GitGuardian Platform logo

    GitGuardian Platform

    The end-to-end secrets security platform for enterprises. Scan and fix hardcoded secrets in source code, CI CD pipelines, and productivity tools with GitGuardian code security platform.

    Ratings and reviews

    4.4
    18 ratings
    3 star
    2 star
    1 star
    61%
    39%
    0%
    0%
    0%
    4 AWS reviews
    |
    14 external reviews
    External reviews are from PeerSpot .

    Filters

    Review type

    AWS Marketplace reviews
    External reviews
    Reviews (18)
    Sanket-Shinde

    Secret scanning has protected sensitive data and now streamlines fixing vulnerabilities

    Reviewed on Apr 19, 2026
    Review from a verified AWS customer

    What is our primary use case?

    I use GitGuardian Platform to ensure that there are no secrets committed, such as hardcoded values, database credentials, API keys, or any secrets that could be exposed to external users of our application. To maintain security and data accuracy, confidential data should not be shared with other platforms. GitGuardian Platform checks our local code first, then it passes through our CI/CD pipeline as well. When we push code to GitHub, it scans and sends a report via Gmail, so we have to fix those security vulnerabilities.

    What is most valuable?

    The best features of GitGuardian Platform are that it detects everything being pushed through the repository and scans everything comprehensively. It checks the possibility of exposure, so if there are API keys or database passwords being used, it warns us to either remove, rotate, or replace them, ensuring they should not be present in a GitGuardian Platform scan.

    Our company has seen many benefits from using GitGuardian Platform, especially since there have been numerous cyber attacks and security threats in the last two to three years. Our company has remained very safe in this regard because we need to secure our data effectively, being in the insurance reinsurance sector. GitGuardian Platform ensures our data is protected by regularly scanning the repositories and sending us reports on how to fix vulnerabilities, keeping us safe from cyber attacks.

    What needs improvement?

    GitGuardian Platform could improve by providing a more user-friendly UI with tips or solutions. With AI advancements, they could offer AI-specific solutions in scanning reports, suggesting fixes for GitGuardian Platform incidents, and even permit automated fixes, which would significantly reduce the developer's workload.

    For how long have I used the solution?

    I have been using GitGuardian Platform for the last one year.

    What do I think about the stability of the solution?

    Stability and availability of GitGuardian Platform are commendable; it is stable and available.

    It is stable because when I push changes, it scans immediately, confirming fixes. There is no downtime during scanning, maintaining stability and availability.

    How are customer service and support?

    I find support good since we have not needed much help from them. The guidelines provided are sufficient for guiding us on what to fix.

    Which other solutions did I evaluate?

    There are many tools in our organization for similar purposes, but GitGuardian Platform is specifically for exposing secrets. We also use Snyk for vulnerability scanning, among others, though I cannot recall all of them.

    The decision was made by my organization, not me, so I am not sure about the parameters they considered before choosing GitGuardian Platform.

    What other advice do I have?

    GitGuardian Platform prioritizes incidents in our workflow through automated validity checks. There are high risk, low risk, and medium risk incidents raised, and the infosec team prioritizes them and approaches us, the developers who pushed those changes, to fix them accordingly.

    GitGuardian Platform's public leakage detection influences our company's data security as a precaution. We are not sure if data might be exposed, but taking this precaution by scanning the repositories is crucial. A cyber attacker just needs one piece of data, so we ensure at least that one thing is secured. It is about cyber attack prevention, ensuring all our data remains safe.

    It rates the effectiveness of severity in incident management based on the severity of the change. This allows us to address the most important ones first. It checks what has been pushed from the code, raising a high-level vulnerability if database-related passwords are involved and reports it urgently. For low-level issues like hardcoded values for APIs, it is reported accordingly based on priority.

    I use GitGuardian Platform's automated playbooks for scanning. Productivity-wise, these playbooks help me know if I am going to push code with secrets. I am aware now, so I intentionally avoid that, ensuring I write good code. It increases my productivity by helping me fix issues proactively. If GitGuardian Platform were not here and vulnerabilities were discovered later, there could be severe consequences. Currently, that impact has been reduced, minimizing our efforts significantly through early precautions.

    Our organization is currently innovating on the AI side, which includes creating a custom agent to fix vulnerabilities, similar to GitHub Copilot. This agent automates changes required based on GitGuardian Platform scanning, closing incidents directly. This support reduces our efforts and timelines.

    Fixing vulnerabilities now takes approximately 60% less time. If fixing took ten days, I now do it in six. I am not sure about multi-vault integration because I am just a developer using it to fix my code changes. I am not sure if I am using GitGuardian Platform's Honey Tokens feature. I would rate this product an 8.5 overall.

    reviewer2740785

    Supports application security by detecting a wide range of secrets and allows integration into existing vulnerability management processes

    Reviewed on Jul 16, 2025
    Review from a verified AWS customer

    What is our primary use case?

    My use case for the GitGuardian Platform is application security for our enterprise repository.

    How has it helped my organization?

    The solution has improved our organization. We are still in the rollout, but the users who are utilizing it are very happy, especially about the feature that enables pre-commit hooks in Git that will not raise to the remote repository. This is a very good feature that our developers use very heavily.

    What is most valuable?

    The best features of the GitGuardian Platform are that it finds many different secrets, more than other competitors, and the support from the colleagues is also very good.

    The GitGuardian Platform helps in monitoring and protecting our code repositories from leakage. It helps significantly because we connected our vulnerability management process to this, and the colleagues from vulnerability management have much easier work since we have the GitGuardian Platform installation due to the dedicated incidents or issues which are opened automatically.

