GitGuardian Platform Reviews

My use case for the GitGuardian Platform is application security.

My impression of the GitGuardian Platform's capability to detect secrets in real time is actually really amazing, because it lets us protect or block the pipelines in which we deploy new applications so we can acknowledge when a secret is hardcoded in a repository, or when we have already hardcoded secrets within templates in our repos.

We adopted it a year ago, and it has been doing great in our teams, especially for developers. The impression so far has been good.

The severity scoring has helped us in incident management because it is doing the correct job. We got many secrets leaked within our platform and it was making the correct warnings regarding that particular secret, as we had a hardcoded Google Cloud API key. It was marked as a critical severity, so we had the chance to correct it, regenerate that secret and work again on not hardcoding secrets within our code.

GitGuardian's public leak detection significantly enhances our organization's data security by continuously monitoring public repositories. It allows us to proactively identify accidental exposures of sensitive credentials or secrets.

Regarding the exceptions in GitGuardian Platform, we know that within the platform we have a way to accept a path or a directory from a repository, but it is not that visible at the very beginning. You have to figure out where to search for it, and once you have it, it is really good, but it is not that visible at the beginning. This should be made more exposed.

The documentation could be better because it was not that comprehensively documented. When we started working with GitGuardian Platform, it was difficult to find some specific use cases, and we were not aware of that. It might have improved now, but at that time, it was not something we would recommend.

I have been using the GitGuardian Platform for almost a year now.

From 1 to 10, I rate the stability of the GitGuardian Platform a 10, as there are no downtimes.

I would rate the scalability as a 10, since we did not have any problems.

For technical support, I would give a solid 10. They have someone who speaks Spanish, which made it easier for us.

I am comparing it with Advanced Security from GitHub and Cycode.

Two of us were involved in the deployment process.

It took a week to deploy the GitGuardian Platform, just to standardize the process.

Two of us were involved in the deployment process.

Regarding return on investment, we have actually saved time and resources because before having GitGuardian Platform, we had two or three people working in every repository looking for secrets with open-source tools. It took a long time to find secrets or many patterns, and at the time, we had to configure our own patterns to find them. I cannot specify the exact return on investment, but I can surely say that we have saved significant time and resources, particularly in terms of people and automation.

I would compare the GitGuardian Platform to other solutions or vendors on the market as being easier to use, but it is not integrated with the CSM that we are using right now. That is the difference. It is easy to use, but it could be easier.

We are customers in our company's relationship with the vendor.

I work primarily with the CLI, focusing on pipelines and automations rather than the platform itself. The platform has remained almost the same within the year that we have been working with it.

We are not utilizing the automated playbooks yet.

I cannot determine if the pricing is cost-effective.

The vendor can contact me if they have any questions or comments about my review.

I have rated the GitGuardian Platform a 10 out of 10.

My main use case for GitGuardian Platform involves CI/CD pipelines and repository monitoring, where I use it to detect secrets like API keys or credentials pushed into code. I worked specifically on preventing sensitive data leaks in our code repositories during development, where there were chances that developers might accidentally commit things like API keys, tokens, or credentials. GitGuardian Platform was integrated with our Git workflows and CI/CD pipelines to automatically scan commits and detect such secrets.

The integration of GitGuardian Platform with our CI/CD pipelines was quite smooth, as it is not very infrastructure-heavy. We connected it to our Git provider at the repository level, allowing it to automatically scan every commit and pull request for secrets. In the CI/CD pipeline, we added it as a security check step where scans would run during builds, especially on PRs, ensuring no sensitive data was introduced before merging. From a QA standpoint, I was involved in validating this integration end-to-end by creating test commits with dummy secrets to ensure the pipeline correctly failed or flagged the issue.

The integration with GitGuardian Platform was automated as a security gate with CI/CD, tested like any other pipeline validation step. Initially, we did see false positives, where non-sensitive strings were flagged as secrets. As a QA team, we worked on validating those scenarios and fine-tuning the rules, allowing specific patterns to reduce noise.

From a QA perspective, GitGuardian Platform offers several standout features, the most important being its secret detection capability, which can detect a wide range of sensitive information, including API keys, tokens, and credentials across multiple repositories, supporting hundreds of secret keys, which is beneficial for validating different scenarios and ensuring high detection coverage. I also found the CI/CD and Git integration valuable, as it integrates easily with tools including GitHub, GitLab, and pipelines, allowing us to add it as a security gate and automate validation within our workflows, making it a mandatory process to pass.

These changes positively affected our team's day-to-day work by providing high detection coverage, which gave us confidence that most types of secrets were being caught early, reducing our reliance on manual checks or code reviews, which were not very reliable. After integrating GitGuardian Platform, the dependency on manual validation decreased significantly, allowing us to focus more on integration and workflow testing instead of writing too many custom validations for secret patterns.

I explored the alerts feature, which is well-structured with clear information about the detected secret, its location, and suggested remediation steps, making it easier for the QA members and developers to quickly understand and fix the issue. Additionally, the webhook and API support provided strong integration with internal tools and assisted in testing workflows programmatically, enabling us to validate alert payloads and automation triggers.

GitGuardian Platform has positively impacted our organization by creating a strong security backbone and improving process efficiency, with one of the biggest outcomes being a significant reduction in sensitive data exposure incidents, as most credentials and tokens are caught at the commit or PR stage, leading to approximately thirty to forty percent reduction in security-related bugs over a few release cycles, which ultimately reduced manual effort.

