We are thrilled to announce that the GitGuardian App has become the most installed application on GitHub's Marketplace. We are proud to have passed this milestone, with over 418K developers and organizations trusting GitGuardian to detect secrets in their shared repositories. GitGuardian is now protecting over 12.7M individual repositories.

We have been the number one installed security application for some time, but now we have become the single most utilized app across all categories. We believe that this is driven by developers and project owners recognizing the real threats that secrets sprawl can bring and the enormity of the problem.

Beyond just the number of installations, we are most excited to be trusted by so many developers and projects to help keep them safe and their secrets secret. 

GitGuardian is the most popular app in the marketplace

What does the GitGuardian App do?

The GitGuardian App is how developers connect their repositories on GitHub with the GitGuardian platform. This native integration takes only a few seconds and can be configured to cover all the repositories you own or a specified set of those projects. 

Once installed, it allows GitGuardian to automatically scan any new commits pushed to selected repositories for leaked credentials and secrets. It will also run a historical scan on all commits made before its installation to detect any past leaks and give users a full overview of their repositories’ health.

Powering GitHub Check Runs in Pull Requests

GitGuardian's GitHub App also powers GitHub Check Runs on pull requests for monitored repositories. GitGuardian secret scans run on each individual commit that makes up the pull request, and not only the final state of the code in the pull request, detecting secrets even if they’re added in one commit and removed in another, alerting developers directly in GitHub before merges. 

This allows the individual developer to be notified directly in the GitHub interface when an incident is detected by GitGuardian. This early notification allows for quick remediation and ensures that shared branches remain secrets-free as it moves through the later stages of the software development lifecycle.

GitGuardian Security Check triggered by a GitHub Check Run

Free for Open Source, personal projects, and small teams

We are committed to helping developers, ops, and security professionals around the world secure their source code. This is why we make GitGuardian's Secret Detection for repositories free to use for

  • Open Source projects
  • Individual developers
  • Small teams with less than 25 developers

We are monitoring millions of public repositories, thanks to the app, and we are very happy to say that over 227k of those repositories have been forked. We are glad to know that maintainers of these codebases are doing their best to keep credentials from sprawling in plaintext as people fork the project to exercise their open-source rights to modify and run the code as they see fit.  We are dedicated to helping projects of all sizes remain secret-free.

Millions more of the repos we are scanning in real time for plaintext credentials are owned by individual developers and very small teams. We firmly stand behind the idea that everyone is entitled to great code security no matter where they are along their secrets management maturity journey. We are excited that so many people have decided to trust us to help keep their secrets away from their codebases. 

Caption: Number of GitHub installations - By year

Good Samaritan program

The adoption of the app has also been driven by the GitGuardian Good Samaritan program.  GitGuardian automatically scans every new public commit that reaches GitHub. If we find any other secrets, it is in the best interest of the security of the internet overall to make the committer aware this has happened. Many of our users hear about us for the first time through this program when they accidentally push a plaintext credential. We send over 1.8 million such emails a year, asking nothing in return.

Heidi Suukaulio on LinkedIn -  Yesterday I fucked up–and I mean spectacularly. I was working on the full stack course for the University of Helsinki, and decided to update the names of the working directories on GitHub. Of course this broke the .gitignore file, and, on the next commit and push I pushed all of the files containing the database credentials straight to the Internet, publicly.  Without the slight help from the GitGuardian I probably wouldn't have even noticed the mistake. Fast forward, one hour of intense googling and I was able to change the passwords, remove the files and clean my git history. Luckily this was only a database for the course exercise, however, I learned that mistakes do happen even when one thinks they've been careful enough. And the even more important thing is that I know now how to rewrite git history.

Working together to secure our code on GitHub

To err is human, and many people pushing code to GitHub will one day accidentally share something they should not. GitGuardian is here to help make sure you catch these accidents quickly and remediate them before attackers can gain a foothold. If you have not already installed the GitGuardian App to monitor your repositories on GitHub, we invite you to do so now. It is a very simple process.

  1. Sign up for a GitGuardian account
  2. Visit https://github.com/marketplace/gitguardian
  3. Click install
  4. Verify which repos you want GitGuardian to monitor
  5. Check your GitGuardian dashboard for your historical scan report and start remediating any incidents
  6. Move ahead more relaxed, knowing that GitGuardian is now monitoring your repositories for secrets. 

We hope to help every developer and open source project on the internet stay safe and keep those plaintext credentials out of the codebase.