# Table of Contents
- [GitGuardian[docs] | GitGuardian documentation](#gitguardian-docs-gitguardian-documentation)
- [Glossary | GitGuardian documentation](#glossary-gitguardian-documentation)
- [GitGuardian API | GitGuardian documentation](#gitguardian-api-gitguardian-documentation)
- [GitGuardian Platform | GitGuardian documentation](#gitguardian-platform-gitguardian-documentation)
- [Frequently Asked Questions | GitGuardian documentation](#frequently-asked-questions-gitguardian-documentation)
- [Support | GitGuardian documentation](#support-gitguardian-documentation)
- [Honeytoken | GitGuardian documentation](#honeytoken-gitguardian-documentation)
- [Create your GitGuardian account | GitGuardian documentation](#create-your-gitguardian-account-gitguardian-documentation)
- [Understand the monitored perimeter | GitGuardian documentation](#understand-the-monitored-perimeter-gitguardian-documentation)
- [What is a secret? | GitGuardian documentation](#what-is-a-secret-gitguardian-documentation)
- [Release notes | GitGuardian documentation](#release-notes-gitguardian-documentation)
- [GitGuardian CLI (ggshield) | GitGuardian documentation](#gitguardian-cli-ggshield-gitguardian-documentation)
- [Secrets Detection | GitGuardian documentation](#secrets-detection-gitguardian-documentation)
- [Integrate your first repositories | GitGuardian documentation](#integrate-your-first-repositories-gitguardian-documentation)
- [Workspace settings | GitGuardian documentation](#workspace-settings-gitguardian-documentation)
- [How GitGuardian works | GitGuardian documentation](#how-gitguardian-works-gitguardian-documentation)
- [Secrets incidents | GitGuardian documentation](#secrets-incidents-gitguardian-documentation)
- [Getting started | GitGuardian documentation](#getting-started-gitguardian-documentation)
- [Core concepts | GitGuardian documentation](#core-concepts-gitguardian-documentation)
- [Assess your repositories' health | GitGuardian documentation](#assess-your-repositories-health-gitguardian-documentation)
- [Add and manage users | GitGuardian documentation](#add-and-manage-users-gitguardian-documentation)
- [Overview | GitGuardian documentation](#overview-gitguardian-documentation)
- [Manage your population of honeytokens | GitGuardian documentation](#manage-your-population-of-honeytokens-gitguardian-documentation)
- [Analyze trends and performance | GitGuardian documentation](#analyze-trends-and-performance-gitguardian-documentation)
- [Overview | GitGuardian documentation](#overview-gitguardian-documentation)
- [Account settings | GitGuardian documentation](#account-settings-gitguardian-documentation)
- [Deployment methods | GitGuardian documentation](#deployment-methods-gitguardian-documentation)
- [Self-hosting GitGuardian | GitGuardian documentation](#self-hosting-gitguardian-gitguardian-documentation)
- [Respond to a triggered honeytoken | GitGuardian documentation](#respond-to-a-triggered-honeytoken-gitguardian-documentation)
- [Data retention | GitGuardian documentation](#data-retention-gitguardian-documentation)
- [Understand honeytoken events and trigger mechanism | GitGuardian documentation](#understand-honeytoken-events-and-trigger-mechanism-gitguardian-documentation)
- [Glossary | GitGuardian documentation](#glossary-gitguardian-documentation)
- [Investigate and remediate your first open incident | GitGuardian documentation](#investigate-and-remediate-your-first-open-incident-gitguardian-documentation)
- [Configure your alerts | GitGuardian documentation](#configure-your-alerts-gitguardian-documentation)
- [Pre-Validators and Post-Validators | GitGuardian documentation](#pre-validators-and-post-validators-gitguardian-documentation)
- [Dashboard | GitGuardian documentation](#dashboard-gitguardian-documentation)
- [Secrets Detection Engine | GitGuardian documentation](#secrets-detection-engine-gitguardian-documentation)
- [Introduction | GitGuardian documentation](#introduction-gitguardian-documentation)
- [Authentication | GitGuardian documentation](#authentication-gitguardian-documentation)
- [Service accounts | GitGuardian documentation](#service-accounts-gitguardian-documentation)
- [Personal access tokens | GitGuardian documentation](#personal-access-tokens-gitguardian-documentation)
- [Encrypted Secrets | GitGuardian documentation](#encrypted-secrets-gitguardian-documentation)
- [Integrate a new Slack source | GitGuardian documentation](#integrate-a-new-slack-source-gitguardian-documentation)
- [Usage and quotas | GitGuardian documentation](#usage-and-quotas-gitguardian-documentation)
- [Integrate a new GitHub source | GitGuardian documentation](#integrate-a-new-github-source-gitguardian-documentation)
- [Machine Learning | GitGuardian documentation](#machine-learning-gitguardian-documentation)
- [Integrate a new Jira Cloud source | GitGuardian documentation](#integrate-a-new-jira-cloud-source-gitguardian-documentation)
- [Secrets Analyzers [BETA] | GitGuardian documentation](#secrets-analyzers-beta-gitguardian-documentation)
- [Pagination | GitGuardian documentation](#pagination-gitguardian-documentation)
- [Integrate a new Confluence Cloud source | GitGuardian documentation](#integrate-a-new-confluence-cloud-source-gitguardian-documentation)
- [API Reference | GitGuardian documentation](#api-reference-gitguardian-documentation)
- [Configure real-time alerting and notifications for your perimeter | GitGuardian documentation](#configure-real-time-alerting-and-notifications-for-your-perimeter-gitguardian-documentation)
- [Remediate a leak on public GitHub | GitGuardian documentation](#remediate-a-leak-on-public-github-gitguardian-documentation)
- [Email alerting | GitGuardian documentation](#email-alerting-gitguardian-documentation)
- [Introduction | GitGuardian documentation](#introduction-gitguardian-documentation)
- [Detect code leakage on public GitHub | GitGuardian documentation](#detect-code-leakage-on-public-github-gitguardian-documentation)
- [Create and manage teams | GitGuardian documentation](#create-and-manage-teams-gitguardian-documentation)
- [Jira Cloud | GitGuardian documentation](#jira-cloud-gitguardian-documentation)
- [Incident permissions and sharing | GitGuardian documentation](#incident-permissions-and-sharing-gitguardian-documentation)
- [Support bundle | GitGuardian documentation](#support-bundle-gitguardian-documentation)
- [Transfer workspace ownership | GitGuardian documentation](#transfer-workspace-ownership-gitguardian-documentation)
- [Manage email domain | GitGuardian documentation](#manage-email-domain-gitguardian-documentation)
- [Audit log | GitGuardian documentation](#audit-log-gitguardian-documentation)
- [Generic Private Key | GitGuardian documentation](#generic-private-key-gitguardian-documentation)
- [CyberArk | GitGuardian documentation](#cyberark-gitguardian-documentation)
- [Frequently Asked Questions | GitGuardian documentation](#frequently-asked-questions-gitguardian-documentation)
- [Configure SAML SSO | GitGuardian documentation](#configure-saml-sso-gitguardian-documentation)
