
GitGuardian Platform

GitGuardian

Reviews from AWS customer

3 AWS reviews

External reviews

251 reviews

External reviews are not included in the AWS star rating for the product.


    Blessed Uyo

GitGuardian's automated features enhance productivity by allowing us to delegate tasks and concentrate on governance.

  • February 28, 2024
  • Review provided by PeerSpot

What is our primary use case?

We utilize GitGuardian to scan for secrets within our codebase. Our implementation includes pre-receive and pre-commit hooks, dashboard scans, and CI/CD integration within GitLab.

How has it helped my organization?

Secret detection is pivotal for development security, ensuring no secrets exist in packages, libraries, dependencies, or code. Even with a locked-down application, explicit permissions could grant easy access to the environment and connected resources. GitGuardian serves as an essential tool for every development team.

GitGuardian aids in prioritizing remediation efforts by promptly notifying us of reported issues. This informs our approach; we prioritize valid reports over invalid ones or those that failed checks. Automation plays a significant role, swiftly addressing invalid reports and saving valuable time.

The solution aligns with our shift-left strategy, empowering developers with security responsibilities through pre-receive hooks that act as security controls. Developers can quickly identify secrets, enhancing security awareness at the development level.

GitGuardian significantly reduces manual work through automation, streamlining incident resolution processes and allowing proactive measures like permissions revocation. While not fully automated, leveraging automated solutions has notably increased productivity, enabling us to focus more on governance and essential tasks.

Our secret detection capabilities have improved dramatically with GitGuardian. Initially facing over 10,000 incidents, we reduced them to 2,700, marking a 60 to 70 percent increase in detection efficiency.

Validation features save considerable time by eliminating the need for manual verification, allowing us to focus on remediation. While accuracy varies based on use cases, we've encountered only a handful of false positives, with the false positive rate correlating strongly with the number of secrets present.

What is most valuable?

GitGuardian offers a range of features that align perfectly with our requirements. With internal policies in place to prevent secret exposure, especially concerning our code hosted on GitLab, GitGuardian's pre-receive hook stands out as a crucial feature. By activating this hook on the remotes, it effectively blocks commits from being pushed to the repository, ensuring that secrets never reach GitLab and remain protected from exposure.

The tool provides comprehensive coverage, including classic technologies such as SMTP credentials, along with Slack tokens and AWS secrets in our specific use case. Its ability to manage various types of secrets, including database connections, APIs, and RSA keys, streamlines our workflow by consolidating detection efforts. This consolidation saves us considerable time, eliminating the need for back-and-forth verification with the team. Once a valid issue is identified, we can promptly escalate it to the team for remediation.

What needs improvement?

The GitGuardian hook and dashboard scanners are essential components that should seamlessly integrate to provide comprehensive security coverage. However, we've encountered instances where discrepancies arise, with the dashboard scan detecting issues not reflected on the hook. This inconsistency requires fine-tuning to ensure efficient detection and resolution, as we aim to avoid unnecessary time wastage.

Moreover, the historical scan feature could benefit from improvement. Occasionally, it fails to efficiently track changes in updated histories, leading to delays in data history updates. This can be frustrating, especially when the reported secret remains unchanged or changed in history. Addressing this issue is crucial to alleviate the burden on the team and streamline our workflow. We hope to see enhancements in this aspect from GitGuardian.

For how long have I used the solution?

I have used GitGuardian for two years.

What do I think about the stability of the solution?

Earlier, we had some challenges and problems with the dashboard crashing, but there have been many improvements since then. We haven't seen any crashes lately.

What do I think about the scalability of the solution?

The scalability depends on the deployment model. Our engineers understand how to deploy the solution directly. We have two environments: production and dev. We haven't seen any major hassles, and it doesn't impact the development workflow.

How are customer service and support?

I rate GitGuardian support nine out of ten. GitGuardian support has been great. They respond fast. If something requires investigation, they also resolve the issue quickly. Recently, we had to upgrade because of a bug. They were happy to help us.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Trufflehog at a previous company. It's hard to compare the two. Both have their strengths and weaknesses. I've used a couple of the other solutions, and GitGuardian stands out.

How was the initial setup?

It was straightforward. We had deployed it on EKS with nodes for dashboard and other aspects of the app.

What about the implementation team?

It was a joint effort. Their support engineers were very skillful and did provide all required help.

What's my experience with pricing, setup cost, and licensing?

Every company has a budget to spend on security tools, so it depends on what you want to spend on security at each stage in their maturity walk. You can have a vulnerability in your code with a firewall in front, but you don't want an application exposing secrets. An attacker knows how to crawl your application and extract information. It depends on how much you want to prioritize the cleanness of your code from a secrets perspective.

Which other solutions did I evaluate?

We looked at a few other products but primarily chose GitGuardian because of the price. It also has some advantages regarding dashboard maturity and the number of available integrations. We also like the auto-validation and the way the pre-commit hook works. It was also a lot easier to implement GitGuardian.

I recommend open source for other things but not secrets detection. There's an inherent vulnerability to an open source solution that could leave your secrets exposed.

What other advice do I have?