    The alerting capabilities and threat intelligence features of the GitGuardian Platform are managed by another team; we only host the platform.

    The audit logs and compliance reports from GitGuardian are very helpful because, in the past, we needed to do it manually by scanning the repos. Now with GitGuardian Platform, we have a really good overview of what is open, what is closed, and how critical the issues are.

    What needs improvement?

    The areas that have room for improvement involve the missing feature to add custom detectors for the GitGuardian Platform, which would help us check if internal secrets are still valid or not.

    I assess the accuracy of the detection from the GitGuardian Platform as very good because we don't have many false positives, which means the quality is very good. The only thing we want to have are some additional detectors which help us to prioritize, especially since enterprise secrets are found, but they cannot verify if they are valid or not.

    For how long have I used the solution?

    I have been using the GitGuardian Platform for one and a half years.

    What do I think about the stability of the solution?

    The stability of the GitGuardian Platform is excellent. We don't have any problems with the stability of the system at all.

    What do I think about the scalability of the solution?

    The scalability of the GitGuardian Platform is excellent.

    How are customer service and support?

    The technical support from the GitGuardian Platform deserves a rating of nine out of ten.

    What about the implementation team?

    The deployment of the GitGuardian Platform is very easy because it's a Helm chart which is very easy to install for us. The deployment took several days.

    What's my experience with pricing, setup cost, and licensing?

    I have no information about pricing, but since they won the request for quotation, I believe it's a good price.

    Which other solutions did I evaluate?

    We created a technical evaluation and checked against other providers, though I don't remember the names. The GitGuardian Platform has the best technical capabilities, and our procurement handles the pricing part.

    What other advice do I have?

    The GitGuardian Platform is used worldwide in our environment.

    Currently, we have approximately 1,300 licenses for the GitGuardian Platform, but we will increase to 2,000 next year.

    The solution requires maintenance from our side only for user management, which is normal for each application.

    I cannot quantify how much time or resources the GitGuardian Platform saves us because this is spread across all teams worldwide.

    I would recommend the GitGuardian Platform to other users because the integration with GitHub and Azure DevOps is very easy, and you also have the possibility to use it locally on your IDE. This is a very good solution.

    I rate the GitGuardian Platform a nine out of ten because room for improvement is always possible, but it's really good.

    Kingsley Zikora

    Efficiently manages sensitive data but needs improvement in credential differentiation

    Reviewed on Jul 07, 2025
    Review from a verified AWS customer

    What is our primary use case?

    We initially integrated GitGuardian Platform into our organization in 2023 into our GitHub repository. We implemented it because we did not want our secret credentials to be exposed to the internet or to a third party such as GitHub. It flags when credentials have been exposed so we can remediate and fix them. GitGuardian Platform was what my tech lead suggested we use, and we had to incorporate it into our repositories. We use the Platform version.

    What is most valuable?

    What I appreciate the most about GitGuardian Platform is its efficiency when triggering our pipeline and notifying us if secrets have been exposed, such as APIs, variables, our database, or anything being exposed. Currently, we have numerous repositories and pushes that happen in our repo. It would be humanly impossible for us to manually search for these secrets. GitGuardian Platform can do this automatically. All we need to do is wait for an email notification that indicates a secret has been exposed. It points out the repository that has the secret exposed, and we can fix it. This saves us the time of manual review.

    What needs improvement?

    The main disadvantage I feel they should improve upon is that apart from flagging credential issues or secrets, they could incorporate something else to make it more dynamic. If their product focuses majorly on secrets leaking, similar to Amazon Macie, they could expand their capabilities. Amazon Macie primarily flags secrets being exposed over the internet.

    For example, we use Dependabot for code review. Dependabot helps us follow best practices such as code quality and code analysis, as we cannot manually check 10,000 lines of code to ensure they follow structural standards. If GitGuardian Platform could incorporate code analysis into their system, not just for secrets alone, it would make them more dynamic.

    This would allow users to have just one tool instead of multiple third-party tools running in GitHub. It would reduce management overhead as you wouldn't have to manage multiple tools.

    For how long have I used the solution?

    I have been using GitGuardian Platform in my career for almost two years now.

    What do I think about the stability of the solution?

    For my organization, GitGuardian Platform has been stable. Since installation, we haven't had to optimize it, and I am unsure about new versions. It has been functioning effectively, and its performance is satisfactory. The only limitation is that it performs just one task. While it is efficient at credential flagging, it could offer more functionality.

    What do I think about the scalability of the solution?

    Regarding scalability, in my organization, we have about 44 repositories running, and GitGuardian Platform has been able to handle these repositories efficiently. I am uncertain about its capability to handle 100 repositories. For our organization, which is just four years old and not a large platform with numerous features, it functions adequately with our 44 repositories.

    Some tools can function properly until demand increases or usage reaches a certain extent, at which point they might start deteriorating. For instance, with our GitHub account, we had to pay for more capacity usage. I am unsure if GitGuardian Platform has similar limitations on the number of repositories it can handle. However, for our current 44 repositories, it has been working exceptionally.

    How are customer service and support?

    I have never contacted any technical support or customer support through phone or ticket system. We have never experienced any issues with it. It effectively helps us with credentials security and has been performing satisfactorily.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

    How was the initial setup?

    The initial deployment and installation was very easy for us.

    What about the implementation team?

    For this deployment, my tech lead handled the implementation. We were on a call with him while he deployed it. It required only one person to complete the setup.

    What was our ROI?

    It does not require any maintenance on our end as it has been working autonomously. I am unaware of new versions, but what we have been using has not required maintenance.

    What's my experience with pricing, setup cost, and licensing?

