In software development, securing sensitive information such as credentials, API keys, and other secrets is crucial. Developer platforms like GitHub, CI/CD pipelines like Jenkins CI, and artifact registries like Docker Hub, where developers write, test, package, and ship software, can become a significant source of risk if such secrets are not kept secure. As software development teams handle an ever-increasing range of credentials, there is a greater chance of secrets being exposed, creating an elevated risk of security breaches. Breaches involving leaked secrets can result in losing trust, credibility, and business. That is why it is critical to have a strategy for managing and protecting such sensitive information.

This is not just a security issue - it can also significantly impact productivity. Imagine your team discovered a hard-coded secret that had been accidentally left in the code. The team now needs to rotate the credentials quickly to address the vulnerability. This can be complex and time-consuming, especially if the credentials are used across multiple applications or services. Your teams are now forced to interrupt their work to address these issues, causing delays and disruptions to their CI/CD pipelines. This can bring teams to a standstill, impacting productivity and causing frustration for everyone involved. To reduce these risks, you need to consider shifting secrets scanning left and detecting hard-coded secrets earlier in the development process. By identifying and addressing these issues earlier, you can avoid the disruptions and delays that come with managing secrets incidents later.

One of the most effective ways to keep secrets from being exposed in the software supply chain is to automate their detection and implement proper secrets management tools and processes. There are commercial code security solutions like GitGuardian and a handful of open-source solutions like Gitleaks or TruffleHog. Another possibility is to build your own security program on top of existing open-source tools.

“Possible? Yes. Feasible? Yes. Practical? Not much.” Bruno Guerreiro Diniz of Datasec

A custom secrets detection solution can seem like a cost-effective and flexible option initially. The biggest risks of going down this road are that it requires significant technical expertise, and the planning and integration process can be long and painful.

And how fast can you build and scale something similar to a commercial solution like GitGuardian if you were to start today? We recommend you ponder this question for a moment while we help you realize the scale of the task. This blog post will explore the advantages of using GitGuardian over a custom-built (DIY) solution.

Deployment at scale

If you are a security engineer, you probably have a lot on your plate already – keeping up with the latest threats, triaging and remediating vulnerabilities, staying on top of compliance requirements, and working with engineering teams to de-risk software development as much as possible.

One of the challenges could be implementing a secrets detection and remediation program that works across the entire organization. How do you get all your teams on board? How do you make sure everyone is following best practices? Custom-built solutions can work well for a company, but they require a fair amount of work to make them scalable and resilient.

That's where GitGuardian comes in. Our platform allows you to run proof-of-concept exercises and initial pilots to assess workflows. Our platform is designed to scale to meet the needs of enterprise organizations, no matter how many teams, repositories, or contributors you have. Our ultimate goal is to deploy secrets detection for every contributing developer, ensuring that every code commit is secure.

Our platform is also easily set up and highly adaptable, integrating with multiple source control servers, CI/CD systems, package registries, and more. It can monitor multiple code repositories simultaneously and provide real-time alerts when it detects hardcoded secrets. And if your organization has strict data privacy requirements, our platform can be self-hosted on your infrastructure, giving you complete control over your data. With GitGuardian, you can save time and resources that would otherwise be spent designing and deploying your infrastructure. We recommend reading this enterprise deployment case study.

“The initial setup was very straightforward. The deployment time was five minutes. It was the easiest integration I've ever done. We've hooked up other stuff to GitHub before, and it usually involves a few steps. But with GitGuardian, I just generated a token and walked through it. I don't think I even read the documentation. I just found what I wanted to do, made a token, and it connected right up. I wasn't sure if I had done it correctly until I saw it started popping things in there. It was a really easy onboarding process. Its ease of integration showed the maturity of the product or their focus in getting that process right. GitHub has its own rules and it changes a lot. Seeing how solid GitGuardian was gave us confidence in the solution.” Danny, Chief Software Architect at a tech company with 501-1,000 employees

Ease of use for security engineers and developers

Developers know how important it is to keep their code secure but don't want to spend hours configuring tools and workflows. Our platform is designed to be user-friendly, with easy-to-follow documentation and a simple interface for overseeing multiple repositories - whether they number in the dozens, hundreds, or even thousands. You can set it up in no time and get started right away. We offer integrations with popular development platforms like GitHub, GitLab, Bitbucket, and Azure DevOps, as well as pre-built integrations with popular CI/CD tools like Jenkins and CircleCI. This means you can integrate our platform into your existing workflows without requiring any significant changes.

Get complete visibility over your SDLC with our Perimeter view.
On the other hand, a custom-built solution may require additional effort and expertise to integrate into existing tools and workflows. You need to invest time and resources in developing, testing, and deploying the solution. This can take months and lead to lost time and productivity. You might need to launch batch scans every week, launch a GitHub app on your own, and set up a cron job to identify newly created repositories. And that's not all. You also need to figure out what happens when repositories get deleted. As time passes, you realize the complexity of managing such solutions.

The key to finding the right solution is finding one that's powerful yet intuitive. Our platform is designed to be intuitive, so you can get started immediately, remediating more incidents in less time without any significant learning curve. For better customer experience, we strive for almost 100% parity between the UI and the underlying API so that for every action or interaction you perform through the UI, the REST API exposes a corresponding endpoint. This allows you to integrate our solution into your existing workflows. You can also export your data if you need to migrate to a different platform or system.

“GitGuardian provides a rich and easy-to-use interface that enables engineers or security teams to jump on issues and manage their remediation. It offers functionality to prevent issues from creeping in.”
Andy, Senior Security Engineer at an insurance company with 201-500 employees

Comprehensive detection coverage

Our secret detection engine consists of a large collection of independent detectors - more than 350 - that are constantly being updated by our dedicated Secrets team. Our engine has been battle-tested at scale on public GitHub. We keep improving the precision and accuracy of our detectors to ensure that you're getting the best possible protection. Our platform can detect a wide range of secrets - specific, generic, or even custom patterns to cover secrets specific to your organization.

Our collection of detectors

And the best part? We provide comprehensive coverage for detecting secrets across different types of files, programming languages, and platforms such as GitHub, GitLab, Bitbucket, and Azure DevOps. You can hook up your GitGuardian workspace to these repositories at the instance, organization, and collection levels and monitor all existing and new repositories. And no worries about size - our perimeter can accommodate repositories up to 12 GB. We're in the process of increasing this limit to 60 GB to accommodate larger repositories better. Moreover, our coverage extends beyond repositories. We can detect secrets in different environments, such as cloud infrastructure and Docker container images.

With a custom-built solution, you need to make tradeoffs regarding the number of patterns that can be identified confidently. This may involve focusing on a smaller set of key patterns, which can be detected accurately while acknowledging that this approach may not identify all potentially sensitive data. We have seen companies with custom solutions run full repository scans daily or weekly. Sometimes these scans take longer than expected. To compensate for this, they launch the next scan before the previous one has finished, resulting in technical debt or issues with the architectural design. This can be challenging to navigate, highlighting the importance of a streamlined and efficient system to manage repository scans.

Moreover, from our experience, internal tools built on specific open-source secret scanners report many false positives, which can contribute to alert fatigue among security and engineering teams. Our engine performs secret validity checks, presence checks, and contextual code analysis to filter out false positives. With our platform, you'll have peace of mind knowing that our engine is constantly being updated and improved to keep you protected.

“It has helped decrease false positives. GitGuardian helped us to be much more accurate because we used to use a tool we had built internally but it did not work very well. So we decided to go with GitGuardian and the accuracy is very nice. In addition, it has helped increase our secrets detection rate. Before we used this solution, we were doing manual research and that was not very effective. GitGuardian has increased our detection rate by a factor of 10 at least.” Theo Cusnir, Application Security Engineer at Payfit

Automated incident triage, response, and developer-driven remediation

Today, detection is a commodity, and most secret scanning solutions leave security teams to fend for themselves in the face of secrets sprawl.

But what if remediation could be implemented at scale instead? Our platform is designed to automate every step of the incident response management and remediation process, helping you quickly remove or rotate sensitive data from your code repositories before they become major issues.

When incidents occur, the process of forwarding them to the app development team can sometimes be a messy affair. We have seen companies resort to generating CSV reports and sending them to the repository owner, leaving them to solve the problems on their own. This approach leads to issues, especially when it comes to rotating credentials. Just because a credential has been removed from the codebase does not mean it has been rotated. It is still valid and could still be available in backups of the VCS instance.

Therefore, companies need to have a more streamlined approach to managing incidents and rotating credentials to ensure the security of their systems. Here, the collaboration between security and development teams is key, so we onboard developers onto the platform with RBAC and Teams, collect their feedback, and encourage communication through our product. Our platform gives you an aggregated view of the incident data in a rich user interface. You can also use automated alerting, ticketing, access granting, severity scoring, incident investigation, and automatic resolution of invalid incidents. Our platform lets you define the custom remediation steps every developer or security engineer should take to remediate incidents directly in the GitGuardian workspace, based on your organization's internal processes.

Take a deeper look at your incidents.

One thing to consider when building your solution is whether the security team creates the various integrations or whether it falls to the developers to handle them themselves. There is the risk of flooding the security team with non-actionable alerts. It's essential to strike a balance: the security team must be notified when necessary, while unnecessary alerts that cause confusion and waste valuable time are avoided. We offer the flexibility to configure real-time alerting and notifications that push incident alerts to your preferred channel, such as Slack, Discord, or JIRA. Our alerts can easily be integrated using event-based custom webhooks that any custom web service can consume. These integrations and features help bring all stakeholders closer to the remediation process.

Our approach can save you significant time and effort compared to manual incident response and remediation, particularly in large-scale secrets incidents or vulnerabilities. With a custom-built solution, centralizing incidents from multiple repositories, putting in place a process to investigate them thoroughly, determining if they are valid, reporting leaks, managing and tracking incidents, and creating your own controls to check whether secrets have been remediated can be a lengthy and resource-intensive process.

“GitGuardian has helped to increase our security team's productivity. Now, we don't need to call the developers all the time and ask what they are working on. I feel the solution bridged the gap between our team and the developers, which is great. I feel that we need that in our company, since some of the departments are just doing whatever and you don't know what they are doing. I think GitGuardian does a good job of bridging the gap. It saves us about 10 hours per week.” Edvinas Urbasius, IT Security Specialist, SOC analyst at a wholesaler/distributor with 10,001+ employees

Prevention on developer workstations

Developers work around the clock, pouring their hearts into crafting the code to deliver good-quality products. But as they work tirelessly, sometimes it's easy to forget necessary precautions and hardcode secrets. We empower developers to prioritize security and incorporate it throughout the software development lifecycle. With ggshield, the GitGuardian CLI, developers can prevent secrets and IaC misconfigurations from being committed to your source code repositories. This tool gives developers real-time feedback and alerts them while writing code in their IDE or creating a pull/merge request. Pre-commit hooks have proved to be the most effective means of safeguarding our customers’ sensitive credentials. This means that developers can catch hard-coded secrets or IaC misconfigurations before they even enter your codebase, ensuring that the sensitive information remains secure.

When it comes to custom-built solutions, it's essential to consider how security measures such as pre-receive hooks may impact the development process. While global pre-receive hooks can effectively detect potential security issues, we have seen them create delays and frustration for developers due to high false-positive rates. Sometimes, there is no way to bypass the blocking scan until the security team approves it. To address this, companies consider alternative approaches, such as server-side detection, which however provide non-actionable information to those responsible for fixing issues.

Finding the right balance between security and efficiency is key to achieving effective security measures that are well-received by everyone involved.
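To make the hook-based approach concrete, here is a minimal pre-commit secrets check written for this article as an added illustration; it is not ggshield or any other GitGuardian code. It scans only the added lines of a diff and then applies the two filters the false-positive discussion earlier calls for, a placeholder check and an entropy check; the detector patterns, placeholder list, entropy threshold and the sample diff are all assumptions constructed for the example (the AWS key on the first added line is the well-known AWS documentation sample key).

```python
# Illustrative DIY pre-commit secrets check (constructed example, not ggshield).
# Scans the *added* lines of a diff with one specific and one generic detector,
# then drops the classic false positives: documentation placeholders and
# low-entropy values. All patterns and thresholds are assumptions for this example.
import math
import re
import subprocess
import sys
from collections import Counter

DETECTORS = {
    # Specific detector: fixed-format AWS access key ID (constructed pattern).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Generic detector: a secret-like identifier assigned a quoted value of 16+ chars.
    "generic_assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"
    ),
}
# Contextual filter: values that look like secrets but are docs or test placeholders.
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|dummy|xxxx")
MIN_GENERIC_ENTROPY = 3.5  # bits per character; generic matches below this are not reported

# Constructed sample diff: one real-looking key, one docs sample key, and three decoys.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,0 +1,6 @@
+AWS_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = "AKIA0123456789ABCDEF"
+api_key = "CHANGEME_CHANGEME_CHANGEME"
+secret = "aaaaaaaaaaaaaaaaaaaaaaaa"
+token = "n3vR-Use-Th1s-In-Pr0d-x9Qw7"
+password = "hunter2"
"""


def shannon_entropy(value):
    """Bits per character; repeated characters push this toward 0."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def mask(value):
    """Never echo the full candidate secret into hook output or logs."""
    return value[:4] + "..." + value[-2:]


def scan_diff(diff_text):
    """Return (detector, diff_line_no, masked_value) for each added line that trips a detector."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a secret; skip the file header
        for name, pattern in DETECTORS.items():
            for match in pattern.finditer(line[1:]):
                value = match.group(1) if match.lastindex else match.group(0)
                if PLACEHOLDER.search(value):
                    continue  # documentation or test placeholder, not a live credential
                if name == "generic_assigned_secret" and shannon_entropy(value) < MIN_GENERIC_ENTROPY:
                    continue  # too uniform to be a generated secret
                findings.append((name, lineno, mask(value)))
    return findings


def staged_diff():
    """Diff of what is about to be committed (run from inside a git work tree)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hits = scan_diff(staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF)
    for detector, lineno, value in hits:
        print(f"blocked: {detector} at diff line {lineno}: {value}")
    sys.exit(1 if hits else 0)  # a non-zero exit makes git abort the commit
```

Installed as `.git/hooks/pre-commit` and invoked with `--staged`, it checks what is about to be committed; without the flag it scans the embedded sample diff, reporting two findings and silently dropping the three decoys.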

“The ability to automatically scan source code and detect leaked secrets. GitGuardian has enabled us to add additional security control to our CI/CD pipeline, and enabled us to shift further left in the SDLC by implementing pre-commit hooks for Developers to test their code before it is committed.” Security practitioner in the F&B industry with 1,001+ employees

See this tutorial on Using ggshield Throughout The Software Development Lifecycle - A Developer's View of GitGuardian.

Expert support

Secrets sprawl is plaguing most companies today. Tackling this problem is complex and cumbersome; companies often need help figuring out where to start. We don't just provide a platform to address secrets sprawl - we also offer assistance and expertise. We want you to get the most out of our platform, so we offer documentation, quickstarts, a knowledge base, and free customer support to help you every step of the way. Our dedicated team of security experts is also available to answer your questions and provide guidance on how best to use the tool. Our team can help you accelerate onboarding during the initial pilot, have a smooth setup and deployment process, devise remediation workflows, and discuss product-related questions.

On the other hand, a custom-built solution requires you to maintain and update the tool yourself, which can be difficult if you lack the necessary expertise.

“GitGuardian's support is amazing. They helped us to set it up properly all the way. And whenever we give them feedback, they take it into consideration, if it is a new feature. And if it is a bug, they work on it and fix it. The support is superb.” Abbas Haidar, Head of InfoSec at a tech services company with 51-200 employees

Time and Cost Efficiency

Your developers are on a tight deadline to complete a project, and every second counts.

On top of this, creating a custom-built solution to detect and manage secrets can be a time-consuming and expensive endeavor. Not only does it require a significant investment of time and effort to maintain and customize, but it also demands expertise to develop an effective tool in the first place, one that can scan through thousands of lines of code and identify secrets. It needs constant maintenance and monitoring.

This is why buying an out-of-the-box solution like GitGuardian can often be more efficient. It integrates into your development workflow and comes with automation and updates built-in, reducing the total cost of ownership. We help your security engineers work more efficiently and effectively. By automating tedious and time-consuming tasks, our solution frees up your security engineers to focus on more strategic and higher-value work. You can also let your developers leave the worries of managing a custom-built solution behind and concentrate on delivering quality code within tight deadlines.

“It has also helped to increase our security team's productivity. We have around 110 repositories and if we had to remove something one-by-one it would be very hard, but with this solution, we can do so from all of them at the same time, which saves us months—not even days—but months. Similarly, our mean time to remediation has gone from months to days.”
Emre Ceevik, DevOps Engineer, a comms service provider with 11-50 employees

A Question of Build or Buy

Ultimately, the decision to build or buy a security solution comes down to individual circumstances, with DIY solutions falling into the "build" category. There are great complexities, challenges, and considerations you must make when deciding to build an in-house secrets detection solution. Even if you were to start building your solution today, there is no guarantee that you would be able to prevent all secrets from being hard-coded in the meantime. The risk of exposure would remain until your DIY solution is fully developed and deployed. So before undertaking the task, you should consult and weigh the available options, including open-source alternatives such as TruffleHog or Gitleaks and commercial solutions such as GitGuardian.

If you already have a DIY solution, the points above clearly show you should move to a proven solution like ours. After all, in these challenging economic times, you need to make every dollar count when it comes to your security budget. You want to invest in solutions that will help you achieve maximum results while minimizing the time and resources required. This is where GitGuardian can be a game-changer for your security team, allowing you to get more done with the same number of resources. With our platform, you can maximize your security engineers' productivity while keeping your security budget under control, and your developers can focus on what they do best - building great software.

Extra resources

Read how SAP tried to build an internal secret scanning solution and failed
Review other GitGuardian case studies
See our documentation