Secrets are one of the biggest blind spots in software development. When a secret is exposed, it’s fully exposed—there’s no in-between. A single leaked API key, exposed token, or hardcoded password can lead to catastrophic breaches. It’s no surprise that GitHub is launching its new Secret Risk Assessment: secrets security is a center-stage concern.

At GitGuardian, we welcome this initiative. Secrets security deserves the spotlight, and we have been leading this charge for years, providing comprehensive secrets security that addresses both public and internal risks for the largest companies in the world. While GitHub’s latest move is a step in the right direction, organizations need a more comprehensive and enterprise-ready approach to keep their secrets safe.

You can start to experience that difference with GitGuardian’s Secrets Risk Assessment.

GitHub's Secret Risk Assessment: A Partial View of a Larger Problem


GitHub Advanced Security (GHAS) was recently restructured into two modules:

  • GitHub Code Security (for static analysis and software composition analysis)
  • GitHub Secret Protection (focused on detecting secrets in repositories)

This separation signals how crucial secret security has become. To encourage adoption, GitHub has also introduced a Secret Risk Assessment—a one-time scan for all paid plans to help users identify some exposed secrets and enable protection.

It’s a positive step, but GitHub’s assessment primarily scans the GitHub repositories within the organization, missing two major sources of leaks: first, developers’ personal repositories, and second, collaboration tools such as Slack and Jira, which are often overlooked sources of secrets.

💡 According to our research, 80% of corporate leaks on public GitHub occur in personal repositories, making it critical to monitor beyond the organization’s known perimeter.

💡 38% of incidents in collaboration tools are classified as highly critical or urgent, a higher proportion than in code repositories. The overlap between secrets exposed in code repositories and those found in collaboration tools is minimal, with only 7% appearing in both.

(Figure: GitHub's Secret Risk Assessment)

GitGuardian understands the need for a comprehensive view of your secrets' security posture. To provide clarity and enable a focused approach, we offer dashboards for internal and public risks. This allows you to:

Gain a clearer understanding: By separating these distinct risk areas, you can more easily digest the information and prioritize your security efforts. Public risks are far more time-sensitive and often addressed by a SOC team.

Focus on specific areas of concern: Internal and public risks often require different remediation strategies and may be relevant to different teams within your organization.

Gain Visibility into Public Exposures

💡 New secrets detected in public GitHub commits increased by 25% in 2024. GitGuardian scanned 69.6M public repositories, and at least 4.61% contained a secret.
Source: The State of Secrets Sprawl 2025

GitGuardian’s Public Risk Assessment

GitGuardian’s Public Risk Assessment delivers a real-time, laser-focused view of your company's secrets leaking on public GitHub. We leverage our unique 6-year knowledge base of publicly exposed secrets to give you the edge in protecting your assets.

Here’s what you get:

See your public exposure:

  • Get analytics on your company’s public GitHub footprint.
  • View the number of leaked secrets tied to your organization.
  • Analyze the breakdown of detected secret types.

Deep dive into your risk profile:

  • Analytics on developer activity, showing how many developers are linked to your organization.
  • Number of commits scanned, giving you insight into the scale of risk.
  • Detected secrets timeline, so you can track exposure over time.
  • Severity breakdown, identifying critical leaks like cloud credentials and database passwords.
  • Count of valid secrets, so you can see which leaks are still live.

Investigate and take action:

  • View a curated list of high-impact leaks detected in public repositories.
  • Use the same remediation tools available in the GitGuardian platform, including commenting on incidents, severity classification, and incident-sharing capabilities.
  • Other detected leaks remain hidden, with the option to contact us for full access to your company’s complete exposure.

This free assessment is designed to help organizations immediately understand their public secrets risks and transition into the full GitGuardian experience.


Gain Visibility into Internal Exposures


GitGuardian’s internal risk analytics provide a comprehensive view of secrets exposure within your organization's systems and workflows.

For organizations that want to go beyond the public risk assessment, you can get:

Unmatched coverage: GitHub Secret Scanning primarily focuses on secrets within GitHub's own repositories. GitGuardian scans all your source code management tools (GitHub, GitLab, Bitbucket, and more) and other critical data sources such as Slack, Jira, and Teams. In today's enterprise environment, code lives everywhere, and your security should too.

Deeper detection: GitGuardian is built for enterprise-grade security and specializes in detecting a wider range of secrets, including database credentials, private keys, and cloud access tokens. Our advanced detection algorithms allow us to detect both specific and generic secrets while minimizing false positives, ensuring only real threats are flagged.
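To make the distinction between "specific" and "generic" secret detection concrete, here is a small added illustration written for this post; it is not GitGuardian's detection engine and makes no claim about how the platform works internally. Specific detectors recognise credentials by their fixed shape (an AWS access key ID starting with `AKIA`, a GitHub personal access token starting with `ghp_`), while the generic detector looks for an assignment to a secret-like variable name and then applies two false-positive filters: a placeholder check and a Shannon-entropy threshold. The sample input, the `ENTROPY_THRESHOLD` value, the placeholder list and the detector names are all constructed for the example.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    kind: str      # "specific" or "generic"
    detector: str  # name of the pattern that fired
    value: str


# Specific detectors: fixed-format credentials recognised by prefix and shape.
# (Example patterns for illustration; a real detector set is much larger.)
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic detector: an assignment whose variable name suggests a secret and
# whose quoted value is at least 12 characters long.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b\w*?(?:api[_-]?key|secret|token|password|passwd)\w*"
    r"\s*[=:]\s*['\"]([^'\"]{12,})['\"]"
)

# False-positive filters (constructed values for the example).
PLACEHOLDERS = {"changeme", "password", "example", "your_api_key_here"}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "random-looking"


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Reject well-known dummy values and unresolved template references."""
    return value.lower() in PLACEHOLDERS or "${" in value or value.startswith("<")


def scan_text(text: str) -> list[Finding]:
    """Run specific detectors first; fall back to the generic detector per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched_specific = False
        for name, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, "specific", name, m.group(0)))
                matched_specific = True
        if matched_specific:
            continue  # a specific hit is more precise; skip the generic pass
        m = GENERIC_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(1)
        if looks_like_placeholder(value):
            continue  # dummy or templated value, not a live credential
        if shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # low entropy: repeated characters or a plain word
        findings.append(Finding(line_no, "generic", "high_entropy_assignment", value))
    return findings


# Constructed sample input for the example; none of these values are real credentials.
SAMPLE = """\
# constructed sample input, not taken from any real repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
db_password = "your_api_key_here"
API_TOKEN = "${VAULT_API_TOKEN_PATH}"
secret_key = "aaaaaaaaaaaaaaaaaaaa"
stripe_secret = "sk_live_9f8e7d6c5b4a3f2e1d0c"
user_name = "alice"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: [{f.kind}/{f.detector}] {f.value}")
```

Running the block reports three findings (the AWS key ID, the GitHub token, and the high-entropy `stripe_secret` value) and stays silent on the placeholder, the templated reference, the repeated-character string and the plain username. The two filters in the generic path are what keep the generic detector usable: without them, every `password = "..."` in a test fixture would be flagged.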

Faster remediation: Finding a secret is just the first step—fixing it quickly is what matters. GitGuardian provides clear remediation guidance and automated workflows to help developers secure their secrets without rewriting entire commit histories. Our Push-to-Vault feature even helps organizations safely insert unvaulted secrets where they belong.

Ready to See for Yourself?


GitGuardian has a proven track record of helping enterprise organizations secure their secrets. If you're serious about protecting your secrets and NHIs (Non-Human Identities), it's time to explore a solution that goes beyond the basics. Start with our free Secrets Risk Assessment and then discover the full power of our platform.