- [Integrate a new GitHub Enterprise source | GitGuardian documentation](#integrate-a-new-github-enterprise-source-gitguardian-documentation)
- [Configure email preferences | GitGuardian documentation](#configure-email-preferences-gitguardian-documentation)
- [Integrate a new GitLab source | GitGuardian documentation](#integrate-a-new-gitlab-source-gitguardian-documentation)
- [Plan and usage | GitGuardian documentation](#plan-and-usage-gitguardian-documentation)
- [GitGuardian CLI (ggshield) | GitGuardian documentation](#gitguardian-cli-ggshield-gitguardian-documentation)
- [Python SDK | GitGuardian documentation](#python-sdk-gitguardian-documentation)
- [Secure secrets management | GitGuardian documentation](#secure-secrets-management-gitguardian-documentation)
- [Saved views | GitGuardian documentation](#saved-views-gitguardian-documentation)
- [Honeytoken for self-hosted installations | GitGuardian documentation](#honeytoken-for-self-hosted-installations-gitguardian-documentation)
- [API | GitGuardian documentation](#api-gitguardian-documentation)
- [Deployment jobs | GitGuardian documentation](#deployment-jobs-gitguardian-documentation)
- [Privacy mode | GitGuardian documentation](#privacy-mode-gitguardian-documentation)
- [DSA Private Key | GitGuardian documentation](#dsa-private-key-gitguardian-documentation)
- [Where should you scan for secrets in the SDLC? | GitGuardian documentation](#where-should-you-scan-for-secrets-in-the-sdlc-gitguardian-documentation)
- [Integrate a new Jira Data Center source | GitGuardian documentation](#integrate-a-new-jira-data-center-source-gitguardian-documentation)
- [Collaboration between Application Security and development teams | GitGuardian documentation](#collaboration-between-application-security-and-development-teams-gitguardian-documentation)
- [Integrate a new Azure DevOps Repos source | GitGuardian documentation](#integrate-a-new-azure-devops-repos-source-gitguardian-documentation)
- [Integrate a new Microsoft Teams source (private beta) | GitGuardian documentation](#integrate-a-new-microsoft-teams-source-private-beta-gitguardian-documentation)
- [Integrate a new Confluence Data Center source | GitGuardian documentation](#integrate-a-new-confluence-data-center-source-gitguardian-documentation)
- [PGP Private Key | GitGuardian documentation](#pgp-private-key-gitguardian-documentation)
- [Elliptic Curve Private Key | GitGuardian documentation](#elliptic-curve-private-key-gitguardian-documentation)
- [RSA Private Key | GitGuardian documentation](#rsa-private-key-gitguardian-documentation)
- [Overview | GitGuardian documentation](#overview-gitguardian-documentation)
- [Configuration | GitGuardian documentation](#configuration-gitguardian-documentation)
- [Remediate incidents | GitGuardian documentation](#remediate-incidents-gitguardian-documentation)
- [Getting started | GitGuardian documentation](#getting-started-gitguardian-documentation)
- [Configure SCIM | GitGuardian documentation](#configure-scim-gitguardian-documentation)
- [Microsoft Teams | GitGuardian documentation](#microsoft-teams-gitguardian-documentation)
- [Encrypted Private Key | GitGuardian documentation](#encrypted-private-key-gitguardian-documentation)
- [OpenSSH Private Key | GitGuardian documentation](#openssh-private-key-gitguardian-documentation)
- [Putty Private Key | GitGuardian documentation](#putty-private-key-gitguardian-documentation)
- [Overview | GitGuardian documentation](#overview-gitguardian-documentation)
- [Prioritize incidents | GitGuardian documentation](#prioritize-incidents-gitguardian-documentation)
- [Azure pipelines | GitGuardian documentation](#azure-pipelines-gitguardian-documentation)
- [Base64 Generic high entropy secret | GitGuardian documentation](#base64-generic-high-entropy-secret-gitguardian-documentation)
- [Docker images | GitGuardian documentation](#docker-images-gitguardian-documentation)
- [Pre-commit | GitGuardian documentation](#pre-commit-gitguardian-documentation)
- [Jira Data Center | GitGuardian documentation](#jira-data-center-gitguardian-documentation)
- [Detect secrets in GitHub PRs | GitGuardian documentation](#detect-secrets-in-github-prs-gitguardian-documentation)
- [Detect secrets on developer workstations | GitGuardian documentation](#detect-secrets-on-developer-workstations-gitguardian-documentation)
- [Detect secrets in CI pipelines | GitGuardian documentation](#detect-secrets-in-ci-pipelines-gitguardian-documentation)
- [IP allowlist for workspace access | GitGuardian documentation](#ip-allowlist-for-workspace-access-gitguardian-documentation)
- [GitLab OAuth Application Token | GitGuardian documentation](#gitlab-oauth-application-token-gitguardian-documentation)
---
# GitGuardian[docs] | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
How can we help?
================
Explore our guides to use the GitGuardian Platform
==================================================
Search
Get started
-----------
[### Create your account\
\
Create a GitGuardian account, verify email, and manage account settings.](/platform/getting-started/account-creation)
[### Integrate repositories\
\
Integrate GitGuardian with various VCSs, including GitHub, GitLab, Bitbucket, and Azure Repos, and monitor the codebase.](/platform/getting-started/integrate)
[### Monitor your perimeter\
\
Set up a monitored perimeter in GitGuardian, define its scope, and configure monitoring settings for different types of repositories.](/platform/monitor-perimeter/monitored-perimeter)
Discover our modules
--------------------
[\
\
### Secrets detection\
\
See how GitGuardian detects secrets and sensitive information in code repositories and alerts users of potential security risks.](/secrets-detection/home)
[\
\
### Honeytoken\
\
Create decoy secrets and monitor them for unauthorized use, providing an additional layer of active defense for detecting and preventing supply chain attacks.](/honeytoken/home)
[### Developer tools\
\
GitGuardian CLI\
---------------\
\
(ggshield)\
\
Detect and prevent 350+ types of hardcoded secrets and 70+ IaC misconfigurations before pushing code to the command line.\
\
](/ggshield-docs/home)
Configure
---------
[### Workspace settings\
\
Configure SAML SSO, manage your email domain, review your workspace audit logs, and transfer workspace ownership.](/platform/enterprise-administration/workspace-settings)
[### User account\
\
Manage GitGuardian user accounts, including settings for personal information, notifications, and integrations.](/platform/user-account/account-settings)
[### Self-hosting\
\
Set up and run GitGuardian on your infrastructure. See installation, upgrading, troubleshooting, and optimization tips.](/self-hosting/home)
[### Developer tools\
\
GitGuardian API\
---------------\
\
Use the public GitGuardian API to manage your workspace and incidents programmatically.\
\
](/api-docs/home)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Glossary | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Glossary
========
This document defines common words used to describe our secrets detection engine.
