✅ %ndet%+ types of specific and generic secrets supported with high accuracy level.

✅ Checks the validity of %nvck%+ types of exposed secrets.

++ Documentation displays a ~100 types of secrets detectors, 35 of which are a base64 encoded version of an existing detector (duplicate). This information isn’t available within the Blubracket dashboard itself.

❌ Not able to detect real time intrusion in your software supply chain.

Regular expressions result in fewer false alerts. Additionally, known patterns make it simpler to verify if the secret is true or false or whether this is a test or example key.

Learn more about how GitGuardian detects secrets.

++ Yes, based on the combination of entropy checks and contextual analysis of the presumed secret (pre/post-filters).

++ GitGuardian currently supports %ngdet%+ types of generic secrets.

++ Documentation makes no specific separation between specific and generic detectors. We counted less than 10 types of generic secrets supported.

In order to capture a considerably wider variety of secret types, high entropy should be employed.

Learn more about how GitGuardian detects secrets.

++ Yes, supported with the use of regular expressions (in SaaS/Self-hosted versions).

✅ Yes

To find company-specific secrets that are not picked up by the default patterns, you should be able to define your own patterns.

Learn how to create custom detectors.

++ Detectors can be individually activated/deactivated from the UI, in the workspace settings.

❌ No, detectors are not even displayed in the product itself. Users need to go back and forth between dashboard and documentation.

We recommend keeping all detectors active to avoid missing any hardcoded secrets.

Learn how to configure GitGuardian’s detectors.

++ 22 file names raise policy break alerts.

❌ No

There is a very lengthy list of extensions that potentially hold secrets due to the numerous programming languages, frameworks, and coding standards that are used globally.

Learn which file types contain sensitive information.

++ 14 extensions raise policy break alerts.

❌ No

Secrets are frequently discovered in file extensions together with environment variables and configuration data. Learn more.

++ Yes, excluding paths is possible through the UI. GitGuardian recommends a set of exclusions (e.g. test directories) and enables users to test filepaths against the active exclusion list.

❌ Not supported, creating a high potential for false positives

The ability to reduce the number of incidents and concentrate solely on those that matter most is critical to scaling your secrets detection and remediation program.

++ Secrets scanning is possible for local Git repositories or repositories managed through GitHub, GitHub Enterprise, GitLab, Azure DevOps, and Bitbucket Server/Data Center.

✅ Secrets scanning is possible for local Git repositories or repositories managed through GitHub, GitHub Enterprise, GitLab, Bitbucket Server/Data Center and Cloud.

Your repositories contain secrets and sensitive data, such as user passwords or other security flaws, making it possible for anybody with access to the image to obtain that secret and perhaps exploit it to gain access to other systems.

Learn more on why secrets inside Git are a problem

++ Yes, Docker images can be scanned with the GitGuardian CLI, ggshield, using a specific command. The Dockerfile, build arguments, and the image's layers' filesystem are scanned for secrets.

❌ Not supported

Your Docker image can wind up containing a private SSH key, an AWS access token, or a password.

Learn more about the secrets we found on Docker Hub.

🟠 The GitGuardian REST API and CLI, ggshield, support scanning all types of text input for secrets. GitGuardian can provide wrappers (code snippets) to extract and load data from observability tools or CI/CD logs.

-- No native integrations are currently offered but Blubracket’s REST API for Secret Scanning can be used for this purpose.

Sensitive data may unintentionally leak from your server logs when services unintentionally output sensitive data.

++ Yes, we are currently supporting the scan of %external sources scanned for secrets%.

-- No native integrations are currently offered but BluBracket’s REST API for Secret Scanning can be used for this purpose.

Sensitive data may unintentionally be leaked in other productivity tools used by developers.

++ Yes

❌ Not supported, integrations need to be done on an individual basis at the org level.

++ Yes, native GitHub App at the organization level (one-click integration).

+- Supported through the use of Personal Access Tokens. A GitHub App option is offered but it needs to be created by the customers themselves.

++ Yes, upon integration of a GitHub Enterprise organization, admins can choose to - give access to select repositories - provide access to all repositories (present and future repositories).

✅ Yes, upon integration of a GitHub Enterprise organization, admins can choose to:
- give access to select repositories.
- give access to all repositories (present and future repositories).

++ Yes, native GitHub App available. Admins can:
- give access to select repositories
- give access to all repositories (present and future repositories).

✅ Yes, however, there isn’t a native GitHub App. Through the Personal Access Token settings, admins can choose to:
- give access to select repositories.
- give access to all repositories (present and future repositories).

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope.

✅ Yes, through the use of a Personal Access Token.

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to establish a webhook with the VCS for historical and real-time scanning.

✅ Yes, through the use of a Personal Access Token.

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS for historical and real-time scanning.

