find for Google, AWS, Twitter, Facebook, etc. It has a lot of specific detectors for different categories, but it also has quite a lot of automatic validity checking, so it can tell whether your Twitter keys or AWS keys are active and or have been revoked. If they are revoked, it is not a problem. Validity checking is fantastic.

GitGuardian Platform's accuracy is incredibly high. There are a couple of categories of generic secrets that I can find. When you turn those on, you end up with quite a few false positives. With the specific detection categories, the false positive rate is incredibly low, but when you turn on the generic categories, it goes up a bit. I am very happy with the number of things that it does find, instead of focusing on true positives versus false positives.

It has not helped to decrease false positives because we did not have a tool in the first place, so we did not have any false positives. We have not decreased our rate at all.

GitGuardian Platform has absolutely helped to quickly prioritize remediation. The severity or criticality that the tool automatically assigns has been very helpful. The built-in validity checking has also been helpful. Whenever you have keys that are marked as valid within the tool, you know that they are high priority and need to be resolved sooner than the ones that are not marked as valid.

We have significantly reduced our potential risk exposure of secrets. In the past nine months, by using GitGuardian, we have been able to identify and resolve a large number of secrets within our code, which reduces the risk if our code were to become public. It has greatly reduced our security risk. It has reduced the potential risk of exposure of secrets by about 75%. We have not only been able to resolve existing issues; we are also more likely to prevent these issues from occurring with improved security culture and the features within the tool.

GitGuardian Platform efficiently supports our shift-left strategy. It provides a command line interface, which can link with the shift left with your standard development processes. Whenever developers are writing code and trying to commit and push that up to GitHub, the command line interface can be integrated into that to prevent secrets from getting into GitHub. It can help go almost as far left as possible.

GitGuardian Platform has greatly improved awareness, and it has reduced the number of secrets that end up in our code. There has been a two-layer impact where it has helped people think about this as an issue and it has also helped them stop doing it even if they are not thinking about it.

GitGuardian Platform has improved our ability to collaborate. We work closely with the development teams to identify the issues, investigate the issues, and troubleshoot and resolve those issues. Due to the way the tool works, it has helped us gather people into teams and work with them so that we can help resolve the findings.

We have one or two of the playbooks automatically enabled. So far, I find them very helpful. The main one so far is that the secrets will automatically resolve when they are revoked, which is incredibly useful. For example, whenever someone goes into the AWS platform to revoke AWS keys, they do not have to go into GitGuardian. It automatically detects that they have been revoked and closes the issue. It is a lot less work than having to go into two different tools and more. There are a couple of playbooks we have for the CLI, so whenever we ignore issues via CLI because something might be a false positive or something might only be a testing key, it will auto-resolve within the UI. The playbooks make it easier to avoid using the UI, but you do not have to. It is one of the catch-22 situations. There is UI, but they are enabling you to not even have to check it in the first place. Playbooks have reduced 50% to 60% of manual work. If developers accidentally commit active keys, they do not have to go in. They do what they need to do to resolve the keys. They do not need to think about it again.

GitGuardian Platform has increased our security team's productivity by about 50%. When we previously had noticed keys, it would have been manual. It would only have been occasionally when I was looking through the code and found the keys. I would have had to reach out to developers and discuss that. It has definitely greatly increased our productivity because we can now automate sending out tickets and assigning them to the right teams. A couple of clicks can send out the information for someone to look into rather than having to message them and try to discuss it with their team. It is a lot more automated.

It is hard to measure the increase in secrets detection rate because previously, we did not have any solution, so we were not detecting anything. After implementing GitGuardian, we can now see what we have got.

Similarly, it is hard to measure the reduction in the mean time to remediation as we did not have something before. It was more manual before. There is probably a 70% reduction because, previously, if I found an issue, I would reach out to our team and spend a while discussing it with them, whereas now, we can just send out a Jira ticket. They can log in and have a look. There is a lot less discussion back and forth.

There is quite a lot to like. Its user interface is fantastic, and being able to sort the incidents by whether they are valid or for a certain repository or a certain user has been very beneficial in helping investigate what has been found. 

The CLI provided by the tool is fantastic for preventing the secrets from getting into GitHub in the first place. The more you use the CLI, the less you use the user interface.

Automated Jira tickets would be fantastic. At the moment, I believe we have to go in and click to create a Jira ticket. It would be nice to automate.

I believe there is a feature on the road map for better handling of issues that have over one occurrence. It is difficult to investigate when there are a large number of secrets. It is hard to know where they are and what to do. These two things would be nice.

