When Grégory Maitrallain, Solution Architect at Orange Business, addressed security professionals at Les Assises de la Cybersécurité, he brought a unique perspective to one of the thorniest problems in modern software development: managing secrets sprawl across thousands of repositories and thousands of developers.

As someone who bridges both development and security, Grégory's insights reveal what makes Orange Business's secrets security journey compelling. This is a story about working with developers, not against them, to solve a problem that was growing faster than traditional approaches could handle.

The Challenge: Secrets Security at Enterprise Scale

Orange Business has over 3,000 developers working across hundreds of projects. They face secrets management challenges at a scale most organizations can only imagine.

Industry research shows developers inadvertently expose 2-3 secrets per year on average. Without proper controls, an organization at Orange Business's scale could face thousands of potential exposures annually. And secrets aren't just hiding in Git repositories. They are scattered across lots of other tools and systems like Teams, Confluence, Jira, and container registries.

"We needed to understand the scope of the problem first," Grégory explains. "We had Vault solutions in place for projects, but we didn't know what was happening when projects weren't using it. We needed visibility."

The Open Source Experiment: Valuable Lessons Learned

Like many organizations, Orange Business started with GitLeaks, the popular open-source secrets scanner. 

But as they scaled the solution across diverse projects, cracks began to appear.

"The problem we had with GitLeaks was that we had to get the projects to use it, and we can't do it for them," Grégory recalls. "It requires communication, ensuring they do it, which is quite complicated."

The real breaking point came when they looked at the results across different projects. The variance was staggering:

  • Project Beta (with experienced teams): GitLeaks performed reasonably well
  • Project Alpha (large codebase, less GitLeaks expertise): 17,000 secrets detected

For Project Alpha, the results were unusable. "They just said, 'We're not doing this,'" Grégory notes. "It was too overwhelming."

The problem wasn't just volume. It was false positives. Teams needed deep expertise to configure GitLeaks correctly for each project context. And even when configured well, there was no lifecycle management, no prioritization, and no clear path to remediation.

The Regulatory Catalyst: NIS 2 and the 2028 Deadline

While Orange Business was addressing these technical challenges, they were also looking ahead to evolving regulatory requirements. The NIS 2 Directive introduced clear requirements: secrets must be managed and encrypted.

Rather than waiting until deadlines approached, Orange Business took a proactive stance. "At the scale of a large enterprise, we wanted to ensure our secrets management approach would meet regulatory standards well ahead of future requirements," Grégory explains.

This forward-thinking approach, combining technical needs with compliance readiness, shaped their evaluation criteria for enterprise solutions.

The GitGuardian Difference: When 17,000 Becomes 1

In 2022, Orange Business ran a proof of concept with GitGuardian. In 2024, they conducted a comprehensive comparison between GitLeaks and GitGuardian across multiple projects with varying characteristics.

The results were dramatic.

Remember Project Alpha, where GitLeaks detected 17,000 secrets? When the same codebase was scanned with GitGuardian, 1 secret was detected. And it was valid.

While manually reviewing all 17,000 findings wasn't feasible, validation on comparable smaller repositories confirmed GitGuardian maintained detection accuracy with minimal false negatives. The difference was the elimination of noise, not missed secrets.

"That's immediately much more manageable," Grégory says.

Across the board, GitGuardian consistently delivered:

  • False positive rate under 5% enabling developer trust and adoption
  • 500+ secret type detectors covering both specific secrets (like AWS keys) and generic high-entropy strings
  • Automated prioritization based on validity and severity
  • Complete lifecycle management from detection through remediation
  • Enterprise governance with centralized visibility and distributed remediation

Why Accuracy Matters More Than You Think

Grégory emphasized one point repeatedly during his presentation: the 5% false positive threshold isn't just a nice-to-have metric. It's the difference between developer adoption and developer rejection.

"If a developer gets an alert when they commit or push, and 80% of the time it's a false positive, it immediately becomes something they'll ignore. It becomes a nuisance and noise. And that's unacceptable."

This insight gets to the heart of why prevention matters:

"The prevention part is the game changer on this problem of secret leaks, because a secret that is not exposed is a secret that poses no security risk for you, and it's also a secret that requires no remediation effort behind it. That's really where it's decided."

Why Prevention Beats Remediation

During their implementation, Orange Business discovered something that fundamentally changed their approach:

"Once a secret is pushed to Git, to GitLab more specifically, and probably GitHub as well, you cannot remove it. You can modify it, you can remove it from a Git repository. However, the references will remain in the database in GitLab, in GitHub, and you can always consult them afterwards."

So even if you delete a secret from your repository, the database references persist. Anyone with access can still retrieve historical commits.

"This makes prevention even more important," Grégory emphasizes, "because once the secret is pushed to a repository, remediation is very costly and you can't really make it disappear."