✅ Yes, through the use of a Personal Access Token.

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS for historical and real-time scanning.

✅ Yes, through the use of a Personal Access Token.

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS.

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS.

++ Yes, full repository history scan can be launched on-demand. Scanning is performed across all branches and for the entire history up to the initial commit.

✅ Yes, full repository history scan can be launched on-demand. Scanning is performed across all branches and for the entire history up to the initial commit.

Hardcoded secrets can hide deep in the commit history across various branches, not only the latest revision of the code.

++ Yes, supported through the GitGuardian CLI, ggshield.

✅ Supported through Blubracket CLI app

Pre-commit hooks put the onus on developers to keep their code free from secrets before contributing to the team’s codebase. The cost of remediation at this stage is low. Learn how to set up a pre-commit hook with GitGuardian.

++ Yes, supported through the GitGuardian CLI, ggshield.

✅ Supported through Blubracket CLI app

Pre-push hooks put the onus on developers to keep their code free from secrets before contributing to the team’s codebase.

++ Yes, supported through the GitGuardian CLI, ggshield.

In addition, a 'break-glass' option is provided to avoid blocking developer workflow in case test credentials or false positives are raised.

❌ Not supported

Pre-receive hooks are the most effective tool to prevent secrets from reaching your codebase.

✅ Yes, supported with the native VCS integrations (GitHub, GitLab, Bitbucket and Azure DevOps). Historical and continuous protection.

✅ Yes, supported with the native VCS integrations (GitHub, GitLab, and Bitbucket)

Learn more about how Git hooks can be useful in a secure development.

++ Yes, the GitGuardian CLI, ggshield, runs natively with 8 different providers in total: GitHub Actions, GitLab CI/CD, Bitbucket pipelines, Azure pipelines, Jenkins CI, CircleCI, Drone CI, and Travis CI.

❌ Not supported natively, Blubracket’s REST API can be used for this purpose.

It is important to raise awareness around the problem of hardcoded secrets and align Dev, Sec, and Ops with Automated Security Testing (AST) in pipelines.

Learn how to use GitGuardian's secrets detection in your CI workflows.

++ In GitHub, secrets scanning check runs can be triggered on pull requests on repositories monitored by GitGuardian. The behavior can be configured to block merging PRs containing secrets.

✅ Yes

Pull request or merge request scanning brings secrets detection to environments developers are familiar with, such as the GitHub or GitLab UI.

++ Unified view of incidents across all monitored sources found via the native VCS integrations.

✅ Aggregated view of incidents across all monitored sources (VCS > organizations > repositories).

It facilitates the collection of relevant data for big-picture analysis.

++ Rich UI/centralized dashboard for Security and Incident Response teams.

❌ Overall poor UI and UX. In the incidents index view, there’s no possibility to search for specific incidents, repositories, or developers. It’s also difficult to filter high-risk incidents for prioritization and remediation workflows.

To accurately assess the code security posture of an enterprise, security professionals require visibility across complex, sprawling environments.

++ Developers can get access to incidents via the GitGuardian UI, with a scoped view on incidents shared with them.

++ An external page can be generated for the developers to view individual incident details, fill out a feedback form and possibly remediate the incident on their own with our advice.

❌ Not supported in Blubracket community edition. Developers can be given access to the workspace but there’s no ACL setting to limit their permissions. All incidents can be viewed by any member of the workspace.

Developers can view and handle their incidents most effectively with the help of intuitive dashboards.

✅ In addition to data such as the commit sha, date, author, secrets type, location (repository, file name, line) and validity, GitGuardian provides contextual tags such as "from a historical scan", "sensitive file", "test file", "exposed publicly", "leaked publicly", "regression", "default branch", etc. 

+- Provided incident data is minimal and restricted to secret type, commit sha, date, author, and location.

Incident data helps you in prioritizing and investigating incidents better by giving additional context.

++ GitGuardian scores the severity of incidents: "Low", "Medium", "High" or "Critical" following default rules or user-defined rules.

❌ Not supported

Severity scoring will assist in identifying and prioritizing issues for quicker resolution.

++ For certain secrets, GitGuardian can perform non-intrusive checks to verify their validity. When revoked, secrets will be marked as no longer valid, effectively providing proof of remediation.

++ GitGuardian can also verify the presence of the secrets in the commits and provide proof of deletion after all evidence of the secret is removed.

❌ Not supported

Users should be able to check the validity of each incident and determine whether the leaked secret is still present or has been entirely erased from the commit history. Learn how to verify if an exposed secret was removed from the commit history.

++ GitGuardian groups all occurrences of the same secret leak across files, repositories, and organizations.

❌ Not supported

You can lessen alert fatigue. There is no need to triage/resolve each and every occurrence separately.