I rate GitGuardian Internal Monitoring nine out of ten. Before deployment, it's crucial to thoroughly understand your environment. For users of public cloud services, ensuring compatibility with GitGuardian's features is essential to maximize benefits. While the SaaS solution offers simplicity, our air-gapped internal deployment had minor restrictions on available features. Despite this, we opted to continue with GitGuardian as it satisfied our core needs.

Understanding your environment and version control system is paramount. Determine your implementation approach, considering options like starting with dashboard scans rather than hooks, which I don't recommend initially. Beginning with dashboard scans on your version control system, such as GitHub, and conducting historical scans is advisable. As teams become more acquainted with the tool, gradual implementation of more advanced features like hooks can be considered.


    Marc C.

Pushing code too fast

  • February 28, 2024
  • Review provided by G2

What do you like best about the product?
When you work on your code, you want to make sure it is pushed securely to GitHub. However, when you push it, sometimes you forget some parameters that may be malicious to the app security. That's when GitGuardian comes in: thanks to their alerts, I am able to monitor and fix inappropriate code pushed into GitHub.
What do you dislike about the product?
The drawback, though, is that it is not clear how the information you pushed, sometimes very sensitive, is exposed on GitGuardian. Well, at least on my side, I am not aware if it is encrypted or not.
What problems is the product solving and how is that benefiting you?
It ensures that credentials are not exposed publicly on GitGuardian. Therefore, it alerts you immediately so that you can take measures on the mistake you've made.


    Bohdan S.

I would recommend GitGuardian

  • February 25, 2024
  • Review provided by G2

What do you like best about the product?
I would recommend GitGuardian as it completely satisfies all my needs for GitHub projects. When I push some commits and forget about hiding some important data with .gitignore, GitGuardian tells me about this and also quickly resolves this kind of situation.
What do you dislike about the product?
For my needs, I am fully satisfied with GitGuardian.
What problems is the product solving and how is that benefiting you?
All kinds of problems related to forgetting to hide some data in my commits.


    Nazmul Haque N.

the Secret Keeper

  • February 22, 2024
  • Review provided by G2

What do you like best about the product?
Whenever I published any code that contains a sensitive token or credentials, it detected it right away and sent me an email about that. It is the most wonderful task that might slip away from my mind if I don't give enough attention.
What do you dislike about the product?
It does not integrate well with Telegram, Discord or similar messaging platforms. Also, it could not detect an AWS token if the variable name is not obvious.
What problems is the product solving and how is that benefiting you?
I am a sole developer, so I usually don't review my code after pushing (as I myself wrote the code and checked the code, I kinda feel confident). But, it is not uncommon for me to forget that my access tokens are publicly accessible via my code. But, voila!!!! GitGuardian is here to assist me.


    Miguel P.

CORN

  • February 21, 2024
  • Review provided by G2

What do you like best about the product?
Security is the best for better use in all
What do you dislike about the product?
If the cost is an issue, I will review the usage in the future.
What problems is the product solving and how is that benefiting you?
For now, the GitGuardian is good for security in data.


    Sergei G.

Easy to use and connect to your GitHub account.

  • February 20, 2024
  • Review provided by G2

What do you like best about the product?
Even with the free plan, GitGuardian scans secrets (tokens, passwords, etc), offering a basic layer of security and preventing accidental leaks, allowing you to explore your incidents and offering you to take some actions to nullify threats!
What do you dislike about the product?
I couldn't find how to remove resolved threats from the table of incidents.
What problems is the product solving and how is that benefiting you?
I use it for my pet projects which might include sensitive information as well. GitGuardian prevents accidental leaks in time through immediate emails with alerts.


    Mbessey G.

Proactive Protection

  • February 19, 2024
  • Review provided by G2

What do you like best about the product?
One of the standout features of GitGuardian that I like is its proactive approach to data security. Because it continuously scans code repositories in real-time, it has really helped me to detect potential security threats before they escalate into data breaches.
What do you dislike about the product?
I have not had any disappointments with GitGuardian, everything is going well.
What problems is the product solving and how is that benefiting you?
GitGuardian has helped me to mitigate the risks associated with data exposure in code repositories, it has helped me in terms of data protection especially sensitive information like API-KEYS, passwords and many more.


    Program Development

Experience of using GitGuardian

  • February 16, 2024
  • Review provided by G2

What do you like best about the product?
It gives me an alert every time any sensitive issue takes place with my account, so it's very helpful for every developer.
What do you dislike about the product?
I think until now I haven't found any issue with GitGuardian.
What problems is the product solving and how is that benefiting you?
It's helping me by detecting my secret credentials every time when they are exposed publicly.


    Information Technology and Services

GitGuardian is very helpful. It helps to keep a secret a secret!

  • February 11, 2024
  • Review provided by G2

What do you like best about the product?
It scans for any vulnerability and warns which helps to keep our applications secure.
What do you dislike about the product?
It can't remove anything, which is a good thing. Sometimes I get a false alarm too (if we use dummy tokens).
What problems is the product solving and how is that benefiting you?
By providing warnings about any insecure keys or tokens that are shared, this feature helps to maintain the security of the code.


    Filipe S.

Excellent

  • February 06, 2024
  • Review provided by G2

What do you like best about the product?
Security is very important and GitGuardian guarantees that.
What do you dislike about the product?
At this moment, I haven't found anything I didn't like.
What problems is the product solving and how is that benefiting you?
Secures my projects