
GitGuardian Platform

GitGuardian

Reviews from AWS customer

3 AWS reviews

External reviews

251 reviews

External reviews are not included in the AWS star rating for the product.


4-star reviews

    Glenn McDonald

Improves coding hygiene and uncovers potentially nasty surprises

  • May 21, 2025
  • Review provided by PeerSpot

What is our primary use case?

We use GitHub as our source code platform. When we shifted from on-premise version control systems, we identified a requirement for capable tooling that could both find secrets that were committed in the past, and prevent and alert on secrets that were being accidentally committed.

How has it helped my organization?

GitGuardian gives us a better understanding of what's going on in our source code. Persistent use of the platform has allowed us to highlight areas where we need to improve, e.g. providing training so that people know what information should and should not be in GitHub.

We've managed to use this data to improve practices related to where teams store their secrets, and have also been able to use it to understand where we might be lacking tooling.

When a developer commits a secret or there's a particular pattern in a repository, we often ask them about why they did this. They may turn around and say that there's no better option at the moment because we don't have a platform to suit x, y, or z. We can use that information to then drive decisions around whether or not we need to look into improved tooling or patterns that our engineering teams can use to avoid storing secrets in their source code.

What is most valuable?

Automated validity checks are very helpful; we use them to prioritise incidents, as they give us a quick understanding as to which secrets are still valid. They also help us to confirm that token invalidation - which sometimes has to be done by another team or a third party - has worked as expected.

We also utilize some of the automated playbooks, specifically those around automatic incident closure, allowing us to spend less time making sure that the incidents closed by changes to code are getting closed out.

Instantaneous notifications connected to our Slack platform allow us to deal quickly with incidents if and when they occur.

One of the best features of the solution, though, is the ability to use pre-push hooks. Preventing our developers from committing secrets into their source code before they hit the remote GitHub servers is ideal; it can be quite challenging and time consuming to remediate and rotate secrets once pushed to the remote.

The reporting feature has improved quite a bit since we first used it around five years ago, with filters that allow us to set up quick groups of or collections of filters and statuses to determine which secret detections are still unassigned and which are new. It allows us to easily ship those off to the developers involved in those incidents to get them remediated.

What needs improvement?

We'd love to see notification updates in Slack, as the system does not provide feedback on updates to incidents, which can be problematic when developers resolve issues.

I.e., if a developer commits code that triggers an incident, the alert comes into Slack, but by the time someone looks at it through the Slack alerting channel, the developer might have gone and already fixed or closed the issue. There's no feedback loop back into the notification channel to show that it's been addressed.

Another thing that would be good to see is some more metrics on the usage of the GitGuardian pre-push hooks. It would be helpful to see which GitHub users have or do not have the pre-push hook capability turned on. That would allow us to chase people and say that we noticed that you're making commits, but you're not using GitGuardian, and encourage them to install ggshield before an accident happens.

For how long have I used the solution?

My experience with the solution started in November 2020, which is approximately four or five years.

What do I think about the stability of the solution?

It's generally quite stable.

There has been a little bit of downtime of late, and it has been reasonably impactful when it's not been scanning. We set up our repositories in GitHub with GitGuardian as a required check.

We had an incident for about four hours last week and another one about a month before that. Prior to that, it's been really stable.

What do I think about the scalability of the solution?

It handles all the repositories and commit activity we have.

How are customer service and support?

I would rate their technical support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

No

How was the initial setup?

We didn't have to do much. They manage all of the backend for us. All we have to do is integrate it into our GitHub organizations, and doing that is straightforward.

The solution does not require any maintenance.

What about the implementation team?

In-house.

What was our ROI?

It's challenging to quantify, but it has saved us from a bit of panic because we know the state of our source code. It's hard to determine what savings might come from having the tooling or not.

What's my experience with pricing, setup cost, and licensing?

It's fairly priced, as it performs a lot of analysis and is a valuable tool.

Which other solutions did I evaluate?

We have tested it against other solutions, such as TruffleHog, the open-source solution, and found the GitGuardian Platform to be significantly better in terms of detection capabilities. TruffleHog focuses on secrets that it can validate, but in an Enterprise world with lots of internal tools, APIs and platforms it can miss a lot of secrets.

What other advice do I have?

The new multi-vault feature looks useful; we are planning to connect it up to AWS Secrets Manager and HashiCorp Vault.


