What are Honeytokens?

GitGuardian Honeytoken creates decoy credentials called honeytokens that do not grant access to customer resources or data. Instead, they act as tripwires that reveal information about the attacker, such as IP Address, User Agent, and Location.

Our honeytokens are indistinguishable from real secrets to attackers. They are designed to be triggered by secret scanners like TruffleHog or Gitleaks, which are often misused by hackers. If a hacker uses a secret scanner to search for developer secrets, they will trigger the honeytoken and alert the security team of a potential security incident.

Why Should You Use Honeytokens?

There are several reasons why you should use honeytokens in the software development life cycle (SDLC) and software supply chain:

  1. Early breach detection: Honeytokens act as an alarm system, allowing you to detect security breaches early on and prevent damage.
  2. Strengthened supply chain security: Honeytokens help identify if a vendor in the supply chain has been compromised, allowing you to strengthen security and prevent further damage.
  3. Clear visibility of monitored codebase: Honeytokens provide a clear view of where they have been deployed, ensuring they were deployed correctly and not duplicated.
  4. Easy deployment at scale: Honeytokens can be created, deployed, and managed on a large scale, securing multiple code repositories simultaneously.
  5. Code leakage detection: Honeytokens help detect if code has been leaked on public platforms, saving time and resources and preventing data loss.

You can read more in this blog post:

Honeytoken: Your Ally to Detect Supply Chain Intrusions.
What if you could detect intrusions and code leaks in your software supply chain? Introducing GitGuardian Honeytoken, the solution that protects your software supply chain against potential intrusions on SCM systems, CI/CD pipelines, software artifact registries, and more.

How to Create GitGuardian Honeytokens

Step 1: Go to your GitGuardian dashboard > Honeytoken

The Honeytoken module is only available upon request. If you haven't done it already, request access through the Honeytoken tab in your GitGuardian dashboard. Currently, only users with a "Manager" role on the GitGuardian workspace can use the Honeytoken module. In the future, more roles will be able to create and manage honeytokens.
Create first honeytoken

Step 2: Create your honeytoken — click on "Create my first honeytoken" and provide a name and optional description. The description can include specific details about where and how the honeytoken will be placed. Additionally, you can use labels to categorize your honeytoken in a structured manner. Then click "Create my honeytoken."

Currently, only one type of honeytoken is available: AWS key. More honeytoken types are planned in the future.

Congratulations! Your honeytoken creation has been confirmed, and you have received your honeytoken key.

Step 3: Test your honeytoken — copy the aws sts get-caller-identity command displayed in the information box and paste it into your terminal to trigger the honeytoken:

You need to have the AWS CLI installed on your system.
Test honeytoken

Step 4: Verify your honeytoken data — you can check by verifying the status on the dashboard, along with Events data (Timestamp, IP address, User-agent, and Action performed). Additionally,  you should have received an email.

Step 5: Reset your honeytoken — resetting the honeytoken changes its status back to Active, allowing it to be triggered again on future attempts. After resetting, your honeytoken is as good as new!


In a real-life scenario, if you confirm that a triggered honeytoken corresponds to a security incident, you should rather revoke the honeytoken after investigating and taking the necessary measures to protect your environment.

Step 6: Place your honeytoken — you are now ready to start using the honeytoken to protect any system. You can also further configure your alerts to receive instant notifications through custom webhooks, allowing you to customize your alerting workflow.

Important tip: We recommend deploying each honeytoken in a unique place. If it appears in several places, then if it gets triggered, you would not be able to identify for sure which asset is compromised.

If an attacker encounters these AWS credentials, they will likely try to use them. In consequence, you would be immediately notified of the unauthorized access attempt.

With just a few lines of code, you can now effectively deceive attackers!

Where Should You Place Honeytokens?

Here are some examples of where you can place honeytokens:

  • Source control systems (git repositories): Commit them in your repositories to detect compromised codebases. Check our guide for more information:
How to Secure Your SCM Repositories with GitGuardian Honeytokens
Protect your code and secure your repositories with honeytokens. Learn how to create and add these digital traps to your SCM repositories and how GitGuardian helps you stay alert to potential threats. Read on for best practices and tips to make the most out of honeytokens.
  • CI/CD pipelines: Hide them in your CI/CD tools to detect compromised pipelines:
How to Secure Your CI/CD Pipelines with GitGuardian Honeytokens
Discover how honeytokens, digital decoys designed to detect unauthorized access, can strengthen the security of your CI/CD pipelines. In this guide, we offer step-by-step instructions for integrating them into popular pipelines like Jenkins, GitLab, and AWS CodePipeline.
  • Container registries: Expose them in Docker images or other internal packages.
How to Secure Your Container Registries With GitGuardian’s Honeytoken
Discover how to enhance the security of your container registries using honeytokens. Learn the steps to secure Docker Registry, GitHub Container Registry, and GitLab Container Registry with honeytokens. Strengthen your DevOps pipeline and protect your valuable assets.
  • Other productivity tools: Plant them in project management tools like Jira, Linear, Asana, Confluence, or messaging tools like Slack.