    I am not involved with the pricing of GitGuardian Platform, as the tech lead handled those aspects. Initially, I thought it was an open-source tool. There are private and public versions available. The private version requires payment, but for the public version we use, we did not make any payments.

    Which other solutions did I evaluate?

    I have not compared GitGuardian Platform with any alternatives in my organization. For GitHub repositories credentials, we use GitGuardian Platform. For AWS, we use Amazon Macie because we run our infrastructure on Amazon Web Services. We use Macie to protect our credentials from being exposed.

    What other advice do I have?

    I will rate GitGuardian Platform a seven out of ten. The reason for this rating is that I wish they could have an agent embedded into their system that helps to identify real credentials from mock credentials, as this sometimes causes false alarms.

    We are users of the product with no partnerships with GitGuardian Platform. They can contact me regarding any questions about this review. I am open to anything that benefits the community and makes everything better.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Ney Roman

    Facilitates efficient secret management and improves development processes

    Reviewed on Jun 23, 2025
    Review from a verified AWS customer

    What is our primary use case?

    My use case for the GitGuardian Platform is application security.

    What is most valuable?

    My impression of the GitGuardian Platform's capability to detect secrets in real time is actually really amazing, because it lets us protect or block the pipelines in which we deploy new applications so we can acknowledge when a secret is hardcoded in a repository, or when we have already hardcoded secrets within templates in our repos.

    We adopted it a year ago, and it has been doing great in our teams, especially for developers. The impression so far has been good.

    The severity scoring has helped us in incident management because it is doing the correct job. We got many secrets leaked within our platform and it was making the correct warnings regarding that particular secret, as we had a hardcoded Google Cloud API key. It was marked as a critical severity, so we had the chance to correct it, regenerate that secret and work again on not hardcoding secrets within our code.

    GitGuardian's public leak detection significantly enhances our organization's data security by continuously monitoring public repositories. It allows us to proactively identify accidental exposures of sensitive credentials or secrets.

    What needs improvement?

    Regarding the exceptions in GitGuardian Platform, we know that within the platform we have a way to accept a path or a directory from a repository, but it is not that visible at the very beginning. You have to figure out where to search for it, and once you have it, it is really good, but it is not that visible at the beginning. This should be made more exposed.

    The documentation could be better because it was not that comprehensively documented. When we started working with GitGuardian Platform, it was difficult to find some specific use cases, and we were not aware of that. It might have improved now, but at that time, it was not something we would recommend.

    For how long have I used the solution?

    I have been using the GitGuardian Platform for almost a year now.

    What do I think about the stability of the solution?

    From 1 to 10, I rate the stability of the GitGuardian Platform a 10, as there are no downtimes.

    What do I think about the scalability of the solution?

    I would rate the scalability as a 10, since we did not have any problems.

    How are customer service and support?

    For technical support, I would give a solid 10. They have someone who speaks Spanish, which made it easier for us.

    Which solution did I use previously and why did I switch?

    I am comparing it with Advanced Security from GitHub and Cycode.

    How was the initial setup?

    Two of us were involved in the deployment process.

    It took a week to deploy the GitGuardian Platform, just to standardize the process.

    What about the implementation team?

    Two of us were involved in the deployment process.

    What was our ROI?

    Regarding return on investment, we have actually saved time and resources because before having GitGuardian Platform, we had two or three people working in every repository looking for secrets with open-source tools. It took a long time to find secrets or many patterns, and at the time, we had to configure our own patterns to find them. I cannot specify the exact return on investment, but I can surely say that we have saved significant time and resources, particularly in terms of people and automation.

    Which other solutions did I evaluate?

    I would compare the GitGuardian Platform to other solutions or vendors on the market as being easier to use, but it is not integrated with the CSM that we are using right now. That is the difference. It is easy to use, but it could be easier.

    What other advice do I have?

    We are customers in our company's relationship with the vendor.

    I work primarily with the CLI, focusing on pipelines and automations rather than the platform itself. The platform has remained almost the same within the year that we have been working with it.

    We are not utilizing the automated playbooks yet.

    I cannot determine if the pricing is cost-effective.

    The vendor can contact me if they have any questions or comments about my review.

    I have rated the GitGuardian Platform a 10 out of 10.

    reviewer2721312

    Custom detectors streamline workflow and real-time detection enhances security

    Reviewed on Jun 11, 2025
    Review provided by PeerSpot

    What is our primary use case?

    Our current use cases for GitGuardian Platform involve monitoring external and internal GitHub and GitLab, Bitbucket, and other code repositories that it supports for secrets.

    What is most valuable?

    The newest addition that we appreciate about GitGuardian Platform is the ability to create a custom detector, which we built and worked with the team, and that works very effectively.

    GitGuardian Platform performs the capability to detect secrets in real time exceptionally, as it activates from the commit and can detect it immediately.

    We utilize GitGuardian Platform's automated validity checks in some cases, and they seem to work effectively. We are still experimenting with them.

    The multi-vault integration plays a key role in our secrets management strategy because we have multiple different vaults, and that works effectively.

    What needs improvement?

    GitGuardian Platform does what it is designed to do, but it still generates many false positives.

    We utilize the automated playbooks from GitGuardian Platform, and we are enhancing them. We will probably stop using some of them, but we are building off of them. The one piece they do not include is contacting the person's manager or copying them, which we feel is necessary to prevent insider threat and other issues, but they do not have access to our hierarchy of employees.

    We are not using the honeytokens feature of GitGuardian Platform.