GitGuardian Platform has stood out positively for me, but there is room for improvement, particularly around false positives. Although detection coverage is strong, there were initial cases where non-sensitive patterns were flagged, requiring tuning and allow-listing, which can be noisy at times. From a QA standpoint, the debugging and traceability could be enhanced by offering clearer insights into why a secret was flagged and how the pattern matched. Additionally, I believe advanced documentation and troubleshooting guides for complex integrations could be more detailed, especially for edge case scenarios.

Regarding additional improvements needed for GitGuardian Platform, better customization and control over detection rules would help, as real-world projects often require defining custom patterns or adjusting sensitivity levels based on specific use cases. Additionally, improved reporting and dashboards with more customizable reports that can be shared with stakeholders showing trends, resolution times, and risk levels clearly would enhance visibility and allow our work and GitGuardian Platform's performance to be reflected in meetings.

I have been using GitGuardian Platform for approximately six months.

From a stability standpoint, GitGuardian Platform has proven to be quite stable and reliable. We did not face frequent downtime or disruptions in its core services, such as secret detection or CI/CD scanning, and it consistently worked as expected in our pipelines and Git integrations.

GitGuardian Platform is quite scalable and has performed well, especially as the number of repositories and commits increased over time. Being a cloud-based SaaS platform, scalability is managed by the vendor, but our experience shows that we were able to onboard multiple repositories and integrate it across different teams without performance degradation, maintaining consistent scan and alerting mechanisms even as code activity increased.

Although I have not had a chance to speak directly with customer support, I have heard that they are quite responsive and helpful for standard queries or configuration questions.

Before adopting GitGuardian Platform, we did not have a dedicated automated solution for secret detection. We mainly handled this through manual code reviews and some basic custom scripts.

We have seen a clear return on investment with GitGuardian Platform in terms of risk reduction and team efficiency, particularly tracking the number of secrets detected early in the development lifecycle, with around ninety percent of exposed secrets caught at the commit or PR stage, significantly reducing the risk of them reaching production. Additionally, we observed a thirty to forty percent reduction in security-related defects logged in later testing stages, and the effort required from developers and QA has noticeably reduced since we no longer need to manually review code or write custom checks for sensitive data due to this automation.

We have seen a clear return on investment with GitGuardian Platform in terms of risk reduction and team efficiency, particularly tracking the number of secrets detected early in the development lifecycle, with around ninety percent of exposed secrets caught at the commit or PR stage, significantly reducing the risk of them reaching production. Additionally, we observed a thirty to forty percent reduction in security-related defects logged in later testing stages, and the effort required from developers and QA has noticeably reduced since we no longer need to manually review code or write custom checks for sensitive data due to this automation.

Prior to choosing GitGuardian Platform, we evaluated several options, one of the main ones being TruffleHog, which is popular for detecting secrets in repositories. Although it is powerful, it is more of an open-source tool requiring additional setup and lacking the centralized management and visibility that GitGuardian Platform provides, which led us to proceed with GitGuardian Platform instead.

My advice to others looking into using GitGuardian Platform is to plan the integration early in your CI/CD and Git workflow, as it works best when embedded right from the PR and commit stage. Adopting a shift-left approach creates the most impact, which is crucial for QA. Additionally, be prepared for some initial tuning and false positive handling, as it generates noise at first, so it is good to allocate time for that setup phase. Finally, treat GitGuardian Platform not just as a security tool but as part of the overall quality and release pipeline, as it directly impacts CI/CD stability and release. The key is early integration, proper tuning, and treating it as part of our engineering funnel. I would rate this solution a nine out of ten.

I use GitGuardian Platform to ensure that there are no secrets committed, such as hardcoded values, database credentials, API keys, or any secrets that could be exposed to external users of our application. To maintain security and data accuracy, confidential data should not be shared with other platforms. GitGuardian Platform checks our local code first, then it passes through our CI/CD pipeline as well. When we push code to GitHub, it scans and sends a report via Gmail, so we have to fix those security vulnerabilities.

The best features of GitGuardian Platform are that it detects everything being pushed through the repository and scans everything comprehensively. It checks the possibility of exposure, so if there are API keys or database passwords being used, it warns us to either remove, rotate, or replace them, ensuring they should not be present in a GitGuardian Platform scan.

Our company has seen many benefits from using GitGuardian Platform, especially since there have been numerous cyber attacks and security threats in the last two to three years. Our company has remained very safe in this regard because we need to secure our data effectively, being in the insurance reinsurance sector. GitGuardian Platform ensures our data is protected by regularly scanning the repositories and sending us reports on how to fix vulnerabilities, keeping us safe from cyber attacks.

GitGuardian Platform could improve by providing a more user-friendly UI with tips or solutions. With AI advancements, they could offer AI-specific solutions in scanning reports, suggesting fixes for GitGuardian Platform incidents, and even permit automated fixes, which would significantly reduce the developer's workload.

I have been using GitGuardian Platform for the last one year.

Stability and availability of GitGuardian Platform are commendable; it is stable and available.

It is stable because when I push changes, it scans immediately, confirming fixes. There is no downtime during scanning, maintaining stability and availability.

I find support good since we have not needed much help from them. The guidelines provided are sufficient for guiding us on what to fix.

There are many tools in our organization for similar purposes, but GitGuardian Platform is specifically for exposing secrets. We also use Snyk for vulnerability scanning, among others, though I cannot recall all of them.

The decision was made by my organization, not me, so I am not sure about the parameters they considered before choosing GitGuardian Platform.

GitGuardian Platform prioritizes incidents in our workflow through automated validity checks. There are high risk, low risk, and medium risk incidents raised, and the infosec team prioritizes them and approaches us, the developers who pushed those changes, to fix them accordingly.