I have been using GitGuardian Internal Monitoring for about nine months.

It is a stable solution. I have not noticed any issues with performance, downtime, or anything like that. I would rate it a ten out of ten for stability.

It is scalable. All it requires is someone with GitHub admin permissions. We can integrate as many repos and sources as we want. I would rate it a ten out of ten for scalability.

We have 316 users using this solution. We plan to increase its usage. There are a couple of features in GitGuardian. There is a feature where CLI integrates with your development process for pre-commits. We plan on testing and rolling out that feature so that every developer has pre-committed automatically enabled on their machine. The idea is that it will basically prevent any secrets from getting into GitHub. Another, a lot more minor, feature is GitHub pull requests. Every time there is a pull request, the GitGuardian bot will comment on it if there are secrets. There is an option to block the pull request when secrets are found. We plan to implement that as well.

Their technical support so far has been fantastic. Anytime I raise a ticket, it is resolved and answered very quickly. I am very impressed. Their support is incredibly knowledgeable. Whenever I have questions about detection or remediation, they are very detailed in their answers, and they clearly know a lot about the tool.

Our experience has been fantastic with the purchase, the onboarding, and the customer success team. Everything has been straightforward. Everyone so far has been nice, friendly, and helpful. When there were any hurdles, they helped me resolve them straight away. I would rate their support a ten out of ten.

Positive

We did not use any similar solution before. It was a manual process. We did not monitor anything. We just occasionally noticed things to be resolved. It was a manual process.

To implement it, the only thing required from our side was having someone with admin permissions to enable the installation. It was minimal from our side.

It does not require any maintenance from our side.

It required just one person with GitHub admin privileges. I clicked a few buttons, and then he went in and approved it, and that was it.

It has definitely saved us a lot of time. To be able to view everything important and narrow our focus to resolve issues has sped up our development process and decreased our security risk.

I am only aware of the base price. I do not know what happened with our purchasing team in discussions with GitGuardian. I was not privy to the overall contract, but in terms of the base MSRP price, I found it reasonable.

We reviewed three or four main secret detection products available. We reviewed GitHub Advanced Security and BluBracket.

We chose GitGuardian for a number of reasons. Its user interface is absolutely fantastic. Being able to filter instances has been the main thing. It helps us to focus and narrow down our remediation efforts.

There is also the ability to create teams and assign developers and teams to only see what they are responsible for. There are a number of other products, but they are missing that feature of narrowing visibility. We wanted a tool that the security team could set up and the developers could log in to use. A lot of the other tools on the market are only for the security team. It would have been more manual on our side to reach out to teams to get them to resolve things. This way, we can add users to teams, assign them the repositories that they maintain, and they can work away by themselves.

To a security colleague at another company who is using an open-source secrets detection solution, I would be happy to recommend GitGuardian. I have been setting up and using the tool. I can happily, personally, and professionally recommend this tool to others.

In my opinion, secret detection is incredibly important to a security program for application development. It is critical to our company's obligation and security process. Without it, you do not know what secrets could be leaked, so once you implement it, you know where you stand and you know what you need to do. You can resolve as well as prevent these things.

I would definitely recommend doing a proof of concept to make sure it fits your use case. I would be more than happy to recommend it. There would not be any caveats. Go ahead and test it out. If it fits exactly what you need, go for it.

Overall, I would rate GitGuardian Platform a ten out of ten. I am very happy with what we are able to do with it and how it works.

We are using GitGuardian Internal Monitoring on our GitHub Enterprise repositories to make sure that our developers are not introducing any secrets into the code. Those secrets could be things like database passwords, connection strings, or AWS credentials. We use it when they commit code to our GitHub internal repositories.

We want to make sure that none of our secrets get committed and GitGuardian is doing a great job identifying them. It has the ability to scan our repositories and identify older commits that have secrets, meaning in code that was committed even four or five years ago, and that has gone unnoticed until we implemented GitGuardian.

Most of our dev teams have a GitGuardian CLI installed on their local machines. Even before a commit gets to GitHub, the CLI identifies secrets within the code and doesn't allow the commit to go ahead. That drastically reduced the number of secrets being committed.