    Regarding improvements, there are two things we are working on with them. They have added charts, which is a new feature, but it is still not accurate. It has taken 4 to 5 months and it is fairly slow. We are looking for better metrics and audit data, wanting more features such as knowing which users are creating the most secrets or committing the most secrets, what repository, what directory, and who is not checking in secrets, which repo, user, or directory has not had any secrets committed. We want more metrics around both good and bad to see how we are performing.

    For how long have I used the solution?

    I have been using GitGuardian Platform for 5 years at the company, and my team has been using it for 3 years.

    What do I think about the stability of the solution?

    There has not been any instability with GitGuardian Platform; it performs reliably.

    What do I think about the scalability of the solution?

    Currently, what GitGuardian Platform is doing works effectively. It is quick and meets our needs. If we added more, I do not think that would really impact performance, so the scalability in that aspect is fine. I know they are trying to branch out and look for secrets in other types of tools, but I am not sure if we are going to use them for that or if that would impact performance or stability either.

    How are customer service and support?

    I have contacted technical support previously, but we usually work through our customer representative directly, and they create the tickets for us.

    How was the initial setup?

    We have one employee that primarily works on the deployment and configuration of GitGuardian Platform, and that took approximately a couple of weeks working directly with them. After that, she spends about an hour in there a week, so it requires minimal effort on our side.

    GitGuardian Platform requires very little maintenance on our end—just making sure the keys are connected and ensuring people are following through.

    Which other solutions did I evaluate?

    I have not used any alternatives to GitGuardian Platform in this specific scope, as I have not found one that fully integrates into as many different code repositories. We have used a couple of tool-specific ones, but GitGuardian Platform is the only one we have used that works across multiple platforms.

    What other advice do I have?

    We purchased GitGuardian Platform for a compliance checkbox because we needed to monitor secrets in our code repositories. We saw benefits immediately after implementation, but the reason my team took it over after a couple of years is that the original team did not really go beyond a compliance checkbox. We started seeing benefits in year 3 as we built out a workflow to contact the developers who committed code with secrets and get them to review and approve or revoke the process.

    In terms of how GitGuardian Platform Public Leakage Detection influences our data security, it helps us with our known developers, but it is fairly limited. It has to go to another developer who has to make it public or they have to put codes in there, so it works in the right scenario, but there are scenarios where it still misses.

    We do not really look at the automated security severity scoring in Incident Management. We still are getting false positives and others, so we are concentrating more on that versus any severity rating.

    The pricing for GitGuardian Platform is fair, though slightly high.

    We are customers of GitGuardian Platform; we do not have any partnerships or official partnerships, nor are we resellers.

    I rate GitGuardian Platform 8 out of 10.

    Ari Kalfus

    Proactive self-service capabilities remove the burden of the security team and enable faster remediation

    Reviewed on May 21, 2025
    Review provided by PeerSpot

    What is our primary use case?

    GitGuardian Platform is a security tool preventing the exposure of secrets. It is particularly valuable as a tool because it doesn't just identify exposed security issues, but works as a platform that gives developers an intuitive and easy way of reacting to and fixing the issues.

    How has it helped my organization?

    GitGuardian Platform captures all the major secret types we care about. It tends to be a bit overzealous in some categories, but it covers all the ones that we want to track and keep an eye on. It has great coverage over those.

    GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively. The built-in process for developers interacting with exposed secrets saves them time fixing security problems before returning to their tasks. We can also provide customized remediation guidelines to developers.

    Automated validity checks are super critical for us. If something is confirmed as valid in the platform, we know there is some externally accessible value that's exposed somewhere. It's then the top priority for us to engage in. It also gives us a lot of confidence. When the development teams come back and say that they have fixed it, GitGuardian Platform confirms that.

    We rely a lot on GitGuardian Platform's self-service functionality so that developers handle incidents without us having to take action. We don't rely on automated severity scoring for incident management. While the severity rating is decent, we focus more on the validity feature and detector categories than on GitGuardian's high-risk ratings. We have customized remediation guidelines by providing specific internal context for handling exposed secrets. We use GitGuardian's integrations with other tracking platforms, but we don't have everything funneled into Jira. We use our own prioritization to see which ones we want to funnel into Jira.

    The platform has given us a clear picture of the historical landscape, showing what has been fixed versus what remains hidden in historical data. This clarity has been helpful in planning security measures around issues that don't get self-healed.

    We have it scanning our GitHub environments, Atlassian suite (Jira tickets, Confluence), and Slack messages. That gives us a nice coverage across the business.

    What is most valuable?

    The validity and self-healing playbook features of GitGuardian Platform is one of the most useful features for us. It automatically reaches out to developers for any leaks, notifying them immediately via email. We have Slack notifications set up, allowing developers to respond, provide feedback about sensitive values, and self-close issues by attesting completion on the platform. A high number of our exposures are remediated by developers before security needs to step in, as the self-healing playbook process engages them automatically. This results in issues being resolved within minutes, saving significant effort from the security team in tracking down or communicating with developers.

    What needs improvement?

    The analytics in GitGuardian Platform have a significant opportunity to better reflect the value provided to security teams and demonstrate actual activity occurring. While the self-healing capability and proactive developer actions are important features, the analytics do not provide information around this activity. They only track actions inside the platform when security team members assign themselves to issues and respond. The self-healing activity by developers isn't reflected in the analytics, requiring us to collect this data ourselves. This presents an opportunity for them to better showcase their developer-first remediation mindset.

    For how long have I used the solution?

    We have been using GitGuardian Platform for approximately nine months.

    What do I think about the stability of the solution?