### Detector[](#detector "Direct link to Detector")
A set of rules that will be applied to a document to find one type of secret (e.g.: AWS keys, database URI, Google Key...).
### Generic detector[](#generic-detector "Direct link to Generic detector")
We consider that a detector is generic if we are not able to infer the secret's provider directly. For example the detector looking for a pattern such as `secret={high_entropy_string}` is a generic detector.
### Specific detector[](#specific-detector "Direct link to Specific detector")
A specific detector is a detector designed to find a well identified type of secret such as AWS keys, MySQL URI, Slack token... Specific detectors are often opposed to generic detectors.
### Assignment and assigned variable[](#assignment-and-assigned-variable "Direct link to Assignment and assigned variable")
We refer to an assignment as any statement of the form `{assigned_variable} {assignment_token} {value}`. For example in this statement: `my_variable = "HelloWorld"`, the assigned variable is: `my_variable`.
### Document[](#document "Direct link to Document")
Any text with a filename. Filename is optional.
### Entropy[](#entropy "Direct link to Entropy")
Measure of randomness of a string. An API key should have a high entropy since it is a randomly generated sequence of characters. When mentioning entropy in this documentation, we mean [Shannon entropy](https://en.wikipedia.org/wiki/Entropy_(information_theory))
.
### Filepath / Filename / Extension[](#filepath--filename--extension "Direct link to Filepath / Filename / Extension")
We adopted the following conventions for naming paths. For example `config/secrets.yaml`:
* `yaml` is the extension.
* `secrets.yaml` is the filename.
* `config/secrets.yaml` is the filepath.
### Insight[](#insight "Direct link to Insight")
Additional information on a document or a secret.
### Match[](#match "Direct link to Match")
A string that is part of a secret. A secret can be composed of one or several matches.
### Matcher[](#matcher "Direct link to Matcher")
A detection rule that is applied to a document and outputs matches.
### PostValidator[](#postvalidator "Direct link to PostValidator")
A validation rule applied to a secret candidate (e.g.: validate that all the matches have sufficient entropy).
### Precision[](#precision "Direct link to Precision")
The fraction of secrets detected that are indeed true secrets. We can keep track of this metric with the feedbacks of our customers.
### PreValidator[](#prevalidator "Direct link to PreValidator")
A validation rule applied to a document (e.g.: look for "datadog" in the document).
### Priority[](#priority "Direct link to Priority")
A rule that prioritizes one secret over another one if they are overlapping. A secret detected by a specific detector always has a higher priority than one detected by a generic detector.
### Recall[](#recall "Direct link to Recall")
The fraction of secrets we were able to detect and classify as such among all secrets that exist. This metric is almost impossible to measure without human labelling.
### Scanner[](#scanner "Direct link to Scanner")
A collection of detectors. In terms of code, this is the entry point to scan a document, and the only way of scanning one.
### Secret[](#secret "Direct link to Secret")
A combination of strings found by a detector in a document. This combination should grant access to a private service.
### Secrets overlapping[](#secrets-overlapping "Direct link to Secrets overlapping")
Two secrets overlap if any of one's matches are partially or completely included in any of the other's secrets matches.
### Validity Check[](#validity-check "Direct link to Validity Check")
A non intrusive call to the concerned service that allows to determine whether a key is valid or invalid. Some validity checks can be used to improve our precision and be sure that we only raise alerts for valid secrets.
#### Was this page helpful?
[](#)
[](#)
* [Detector](#detector)
* [Generic detector](#generic-detector)
* [Specific detector](#specific-detector)
* [Assignment and assigned variable](#assignment-and-assigned-variable)
* [Document](#document)
* [Entropy](#entropy)
* [Filepath / Filename / Extension](#filepath--filename--extension)
* [Insight](#insight)
* [Match](#match)
* [Matcher](#matcher)
* [PostValidator](#postvalidator)
* [Precision](#precision)
* [PreValidator](#prevalidator)
* [Priority](#priority)
* [Recall](#recall)
* [Scanner](#scanner)
* [Secret](#secret)
* [Secrets overlapping](#secrets-overlapping)
* [Validity Check](#validity-check)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# GitGuardian API | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)

###### Developer tools
GitGuardian API
===============
With GitGuardian API, manage your dashboard data & utilize our secrets detection engine. Enables custom reports, programmatic incident management & easy integration into your existing services.
Get started with the GitGuardian API
------------------------------------
[### Authenticate API requests\
\
Learn how to authenticate API requests using an API key (service account or personal access token).](/api-docs/authentication)
[### Create and manage service accounts\
\
Create and manage service accounts for API access. Service accounts represent non-human users for authentication and authorization, for secrets scanning in CI pipelines or batch processing open incidents.](/api-docs/service-accounts)
[### Create and manage personal access tokens\
\
Create and manage personal access tokens for API access. They are used by devs on their local workstations to scan for secrets using GitGuardian CLI (ggshield) in pre-commit or pre-push git hooks.](/api-docs/personal-access-tokens)
Usage of the GitGuardian API
----------------------------
[### Usage and quotas\
\
Study the usage quotas for GitGuardian API. Check your quota usage, and see what happens when you exceed your quota.](/api-docs/usage-and-quotas)
[### API reference\
\
Get detailed information on GitGuardian API endpoints, including how to use them, what parameters are required, and what responses to expect.](/api-docs/api-reference)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# GitGuardian Platform | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
###### GitGuardian
Platform
========
GitGuardian is the code security platform for the DevOps generation. In this section, learn how to set up & use GitGuardian Platform for comprehensive protection of your SDLC.