We use Azure DevOps for our CICD and GitGuardian helps support a shift-left strategy. There is all the pipeline-related code that is checked into the repositories and secrets tend to creep into that code, such as RAML files and environment secrets. GitGuardian helps us identify those secrets when they are committed. Not all our dev teams are using GitGuardian's CLI—we are trying to get them to adopt it 100 percent, but we're not there yet—and there are occasions where someone is testing out a pipeline and, by mistake, they don't declare the secrets properly in the code that is being checked into Azure. We get notified and, immediately, the teams work to remove those secrets.

Historically, in our organization, people have been committing AWS secrets, such as access IDs and secret code into our GitHub repositories, because they were testing out something. It could be that they were doing a PoC, and not implementing a full-blown secrets manager where they store and pull the secrets from. After implementing GitGuardian, we were notified of these secrets immediately. And even though they were doing PoCs, we were able to get them revoked immediately, which means removing the secrets from AWS as well as the code and issuing new secrets.

We were also able to help the teams to use AWS Secrets Manager or the Vault to store their secrets. GitGuardian actually provides sample code snippets, which are pretty decent, for pulling secrets from AWS Secrets Manager or Vault.

In addition, the solution has increased our secrets detection rate by almost 100 percent. Pretty much any secret that gets committed is identified and the team is notified. We have almost 100 percent coverage and that is pretty robust.

When it comes to our security team's productivity, because our processes are being monitored by GitGuardian, we don't have to run any scripts or scans or out-of-the-box solutions. We don't worry about secrets being leaked or introduced into our repositories. We rely on the product to keep us aware of our secrets management in our repositories and that enables our security team to focus on other security-related tasks. They don't have to spend a lot of time worrying about how to detect issues and, instead, depend on GitGuardian. They have confidence in the ability of the product to identify the types of secrets that our people are committing. They are definitely being flagged.

Now, we may be spending a couple of hours and a week addressing incidents that come up or addressing the old ones that are still being tracked for remediation. We had around 500 secrets management incidents when we fully implemented GitGuardian. We are now down to 20 or 30, which are old but still need remediation. Those old secrets have been revoked, but they are still sitting in our GitHub history. We need to reach out to GitHub support to get those taken out, replace those repositories, and run garbage collection on them.

And because identification of the secrets being introduced is almost instant, the pull request doesn't go through, and Slack alerts are immediately sent out. As a result, the mean time to remediation is within a day, if not even sooner. These secrets are mainly dummy secrets that people are using for testing code. But we don't want even those to be introduced. The idea is to have teams use secrets management services like AWS Secrets Manager or Vault from the get-go. We are close to 90 percent utilization of AWS Secrets Manager or Vault to store secrets because of GitGuardian Internal Monitoring.

We mainly depend on its ability to identify secrets and we also use the entire workflow of secrets management. That means we're able not only to identify secrets, but we can reach out to the owners of those repositories by opening up an incident ticket within GitGuardian. It actually creates an incident ticket for us. We can now go end-to-end after a secret has been identified, to track down who owns the repository and who is responsible for cleaning it up. We can also monitor what actions they are taking, such as revoking the secrets and ultimately closing out an incident, making sure that commit no longer has any secrets.

We tested out the secret identification using thousands of samples and some of them were purely false positives. GitGuardian was able to identify 85 to 90 percent of the false positives. We are fairly confident when we see a secret reported. Of course, we always verify them before we chase down teams to fix them.

We have defined our teams and their members so the teams are typically associated with the repositories on GitHub. Whenever a secret is identified, those team members are immediately notified by GitGuardian via an email and a Slack message, thanks to integration with Slack. In addition, the application security team also gets the information in the Slack message and we can keep track of the remediation efforts.

I would like to see more fine-grained access controls when tickets are assigned for incidents. I would like the ability to provide more controls to the team leads or the product managers so that they can drive what we, the AppSec team, are doing. They should have the ability to close out tickets and we would review them. 

Right now, we cannot give them that control because if they close out a ticket, we won't have the visibility into them unless we build something with the APIs that GitGuardian provides. 

The UI has matured quite a bit since we started using it, and they have introduced new features, such as the teams feature. That was introduced three or four months ago. We put in the requests for such features. There are a few more requests that we think would make the product even better, and one of them is that fine-grained access control so that we have additional roles we can assign to other teams. That would help things to be more of a self-service model.

I have been using GitGuardian Internal Monitoring for almost two years.

Very rarely does GitGuardian go down or the monitoring fail or we have issues with the APIs. It's available 95 percent of the time. There have been a few times when we were notified that the service would be down because of maintenance. Like with any product, there are maintenance windows, which are not a problem. But I don't recall more than one or two instances of the internal monitoring not being available when we expected it to be.