    It's a stable platform, we don't often have to think about it. The SaaS platform has experienced two significant moments of downtime or instability in the last six months, requiring notices and retrospectives. We also run a self-hosted cluster which has not experienced these issues, though we've faced some challenges upgrading Kubernetes that required support assistance to prevent internal downtime.

    What do I think about the scalability of the solution?

    It is scalable. I would rate it a nine out of ten for scalability.

    My product security team administrates the platform, with a few other security people accessing it. Access to respond to incidents is deployed for every engineer. Team-based provisioning is not yet supported with SCIM, which makes team-based grouping a hassle, so we do not use it.

    How are customer service and support?

    I would rate their technical support a nine out of ten.

    Which solution did I use previously and why did I switch?

    We were using a home-grown solution.

    How was the initial setup?

    The initial setup of the self-hosted cluster was moderately complex. We faced some issues because of the environment we had. We had to fix some installation errors and bugs in their Helm configuration.

    In terms of deployment model, we self-host a cluster out of necessity. We have an internal GitHub Enterprise server. We self-host GitGuardian Platform to connect to that environment. We also use their SaaS version for Slack and Atlassian integrations.

    What about the implementation team?

    We implemented in-house.

    What was our ROI?

    The majority of our incidents for critical detectors and important secret types are remediated automatically or proactively by developers through GitGuardian's notification system, without security team involvement. It saves a lot of time for the security teams and the developers. It probably saves approximately 10 hours per week. Previously, we needed an extra 20% of our time focused on this subject area, which has now been saved because of this platform.

    What's my experience with pricing, setup cost, and licensing?

    It's competitively priced compared to others. Overall, the secret detection sector is expensive, but we are happy with the value we get.

    Which other solutions did I evaluate?

    We evaluated other vendors on the market. The secret detection capabilities of most vendors are basically equivalent, capturing all major types of secrets. The management and administration of findings after scanning is what differentiates vendors. Many alternatives lack strong administration capabilities for security teams after finding detections. GitGuardian's dashboard, self-healing playbooks, and ways for the security team to monitor, track, and deduplicate detections make it easier to manage the program compared to competitors.

    What other advice do I have?

    I would recommend GitGuardian Platform to other users due to the ease of management for the security team with the dashboard. It offers easy administration of results. The proactive self-service capabilities provided to developers remove the burden from the security team and enable faster remediation of exposed values.

    My overall rating for GitGuardian Platform is an eight out of ten.

    Glenn McDonald

    Improves coding hygiene and uncovers potentially nasty surprises

    Reviewed on May 21, 2025
    Review provided by PeerSpot

    What is our primary use case?

    We use GitHub as our source code platform. When we shifted from on-premise version control systems, we identified a requirement for capable tooling that could both find secrets that were committed in the past, and prevent and alert on secrets that were being accidentally committed.

    How has it helped my organization?

    GitGuardian gives us a better understanding of what's going on in our source code. Persistent use of the platform has allowed us to highlight areas where we need to improve; eg. providing training so that people know what information should and should not be in GitHub.

    We've managed to use this data to improve practices related to where teams store their secrets, and have also been able to use it to understand where we might be lacking tooling.

    When a developer commits a secret or there's a particular pattern in a repository, we often ask them about why they did this. They may turn around and say that there's no better option at the moment because we don't have a platform to suit x, y, or z. We can use that information to then drive decisions around whether or not we need to look into improved tooling or patterns that our engineering teams can use to avoid storing secrets in their source code.

    What is most valuable?

    Automated validity checks are very helpful; we use them to prioritise incidents, as they give us a quick understanding as to which secrets are still valid. They also help us to confirm that token invalidation - which sometimes has to be done by another team or a third party - has worked as expected.

    We also utilize some of the automated playbooks, specifically those around automatic incident closure, allowing us to spend less time making sure that the incidents closed by changes to code are getting closed out.

    Instantaneous notifications connected to our Slack platform allow us to deal quickly with incidents if and when they occur.

    One of the best features of the solution, though, is the ability to use pre-push hooks. Preventing our developers from committing secrets into their source code before they hit the remote GitHub servers is ideal; it can be quite challenging and time consuming to remediate and rotate secrets once pushed to the remote.

    The reporting feature has improved quite a bit since we first used it around five years ago, with filters that allow us to set up quick groups of or collections of filters and statuses to determine which secret detections are still unassigned and which are new. It allows us to easily ship those off to the developers involved in those incidents to get them remediated.

    What needs improvement?

    We'd love to see notification updates in Slack, as the system does not provide feedback on updates to incidents, which can be problematic when developers resolve issues.

    ie. if a developer commits code that triggers an incident, the alert comes into Slack, but by the time someone looks at it through the Slack alerting channel, the developer might have gone and already fixed or closed the issue. There's no feedback loop back into the notification channel to show that it's been addressed.

    Another thing that would be good to see is some more metrics on the usage of the GitGuardian pre-push hooks. It would be helpful to see which GitHub users have or do not have the pre-push hook capability turned on. That would allow us to chase people and say that we noticed that you're making commits, but you're not using GitGuardian, and encourage them to install ggshield before an accident happens.

    For how long have I used the solution?

    My experience with the solution started in November 2020, which is approximately four or five years.

    What do I think about the stability of the solution?

    It's generally quite stable.

    There has been a little bit of downtime of late, and it has been reasonably impactful when it's not been scanning. We set up our repositories in GitHub with GitGuardian as a required check.

    We had an incident for about four hours last week and another one about a month before that. Prior to that, it's been really stable.

    What do I think about the scalability of the solution?

    It handles all the repositories and commit activity we have.

    How are customer service and support?

    I would rate their technical support an eight out of ten.

