📊 NEW! Voice of Practitioners 2024: The State of Secrets in AppSec

Are You Exposed on Public GitHub?

Discover how many secrets your developers have leaked on public GitHub, both company-related and personal.

Evaluate your GitHub attack surface due to secrets leaks

Right into your inbox. No sales call needed!

Trusted by security leaders and enterprises worldwide

Congratulations!

You've taken the first step towards a healthier GitHub security posture.

After a comprehensive analysis, GitGuardian gave {{derivedDomainName }} a score of {{ score }}. We didn't find any hardcoded secrets within your scope.

{{devs}}

Active developers in perimeter

Number of developers who used an email address from your domain (e.g., random_user@{{derivedDomainName}}) to commit on GitHub. This also includes developers from your parent company and any existing subsidiaries. If that's the case, we encourage you to request a detailed audit, and we can adjust it to focus only on the domains you specify.

{{commits}}

Commits scanned

{{secrets}}

secrets leaked

{{validSecrets}}

valid secrets

To provide you with high-precision alerts, GitGuardian tries to verify the validity of each secret through non-intrusive API calls to the issuing host, where possible. If a secret is labeled "valid," it still authenticates and can still be exploited; it should be revoked and rotated.

Improvement Needed!

Your GitHub attack surface posture is good but could use some enhancements.

After a comprehensive analysis, GitGuardian gave {{derivedDomainName}} a score of {{ score }}. Although your company ranks below the 25th percentile compared to similar-sized companies, we still found hardcoded secrets within your scope that require attention.

Work to Do!

You've taken the first step towards a healthier GitHub security posture.

After a comprehensive analysis, GitGuardian gave {{ derivedDomainName }} a score of {{ score }}. You're in the 25th to 50th percentile among companies of similar size in our study. We found a significant amount of hardcoded secrets within your scope that require attention.

Warning!

Your GitHub attack surface posture needs considerable attention and improvements.

After a comprehensive analysis, GitGuardian gave {{ derivedDomainName }} a score of {{ score }}. You're in the 50th to 75th percentile among similarly sized companies in our study. We found a high number of hardcoded secrets potentially exposing your organisation. This requires your attention.

Critical!

Your GitHub attack surface posture is at risk and needs urgent attention.

After a comprehensive analysis, GitGuardian gave {{ derivedDomainName }} a score of {{ score }}. Your company ranks above the 75th percentile compared to similar-sized companies, and the number of hardcoded secrets within your scope is among the highest GitGuardian has ever recorded. This potentially exposes your organisation and requires your immediate attention.

Get more data

Data included in the audit

Understand your public GitHub attack surface better with metrics tied to {{derivedDomainName}} from our complimentary in-depth audit report.

Public GitHub Attack Surface Score

The public GitHub attack surface score, graded from A to E, measures the overall state of your domain with regard to secrets sprawl.

Commits scanned

All activity on GitHub is linked to a commit email. We can tie such commit emails to GitHub accounts, and hence monitor that account's activity.

Active developers in your perimeter

Developers who mentioned your company name on their GitHub profile, or use their company email address when pushing code publicly on GitHub.

Secrets leaked publicly on GitHub

Secrets are digital authentication credentials granting access to systems or data. These are most commonly API keys or usernames and passwords.

Valid secrets publicly available on GitHub

Secrets that can still be exploited by persons with malicious intent.

Secrets breakdown by category

Percentage of secret leaks in each category (e.g., Private key, Version control platform, Cloud provider, Messaging system, Data storage, etc.).

Direct mentions of your company in commits

Commits that mention your company domain in the committed code.

Developers involved in at least one secret leak

Developers from your perimeter who have leaked at least one secret.

Secrets contained in a sensitive file

Secrets that were published inside a file that is sensitive in itself, such as a configuration file.

Public events

A Public Event occurs when a private repository is made public. Such an event is sensitive as it discloses the entire history of a repository, where sensitive data could be found.

Secrets erased from GitHub

Secrets that can no longer be found on GitHub itself (the file or repository was removed or made private), but which were leaked and remain retrievable from GitHub archives.

How GitGuardian generates the audit

Our secrets detection engine has been running in production since 2017 and has analyzed billions of commits from GitHub. Its algorithms and detectors are continuously trained against a dataset of %dscb% billion commits. The latest State of Secrets Sprawl 2024 report found that 12.8 million new secret occurrences were exposed on GitHub in 2023. We can tell you how many of those leaks are tied to your company by first identifying your developers who are active on GitHub.

Even if your organization doesn't engage in open source, your developers or subcontractors may inadvertently leak sensitive information on their personal GitHub repositories. This includes corporate secrets or source code, posing a significant risk.
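The perimeter rule used above (a committer belongs to the company when the commit e-mail is on the company domain) and the non-intrusive validity check described in the results blocks are easy to reproduce on a single repository's history. The script below is an added example, not GitGuardian's engine or any of its detectors: it parses constructed `git log -p` output, counts in-perimeter developers and commits for an assumed domain `example.com`, flags two illustrative token formats (AWS access key IDs, using AWS's published example value, and GitHub personal access tokens), and checks whether a found GitHub token still authenticates with a read-only `GET https://api.github.com/user`. The HTTP transport is injectable so the example runs offline. Commit 4 in the sample deletes the token that commit 3 added, which is why history, not just HEAD, has to be scanned: the secret is still reported.

```python
"""Added example, not GitGuardian's code: an offline sketch of the audit steps
this page describes, run over one repository's history.  SAMPLE_LOG is
constructed data; the perimeter domain (example.com), the two detector
patterns and the HTTP stub are assumptions for illustration."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample in the shape of `git log -p --format='commit %H%nAuthor: %ae'`.
# Commit 3 leaks a GitHub token; commit 4 "fixes" it by deleting the line, but the
# token stays in history, which is the zombie-leak situation the FAQ describes.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: alice@example.com
diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
commit 2222222222222222222222222222222222222222
Author: bob@contractor.test
diff --git a/README.md b/README.md
+Just docs, nothing sensitive here.
commit 3333333333333333333333333333333333333333
Author: carol@example.com
diff --git a/deploy.sh b/deploy.sh
+export GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
commit 4444444444444444444444444444444444444444
Author: carol@example.com
diff --git a/deploy.sh b/deploy.sh
-export GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
+export GITHUB_TOKEN="${GITHUB_TOKEN:?set in CI secrets}"
"""

# Illustrative detectors (assumed, not the product's list), named after the
# page's categories.
GITHUB_PAT = "Version control platform (GitHub PAT)"
DETECTORS = {
    "Cloud provider (AWS access key ID)": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    GITHUB_PAT: re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

HttpGet = Callable[[str, Dict[str, str]], int]  # (url, headers) -> HTTP status


def parse_log(log: str) -> List[dict]:
    """Split `git log -p` text into commits, keeping only the lines each commit added."""
    commits = []
    for block in re.split(r"^commit ", log, flags=re.M)[1:]:
        lines = block.splitlines()
        sha = lines[0].strip()
        author = lines[1].split(": ", 1)[1].strip().lower()
        added = [ln[1:] for ln in lines[2:] if ln.startswith("+") and not ln.startswith("+++")]
        commits.append({"sha": sha, "author": author, "added": added})
    return commits


def in_perimeter(commits: List[dict], domain: str) -> List[dict]:
    """Perimeter rule from the page: the commit e-mail is on the company domain.
    Subsidiary and parent-company domains are not handled in this sketch."""
    return [c for c in commits if c["author"].endswith("@" + domain.lower())]


def find_secrets(commits: List[dict]) -> List[dict]:
    """Run every detector over every added line of every commit.  A commit that later
    removes a secret does not undo the earlier commit that introduced it."""
    findings = []
    for c in commits:
        for line in c["added"]:
            for kind, rx in DETECTORS.items():
                for m in rx.finditer(line):
                    findings.append({"sha": c["sha"], "author": c["author"],
                                     "kind": kind, "secret": m.group(0)})
    return findings


def _urllib_get_status(url: str, headers: Dict[str, str]) -> int:
    """Real transport: one GET, no body, no retries; returns the HTTP status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def github_token_is_valid(token: str, http_get: Optional[HttpGet] = None) -> bool:
    """Non-intrusive validity check: a read-only call to GitHub's /user endpoint.
    200 means the token still authenticates; 401 means it is revoked or invalid.
    Nothing on the account is read beyond the caller's own profile, and nothing is changed."""
    get = http_get or _urllib_get_status
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/vnd.github+json",
               "User-Agent": "secret-audit-example"}
    return get("https://api.github.com/user", headers) == 200


def audit(log: str, domain: str, http_get: Optional[HttpGet] = None) -> dict:
    """Produce the headline numbers the page reports for one domain."""
    scoped = in_perimeter(parse_log(log), domain)
    findings = find_secrets(scoped)
    for f in findings:
        # Only the GitHub detector gets a validity call here; checking an AWS key would
        # need a SigV4-signed STS GetCallerIdentity request, which is left out.
        f["valid"] = github_token_is_valid(f["secret"], http_get) if f["kind"] == GITHUB_PAT else None
    return {
        "developers_in_perimeter": len({c["author"] for c in scoped}),
        "commits_scanned": len(scoped),
        "secrets_leaked": len(findings),
        "valid_secrets": sum(1 for f in findings if f["valid"]),
        "leakers": len({f["author"] for f in findings}),
        "findings": findings,
    }


if __name__ == "__main__":
    # Offline run: the stub answers 200 for every token, so no network call is made.
    report = audit(SAMPLE_LOG, "example.com", http_get=lambda url, headers: 200)
    for key in ("developers_in_perimeter", "commits_scanned", "secrets_leaked", "valid_secrets", "leakers"):
        print(f"{key}: {report[key]}")
    for f in report["findings"]:
        print(f"  {f['sha'][:8]} {f['author']} {f['kind']} valid={f['valid']}")
```

Run without the `http_get` stub to make the real GitHub call for any `ghp_` token found; a 401 on a token that was leaked means it was already revoked, while a 200 means it still works and must be rotated, regardless of whether the file that contained it has since been deleted.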

FAQs

  • How is the score calculated?

    The audit generates a score ranging from A to E. This score factors in the volume of hardcoded secrets detected, the number of leakers (developers who have leaked at least one secret), and the number of developers within your scope over the past three years. Companies are grouped by their number of developers, allowing for a fair comparison.

  • Do you also detect zombie leaks in the commit history?

    Yes. We came up with this term after a surprising (though not entirely unexpected) discovery: when repository owners find a sensitive leak, they often respond by either deleting the repository or making it private, thinking this will cut off public access to the sensitive information.

    The problem is that hiding the repository does not revoke the credential, and the commits may already have been cloned, forked, or captured in GitHub archives (see "Secrets erased from GitHub" above). The secret stays exploitable while appearing to be gone. This is what we call a "zombie leak", and the only real fix is to revoke and rotate the secret.

  • Can you give me some examples of secrets tied to my organization?

    Yes, after we send you the detailed audit directly to your inbox (no sales call necessary), our team can provide examples of critical secrets tied to your organization.