"Improves coding hygiene and uncovers potentially nasty surprises"

It's fantastic. We have checked a couple of other vendors and seen their results, which are quite inferior to the amount of detail that the GitGuardian Platform provides. With instantaneous notifications connected to our Slack platform, it allows us to deal quickly with incidents.


Glenn McDonald

Head of Engineering Services at IRESS

Software vendor currently using GitGuardian Public Monitoring


Review by a Real User

Verified by PeerSpot


What is our primary use case?

We use GitHub as our source code platform. When we shifted from on-premise version control systems, we identified a requirement for capable tooling that could both find secrets that were committed in the past, and prevent and alert on secrets that were being accidentally committed.

How has it helped my organization?

GitGuardian gives us a better understanding of what's going on in our source code. Persistent use of the platform has allowed us to highlight areas where we need to improve, e.g. providing training so that people know what information should and should not be in GitHub.

What is most valuable?

Automated validity checks are very helpful; we use them to prioritise incidents, as they give us a quick understanding as to which secrets are still valid. They also help us to confirm that token invalidation - which sometimes has to be done by another team or a third party - has worked as expected.

What needs improvement?

We'd love to see notification updates in Slack, as the system does not provide feedback on updates to incidents, which can be problematic when developers resolve issues.

For how long have I used the solution?

My experience with the solution started in November 2020, which is approximately four or five years.

What do I think about the stability of the solution?

It's generally quite stable.

What do I think about the scalability of the solution?

It handles all the repositories and commit activity we have.

How are customer service and support?

I would rate their technical support an eight out of ten.

Which solution did I use previously and why did I switch?

No

How was the initial setup?

We didn't have to do much. They manage all of the backend for us. All we have to do is integrate it into our GitHub organizations, and doing that is straightforward.

What about the implementation team?

In-house.

What was our ROI?

It's challenging to quantify, but it has saved us from a bit of panic because we know the state of our source code. It's hard to determine what savings might come from having the tooling or not.

What's my experience with pricing, setup cost, and licensing?

It's fairly priced, as it performs a lot of analysis and is a valuable tool.

Which other solutions did I evaluate?

We have tested it against other solutions, such as TruffleHog, the open-source solution, and found the GitGuardian Platform to be significantly better in terms of detection capabilities. TruffleHog focuses on secrets that it can validate, but in an enterprise world with lots of internal tools, APIs and platforms it can miss a lot of secrets.

What other advice do I have?

The new multi-vault feature looks useful; we are planning to connect it up to AWS Secrets Manager and HashiCorp Vault.

Which deployment model are you using for this solution?