++ Incident handling with "Triggered", "Assigned", "Resolved" and "Ignored" statuses. Two outcomes are possible: incidents can be resolved or ignored.

✅ Yes

This will assist organizations in swiftly identifying incidents and mitigating their negative impact.

++ Incidents can be assigned to a team member (a security engineer or a developer) to handle the incident.

Defining incident assignees makes sure that the incident gets a timely and appropriate response.

++ Default remediation guidelines and recommendations are displayed in the UI. The guidelines can also be customized.

You have some remediation guidelines by default. But as each organization has its own context and remediation policies, you will have the ability to customize the remediation guidelines.

Learn how to create custom remediation guidelines.

++ Incident remediation playbooks like sharing incidents with involved developers, collecting feedback, and closing incidents when they are re-checked as invalid can be automated.

❌ Not supported

The time savings, particularly at the enterprise scale, can be significant. Playbooks keep your teams productive and focused!

Learn more about how to prioritize, investigate and remediate hardcoded secrets incidents at scale.

++ A detailed timeline is provided with an extensive activity log of all performed events (status changes, feedback notes, access sharing, and much more).

❌ Unavailable

Timelines help security teams keep track of all of the actions performed on the incident.

++ Developers can get access to incidents via:
• GitGuardian workspace, scoped view on incidents shared with them;
• A link to an external page can be generated for the developers to view individual incident details, fill a feedback form and possibly remediate the incident on their own.

❌ Not supported

Because developers are key to taming secrets sprawl, AppSec teams must provide them with instant access to and ownership of their hardcoded secrets incidents.

Learn how to bring Dev, Sec, and Ops together for tackling secret sprawl.

++ Yes. When ignoring incidents, it is possible to flag findings as false positives, low-risk credentials, or test credentials.

✅ Yes

Pull request or merge request scanning brings secrets detection to environments developers are familiar with, such as the GitHub or GitLab UI.

++ New occurrences of a resolved incident can be configured to re-open the incident and trigger new alerts or deliver silent notifications.

❌ Not supported

If new secrets were added or rotated secrets broke existing app functionality, you need to reopen the incident.

++ Yes

Serious incidents are immediately identified. Alerts may be directed to the right developers more rapidly for remediation.

++ Yes, to prevent alert fatigue, only one email is sent for multiple occurrences of the same incident.

✅ Yes

The problem of secret leaks has developers at the forefront. It is crucial to notify the developer in charge of the incident via their commit email.

‍Learn what's included in GitGuardian email alerts.

++ Yes

✅ Yes

Teams, processes, and tools should be integrated to increase efficiency and effectiveness for all users by ensuring that alerts are received at the appropriate time and location and that no alert is missed.

++ Yes

✅ Yes.

By integrating your code security platform and ticketing/messaging tool, you can address critical incidents and expedite remediation.

++ Yes

Stay in the know with event-driven alerts when new incidents are raised or when actions are performed on open incidents.

++ Yes, enriched analytics to assess security posture over time and remediation performance.

+️- A few charts are provided but the underlying data cannot be filtered for any analysis of the security posture.

Analytics help you assess security posture over time, and remediation performance.

++ All data is exportable in .csv (including historical incidents) or in JSON format using the REST API.

✅ Incident data is exportable in .csv

Your Dev can review the incident data and filter it further based on their needs.

++ SaaS & On-premises (self-hosted)

+- SaaS only

SaaS is less expensive and easier to scale, while on-premises offers more visibility.

See how an enterprise customer deployed a secrets detection program.

++ Yes, fully compatible with any SAML 2.0 provider.

✅ Yes

Because users only log in once per day and utilize a single set of credentials, it decreases the number of attack surfaces.

See the setup procedures for different IdPs.

++ Yes, the available roles "Workspace Owner", "Manager" (admin), "Member" and "Restricted" are designed for fine-grained access control down to the occurrence level. Teams management available.

❌ Not supported

It's a wonderful approach to bring in every developer, scale up incident remediation, and deal with orphan incidents.

Learn how RBAC can help fix hardcoded credentials faster.

++ Detailed activity logs of all actions triggered on the dashboard or through the REST API.

✅ Yes

Audit logs include precise historical data that can be used to retrace an incident's timeline.

See how to access Gitguardian audit logs.

++ GitGuardian’s public REST API can be used to realize all sorts of actions on your workspace and incidents (retrieve, assign, update status, and share secrets incidents, and more).

This API provides you with access to all of the incident data, including tasks.

++ A dedicated team of Solutions and DevOps Engineers will be made available to help you rollout secrets detection and remediation for your organization (included in the licensing model, at no additional cost).

In order to use a product effectively, a solid onboarding program aids in your ability to comprehend and experience the value it offers.

It is always advantageous to have support professionals who are completely committed to fixing any technical issues you may encounter.

Read more in-depth articles on GitGuardian Blog.