    Which solution did I use previously and why did I switch?

    No

    How was the initial setup?

    We didn't have to do much. They manage all of the backend for us. All we have to do is integrate it into our GitHub organizations, and doing that is straightforward.

    The solution does not require any maintenance.

    What about the implementation team?

    In-house.

    What was our ROI?

    It's challenging to quantify, but it has saved us from a bit of panic because we know the state of our source code. It's hard to determine what savings might come from having the tooling or not.

    What's my experience with pricing, setup cost, and licensing?

    It's fairly priced, as it performs a lot of analysis and is a valuable tool.

    Which other solutions did I evaluate?

    We have tested it against other solutions, such as TruffleHog, the open-source solution, and found the GitGuardian Platform to be about significantly better in terms of detection capabilities. TruffleHog focuses on secrets that it can validate, but in an Enterprise world with lots of internal tools, APIs and platforms it can miss a lot of secrets.

    What other advice do I have?

    The new multi-vault feature looks useful; we are planning to connect it up to AWS Secrets Manager and HashiCorp Vault.

    Tyler Oelking

    Helps increase productivity and identify and prioritize security incidents

    Reviewed on May 02, 2024
    Review provided by PeerSpot

    What is our primary use case?

    Our developers use the GitGuardian platform to securely access and manage secrets within their repositories. This allows them to identify and address any potential security risks.

    How has it helped my organization?

    GitGuardian's detection capabilities are good.

    The accuracy of detections and the false positive rate are good.

    It has improved the abilities of our developers and security team.

    The playbooks help to identify and prioritize security incidents.

    GitGuardian helped us increase our secret detection rate.

    GitGuardian helped to increase our security team's productivity. It allows us to find the secrets and their repository faster. As the security team is focusing on one app to audit it, we also look at the GitGuardian findings for that app, and that is easier than looking for the secrets manually.

    What is most valuable?

    The most valuable feature is the general incident reporting system. It provides informative data with good filtering and reporting options.

    What needs improvement?

    We'd like to request a new GitGuardian feature that automates user onboarding and access control for code repositories. Ideally, when a user contributes to a repository, they would be automatically added to GitGuardian and granted access to view that specific repository. This would eliminate the need for manual user creation and permission assignment within the platform.

    For how long have I used the solution?

    I have been using the GitGuardian Platform for one and a half years.

    What do I think about the stability of the solution?

    The GitGuardian Platform is stable.

    What do I think about the scalability of the solution?

    The GitGuardian Platform can deploy at scale.

    What's my experience with pricing, setup cost, and licensing?

    The pricing for GitGuardian is fair.

    What other advice do I have?

    I would rate the GitGuardian Platform eight out of ten.

    Getting started with GitGuardian required some preliminary setup on our part. This involved configuring both our on-premise GitHub Enterprise server and the GitGuardian application itself, granting the application access to the enterprise server.

    GitGuardian requires around two hours per week of maintenance. We have our scripts that add users to the tool as needed. So we have a script that looks at our GitHub server talks to that API, and uses the information from that to add users to GitGuardian. And we have to maintain those because sometimes just like with any code, we have to make sure that process is still working.

    GitGuardian's onboarding process and customer success teams were helpful.

    I recommend GitGuardian as an easy-to-use tool that tackles a major security risk often overlooked by companies. This platform can significantly improve your software development lifecycle.

    While detecting hidden functionality within a security program for application development isn't the highest priority, it does hold some value. If resources allow, it's worth considering incorporating methods to identify such secrets.

    Organizations considering the GitGuardian Platform should establish clear action points for employees who will be using the tool. This ensures everyone understands how to leverage GitGuardian effectively within their workflow.

    reviewer2395164

    Impressive detection capabilities, fantastic UI, and incredibly knowledgeable support team

    Reviewed on Apr 26, 2024
    Review provided by PeerSpot

    What is our primary use case?

    We brought in GitGuardian Internal Monitoring to review all of our code within GitHub so that we can identify and fix any exposed secrets.

    How has it helped my organization?

    I have been very impressed with the breadth of its detection capabilities. I did a proof of concept with a couple of other common tools for the same kind of thing, and I found GitGuardian to be the best. It finds everything that I would expect it to find. It found more than I thought we would find, so I am very happy with the detection.

    I am very happy with the number of specific detectors and keys that it can find for Google, AWS, Twitter, Facebook, etc. It has a lot of specific detectors for different categories, but it also has quite a lot of automatic validity checking, so it can tell whether your Twitter keys or AWS keys are active and or have been revoked. If they are revoked, it is not a problem. Validity checking is fantastic.

    GitGuardian Platform's accuracy is incredibly high. There are a couple of categories of generic secrets that I can find. When you turn those on, you end up with quite a few false positives. With the specific detection categories, the false positive rate is incredibly low, but when you turn on the generic categories, it goes up a bit. I am very happy with the number of things that it does find, instead of focusing on true positives versus false positives.

    It has not helped to decrease false positives because we did not have a tool in the first place, so we did not have any false positives. We have not decreased our rate at all.

    GitGuardian Platform has absolutely helped to quickly prioritize remediation. The severity or criticality that the tool automatically assigns has been very helpful. The built-in validity checking has also been helpful. Whenever you have keys that are marked as valid within the tool, you know that they are high priority and need to be resolved sooner than the ones that are not marked as valid.

    We have significantly reduced our potential risk exposure of secrets. In the past nine months, by using GitGuardian, we have been able to identify and resolve a large number of secrets within our code, which reduces the risk if our code were to become public. It has greatly reduced our security risk. It has reduced the potential risk of exposure of secrets by about 75%. We have not only been able to resolve existing issues; we are also more likely to prevent these issues from occurring with improved security culture and the features within the tool.

