End-to-End Secrets Security: A Quarter of Innovation at GitGuardian

Data breaches are no longer a matter of 'if' but 'when.' This past quarter alone, we saw millions of ClickBalance records exfiltrated, the source code of public sector websites leaked, and 110,000 domains targeted by attackers exploiting misconfigured .env files—often containing hardcoded secrets.
As cyberattacks grow more sophisticated, organizations need adaptable, cutting-edge tools to safeguard their software supply chains. That's where GitGuardian steps in. Our latest product updates empower security teams to detect and remediate secrets before they can be exploited, staying one step ahead of attackers.

Let's explore how GitGuardian's Q3 2024 innovations elevate your security posture.

Expanding your global reach: SaaS Europe zone availability & IP allowlist

Some customers, such as multinational financial companies, reported that their operations in Europe required GDPR-compliant data handling as well as lower user latency.

By launching the SaaS EU region, GitGuardian meets the increasing global demand for stronger data sovereignty and compliance while hosting data closer to our users. Our belief is simple: customers should control where their data is stored and who can access it. With the SaaS EU region, GitGuardian customers in Europe can rest assured that their sensitive data remains within EU borders, minimizing the risk of non-compliance with GDPR. They will also benefit from improved latency with hosting based in 🇩🇪 AWS Frankfurt, Germany.

Multinational companies can now securely delegate security operations to European teams, with access limited to trusted local networks.
GitGuardian's IP Allowlist lets you lock down your workspaces by restricting access to trusted IP addresses or ranges. This feature enables granular network control, ensuring that only authorized internal or geographically restricted IPs can access sensitive services. Combined with other Zero Trust principles, this prevents lateral movement in case of a breach and drastically reduces the attack surface. 

With a secure global infrastructure in place, GitGuardian is poised to deliver even greater value through smarter, faster threat detection—especially where it counts most: in your development pipeline.

Smarter threat detection: VS Code Extension, updated detectors, and new detectors page

Our most successful users embrace shift-left security, integrating security directly into the development process—catching vulnerabilities early before they reach production.
We've long advocated for shift-left security, but traditional tools like pre-commit hooks and scanning measures only go so far. Even with the best intentions, developers may occasionally ignore pre-commit warnings or take shortcuts.

GitGuardian’s Visual Studio Code extension seamlessly integrates security into your development workflow. Imagine catching vulnerabilities before they leave your local machine! With real-time detection and guided remediation, security becomes a proactive and natural part of your coding environment.

However, additional detection capabilities would be pointless if we did not regularly update our detectors to meet evolving market needs and ensure we stay one step ahead of attackers.
We've added new detectors for emerging services like Mistral AI and adjusted patterns when providers, such as Buildkite, update their configurations. But we didn't stop there—our engineers also enhanced the performance of our generic detectors. With the introduction of FP Remover, we've set new industry standards, drastically reducing false positives. Now, your team can focus on real threats without getting bogged down by irrelevant alerts.

With GitGuardian supporting over 450 detectors, the list can be quite extensive and difficult to navigate. To help our users ensure that we meet their enterprise requirements, we have recently created a comprehensive list of all the detectors we support.

Securing collaborative workspaces: secrets detection in Slack, Jira, and Confluence

To our great surprise, one of our customers recently shared with us that their remote security teams are exchanging unencrypted sensitive information through collaboration tools to address secrets that have been exposed in their VCS. As recent data breaches have demonstrated, this adds insult to injury.

GitGuardian's coverage has never been so extensive, yet our teams are continuously working on solutions that detect secrets in a broader range of the tools used within organizations and reduce their attack surface. We've expanded our automated detection capabilities to cover the tools your teams use daily: Slack (now with detection through the message history), Jira Cloud and Jira Data Center (the self-hosted version), and Confluence Cloud and Data Center. This prevents accidental data leaks before they cause harm.

Avoiding false positives: checking the validity of secrets against your own instances

Organizations operating in highly regulated industries or with strict data privacy policies, such as telecommunication companies, may self-host most of the services their infrastructure relies on. 

With GitGuardian, your team can validate detected exposed secrets against your self-hosted services. Submit your self-hosted service, and GitGuardian will automatically recheck existing and future secret incidents, allowing your team to focus on real threats. For example, customers using a self-hosted GitLab instance may submit the host, and GitGuardian will handle the rest. "GitLab token" secret incidents will be rechecked against your instance to ensure security teams focus their efforts on valid incidents.

Custom remediation & smart notifications: addressing threats proactively

Among our customers, we see large automotive enterprises that need to act immediately when a security incident occurs and to follow up on unresolved threats.

Each organization has unique security practices. So, default remediation guidance may not let companies act fast enough to remediate incidents, even if they have implemented Git hooks to shift left. But it's at this exact moment that information is most valuable to the developer.
Workspace managers can now provide custom remediation messages for automated secret scanning at the pre-commit, pre-push, and even pre-receive steps of the Git workflow. It has never been easier to share internal resources and craft tailored responses that align with companies' internal processes, ensuring incidents are resolved correctly and swiftly.

While dismissing low-risk or false-positive incidents can be tempting, ignoring them without careful review could expose your organization to severe risks. That's why GitGuardian now sends email notifications for ignored incidents, encouraging your team to double-check before a potential vulnerability slips through the cracks. Security teams can also audit closed incidents with a valid secret using Saved views.

There is no one true path to reporting, triaging, and fixing security findings. The market offers many solutions to manage cybersecurity threats, and many teams also build custom software solutions that gather and use the data provided by all their security scanning tools. GitGuardian's output can be exported in the SARIF format, making it easier to aggregate, analyze, and compare results from different scanning tools.

Military-grade security for self-hosted access: DoD Common Access Card

Our public-sector customers must deliver software at startup speed while meeting security mandates. They secure sensitive data with stringent access control to their self-hosted environments. 

GitGuardian now supports Common Access Card (CAC) and Personal Identity Verification (PIV) to meet the strictest security requirements. This ensures compliance with US government standards, as only authorized personnel can access critical systems such as the GitGuardian dashboard, which lists and provides details on security incidents.

Scaling securely with AWS Marketplace partnership

Many of our customers host a large part of their infrastructure on AWS and leverage services of the AWS ecosystem, such as its secrets manager.

GitGuardian is now an AWS Marketplace partner. This allows organizations to easily deploy and integrate our solution within their existing AWS ecosystem, accelerating their growth without sacrificing security.

Elevating your security across every use case

With security threats becoming more sophisticated daily, there's no time to lose. GitGuardian's latest features offer the flexibility, detection capabilities, and control you need to protect your organization.
Implement these new capabilities today to safeguard your code, infrastructure, and sensitive data against increasingly sophisticated threats. Our Customer Success and Solutions Engineering teams are here to help you get started and optimize your security with the industry's leading secrets security solutions.