What is most valuable?
What is our primary use case?
We use it to detect if our engineers are leaking secrets on public GitHub repositories. If any Payfit employee is leaking secrets in their own repositories or, in the Payfit repositories, they will be flagged by either the GitGuardian internal solution or the public one.
How has it helped my organization?
Overall, it has given us more trust in our engineers and in our global security. We know that if someone is leaking something critical or a secret, it will be detected pretty fast by GitGuardian and we will be alerted in minutes. It has helped us be more relaxed about those situations.
Its false positive rate is also really low. With the Public Monitoring solution, we have not had any false positives. With the Internal Monitoring solution, we have had a few, but that has been completely manageable. We can see them directly when checking the dashboard. It has definitely helped decrease false positives. In fact, GitGuardian helped us to be much more accurate because we used to use a tool we had built internally but it did not work very well. So we decided to go with GitGuardian and the accuracy is very nice.
In addition, it has definitely helped increase our secrets detection rate. Before we used this solution, we were doing manual research and that was not very effective. GitGuardian has increased our detection rate by a factor of 10 at least. And our mean time to remediation has been decreased because we are warned pretty fast when there is a leak.
It's also nice because it finds personal secrets of our developers. We have had a few situations where we detected a secret that was leaked in a personal repository of one of our engineers. The secret was not one from our company, it was the employee's. We warned them about this and they were pretty happy.
What is most valuable?
One thing I really like about it is the fact that we can add search words or specific payloads inside the tool, and GitGuardian will look into GitHub and alert us if any of these words is found in a repository. For example, if I put "Payfit" in the tool, I will be alerted every time someone is committing with that word in the code. It's really useful for internal domain names, to detect if someone is leaking internal code. With this capability in the tool, we have good surveillance over our potential blind spots.
It can detect a leak in 10 minutes. We had an experience with one of our engineers who had leaked a secret, and 10 minutes afterward we had a warning from GitGuardian about the leak. It's very effective. We looked at the commit date and the current date with hours and minutes and we could see that the commit had been made 10 minutes ago. As a result, we are sure it is pretty fast.
Another feature, one that helps prioritize remediation, is that you can filter the findings by criticality. That definitely helps us to prioritize which secrets we should rotate and delete.
What needs improvement?
I would like to see improvement in some of the user interface features. Some things are not that easy to use. The most impactful is the occurrences feature. When one secret is leaked in multiple files or multiple repositories, it will appear on the dashboard. But when you click on that secret, all the occurrences will appear on the page. It would be better to have one secret per occurrence, directly, so that we don't have to click to get to the list of all the occurrences.
For how long have I used the solution?
I have been using GitGuardian Public Monitoring for about eight months.
What do I think about the stability of the solution?
The stability is pretty good. We have not had any outages.
What do I think about the scalability of the solution?
The scalability is nice because their infrastructure is pretty powerful. They are able to monitor all our repositories and, with all the GitHub repositories they have to monitor for all their customers, it's working really fast and well.
We have 130 people using the solution, mostly engineers, but there are some project managers who use it as well.
How are customer service and support?
We had regular contact with their technical support for onboarding meetings and the like. They were very helpful. They asked us for our feedback a lot and asked if we had any ideas for improving the tool. And they have provided features for us based on our feedback.
Which solution did I use previously and why did I switch?
How was the initial setup?
What about the implementation team?
What was our ROI?
Our ROI is in the fact that we have detected a lot of secrets that were publically leaked, as well as secrets in our repositories that were not in the vault.
What's my experience with pricing, setup cost, and licensing?
It's a bit expensive, but it works well. You get what you pay for. You get something that is fully managed with a lot of features, and a tool that is very efficient.
Which other solutions did I evaluate?
We looked at other options. We looked at open-source solutions such as TruffleHog and Gitleaks, but they were not as effective as GitGuardian and they did not have any alerting feature, which was very important for us.
What other advice do I have?
My advice would be to compare this solution with open-source solutions. If you're not convinced about GitGuardian, benchmark it with other tools. Open-source tools are nice because most of the time they're free, if you don't take the support. But if you compare GitGuardian with other solutions, you will see that the efficiency is really not the same.
If a colleague in security said to me that secrets detection is not a priority, I would say that's a mistake. Most of the big security problems come from either social engineering attacks or credential stuffing. So it's really important to know that your engineers and your employees are going to leak secrets. That's life. Most of the time, it's due to mistakes. But if it happens, we need to act on it, and a solution such as GitGuardian is a really nice way to monitor and really efficiently detect these leaks.
Secrets detection is important to a security program for application development, especially if your company is growing and you have a lot of engineers. The more engineers there are, the more there is potential for leaks to happen.
There is no maintenance of the solution on our side, except for putting the GitHub API token inside Gitguardian so that it has access to our repositories to detect potential secrets.
Which deployment model are you using for this solution?