GitGuardian Platform's public leakage detection influences our company's data security as a precaution. We are not sure if data might be exposed, but taking this precaution by scanning the repositories is crucial. A cyber attacker just needs one piece of data, so we ensure at least that one thing is secured. It is about cyber attack prevention, ensuring all our data remains safe.

It rates the effectiveness of severity in incident management based on the severity of the change. This allows us to address the most important ones first. It checks what has been pushed from the code, raising a high-level vulnerability if database-related passwords are involved and reports it urgently. For low-level issues like hardcoded values for APIs, it is reported accordingly based on priority.

I use GitGuardian Platform's automated playbooks for scanning. Productivity-wise, these playbooks help me know if I am going to push code with secrets. I am aware now, so I intentionally avoid that, ensuring I write good code. It increases my productivity by helping me fix issues proactively. If GitGuardian Platform were not here and vulnerabilities were discovered later, there could be severe consequences. Currently, that impact has been reduced, minimizing our efforts significantly through early precautions.

Our organization is currently innovating on the AI side, which includes creating a custom agent to fix vulnerabilities, similar to GitHub Copilot. This agent automates changes required based on GitGuardian Platform scanning, closing incidents directly. This support reduces our efforts and timelines.

Fixing vulnerabilities now takes approximately 60% less time. If fixing took ten days, I now do it in six. I am not sure about multi-vault integration because I am just a developer using it to fix my code changes. I am not sure if I am using GitGuardian Platform's Honey Tokens feature. I would rate this product an 8.5 overall.

GitGuardian Platform is a security tool preventing the exposure of secrets. It is particularly valuable as a tool because it doesn't just identify exposed security issues, but works as a platform that gives developers an intuitive and easy way of reacting to and fixing the issues.

GitGuardian Platform captures all the major secret types we care about. It tends to be a bit overzealous in some categories, but it covers all the ones that we want to track and keep an eye on. It has great coverage over those.

GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively. The built-in process for developers interacting with exposed secrets saves them time fixing security problems before returning to their tasks. We can also provide customized remediation guidelines to developers.

Automated validity checks are super critical for us. If something is confirmed as valid in the platform, we know there is some externally accessible value that's exposed somewhere. It's then the top priority for us to engage in. It also gives us a lot of confidence. When the development teams come back and say that they have fixed it, GitGuardian Platform confirms that.

We rely a lot on GitGuardian Platform's self-service functionality so that developers handle incidents without us having to take action. We don't rely on automated severity scoring for incident management. While the severity rating is decent, we focus more on the validity feature and detector categories than on GitGuardian's high-risk ratings. We have customized remediation guidelines by providing specific internal context for handling exposed secrets. We use GitGuardian's integrations with other tracking platforms, but we don't have everything funneled into Jira. We use our own prioritization to see which ones we want to funnel into Jira.

The platform has given us a clear picture of the historical landscape, showing what has been fixed versus what remains hidden in historical data. This clarity has been helpful in planning security measures around issues that don't get self-healed.

We have it scanning our GitHub environments, Atlassian suite (Jira tickets, Confluence), and Slack messages. That gives us a nice coverage across the business.

The validity and self-healing playbook features of GitGuardian Platform is one of the most useful features for us. It automatically reaches out to developers for any leaks, notifying them immediately via email. We have Slack notifications set up, allowing developers to respond, provide feedback about sensitive values, and self-close issues by attesting completion on the platform. A high number of our exposures are remediated by developers before security needs to step in, as the self-healing playbook process engages them automatically. This results in issues being resolved within minutes, saving significant effort from the security team in tracking down or communicating with developers.

The analytics in GitGuardian Platform have a significant opportunity to better reflect the value provided to security teams and demonstrate actual activity occurring. While the self-healing capability and proactive developer actions are important features, the analytics do not provide information around this activity. They only track actions inside the platform when security team members assign themselves to issues and respond. The self-healing activity by developers isn't reflected in the analytics, requiring us to collect this data ourselves. This presents an opportunity for them to better showcase their developer-first remediation mindset.

We have been using GitGuardian Platform for approximately nine months.

It's a stable platform, we don't often have to think about it. The SaaS platform has experienced two significant moments of downtime or instability in the last six months, requiring notices and retrospectives. We also run a self-hosted cluster which has not experienced these issues, though we've faced some challenges upgrading Kubernetes that required support assistance to prevent internal downtime.

It is scalable. I would rate it a nine out of ten for scalability. 

My product security team administrates the platform, with a few other security people accessing it. Access to respond to incidents is deployed for every engineer. Team-based provisioning is not yet supported with SCIM, which makes team-based grouping a hassle, so we do not use it.

I would rate their technical support a nine out of ten.

Positive

We were using a home-grown solution. 

The initial setup of the self-hosted cluster was moderately complex. We faced some issues because of the environment we had. We had to fix some installation errors and bugs in their Helm configuration.

In terms of deployment model, we self-host a cluster out of necessity. We have an internal GitHub Enterprise server. We self-host GitGuardian Platform to connect to that environment. We also use their SaaS version for Slack and Atlassian integrations.

We implemented in-house.

The majority of our incidents for critical detectors and important secret types are remediated automatically or proactively by developers through GitGuardian's notification system, without security team involvement. It saves a lot of time for the security teams and the developers. It probably saves approximately 10 hours per week. Previously, we needed an extra 20% of our time focused on this subject area, which has now been saved because of this platform.

It's competitively priced compared to others. Overall, the secret detection sector is expensive, but we are happy with the value we get.

We evaluated other vendors on the market. The secret detection capabilities of most vendors are basically equivalent, capturing all major types of secrets. The management and administration of findings after scanning is what differentiates vendors. Many alternatives lack strong administration capabilities for security teams after finding detections. GitGuardian's dashboard, self-healing playbooks, and ways for the security team to monitor, track, and deduplicate detections make it easier to manage the program compared to competitors.