    GitGuardian Platform efficiently supports our shift-left strategy. It provides a command line interface, which can link with the shift left with your standard development processes. Whenever developers are writing code and trying to commit and push that up to GitHub, the command line interface can be integrated into that to prevent secrets from getting into GitHub. It can help go almost as far left as possible.

    GitGuardian Platform has greatly improved awareness, and it has reduced the number of secrets that end up in our code. There has been a two-layer impact where it has helped people think about this as an issue and it has also helped them stop doing it even if they are not thinking about it.

    GitGuardian Platform has improved our ability to collaborate. We work closely with the development teams to identify the issues, investigate the issues, and troubleshoot and resolve those issues. Due to the way the tool works, it has helped us gather people into teams and work with them so that we can help resolve the findings.

    We have one or two of the playbooks automatically enabled. So far, I find them very helpful. The main one so far is that the secrets will automatically resolve when they are revoked, which is incredibly useful. For example, whenever someone goes into the AWS platform to revoke AWS keys, they do not have to go into GitGuardian. It automatically detects that they have been revoked and closes the issue. It is a lot less work than having to go into two different tools and more. There are a couple of playbooks we have for the CLI, so whenever we ignore issues via CLI because something might be a false positive or something might only be a testing key, it will auto-resolve within the UI. The playbooks make it easier to avoid using the UI, but you do not have to. It is one of the catch-22 situations. There is UI, but they are enabling you to not even have to check it in the first place. Playbooks have reduced 50% to 60% of manual work. If developers accidentally commit active keys, they do not have to go in. They do what they need to do to resolve the keys. They do not need to think about it again.

    GitGuardian Platform has increased our security team's productivity by about 50%. When we previously had noticed keys, it would have been manual. It would only have been occasionally when I was looking through the code and found the keys. I would have had to reach out to developers and discuss that. It has definitely greatly increased our productivity because we can now automate sending out tickets and assigning them to the right teams. A couple of clicks can send out the information for someone to look into rather than having to message them and try to discuss it with their team. It is a lot more automated.

    It is hard to measure the increase in secrets detection rate because previously, we did not have any solution, so we were not detecting anything. After implementing GitGuardian, we can now see what we have got.

    Similarly, it is hard to measure the reduction in the mean time to remediation as we did not have something before. It was more manual before. There is probably a 70% reduction because, previously, if I found an issue, I would reach out to our team and spend a while discussing it with them, whereas now, we can just send out a Jira ticket. They can log in and have a look. There is a lot less discussion back and forth.

    What is most valuable?

    There is quite a lot to like. Its user interface is fantastic, and being able to sort the incidents by whether they are valid or for a certain repository or a certain user has been very beneficial in helping investigate what has been found.

    The CLI provided by the tool is fantastic for preventing the secrets from getting into GitHub in the first place. The more you use the CLI, the less you use the user interface.

    What needs improvement?

    Automated Jira tickets would be fantastic. At the moment, I believe we have to go in and click to create a Jira ticket. It would be nice to automate.

    I believe there is a feature on the road map for better handling of issues that have over one occurrence. It is difficult to investigate when there are a large number of secrets. It is hard to know where they are and what to do. These two things would be nice.

    For how long have I used the solution?

    I have been using GitGuardian Internal Monitoring for about nine months.

    What do I think about the stability of the solution?

    It is a stable solution. I have not noticed any issues with performance, downtime, or anything like that. I would rate it a ten out of ten for stability.

    What do I think about the scalability of the solution?

    It is scalable. All it requires is someone with GitHub admin permissions. We can integrate as many repos and sources as we want. I would rate it a ten out of ten for scalability.

    We have 316 users using this solution. We plan to increase its usage. There are a couple of features in GitGuardian. There is a feature where CLI integrates with your development process for pre-commits. We plan on testing and rolling out that feature so that every developer has pre-committed automatically enabled on their machine. The idea is that it will basically prevent any secrets from getting into GitHub. Another, a lot more minor, feature is GitHub pull requests. Every time there is a pull request, the GitGuardian bot will comment on it if there are secrets. There is an option to block the pull request when secrets are found. We plan to implement that as well.

    How are customer service and support?

    Their technical support so far has been fantastic. Anytime I raise a ticket, it is resolved and answered very quickly. I am very impressed. Their support is incredibly knowledgeable. Whenever I have questions about detection or remediation, they are very detailed in their answers, and they clearly know a lot about the tool.

    Our experience has been fantastic with the purchase, the onboarding, and the customer success team. Everything has been straightforward. Everyone so far has been nice, friendly, and helpful. When there were any hurdles, they helped me resolve them straight away. I would rate their support a ten out of ten.

    Which solution did I use previously and why did I switch?

    We did not use any similar solution before. It was a manual process. We did not monitor anything. We just occasionally noticed things to be resolved. It was a manual process.

    How was the initial setup?

    To implement it, the only thing required from our side was having someone with admin permissions to enable the installation. It was minimal from our side.

    It does not require any maintenance from our side.

    What about the implementation team?

    It required just one person with GitHub admin privileges. I clicked a few buttons, and then he went in and approved it, and that was it.

    What was our ROI?

    It has definitely saved us a lot of time. To be able to view everything important and narrow our focus to resolve issues has sped up our development process and decreased our security risk.

    What's my experience with pricing, setup cost, and licensing?

    I am only aware of the base price. I do not know what happened with our purchasing team in discussions with GitGuardian. I was not privy to the overall contract, but in terms of the base MSRP price, I found it reasonable.