First steps
===========
Get started
-----------
[### Create your account\
\
Read instructions on how to create a GitGuardian account, sign up, verify your email address, manage account settings etc.](/platform/getting-started/account-creation)
[### Integrate your first repositories\
\
Integrate GitGuardian with internal repos, & configure to monitor the codebase. It covers a wide range of VCSs (GitHub, GitLab, Bitbucket & Azure Repos).](/platform/getting-started/integrate)
[### Assess your repositories’ health\
\
See how GitGuardian performs full historical scan of your repositories to conduct an initial audit. The Perimeter view gives info on interpreting scan results.](/platform/getting-started/first-audit)
Connect with GitGuardian
------------------------
[### Git repositories (VCSs)\
\
Learn how to set up GitGuardian's monitoring for different VCS integrations, including GitHub, GitHub Enterprise, GitLab, Bitbucket, and Azure Repos.](/platform/getting-started/integrate)
[### Dev environments\
\
Discover GitGuardian CLI (ggshield) for secrets & IaC misconfigs scanning throughout your SDLC. Install, use and customize ggshield to fit your specific needs.](/ggshield-docs/home)
[### Alerting tools\
\
See instructions on how to set up and configure various notification integrations, including email alerting, webhooks, Splunk, PagerDuty, Slack, Discord, and Jira.](/platform/monitor-perimeter/alerting-and-notifications#events-and-notification-preferences)
Monitor your perimeter
----------------------
[### Understand the monitored perimeter\
\
Understand how to monitor your perimeter, grasp the scope of the perimeter and see differences between historical scanning and real-time protection.](/platform/monitor-perimeter/monitored-perimeter)
[### Configure real-time alerts and notifications\
\
Learn how to configure and manage alerts, set up alert policies and customize notification settings. It also includes info on how to view and manage alerts.](/platform/monitor-perimeter/alerting-and-notifications)
Modules
-------
[\
\
### Secrets Detection\
\
Detect secrets and sensitive information in code repositories and alert team members of potential security risks.](/secrets-detection/home)
[\
\
### Honeytoken\
\
Generate decoy secrets at scale, monitor for unauthorized use, and boost DevOps pipeline security against supply chain attacks.](/honeytoken/home)
Configuration
=============
Manage your workspace
---------------------
[### Create and manage users\
\
Manage GitGuardian users and roles for effective collaboration. Add and remove users, assign roles and permissions, and manage access control policies.](/platform/collaboration-and-sharing/users)
[### Create and manage teams\
\
Manage teams for seamless collaboration and sharing of secrets incidents. Create teams, add or remove teammates, and assign permissions.](/platform/collaboration-and-sharing/teams)
[### Set incident permissions\
\
Learn about incident permissions and sharing. Assign incident permissions, share incidents internally via "grant access", and externally via "public share link".](/platform/collaboration-and-sharing/incident-permissions-and-sharing)
Enterprise administration
-------------------------
[Configure SAML SSO](/platform/enterprise-administration/saml-sso-configuration)
[Manage email domain](/platform/enterprise-administration/email-domain-management)
[Audit log](/platform/enterprise-administration/audit-log)
[Transfer workspace ownership](/platform/enterprise-administration/transfer-ownership)
Manage your account
-------------------
[Account settings](/platform/user-account/account-settings)
[Plan and usage](/platform/user-account/plan-usage)
[Configure email preferences](/platform/user-account/email-preferences)
GitGuardian API, CLI & SDK
--------------------------
[Dashboard](/platform/gitguardian-suite/dashboard)
[GitGuardian API](/platform/gitguardian-suite/api)
[GitGuardian CLI (ggshield)](/platform/gitguardian-suite/gitguardian-cli-ggshield)
[Python SDK](/platform/gitguardian-suite/python-sdk)
Security & Data privacy
-----------------------
[Data retention](/platform/security-data-privacy/data-retention)
[Privacy mode](/platform/security-data-privacy/privacy-mode)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Frequently Asked Questions | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Frequently Asked Questions
==========================
At any point when reading this FAQ section you can use our [glossary](/secrets-detection/secrets-detection-engine/glossary)
to find some useful definitions.
### How does GitGuardian's detection engine work, roughly speaking?[](#how-does-gitguardians-detection-engine-work-roughly-speaking "Direct link to how-does-gitguardians-detection-engine-work-roughly-speaking")
For an extensive response, you can consult [this page](/secrets-detection/secrets-detection-engine/quick_start)
. GitGuardian's detection engine revolves around the concept of detectors. A detector is a set of instructions that our detection engine will execute on a given input document to catch secrets in it. The flow of instructions is always the same:
* Pre-Validation: discard documents as early as possible if they are of no interest for secrets detection.
* Matching: look for a given pattern.
* Post-Validation: apply some validation steps to select only relevant secrets. All these steps are performed using a combination of regular expressions and heuristics based on contextual information.
### What is the difference between generic and specific detectors?[](#what-is-the-difference-between-generic-and-specific-detectors "Direct link to what-is-the-difference-between-generic-and-specific-detectors")
Simply put, a **specific detector** is designed to find a well identified type of secret whereas a **generic detector** yields secrets that are not associated with a given provider. For a bit more details, you can refer to this [documentation on detectors](/secrets-detection/secrets-detection-engine/detectors/introduction)
.
### Does GitGuardian check the validity of credentials?[](#does-gitguardian-check-the-validity-of-credentials "Direct link to does-gitguardian-check-the-validity-of-credentials")
When possible, **GitGuardian will check the validity of the detected credentials**. To do so, GitGuardian performs the **least intrusive call as possible** to the service. We favor HEAD requests, or GET requests when we cannot. We also select endpoints that do not return any personal information. Once this is done, the secret will be labelled as either:
* valid: the service call was successful and confirms the secret is **valid**.
* invalid: the service call was successful and confirms the secret is **invalid**.
* failed to check: the service call was not successful, so we can't tell whether the secret is valid or not.
There are a few situations which can lead to "failed to check". For example, this happens when the service is internal and thus not reachable from our servers. Another common example is if the service was down at the time we tried to call it. We can't tell whether the secret is valid or invalid so we remain cautious and report the incident.
### Why do some detectors only report incidents for valid secrets?[](#why-do-some-detectors-only-report-incidents-for-valid-secrets "Direct link to why-do-some-detectors-only-report-incidents-for-valid-secrets")
The format of some secrets makes it impossible to create a detector with a good enough precision. This is the case for example if the secret has no prefix, no suffix and no fixed length. Reporting all matching potential secrets would produce too many false positives. To avoid that, we only report the secret if it has been confirmed valid by a check. Detectors for these secrets are marked as "Only valid secrets raise an alert".
### What do you call a false positive exactly in the context of secrets detection?[](#what-do-you-call-a-false-positive-exactly-in-the-context-of-secrets-detection "Direct link to what-do-you-call-a-false-positive-exactly-in-the-context-of-secrets-detection")
In the context of secrets detection, a false positive occurs when our detection engine raises an alert for a secret that is not one and has never been one. For more details on false positives, recall and precision, we highly recommend reading this [blog post](https://blog.gitguardian.com/secrets-detection-accuracy-precision-recall-explained/)
.
### How to properly test GitGuardian detection capabilities?[](#how-to-properly-test-gitguardian-detection-capabilities "Direct link to how-to-properly-test-gitguardian-detection-capabilities")
To properly test our engine, we recommend reading this documentation carefully, and especially looking at detector's examples that will provide you with some good test cases. You can also use this [example repository](https://github.com/GitGuardian/sample_secrets)
to get familiar with our detection engine's behavior. If a secret is not detected by one of our detectors, you can refer to [this question](#did-not-detect)
to get some explanations.
### Why didn't GitGuardian detect my secret?[](#why-didnt-gitguardian-detect-my-secret "Direct link to why-didnt-gitguardian-detect-my-secret")
First of all, we recommend building your test cases by following our detector's [documentation](/secrets-detection/secrets-detection-engine/detectors/supported_credentials)
. For each detector, we provide a set of examples that are detected by our engine. Here are also some possible reasons why we did not raise an alert for your secret:
* The associated detector is checked, and your secret is not valid anymore. In that case, the secret is labelled as invalid and no alert is raised.