I would recommend GitGuardian Platform to other users due to the ease of management for the security team with the dashboard. It offers easy administration of results. The proactive self-service capabilities provided to developers remove the burden from the security team and enable faster remediation of exposed values.

My overall rating for GitGuardian Platform is an eight out of ten.

We use GitHub as our source code platform. When we shifted from on-premise version control systems, we identified a requirement for capable tooling that could both find secrets that were committed in the past, and prevent and alert on secrets that were being accidentally committed.

GitGuardian gives us a better understanding of what's going on in our source code. Persistent use of the platform has allowed us to highlight areas where we need to improve; eg. providing training so that people know what information should and should not be in GitHub. 

We've managed to use this data to improve practices related to where teams store their secrets, and have also been able to use it to understand where we might be lacking tooling. 

When a developer commits a secret or there's a particular pattern in a repository, we often ask them about why they did this. They may turn around and say that there's no better option at the moment because we don't have a platform to suit x, y, or z. We can use that information to then drive decisions around whether or not we need to look into improved tooling or patterns that our engineering teams can use to avoid storing secrets in their source code.

Automated validity checks are very helpful; we use them to prioritise incidents, as they give us a quick understanding as to which secrets are still valid. They also help us to confirm that token invalidation - which sometimes has to be done by another team or a third party - has worked as expected.

We also utilize some of the automated playbooks, specifically those around automatic incident closure, allowing us to spend less time making sure that the incidents closed by changes to code are getting closed out.

Instantaneous notifications connected to our Slack platform allow us to deal quickly with incidents if and when they occur.

One of the best features of the solution, though, is the ability to use pre-push hooks. Preventing our developers from committing secrets into their source code before they hit the remote GitHub servers is ideal; it can be quite challenging and time consuming to remediate and rotate secrets once pushed to the remote.

The reporting feature has improved quite a bit since we first used it around five years ago, with filters that allow us to set up quick groups of or collections of filters and statuses to determine which secret detections are still unassigned and which are new. It allows us to easily ship those off to the developers involved in those incidents to get them remediated.

We'd love to see notification updates in Slack, as the system does not provide feedback on updates to incidents, which can be problematic when developers resolve issues. 

ie. if a developer commits code that triggers an incident, the alert comes into Slack, but by the time someone looks at it through the Slack alerting channel, the developer might have gone and already fixed or closed the issue. There's no feedback loop back into the notification channel to show that it's been addressed. 

Another thing that would be good to see is some more metrics on the usage of the GitGuardian pre-push hooks. It would be helpful to see which GitHub users have or do not have the pre-push hook capability turned on. That would allow us to chase people and say that we noticed that you're making commits, but you're not using GitGuardian, and encourage them to install ggshield before an accident happens.

My experience with the solution started in November 2020, which is approximately four or five years.

It's generally quite stable.

There has been a little bit of downtime of late, and it has been reasonably impactful when it's not been scanning. We set up our repositories in GitHub with GitGuardian as a required check. 

We had an incident for about four hours  last week and another one about a month before that. Prior to that, it's been really stable. 

It handles all the repositories and commit activity we have.

I would rate their technical support an eight out of ten.

Positive

No

We didn't have to do much. They manage all of the backend for us. All we have to do is integrate it into our GitHub organizations, and doing that is straightforward.

The solution does not require any maintenance.

In-house.

It's challenging to quantify, but it has saved us from a bit of panic because we know the state of our source code. It's hard to determine what savings might come from having the tooling or not.

It's fairly priced, as it performs a lot of analysis and is a valuable tool.

We have tested it against other solutions, such as TruffleHog, the open-source solution, and found the GitGuardian Platform to be about significantly better in terms of detection capabilities. TruffleHog focuses on secrets that it can validate, but in an Enterprise world with lots of internal tools, APIs and platforms it can miss a lot of secrets.

The new multi-vault feature looks useful; we are planning to connect it up to AWS Secrets Manager and HashiCorp Vault. 

My use case for the GitGuardian Platform is application security for our enterprise repository.

The solution has improved our organization. We are still in the rollout, but the users who are utilizing it are very happy, especially about the feature that enables pre-commit hooks in Git that will not raise to the remote repository. This is a very good feature that our developers use very heavily.

The best features of the GitGuardian Platform are that it finds many different secrets, more than other competitors, and the support from the colleagues is also very good.

The GitGuardian Platform helps in monitoring and protecting our code repositories from leakage. It helps significantly because we connected our vulnerability management process to this, and the colleagues from vulnerability management have much easier work since we have the GitGuardian Platform installation due to the dedicated incidents or issues which are opened automatically.

The alerting capabilities and threat intelligence features of the GitGuardian Platform are managed by another team; we only host the platform.

The audit logs and compliance reports from GitGuardian are very helpful because, in the past, we needed to do it manually by scanning the repos. Now with GitGuardian Platform, we have a really good overview of what is open, what is closed, and how critical the issues are.

The areas that have room for improvement involve the missing feature to add custom detectors for the GitGuardian Platform, which would help us check if internal secrets are still valid or not.

I assess the accuracy of the detection from the GitGuardian Platform as very good because we don't have many false positives, which means the quality is very good. The only thing we want to have are some additional detectors which help us to prioritize, especially since enterprise secrets are found, but they cannot verify if they are valid or not.

I have been using the GitGuardian Platform for one and a half years.

The stability of the GitGuardian Platform is excellent. We don't have any problems with the stability of the system at all.

The scalability of the GitGuardian Platform is excellent.