This technical reality reinforced Orange Business's commitment to a prevention-first strategy, complemented by proper secret rotation and access controls when issues do occur.

The Three-Layer Defense: Building Security That Developers Accept

Armed with these insights, Orange Business designed a three-layer approach that balances security effectiveness with developer experience:

GitGuardian scans code on the developer's machine before it's committed. This is the earliest possible intervention point. True shift-left security.

"The advantage is that it doesn't leave their workstation," Grégory explains. "It's really the earliest point. We're truly doing shift-left."

While optional, the adoption has been encouraging. "Despite limited communication, we're already seeing projects that have taken ownership of this solution and implemented it locally," he notes.

Layer 2: GitLab Pre-Receive Hook (Mandatory)

This is the enforcement layer. When developers push code to GitLab, GitGuardian scans it and blocks commits containing secrets.

But Orange Business didn't just flip a switch. They ran a two-month phased rollout, activating the pre-receive hook on specific days to gather feedback and identify integration issues.

"We work with developers, not against them," Grégory emphasizes. "It's important to have these tests."

Developers can bypass the block when needed (for test values or false positives). But every bypassed secret still creates an incident on the GitGuardian dashboard, ensuring full visibility. This balance allows developers to maintain workflow velocity while giving security teams the oversight they need.

The pre-receive hook reduced the secrets stored in Gitlab by 80% since it has been activated

Layer 3: Post-Commit Scanning (Continuous)

The third layer provides continuous monitoring and catches anything that slips through, whether through bypasses or edge cases.

"It detects what it says and says what it does," Grégory says approvingly. "That's a good thing."

The Results: When Developers Actually Fix Their Code

The impact of all this was immediately visible in Orange Business's metrics.

But here's what's remarkable: the reduction in secret incidents wasn't just because secrets were being blocked. Developers were proactively fixing their code.

"Projects that had detection and potentially pushed secrets before, and had detection after, corrected their code," Grégory explains. "If they hadn't done it, we would have had the same stats before and after pre-receive."

This behavior change reveals something important about developer intent:

"This isn't a desire to do sloppy work. It's really that either they didn't realize it, or it was something that appeared in their code and left on its own. So they correct it. And that's quite positive."

Beyond Code: Expanding the Security Perimeter

While 70% of secrets are found in code repositories, Orange Business isn't stopping there. They're expanding GitGuardian scanning across the organization. They're evaluating additional sources for future implementation.

  • Documentation systems (Confluence, Jira)
  • Communication platforms (Teams, Mattermost)
  • Container registries
  • Drive storage
  • Application logs

"There are often cases where people include credentials in support tickets or documentation to explain what's not working," Grégory notes. "We need comprehensive coverage across all these systems."

The challenge is organizational complexity.

Like many large enterprises, coordinating security initiatives across multiple business units requires alignment at the group level.

Lessons for Other Enterprises

Orange Business's journey offers valuable lessons for any organization facing secrets sprawl:

1. Prevention Is Your Best Investment

Given that secrets can't truly be removed from Git history, catching them before commit is exponentially more valuable than remediation.

2. Developer Experience Determines Adoption

Tools with high false positive rates will be ignored. The 5% false positive threshold is critical for maintaining developer trust.

3. Phased Rollouts Build Confidence

The gradual activation over two months allowed Orange Business to gather feedback, refine processes, and demonstrate that they were working with developers.

4. Enterprise Features Matter

At scale, you need centralized visibility, distributed remediation, audit trails, segregation between projects, and compliance reporting. Not just detection.

5. Accuracy Enables Scale

When alerts are accurate and actionable, security teams can focus on genuine risks rather than spending time investigating false positives.

A Final Word from the Trenches

Grégory's closing remarks at Les Assises captured the essence of Orange Business's approach:

"We work with developers, not against them. It's important to have their feedback."

This philosophy of treating developers as partners rather than security risks is what makes Orange Business's implementation successful. Combined with tools that respect developer workflows while enforcing security standards, it's a model that other enterprises can learn from.

As regulatory deadlines evolve and secrets sprawl continues to grow, one thing is clear: the organizations that succeed will be those that make security invisible to developers doing the right thing, and impossible for those who aren't.

About Orange Business

Orange Business is the enterprise division of Orange Group, one of Europe's largest telecommunications operators, providing IT and integration services to global enterprises. With over 3,000 developers working across hundreds of projects, Orange Business operates at a scale that demands enterprise-grade security solutions.

Orange Business joins a growing list of major telecommunications providers, including Bouygues Telecom, Deutsche Telekom, and a top US Telco, and several leading telco equipment vendors that have chosen GitGuardian for secrets security.

Interested in learning how GitGuardian can help your organization tackle secrets and NHI sprawl at scale? Contact us to discuss your specific challenges.