    Jiaqi W.

good to be notified of key leaking in the project

  • May 08, 2025
  • Review provided by G2

What do you like best about the product?
Promptly informs of any key leaking after pushing my code.
What do you dislike about the product?
It only becomes visible to me when something bad happens. I hope it can automate the solution after detection.
What problems is the product solving and how is that benefiting you?
Detect any leaking key.


    Computer Software

Great application - saved my butt a few times

  • February 20, 2025
  • Review provided by G2

What do you like best about the product?
It's proactive and helpful. Easy to use. Great app.
What do you dislike about the product?
Would it be possible for GitGuardian to fix my repo, at my request, to remove secrets from my repo (including commit history in which secrets were inadvertently committed)?
What problems is the product solving and how is that benefiting you?
I have accidentally committed secret tokens to git a couple of times. It caught the issue and made me aware. It's been a while, though.


    Oliver K.

Good advice on security issues concerning passwords etc.

  • September 22, 2024
  • Review provided by G2

What do you like best about the product?
Very quick response to issues on GitHub projects.

Detailed explanation of the issue.
What do you dislike about the product?
Sometimes I think GitGuardian is not right.

E.g. some information is stored in .env files, like passwords or SMTP access. This is often not wrong in my mind.
What problems is the product solving and how is that benefiting you?
At the moment, G2 is helping to show potential issues, however most of the time, I considered that as not a high risk issue.


    weiqing l.

Great for Catching Secrets, But Needs a Privacy Option

  • August 09, 2024
  • Review provided by G2

What do you like best about the product?
GitGuardian does a fantastic job at what it’s meant to do—catching secret leaks in your code. I’ve been really impressed with how well it scans my repos and flags potential security issues. It’s definitely something that gives me peace of mind knowing my code is being looked after.
What do you dislike about the product?
There’s no option to exclude private repos from the scans, which feels a bit overkill for me. My private repos are just for my own projects, not shared with anyone, so I really don’t need them to be scanned.
What problems is the product solving and how is that benefiting you?
GitGuardian is solving the issue of accidentally exposing secrets like API keys and credentials in my code. It’s super helpful because it scans my repos automatically and catches things I might have missed.


    Program Development

For a robust check on preventing data leakage and ensuring secure operations

  • July 18, 2024
  • Review provided by G2

What do you like best about the product?
Ease of integration with GitHub.
Ease of use.
What do you dislike about the product?
To address data leakage and ensure secure operations without revealing sensitive information
What problems is the product solving and how is that benefiting you?
Secure code review is a critical aspect of ensuring the robustness and resilience of software applications


    Akshay Vijay J.

Vigilant security bot

  • June 23, 2024
  • Review provided by G2

What do you like best about the product?
I am thankful for GitGuardian; it automatically detected API keys I had left in my code, which I committed by mistake.
Therefore this is a good tool if we want to make sure nobody accidentally pushes sensitive data.
What do you dislike about the product?
I don't have any dislikes as of now; sometimes it highlights false positives, but that is okay.
What problems is the product solving and how is that benefiting you?
It checks that no one is accidentally pushing sensitive API keys, etc.


    Computer Software

Great to think my secrets are safe!

  • June 10, 2024
  • Review provided by G2

What do you like best about the product?
One of the most practical aspects is that we may sometimes overlook the configuration settings or the values of environment variables, but now, that's no longer a concern. GitGuardian will take care of that. And it's very very easy to integrate and the features it has are well rounded. And the support from the team is also sensibly quick and responsive.
What do you dislike about the product?
There isn't anything specific, but I believe the user interface could be more intuitive.
What problems is the product solving and how is that benefiting you?
Security constraints are often overlooked, but GitGuardian has addressed this issue for us by providing a way to resolve and escalate concerns to senior staff for review.


    Samson I.

Very apt

  • May 27, 2024
  • Review provided by G2

What do you like best about the product?
Its notifications letting me know what issues might arise from my code in relation to security breaches and things of that nature.
What do you dislike about the product?
There is nothing I can say that I dislike about GitGuardian.
What problems is the product solving and how is that benefiting you?
Helping me secure my API KEYS better


    Bhoomi B.

GitGuardian for Master's Project

  • May 14, 2024
  • Review provided by G2

What do you like best about the product?
I have been using GitGuardian for my college project. First and foremost, the UX is really good and intuitive. My project is around security, so I am aware of the necessity of that, and GitGuardian is an appropriate alternative to other open source products. I faced a problem initially and I found enough support to help me around.
What do you dislike about the product?
They could work on a more refined payment plan. This will give more flexibility to all categories of developers.
What problems is the product solving and how is that benefiting you?
I have been working on creating a product to provide better enterprise search solutions and this has been helping there.