The technical support from the GitGuardian Platform deserves a rating of nine out of ten.

The deployment of the GitGuardian Platform is very easy because it's a Helm chart which is very easy to install for us. The deployment took several days.

I have no information about pricing, but since they won the request for quotation, I believe it's a good price.

We created a technical evaluation and checked against other providers, though I don't remember the names. The GitGuardian Platform has the best technical capabilities, and our procurement handles the pricing part.

The GitGuardian Platform is used worldwide in our environment.

Currently, we have approximately 1,300 licenses for the GitGuardian Platform, but we will increase to 2,000 next year.

The solution requires maintenance from our side only for user management, which is normal for each application.

I cannot quantify how much time or resources the GitGuardian Platform saves us because this is spread across all teams worldwide.

I would recommend the GitGuardian Platform to other users because the integration with GitHub and Azure DevOps is very easy, and you also have the possibility to use it locally on your IDE. This is a very good solution.

I rate the GitGuardian Platform a nine out of ten because room for improvement is always possible, but it's really good.

We initially integrated GitGuardian Platform into our organization in 2023 into our GitHub repository. We implemented it because we did not want our secret credentials to be exposed to the internet or to a third party such as GitHub. It flags when credentials have been exposed so we can remediate and fix them. GitGuardian Platform was what my tech lead suggested we use, and we had to incorporate it into our repositories. We use the Platform version.

What I appreciate the most about GitGuardian Platform is its efficiency when triggering our pipeline and notifying us if secrets have been exposed, such as APIs, variables, our database, or anything being exposed. Currently, we have numerous repositories and pushes that happen in our repo. It would be humanly impossible for us to manually search for these secrets. GitGuardian Platform can do this automatically. All we need to do is wait for an email notification that indicates a secret has been exposed. It points out the repository that has the secret exposed, and we can fix it. This saves us the time of manual review.

The main disadvantage I feel they should improve upon is that apart from flagging credential issues or secrets, they could incorporate something else to make it more dynamic. If their product focuses majorly on secrets leaking, similar to Amazon Macie, they could expand their capabilities. Amazon Macie primarily flags secrets being exposed over the internet.

For example, we use Dependabot for code review. Dependabot helps us follow best practices such as code quality and code analysis, as we cannot manually check 10,000 lines of code to ensure they follow structural standards. If GitGuardian Platform could incorporate code analysis into their system, not just for secrets alone, it would make them more dynamic.

This would allow users to have just one tool instead of multiple third-party tools running in GitHub. It would reduce management overhead as you wouldn't have to manage multiple tools.

I have been using GitGuardian Platform in my career for almost two years now.

For my organization, GitGuardian Platform has been stable. Since installation, we haven't had to optimize it, and I am unsure about new versions. It has been functioning effectively, and its performance is satisfactory. The only limitation is that it performs just one task. While it is efficient at credential flagging, it could offer more functionality.

Regarding scalability, in my organization, we have about 44 repositories running, and GitGuardian Platform has been able to handle these repositories efficiently. I am uncertain about its capability to handle 100 repositories. For our organization, which is just four years old and not a large platform with numerous features, it functions adequately with our 44 repositories.

Some tools can function properly until demand increases or usage reaches a certain extent, at which point they might start deteriorating. For instance, with our GitHub account, we had to pay for more capacity usage. I am unsure if GitGuardian Platform has similar limitations on the number of repositories it can handle. However, for our current 44 repositories, it has been working exceptionally.

I have never contacted any technical support or customer support through phone or ticket system. We have never experienced any issues with it. It effectively helps us with credentials security and has been performing satisfactorily.

Neutral

I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

The initial deployment and installation was very easy for us.

For this deployment, my tech lead handled the implementation. We were on a call with him while he deployed it. It required only one person to complete the setup.

It does not require any maintenance on our end as it has been working autonomously. I am unaware of new versions, but what we have been using has not required maintenance.

I am not involved with the pricing of GitGuardian Platform, as the tech lead handled those aspects. Initially, I thought it was an open-source tool. There are private and public versions available. The private version requires payment, but for the public version we use, we did not make any payments.

I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

I will rate GitGuardian Platform a seven out of ten. The reason for this rating is that I wish they could have an agent embedded into their system that helps to identify real credentials from mock credentials, as this sometimes causes false alarms.

We are users of the product with no partnerships with GitGuardian Platform. They can contact me regarding any questions about this review. I am open to anything that benefits the community and makes everything better.

Our current use cases for GitGuardian Platform involve monitoring external and internal GitHub and GitLab, Bitbucket, and other code repositories that it supports for secrets.

The newest addition that we appreciate about GitGuardian Platform is the ability to create a custom detector, which we built and worked with the team, and that works very effectively.

GitGuardian Platform performs the capability to detect secrets in real time exceptionally, as it activates from the commit and can detect it immediately.

We utilize GitGuardian Platform's automated validity checks in some cases, and they seem to work effectively. We are still experimenting with them.

The multi-vault integration plays a key role in our secrets management strategy because we have multiple different vaults, and that works effectively.

GitGuardian Platform does what it is designed to do, but it still generates many false positives.

We utilize the automated playbooks from GitGuardian Platform, and we are enhancing them. We will probably stop using some of them, but we are building off of them. The one piece they do not include is contacting the person's manager or copying them, which we feel is necessary to prevent insider threat and other issues, but they do not have access to our hierarchy of employees.

We are not using the honeytokens feature of GitGuardian Platform.

Regarding improvements, there are two things we are working on with them. They have added charts, which is a new feature, but it is still not accurate. It has taken 4 to 5 months and it is fairly slow. We are looking for better metrics and audit data, wanting more features such as knowing which users are creating the most secrets or committing the most secrets, what repository, what directory, and who is not checking in secrets, which repo, user, or directory has not had any secrets committed. We want more metrics around both good and bad to see how we are performing.