* You somehow obfuscated your secret to test our detection capabilities, and that's a good practice. But you may have broken the pattern of the key in the process: make sure you kept an identical length and charset.
* Your secret could not pass our pre-validation steps: for certain detectors we ban markdown files, or we require a given context for the detection to occur. You can refer to the concerned detector's documentation [here](/secrets-detection/secrets-detection-engine/detectors/supported_credentials)
.
* Your secret is not part of the required [assignment](/secrets-detection/secrets-detection-engine/glossary#assignment-and-assigned-variable)
. Look at the detector's examples to see what patterns are detected.
### We’ve seen real credentials in .md files in the past already, why do some of your detectors drop .md files?[](#weve-seen-real-credentials-in-md-files-in-the-past-already-why-do-some-of-your-detectors-drop-md-files "Direct link to weve-seen-real-credentials-in-md-files-in-the-past-already-why-do-some-of-your-detectors-drop-md-files")
At GitGuardian one of our biggest challenges is to achieve a detection with the highest precision and the best recall possible, in other words squaring the circle. To do so, we battle test our algorithms on GitHub's live data feed. We also permanently monitor our detector's performance by looking at explicit feedback from developers or from our checkers, as well as implicit feedback: e.g. secrets removal. Thanks to these feedbacks, we decided to drop markdown files in certain detectors in an effort to reduce alert fatigue and increase our precision. To know which detectors are concerned, you can refer to detectors' pre-validation steps' documentation.
### Are cryptographic keys sensitive objects?[](#are-cryptographic-keys-sensitive-objects "Direct link to are-cryptographic-keys-sensitive-objects")
**Cryptographic Keys**
Cryptographic algorithms are tools used to secure communications over public channels such as the Internet. Based on mathematical hard problems, they are the building blocks of protocols such as TLS (for secure internet browsing via https) or SSH (for secure remote access to servers). The different security features provided by cryptography are authentication, authorization, and encryption. To this end, cryptographic algorithms are bound to cryptographic keys that are used to unlock or lock these functions.
We distinguish two types of keys, symmetric or asymmetric keys:
* A symmetric key is shared between the communicating entities.
* Asymmetric keys are composed of a public and a private key. The public key is distributed to everyone to initiate a communication or a protocol and the private key is used to verify and carry on the communication or the protocol. Having access to someone's symmetric key or asymmetric private key can have devastating consequences. A malicious adversary could then impersonate an entity, tamper its communications, or simply have access to all its secure data.
**How we detect private keys**
After the introduction of the series of IETF RFC [1421](https://tools.ietf.org/html/rfc1421)
, [1422](https://tools.ietf.org/html/rfc1422)
, [1423](https://tools.ietf.org/html/rfc1423)
, and [1424](https://tools.ietf.org/html/rfc1424)
most implementation libraries involving cryptography (such as OpenSSL) use a shared format to store the cryptographic keys called PEM (stands for Privacy-Enhanced Mail). This format has a very structured form, always starting with the same pattern. This is very convenient for detection as it implies a high recall on the different implemented detectors. We based our family of cryptographic key detectors on the particularity of the PEM format to get very efficient and precise detectors. Here are the list of the detectors currently implemented in our suit:
* [Generic private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_generic)
.
* [DSA private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_dsa)
.
* [Elliptic curve private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_elliptic)
.
* [RSA private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa)
.
* [OpenSSH private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_openssh)
.
* [PGP private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_pgp)
.
* [Encrypted private key](/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_encrypted)
.
* [Putty private key](/secrets-detection/secrets-detection-engine/detectors/specifics/putty_private_key)
.
We targeted the main cryptographic algorithms or protocols, which are the most commonly used ones and referenced one by standard entities. For each of those algorithms, we implemented a detector for both the PEM format form and the Base64 encoded version.
**What about public key certificates?** One frequently asked question by the public and our customers is about the sensitivity of a certificate. Public-key certificates are used in TLS protocols in order to establish authenticated and secure communication channels when browsing the web, displayed as https and a green lock on the website. They are in essence just public keys augmented with a signature that everyone can access to (simply click on the lock). As such, they have no sensitivity and the augmented signatures just provide trust to users that this certificate was issued by a trusted party. The trusted party is usually referenced by either the browser or the OS (Linux, Windows, macOS, etc) during installation.
#### Was this page helpful?
[](#)
[](#)
* [](#how-does-gitguardians-detection-engine-work-roughly-speaking)
How does GitGuardian's detection engine work, roughly speaking?
* [](#what-is-the-difference-between-generic-and-specific-detectors)
What is the difference between generic and specific detectors?
* [](#does-gitguardian-check-the-validity-of-credentials)
Does GitGuardian check the validity of credentials?
* [](#why-do-some-detectors-only-report-incidents-for-valid-secrets)
Why do some detectors only report incidents for valid secrets?
* [](#what-do-you-call-a-false-positive-exactly-in-the-context-of-secrets-detection)
What do you call a false positive exactly in the context of secrets detection?
* [](#how-to-properly-test-gitguardian-detection-capabilities)
How to properly test GitGuardian detection capabilities?
* [](#why-didnt-gitguardian-detect-my-secret)
Why didn't GitGuardian detect my secret?
* [](#weve-seen-real-credentials-in-md-files-in-the-past-already-why-do-some-of-your-detectors-drop-md-files)
We’ve seen real credentials in .md files in the past already, why do some of your detectors drop .md files?
* [](#are-cryptographic-keys-sensitive-objects)
Are cryptographic keys sensitive objects?
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Support | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Support
=======
We are here to assist you and welcome your feedback on our features. Feel free to reach out at [support@gitguardian.com](mailto:support@gitguardian.com)
. Additionally, you can submit any ideas or feature requests directly on our [Product Portal](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
.
#### References[](#references "Direct link to References")
* [Learning center](https://www.gitguardian.com/secrets-detection)
* [Blog](https://blog.gitguardian.com/)
* [White paper](https://www.gitguardian.com/whitepapers/secrets-detection)
* [Open source](https://github.com/GitGuardian)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Honeytoken | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
###### Modules
Honeytoken
==========
With the GitGuardian Honeytoken module, generate decoy credentials at scale and track for unauthorized usage. Improve DevOps pipeline security, detect supply chain attacks, and lure attackers to reveal themselves using our early warning system.
[Join us for a concise 20-minute live demo of GitGuardian Honeytoken](https://app.livestorm.co/gitguardian/live-product-demo-gitguardian-honeytoken)
with our in-house experts Dwayne McDaniel and Jason Miller.