    Which other solutions did I evaluate?

    We reviewed three or four main secret detection products available. We reviewed GitHub Advanced Security and BluBracket.

    We chose GitGuardian for a number of reasons. Its user interface is absolutely fantastic. Being able to filter instances has been the main thing. It helps us to focus and narrow down our remediation efforts.

    There is also the ability to create teams and assign developers and teams to only see what they are responsible for. There are a number of other products, but they are missing that feature of narrowing visibility. We wanted a tool that the security team could set up and the developers could log in to use. A lot of the other tools on the market are only for the security team. It would have been more manual on our side to reach out to teams to get them to resolve things. This way, we can add users to teams, assign them the repositories that they maintain, and they can work away by themselves.

    What other advice do I have?

    To a security colleague at another company who is using an open-source secrets detection solution, I would be happy to recommend GitGuardian. I have been setting up and using the tool. I can happily, personally, and professionally recommend this tool to others.

    In my opinion, secret detection is incredibly important to a security program for application development. It is critical to our company's obligation and security process. Without it, you do not know what secrets could be leaked, so once you implement it, you know where you stand and you know what you need to do. You can resolve as well as prevent these things.

    I would definitely recommend doing a proof of concept to make sure it fits your use case. I would be more than happy to recommend it. There would not be any caveats. Go ahead and test it out. If it fits exactly what you need, go for it.

    Overall, I would rate GitGuardian Platform a ten out of ten. I am very happy with what we are able to do with it and how it works.

    reviewer2394306

    Integrates well with our shift-left strategy

    Reviewed on Apr 24, 2024
    Review provided by PeerSpot

    What is our primary use case?

    The GitGuardian Platform is primarily used for dependency checks within our development process. This allows us to create a catalog of all dependencies used throughout our code repositories.

    How has it helped my organization?

    We've been impressed with the detection capabilities of the GitGuardian Platform. In fact, it's performing very well compared to other solutions we've evaluated that meet FDA compliance standards. To this end, we're currently in the midst of a trial period with GitGuardian to further assess its effectiveness for our needs.

    While GitGuardian is a powerful solution, it's important to consider false positives. Some tools overwhelm users with alerts for unimportant issues, creating a flood of low-severity incidents. This can lead to alert fatigue and make it harder to identify critical problems. In my experience, GitGuardian strikes a good balance between accuracy and false positives, earning it a rating of eight out of ten.

    GitGuardian significantly improves our ability to prioritize remediation efforts. Previously, without automatic detection, incidents could take anywhere from one day to a month to fix after being discovered manually. Now, thanks to GitGuardian's alert system, we're notified of new incidents immediately, allowing us to address them quickly – typically within a couple of hours. This ensures that the most critical issues are prioritized and resolved swiftly.

    It integrates well with our shift-left strategy. This means it identifies and addresses security vulnerabilities early in the development process, before they can impact our production environment. A good security solution shouldn't disrupt production. If implementing GitGuardian had caused any issues in production, it wouldn't be a suitable choice for our needs.

    The use of GitGuardian impacted our developers' and security team's ability to work together on resolving security issues. Our current system routes all new incident alerts directly to both teams. Ideally, upon identifying a clear security issue, we would engage with developers to collaboratively determine the appropriate solution and prioritize based on both severity and urgency.

    GitGuardian has helped increase our secrets detection rate.

    GitGuardian has significantly boosted our security team's productivity. We've transitioned from manual secret scanning in our repositories to an automated system, making automation the key improvement. This shift has saved the security team valuable time, reducing the time spent per incident by a couple of hours.

    The only preparation we had to do to start using GitGuardian was to integrate it into our GitHub account.

    In application development security, detecting secrets is one of the most crucial practices. A single exposed secret can inflict enormous damage on a company.

    What is most valuable?

    The most valuable feature is its ability to automate both downloading the repository and generating a Software Bill of Materials directly from it. This allows us to efficiently obtain the complete SBOM, including all dependencies, for either a new repository or a previously selected one.

    What needs improvement?

    One of our current challenges is that the GitGuardian platform identifies encrypted secrets and statements as sensitive information even though they're secured. This leads to unnecessary incidents being flagged, causing problems for our workflow. To address this, a context-based secret scanning feature would be a valuable improvement. This functionality would allow the platform to understand the context of the data before flagging it as a secret, reducing the number of false positives.

    For how long have I used the solution?

    I have been using the GitGuardian Platform for six months.

    What do I think about the stability of the solution?

    I would rate the stability of the GitGuardian Platform ten out of ten.

    What do I think about the scalability of the solution?

    GitGuardian meets our scaling needs.

    How are customer service and support?

    I'm impressed with the technical support team. We have bi-weekly meetings where we discuss any issues, and whenever I need something, I've received a response within a few hours.

    The customer success team is another group I truly value meeting with. Their focus aligns directly with the challenges we face. They are incredibly responsive, and if we ever need clarification on anything, they get back to us within a couple of days. Additionally, the onboarding documentation on their website, along with the videos they produce on YouTube, are more than sufficient for getting developers up to speed.

    Which other solutions did I evaluate?

    In addition to GitGuardian Platform, we are also evaluating GitHub Dependabot and Snyk. One of the key features that impressed us with GitGuardian Platform is its ability to automatically create incidents for security vulnerabilities. This is particularly helpful because it allows us to prioritize these incidents based on their CVSS score, ensuring we address the most critical issues first.

    What other advice do I have?

    I would rate the GitGuardian Platform nine out of ten.

    Our GitGuardian users are developers.

    No maintenance is required from our end.

    I recommend GitGuardian because the setup is easy.