I have been using GitGuardian Platform for 5 years at the company, and my team has been using it for 3 years.

There has not been any instability with GitGuardian Platform; it performs reliably.

Currently, what GitGuardian Platform is doing works effectively. It is quick and meets our needs. If we added more, I do not think that would really impact performance, so the scalability in that aspect is fine. I know they are trying to branch out and look for secrets in other types of tools, but I am not sure if we are going to use them for that or if that would impact performance or stability either.

I have contacted technical support previously, but we usually work through our customer representative directly, and they create the tickets for us.

We have one employee that primarily works on the deployment and configuration of GitGuardian Platform, and that took approximately a couple of weeks working directly with them. After that, she spends about an hour in there a week, so it requires minimal effort on our side.

GitGuardian Platform requires very little maintenance on our end—just making sure the keys are connected and ensuring people are following through.

I have not used any alternatives to GitGuardian Platform in this specific scope, as I have not found one that fully integrates into as many different code repositories. We have used a couple of tool-specific ones, but GitGuardian Platform is the only one we have used that works across multiple platforms.

We purchased GitGuardian Platform for a compliance checkbox because we needed to monitor secrets in our code repositories. We saw benefits immediately after implementation, but the reason my team took it over after a couple of years is that the original team did not really go beyond a compliance checkbox. We started seeing benefits in year 3 as we built out a workflow to contact the developers who committed code with secrets and get them to review and approve or revoke the process.

In terms of how GitGuardian Platform Public Leakage Detection influences our data security, it helps us with our known developers, but it is fairly limited. It has to go to another developer who has to make it public or they have to put codes in there, so it works in the right scenario, but there are scenarios where it still misses.

We do not really look at the automated security severity scoring in Incident Management. We still are getting false positives and others, so we are concentrating more on that versus any severity rating.

The pricing for GitGuardian Platform is fair, though slightly high.

We are customers of GitGuardian Platform; we do not have any partnerships or official partnerships, nor are we resellers.

I rate GitGuardian Platform 8 out of 10.

We use the GitGuardian Platform for internal security monitoring. Initially, we employed it to identify any secrets from our internal repositories that might have been accidentally exposed publicly and then expanded our use of GitGuardian to remove secrets from our private repositories, also.

Our company has grown through acquisitions. To address this complexity, we've integrated GitGuardian with our development teams. This allows them to identify secrets within any repository so they can be quickly remediated, ultimately enhancing the security of our codebase.

GitGuardian helps us prioritize remediation quickly. The alerting component is helpful because it lets people know immediately when something suspicious appears. Additionally, the code context feature is valuable as it shows developers exactly where the issue occurs in their code. They can even click a link to jump directly to that location in GitHub. These features significantly speed up the process for developers to identify and remove vulnerabilities.

GitGuardian effectively supports a shift-left security strategy. This is because it integrates directly with the code repository, allowing for near real-time feedback on potential security issues before code is merged into production branches. This early detection is highly valuable. Furthermore, GitGuardian's command-line interface provides another layer of convenience. Developers can proactively search for and address security concerns before pushing their code.

GitGuardian improves collaboration between our developers and security teams on remediation efforts. The centralized dashboard is tremendously helpful for managing across a multitude of teams and hundreds of engineers. It allows me to see the progress of each team. This visibility makes it much easier to communicate with them. For instance, I can identify teams that might need assistance or recognize those that are successfully reducing vulnerabilities.

GitGuardian has dramatically improved our ability to detect secrets by shedding light on previously hidden vulnerabilities.

Our security productivity has increased significantly. Simply by making this information readily available to developers, we've empowered them to take action. Previously, this wasn't easy, especially when dealing with inherited legacy code. Developers often wouldn't know where these secrets were hidden within the codebase. This improved visibility has made security issues much more actionable for our developers.

With over 6,000 repositories, GitGuardian's automation capabilities have saved us many months of research.

GitGuardian has reduced our mean time to remediation. This ability to track security issues and communicate proactively with teams undoubtedly means we can also remediate them faster.

Recently, a new feature was added that I had been requesting for a while, and I'm super excited about it! This feature allows us to filter incidents by team within the available filters. This is incredibly helpful because before, we could only search for individual repositories. Some of our teams have hundreds of repositories, so filtering by team saves a lot of time and effort.

The ability to create teams is also valuable for a large organization like ours. Some vendors struggle to provide enough user organization layers, but GitGuardian excels in this area.

The core incident management features are also fantastic. For example, alerting people via email about new incidents is crucial for staying on top of things. Additionally, the dashboard allows users to mark the status of secrets, providing a convenient location to review everything.

Another area where GitGuardian shines is the breadth of secret types it covers. They can identify a vast number of secrets out-of-the-box, with minimal false positives. This means they effectively distinguish real secrets from irrelevant data, saving us time and effort. I also appreciate the context provided for developers. When they investigate secrets, they can see exactly where those secrets reside in the code, allowing for quick fixes.

While they do offer some basic reporting, more comprehensive reporting would be beneficial in the long run. This would allow me to demonstrate the value of the product over time to continue to effectively budget for this subscription, especially as they add features that may come at an additional cost. I appreciate the improvements made to reporting over the past year, but continued development in this area will be appreciated.

We have encountered occasional difficulties with the Single Sign-On process. There is room for improvement in its current implementation. It works, but was not quite as smooth as the rest of the GitGuardian experience.

I have been using the GitGuardian Platform for one year.