Get started
-----------
[### Discover our honeytokens’ benefits\
\
Read about honeytokens, their use for detecting supply chain breaches and code leaks, and their easy deployment throughout your pipeline.](/honeytoken/core-concepts)
[### Create and deploy your first honeytoken\
\
Learn how to get started with step-by-step instructions for creating and testing a honeytoken.](/honeytoken/getting-started)
[### Configure your honeytokens’ alerts\
\
See how to set up your email notifications, and custom webhooks to monitor the triggering of honeytokens or any new events.](/honeytoken/configure-alerts)
Popular
-------
[### Manage your honeytokens\
\
See where to filter, view and manage your honeytoken events. Know where to edit the honeytokens’ info and view their detailed logs.](/honeytoken/manage)
[### Understand honeytoken events and trigger mechanism\
\
Understand how honeytokens get triggered and learn how to enrich and manage your events with IP rules.](/honeytoken/understand-events)
[### Respond to triggered honeytokens\
\
Your honeytoken has been triggered? See how to reset or revoke them after your investigation.](/honeytoken/respond)
What’s new
----------
[### Deployment jobs\
\
Use deployment jobs to efficiently disseminate honeytokens in code repositories integrated with GitGuardian.](/honeytoken/deploy-honeytokens/deployment-jobs)
[### Detect code leakage on public GitHub\
\
Learn how GitGuardian detects leaked honeytokens on public GitHub and tags them as publicly exposed.](/honeytoken/code-leakage)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Create your GitGuardian account | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Create your GitGuardian account
===============================
Getting started with GitGuardian Internal Monitoring is easy. All you need is a GitGuardian account and repositories to scan for hardcoded secrets.
Step 1. Create your account[](#step-1-create-your-account "Direct link to Step 1. Create your account")
---------------------------------------------------------------------------------------------------------
Go to [https://dashboard.gitguardian.com](https://dashboard.gitguardian.com/auth/signup?utm_source=website&utm_medium=docs&utm_campaign=getting-started)
and choose one of the following options.

### Option 1. Using GitHub's social login[](#option-1-using-githubs-social-login "Direct link to Option 1. Using GitHub's social login")
Signing up via your GitHub account is the fastest way to get started with GitGuardian.
1. Click `Sign up with GitHub`
2. Follow the instructions on GitHub to set up the [GitGuardian GitHub App](https://github.com/marketplace/gitguardian)
. You can choose to give GitGuardian access to all your repositories or to a selection of repositories, this can be modified later from your GitHub account.
### Option 2. Using email and password[](#option-2-using-email-and-password "Direct link to Option 2. Using email and password")
1. Fill the sign up form
2. You will receive an email in order to confirm your email address. Follow the instructions in this email to finish creating your account.
### Option 3. Using SSO[](#option-3-using-sso "Direct link to Option 3. Using SSO")
If you are joining an existing workspace managed by your organization, you can also create an account and sign in using SSO. Go to [https://dashboard.gitguardian.com/auth/sso](https://dashboard.gitguardian.com/auth/sso?utm_source=website&utm_medium=docs&utm_campaign=getting-started)
and complete the form with your **professional email address** or **company domain** to be redirected to your organization's workspace.
#### Was this page helpful?
[](#)
[](#)
* [Step 1. Create your account](#step-1-create-your-account)
* [Option 1. Using GitHub's social login](#option-1-using-githubs-social-login)
* [Option 2. Using email and password](#option-2-using-email-and-password)
* [Option 3. Using SSO](#option-3-using-sso)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Understand the monitored perimeter | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Understand the monitored perimeter
==================================
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
Your perimeter is simply anywhere you are storing your shared code repositories. This includes shared repository hosting like GitHub, GitLab, Bitbucket or Azure Repos.
Your [perimeter page](https://dashboard.gitguardian.com/perimeter?sort_health=_&sort_ic=_&sort_source=false)
has two main objectives:
1. Identify which of your sources are at risk
2. Ensure that your entire perimeter is well protected by GitGuardian

For effective navigation in the perimeter table, users can leverage [Saved views](/platform/collaboration-and-sharing/saved-views)
to switch between different sets of filters. The feature includes non-editable GitGuardian views such as "All sources," "Critical sources," "Scanning issues", "With open secret incidents", "Without honeytoken".
At the bottom of the right-hand side panel, the **scope section** gives you a quick summary of the different integrations (VCS types) that have been integrated with GitGuardian, alongside a breakdown of sources per integration.

Differences between historical scanning and real-time protection[](#differences-between-historical-scanning-and-real-time-protection "Direct link to Differences between historical scanning and real-time protection")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Real-time monitoring[](#real-time-monitoring "Direct link to Real-time monitoring")
The first protection and the most effective one for secrets remediation is the **real-time monitoring**.
As you may have read in our [How GitGuardian works section](/platform/core-concepts/how-gitguardian-works)
, real-time monitoring means that every single push event (and its commits) is scanned for secrets as soon as they arrive on your VCS server (post-receive hooks).
We then **alert you instantly**, which will save you time in the remediation process. Indeed, **the longer a secret is exposed, the harder the remediation gets.**
On the right-hand side panel, we indicate **the percentage of sources covered**, based on the number of sources you integrated with GitGuardian. Note that some sources may not be eligible to be monitored because of plan restrictions.
Note that the table of sources displayed on the Perimeter page only contains sources that are monitored in real-time. The sources that are not selected in the integration settings page are not displayed.

For performance reasons, we limit the number of commits scanned per push event. By default, this limit is 1,000 scanned commits/push event, but this can be customized per workspace on demand.
### Historical scanning[](#historical-scanning "Direct link to Historical scanning")
The second type of protection offered is the ability to **scan the commit history** of all the sources you integrated with GitGuardian.

Size limitations apply to historical scans, depending on your plan:
* Free: you can scan sources up to 1GB,
* Business and trial: you can scan sources up to 12 GB.
info
For performance reasons, if a historical scan is requested for a repository that has had no new commits on any branch since the last historical scan, GitGuardian will skip the scan to avoid reprocessing the entire history. However, if the tokenscanner version has changed since the last historical scan—with GitGuardian having introduced new detectors—the scan will proceed, even if there are no new commits.