We have a lot of repositories and we have not had a problem with GitGuardian monitoring all of them and doing what it is supposed to do. Deploying it at scale is pretty much seamless. You don't have to do anything special once you have onboarded it. GitGuardian has the ability to scan all the repositories in your GitHub Enterprise account, if that is what you choose to do. 

There are no performance issues. We have around 800 or 900 active repositories and 400 that are archived. We have quite a big code base to cover but there are no additional tasks needed to scale it as your number of repositories increases.

We have contacted their support about a few enhancements. In addition, we came across a couple of UI bugs where the stylesheet didn't render properly and the information we were looking for was overlapped by some other UI elements. But they were very quick fixes. 

We also had some rate-limiting issues with the APIs and they were fixed early on in our engagement.

They are very responsive and have a fairly quick turnaround time. We have developed quite a good rapport, not only with the customer support team but with their support engineers as well. 

Initially, we had calls once a month and now we have calls about once a quarter. They get on a call with us to find out if we have any pain points or new feature requests.

Positive

To start using GitGuardian there is some groundwork that needs to be done. You start off with a few repositories and do a trial to get an understanding of how the UI works. You have to give permissions to GitGuardian to access your internal depositories and then organize the repositories around team structure. Those are the housekeeping tasks that need to be done to onboard with GitGuardian.

Initially, to get the program up and running, we relied on GigGuardian's playbooks quite a bit, and we do refer to them whenever the need arises. When you're starting off with GitGuardian and secrets management, GitGuardian lays out the basics of why it is a bad idea to have your secrets committed to internal or external repositories and the dangers associated with that practice. They outline baby steps to start taking control of secrets being committed. 

They also give you good guidelines on how to use ggshield, which is their CLI product, as well as the web UI, and how to organize your teams and repositories around GitGuardian. 

For AppSec teams, playbooks give you the ability to control what the repository owners are capable of through permissions. For example, you don't want all team members to have permission to repress incidents that are identified. We'd rather have them as collaborators or viewers. They can view the incident and fix it, while the AppSec team can actually suppress the incident and use the functionalities of the management console within GitGuardian. All these features are part of its playbooks. They're a good resource.

The playbooks helped us to understand how the product works and what we needed. They helped my team to implement GitGuardian in the most effective manner, such as how to use the product better to manage workflows.

In terms of maintenance of GitGuardian, there is none required on our side.

We looked at a few other solutions before we started to work with GitGuardian and what we found was that it provides the best solution for secrets management. We have a few other products that we use within our systems, products that also provide secrets management, but they don't come anywhere close to GitGuardian's ability to detect secrets, track them, and ultimately, get rid of them. GitGuardian is the leader in this space. Many times, what we identify in GitGuardian is not identified by those products.

I would tell a security colleague, using an open-source secrets detection solution at another company, to take a good look at GitGuardian. It definitely helps not only manage secrets but also the entire workflow around secrets management, from detection to remediation. It helps put best practices in place. It would save them quite a bit of time, rather than using an open-source solution. Open source is okay for some features, but you don't have all the tools you need for full-blown secrets management in the organization. That's what you get when you use GitGuardian.

Secrets detection is as important, if not more important, to a security program as having a firewall and a vulnerability management program. Your secrets are the easiest way for bad actors to access your environment, without doing any work at all. You need to lock down what type of information is being committed to both your open-source and internal repositories to ensure that no secrets are being committed. And if you have any secrets that were committed in the past, you need to identify them and make sure they are removed and, if possible, reach out to the organization, like GitHub, and work with their support teams to clean up the history as much as possible. Secrets committed in your repositories are keys to your organization's infrastructure.

We have been retraining our teams to not commit even false or dummy secrets into the repository. It's fine for them to do a test but we don't want to have to deal with false positives. Getting distracted by even 10 percent of false positives is not fun. Rebasing the commits is a pain. That retraining, to not use even dummy secrets, has worked for us to reduce the number of secrets being committed.

In addition, we had a number of brown bag sessions with our dev teams over the course of several months, where we would demo what secrets we found on GitHub repositories and how GitGuardian is helping us identify them. The idea was to make them more aware that this tool is monitoring all the repositories and every commit is being scanned. But the goal was to ensure that secrets don't even get to the point of being committed. And when someone mistakenly commits a secret, they immediately inform us. Dev teams are now trained not to do it, but if something happens by mistake, they are immediately on top of it to revoke it themselves and inform us. We have everything recorded on GitGuardian, but proactive action is being taken.