GitGuardian is stable. I have not had any problems.

GitGuardian scales incredibly well. We bombarded them with a massive number of repositories, and they ingested everything much faster than I anticipated. This allowed for a swift evaluation process. Their ability to handle large deployments is evident, and I'm confident they support companies even bigger than ours.

The technical support team responded quickly and was able to resolve my issues the following day. There were no problems with their service.

Positive

Before implementing the GitGuardian platform, we lacked a solution to identify secrets in our code. This created a significant security blindspot for us.

The initial setup was straightforward. However, we did need to establish the initial connection between the repositories. This process went fairly smoothly overall. While connecting the repositories on GitHub was easy, it was a bit trickier on the Azure side. So, some preparatory work was required there. Once that was done, the internal monitoring setup was complete and went quickly. Additionally, we had to set up teams and invite members, but this also went quickly.

The deployment took a couple of days. The repository connections (6,000+ repositories) took an hour or two to fully populate. One person was required for the deployment. 

The implementation was completed in-house.

GitGuardian is not inexpensive. It's one of the more expensive tools in our portfolio, especially considering its focused functionality. However, while it may not offer a wide range of features, it acts as a form of critical security insurance. It safeguards our most vulnerable points, and a data breach can lead to legal repercussions that can be very costly for years to come. In that light, the cost is warranted and rational.

After considering several options, we determined that GitGuardian was the most robust solution for our organization's needs.

We evaluated several open-source solutions for secret detection. We also considered other security tools with similar capabilities but found that those not specifically focused on secret detection fell short. These tools often treated secret detection as an afterthought, resulting in limited effectiveness. While they might identify some basic secrets, they lacked the depth and comprehensiveness of GitGuardian. This is why we decided to invest in a dedicated secrets detection tool.

I would rate the GitGuardian Platform 10 out of 10.

Concerning maintenance, there may be a rare exception that we need to enter into the platform when new repos are added, but these have been very infrequent. The tool requires very little ongoing maintenance, beyond what teams need to triage.

While there are open-source secret detection tools available, they can be limited. GitGuardian, with its dedicated development team, offers a more comprehensive solution. Their support, including responsive sales reps and customer service, ensures you get the help you need to keep your system secure. Open-source solutions often lack this level of dedicated support, which can leave you troubleshooting issues on your own. For critical security needs, the additional features and support offered by GitGuardian are a worthwhile investment.

It's critical to our application development security program to have a robust secrets management solution. This is especially important when we have a large development team. In such an environment, the risk of human error increases, often due to unintentional mistakes. People might forget things, miss something during development due to time pressure, and so on. However, even a single mistake can have serious consequences. Therefore, careful management of secrets is essential. It safeguards our relationships with vendors, protects our internal data, and offers numerous other benefits.

My recommendation is to prioritize setting up SSO as first step, before onboarding any other users, if you're planning to implement it. Do it first. That was the only real challenge we faced; trying to get it working later created some complications. The actual setup process of getting GitGuardian to scan our repositories was straightforward and fast.

We brought in GitGuardian Internal Monitoring to review all of our code within GitHub so that we can identify and fix any exposed secrets.

I have been very impressed with the breadth of its detection capabilities. I did a proof of concept with a couple of other common tools for the same kind of thing, and I found GitGuardian to be the best. It finds everything that I would expect it to find. It found more than I thought we would find, so I am very happy with the detection.

I am very happy with the number of specific detectors and keys that it can find for Google, AWS, Twitter, Facebook, etc. It has a lot of specific detectors for different categories, but it also has quite a lot of automatic validity checking, so it can tell whether your Twitter keys or AWS keys are active and or have been revoked. If they are revoked, it is not a problem. Validity checking is fantastic.

GitGuardian Platform's accuracy is incredibly high. There are a couple of categories of generic secrets that I can find. When you turn those on, you end up with quite a few false positives. With the specific detection categories, the false positive rate is incredibly low, but when you turn on the generic categories, it goes up a bit. I am very happy with the number of things that it does find, instead of focusing on true positives versus false positives.

It has not helped to decrease false positives because we did not have a tool in the first place, so we did not have any false positives. We have not decreased our rate at all.

GitGuardian Platform has absolutely helped to quickly prioritize remediation. The severity or criticality that the tool automatically assigns has been very helpful. The built-in validity checking has also been helpful. Whenever you have keys that are marked as valid within the tool, you know that they are high priority and need to be resolved sooner than the ones that are not marked as valid.

We have significantly reduced our potential risk exposure of secrets. In the past nine months, by using GitGuardian, we have been able to identify and resolve a large number of secrets within our code, which reduces the risk if our code were to become public. It has greatly reduced our security risk. It has reduced the potential risk of exposure of secrets by about 75%. We have not only been able to resolve existing issues; we are also more likely to prevent these issues from occurring with improved security culture and the features within the tool.

GitGuardian Platform efficiently supports our shift-left strategy. It provides a command line interface, which can link with the shift left with your standard development processes. Whenever developers are writing code and trying to commit and push that up to GitHub, the command line interface can be integrated into that to prevent secrets from getting into GitHub. It can help go almost as far left as possible.

GitGuardian Platform has greatly improved awareness, and it has reduced the number of secrets that end up in our code. There has been a two-layer impact where it has helped people think about this as an issue and it has also helped them stop doing it even if they are not thinking about it.

GitGuardian Platform has improved our ability to collaborate. We work closely with the development teams to identify the issues, investigate the issues, and troubleshoot and resolve those issues. Due to the way the tool works, it has helped us gather people into teams and work with them so that we can help resolve the findings.