#### Potential Errors During Historical Scanning and Their Resolutions[](#potential-errors-during-historical-scanning-and-their-resolutions "Direct link to Potential Errors During Historical Scanning and Their Resolutions")
| Reason | Error Message | Steps to Resolve |
| --- | --- | --- |
| DMCA takedown | The source is unavailable due to a [DMCA](https://docs.github.com/en/site-policy/content-removal-policies/dmca-takedown-policy)
takedown. | Contact the source owner to discuss the DMCA takedown. |
| Access to the repository is disabled | The source has been disabled. | Reach out to the source owner to request re-enabling access to the repository. |
| Account has been disabled | The source’s account has been disabled. | Contact the source owner to resolve the account issues and regain access. |
| Access to repository restricted by IP | The source’s account has a configured IP allow list. | Contact the source owner to review and adjust the IP allow list. |
| Repository not found | The source could not be found. Please retry and contact the source owner if it persists. | Double-check the repository URL and retry. Contact the source owner if the issue persists. |
| Clone operation stuck or too slow | The connection to the server is slow or stuck. | Contact the VCS administrator to investigate server connection issues. |
| VCS not ready or responded with an error | The server did not respond after multiple attempts. | Reach out to the VCS administrator to ensure the server is operational and retry the scan. |
| Repository disabled in GitLab project | The git repository in the GitLab project has been disabled. | Enable the “repository” functionality in the settings of the GitLab project. |
| The repository has been deleted | The target repository has been deleted. | Contact the VCS administrator to confirm and address the deletion of the repository. |
| VCS authentication error | The authentication to the VCS has failed. | Verify authentication token under Settings > Integrations and contact the VCS administrator if needed. |
| Rate limit error | The rate limit has been exceeded. | Wait for the rate limit to reset or contact the VCS administrator for a resolution. |
| Too Large | The historical scan failed because it exceeded the authorized size limit. | Contact GitGuardian [support](mailto:support@gitguardian.com)
to discuss options for scanning larger repositories. For self-hosted environments, consider adjusting the `repo_scan_size_limit` in the [preferences](/self-hosting/management/application-management/preferences#policy)
within the [Admin area](/self-hosting/management/application-management/admin-area#settings)
. |
| Timeout | The historical scan failed due to a timeout error because it exceeded the authorized time limit for an individual scan. | Contact GitGuardian [support](mailto:support@gitguardian.com)
for troubleshooting and to potentially extend the scan time limit. For self-hosted environments, consider adjusting the `repo_scan_time_limit_in_sec` in the [preferences](/self-hosting/management/application-management/preferences#policy)
within the [Admin area](/self-hosting/management/application-management/admin-area#settings)
. |
| Timeout Pending | The historical scan failed due to a timeout error because it exceeded the authorized time limit for a bulk scan. Please contact our [support](mailto:support@gitguardian.com)
. | Contact GitGuardian support to address bulk scan timeouts and explore alternative solutions. For self-hosted environments, consider adjusting the `repo_scan_pending_limit_in_hours` in the [preferences](/self-hosting/management/application-management/preferences#policy)
within the [Admin area](/self-hosting/management/application-management/admin-area#settings)
. |
| Scan worker error | The scan failed due to an internal worker error, often caused by memory limitations. | Please reach out to our [support team](mailto:support@gitguardian.com)
. If you are running GitGuardian in a self-hosted environment, consider increasing the memory allocation for workers to resolve the issue. Additionally, generate a [Support Bundle](/self-hosting/troubleshoot/support)
for further troubleshooting purposes. |
| Engine error | The scan failed due to an internal engine error. | Please reach out to our [support team](mailto:support@gitguardian.com)
. If you are running GitGuardian on a self-hosted environment, generate a [Support Bundle](/self-hosting/troubleshoot/support)
for troubleshooting purposes. |
| Process received SIGKILL | The scan process was forcibly terminated (SIGKILL). | Please reach out to our [support team](mailto:support@gitguardian.com)
. If you are running GitGuardian on a self-hosted environment, generate a [Support Bundle](/self-hosting/troubleshoot/support)
for troubleshooting purposes. |
| Unknown | The scan failed due to an unknown error. | Please reach out to our [support team](mailto:support@gitguardian.com)
. If you are running GitGuardian on a self-hosted environment, generate a [Support Bundle](/self-hosting/troubleshoot/support)
for troubleshooting purposes. |
Historical scanning is also available for Slack. You can scan the entire history of your monitored public and private Slack channels. Conversations and archived channels are not supported.
Note that historical scanning is subject to the Slack's API rate limiting. We can scan up to 10.000 messages/min per Slack workspace.
Historical Scan reports of Slack and VCS are sent separately.
Source status[](#source-status "Direct link to Source status")
----------------------------------------------------------------
### Monitored source[](#monitored-source "Direct link to Monitored source")
A source is considered as monitored when the GitGuardian platform is listening for any activity on that source.
This is the outcome of:
* successfully integrating GitGuardian with the source
* and having a plan that supports its monitoring.
Monitored sources are listed on the [Perimeter page](https://dashboard.gitguardian.com/perimeter)
.
### No longer monitored source[](#no-longer-monitored-source "Direct link to No longer monitored source")
A source is considered as no longer monitored when the GitGuardian is no longer listening to any activity on that source.
This may be the result of
* uninstalling GitGuardian from the source,
* or excluding the source from the monitored perimeter,
* or a change in your plan that no longer supports this source.
A source that is no longer monitored presents a risk, as no occurrence will be created after a secret has been published in it. Such a source is identified with a striked shield icon next to it. 
No longer monitored sources are no longer listed on the [Perimeter page](https://dashboard.gitguardian.com/perimeter)
.
### Deleted source[](#deleted-source "Direct link to Deleted source")
A source is considered deleted only when GitGuardian receives evidence of its actual deletion. This means that we don't consider a source deleted just because it has been removed from GitGuardian, but rather only when it has been truly erased. Eg: the repository is deleted on GitHub.
Such a source is identified with a bin icon next to it. 
Deleted sources are no longer listed on the [Perimeter page](https://dashboard.gitguardian.com/perimeter)
.
Source visibility[](#source-visibility "Direct link to Source visibility")
----------------------------------------------------------------------------
A source is defined by a visibility scope. Depending of the installed instance, a source can be:
* `public`: anyone with access to the Internet can view the contents of this source. Your secret is publicly exposed and presents a higher security risk.
* `internal` (specific to GitLab): internal GitLab projects can be viewed by any authenticated user except external users. Such a GitLab project is identified by a shield icon next to it.
* `private`: Only authorized users with access to the source can view its contents. Such a source is identified by a lock icon next to it.

Source criticality[](#source-criticality "Direct link to Source criticality")
-------------------------------------------------------------------------------
The source criticality feature enables you to assess and assign a level of importance to your monitored sources, helping you prioritize your incidents effectively. This feature allows you to categorize them as low, medium, high, or critical, or leave it unfilled, based on the potential severity of a security incident's impact. Its value depends on the business context of your source, which will be determined by factors such as the nature of the handled data and its connection to resources in a production environment.

How can I add new sources to my protected perimeter?[](#how-can-i-add-new-sources-to-my-protected-perimeter "Direct link to How can I add new sources to my protected perimeter?")