We have one or two of the playbooks automatically enabled. So far, I find them very helpful. The main one so far is that the secrets will automatically resolve when they are revoked, which is incredibly useful. For example, whenever someone goes into the AWS platform to revoke AWS keys, they do not have to go into GitGuardian. It automatically detects that they have been revoked and closes the issue. It is a lot less work than having to go into two different tools and more. There are a couple of playbooks we have for the CLI, so whenever we ignore issues via CLI because something might be a false positive or something might only be a testing key, it will auto-resolve within the UI. The playbooks make it easier to avoid using the UI, but you do not have to. It is one of the catch-22 situations. There is UI, but they are enabling you to not even have to check it in the first place. Playbooks have reduced 50% to 60% of manual work. If developers accidentally commit active keys, they do not have to go in. They do what they need to do to resolve the keys. They do not need to think about it again.

GitGuardian Platform has increased our security team's productivity by about 50%. When we previously had noticed keys, it would have been manual. It would only have been occasionally when I was looking through the code and found the keys. I would have had to reach out to developers and discuss that. It has definitely greatly increased our productivity because we can now automate sending out tickets and assigning them to the right teams. A couple of clicks can send out the information for someone to look into rather than having to message them and try to discuss it with their team. It is a lot more automated.

It is hard to measure the increase in secrets detection rate because previously, we did not have any solution, so we were not detecting anything. After implementing GitGuardian, we can now see what we have got.

Similarly, it is hard to measure the reduction in the mean time to remediation as we did not have something before. It was more manual before. There is probably a 70% reduction because, previously, if I found an issue, I would reach out to our team and spend a while discussing it with them, whereas now, we can just send out a Jira ticket. They can log in and have a look. There is a lot less discussion back and forth.

There is quite a lot to like. Its user interface is fantastic, and being able to sort the incidents by whether they are valid or for a certain repository or a certain user has been very beneficial in helping investigate what has been found. 

The CLI provided by the tool is fantastic for preventing the secrets from getting into GitHub in the first place. The more you use the CLI, the less you use the user interface.

Automated Jira tickets would be fantastic. At the moment, I believe we have to go in and click to create a Jira ticket. It would be nice to automate.

I believe there is a feature on the road map for better handling of issues that have over one occurrence. It is difficult to investigate when there are a large number of secrets. It is hard to know where they are and what to do. These two things would be nice.

I have been using GitGuardian Internal Monitoring for about nine months.

It is a stable solution. I have not noticed any issues with performance, downtime, or anything like that. I would rate it a ten out of ten for stability.

It is scalable. All it requires is someone with GitHub admin permissions. We can integrate as many repos and sources as we want. I would rate it a ten out of ten for scalability.

We have 316 users using this solution. We plan to increase its usage. There are a couple of features in GitGuardian. There is a feature where CLI integrates with your development process for pre-commits. We plan on testing and rolling out that feature so that every developer has pre-committed automatically enabled on their machine. The idea is that it will basically prevent any secrets from getting into GitHub. Another, a lot more minor, feature is GitHub pull requests. Every time there is a pull request, the GitGuardian bot will comment on it if there are secrets. There is an option to block the pull request when secrets are found. We plan to implement that as well.

Their technical support so far has been fantastic. Anytime I raise a ticket, it is resolved and answered very quickly. I am very impressed. Their support is incredibly knowledgeable. Whenever I have questions about detection or remediation, they are very detailed in their answers, and they clearly know a lot about the tool.

Our experience has been fantastic with the purchase, the onboarding, and the customer success team. Everything has been straightforward. Everyone so far has been nice, friendly, and helpful. When there were any hurdles, they helped me resolve them straight away. I would rate their support a ten out of ten.

Positive

We did not use any similar solution before. It was a manual process. We did not monitor anything. We just occasionally noticed things to be resolved. It was a manual process.

To implement it, the only thing required from our side was having someone with admin permissions to enable the installation. It was minimal from our side.

It does not require any maintenance from our side.

It required just one person with GitHub admin privileges. I clicked a few buttons, and then he went in and approved it, and that was it.

It has definitely saved us a lot of time. To be able to view everything important and narrow our focus to resolve issues has sped up our development process and decreased our security risk.

I am only aware of the base price. I do not know what happened with our purchasing team in discussions with GitGuardian. I was not privy to the overall contract, but in terms of the base MSRP price, I found it reasonable.

We reviewed three or four main secret detection products available. We reviewed GitHub Advanced Security and BluBracket.

We chose GitGuardian for a number of reasons. Its user interface is absolutely fantastic. Being able to filter instances has been the main thing. It helps us to focus and narrow down our remediation efforts.

There is also the ability to create teams and assign developers and teams to only see what they are responsible for. There are a number of other products, but they are missing that feature of narrowing visibility. We wanted a tool that the security team could set up and the developers could log in to use. A lot of the other tools on the market are only for the security team. It would have been more manual on our side to reach out to teams to get them to resolve things. This way, we can add users to teams, assign them the repositories that they maintain, and they can work away by themselves.

To a security colleague at another company who is using an open-source secrets detection solution, I would be happy to recommend GitGuardian. I have been setting up and using the tool. I can happily, personally, and professionally recommend this tool to others.

In my opinion, secret detection is incredibly important to a security program for application development. It is critical to our company's obligation and security process. Without it, you do not know what secrets could be leaked, so once you implement it, you know where you stand and you know what you need to do. You can resolve as well as prevent these things.

I would definitely recommend doing a proof of concept to make sure it fits your use case. I would be more than happy to recommend it. There would not be any caveats. Go ahead and test it out. If it fits exactly what you need, go for it.

Overall, I would rate GitGuardian Platform a ten out of ten. I am very happy with what we are able to do with it and how it works.