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Version Control Systems[](#version-control-systems "Direct link to Version Control Systems")
* [GitHub integration](/platform/monitor-perimeter/vcs-integrations/github)
* [GitHub Enterprise integration](/platform/monitor-perimeter/vcs-integrations/github-enterprise)
* [Gitlab integration](/platform/monitor-perimeter/vcs-integrations/gitlab)
* [Bitbucket Cloud integration](/platform/monitor-perimeter/vcs-integrations/bitbucket-cloud)
* [Bitbucket Data Center/Server integration](/platform/monitor-perimeter/vcs-integrations/bitbucket)
* [Azure DevOps Repos integration](/platform/monitor-perimeter/vcs-integrations/azure-repos)
### Messaging & ChatOps[](#messaging--chatops "Direct link to Messaging & ChatOps")
* [Slack integration](/platform/monitor-perimeter/messaging-integrations/slack)
* [Microsoft Teams integration](/platform/monitor-perimeter/messaging-integrations/microsoft-teams)
### Ticketing[](#ticketing "Direct link to Ticketing")
* [Jira Cloud integration](/platform/monitor-perimeter/ticketing-integrations/jira-cloud)
* [Jira Data Center integration](/platform/monitor-perimeter/ticketing-integrations/jira-data-center)
### Documentation[](#documentation "Direct link to Documentation")
* [Confluence Cloud integration](/platform/monitor-perimeter/documentation-integrations/confluence-cloud)
* [Confluence Data Center integration](/platform/monitor-perimeter/documentation-integrations/confluence-data-center)
Troubleshooting connectivity problems[](#troubleshooting-connectivity-problems "Direct link to Troubleshooting connectivity problems")
----------------------------------------------------------------------------------------------------------------------------------------
Most often, connectivity problems arise because a firewall, proxy server, corporate network, or other network is configured in a way that blocks GitGuardian.
In case you need to authorize incoming/outgoing connections to/from the SAAS application, this paragraph provides the necessary information.
### Allowing GitGuardian's IP addresses[](#allowing-gitguardians-ip-addresses "Direct link to Allowing GitGuardian's IP addresses")
GitGuardian serves the application from the following IP addresses:
* 44.231.207.147/32
* 44.224.13.10/32
* 35.163.105.95/32
* 54.212.233.107/32
* 35.83.131.170/32
* 35.161.89.114/32
These IP addresses are used for:
* VCS integrations (eg: GitHub, GitLab)
* Messaging integrations (eg: Slack, Microsoft Teams)
* Ticketing integrations (eg: Jira Cloud, Jira Data Center)
* Documentation integrations (eg: Confluence Cloud, Confluence Data Center)
* Alerting integrations (eg: Slack)
### Allowing GitGuardian's domains[](#allowing-gitguardians-domains "Direct link to Allowing GitGuardian's domains")
The following domains are used to expose the application:
* dashboard.gitguardian.com
* hook.gitguardian.com
* api.gitguardian.com
Note: HTTP is only used to redirect to HTTPS.
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [Differences between historical scanning and real-time protection](#differences-between-historical-scanning-and-real-time-protection)
* [Real-time monitoring](#real-time-monitoring)
* [Historical scanning](#historical-scanning)
* [Source status](#source-status)
* [Monitored source](#monitored-source)
* [No longer monitored source](#no-longer-monitored-source)
* [Deleted source](#deleted-source)
* [Source visibility](#source-visibility)
* [Source criticality](#source-criticality)
* [How can I add new sources to my protected perimeter?](#how-can-i-add-new-sources-to-my-protected-perimeter)
* [Version Control Systems](#version-control-systems)
* [Messaging & ChatOps](#messaging--chatops)
* [Ticketing](#ticketing)
* [Documentation](#documentation)
* [Troubleshooting connectivity problems](#troubleshooting-connectivity-problems)
* [Allowing GitGuardian's IP addresses](#allowing-gitguardians-ip-addresses)
* [Allowing GitGuardian's domains](#allowing-gitguardians-domains)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# What is a secret? | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
What is a secret?
=================
In everyday language, a secret can be any sensitive data that we want to keep private. When discussing secrets in the context of software development, secrets generally refer to digital authentication credentials that grant access to systems or data. These are most commonly API keys, usernames and passwords, or security certificates.
Secrets exist in the context of applications that are no longer standalone monoliths. Applications nowadays rely on thousands of independent building blocks: cloud infrastructure, databases, third-party APIs and services such as Stripe, Slack, HubSpot…
Secrets tie together the different building blocks of a single application by authenticating each component against one another.
What do secrets look like?[](#what-do-secrets-look-like "Direct link to What do secrets look like?")
------------------------------------------------------------------------------------------------------
Secrets are typically high entropy strings which means that they are strings or text that are very random in value. Some API keys can be pre or post fix which means they share the same characters at the start or at the end of the string but most secrets aren’t and are just a highly randomized value that contains different types of character.
### Examples[](#examples "Direct link to Examples")
Below is an example of a **specific secret**, a GitHub personal access token:
- text: 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 apikey: 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
As you can notice the secret is prefixed with the `ghp` string. Below is another example of a secret, this time a **generic** one in the form of a Base64 basic auth string:
- text: | "Authorization": "Basic aW50ZXJuc2hpcDpjZGk=" username: aW50ZXJuc2hpcD # decodes to `internship` password: pjZGk # decodes to `cdi`
#### Was this page helpful?
[](#)
[](#)
* [What do secrets look like?](#what-do-secrets-look-like)
* [Examples](#examples)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Release notes | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Release notes
=============
### January 13, 2025[](#january-13-2025 "Direct link to January 13, 2025")
####  Secrets Detection[](#secrets-icon--secrets-detection "Direct link to secrets-icon--secrets-detection")
* **Bitbucket Cloud integration**: Bitbucket Cloud integration is now available. You can monitor your Bitbucket Cloud repositories for secrets detection.
####  Platform[](#platform-icon--platform "Direct link to platform-icon--platform")
* **Microsoft Teams Alerts for Security Incidents**: We now support real-time GitGuardian notifications in Microsoft Teams. This feature includes:
* automatic alerts sent directly to your chosen Teams channels whenever a security incident is detected,
* secure notifications without exposing sensitive data, linking to the GitGuardian dashboard for full details. More information is available in the [documentation](/platform/monitor-perimeter/notifiers-integrations/microsoft-teams)
.
* **Jira Data Center issue tracking integration**: We now support Jira Data Center integration for issue tracking. This feature includes:
* automatic creation of a Jira issue as soon as a new incident is triggered,
* management of Jira custom fields,
* and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira. More information available in the [documentation](/platform/monitor-perimeter/issue-tracking-integrations/jira-data-center)
.
####  Bug fixes[](#bugs-icon--bug-fixes "Direct link to bugs-icon--bug-fixes")
* **Users**: Resolved an issue where user deletion was prevented due to the presence of saved views associated with the user.
* **Azure repos integration**: Ensured proper detection and syncing of deleted organizations in GitGuardian when using tokens with all-organization access.
### December 23, 2024[](#december-23-2024 "Direct link to December 23, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-1 "Direct link to secrets-icon--secrets-detection-1")
* **Secrets detection engine upgrade to version 2.129.1:**
* Added 1 detector:
* [GitLab OAuth Application Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_oauth_application_token)
* Modified 4 detectors:
* [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
* [GitGuardian Test Token Checked](/secrets-detection/secrets-detection-engine/detectors/specifics/gitguardian_test_token_checked)
* [MSSQL Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/mssql_credentials)
* [Zendesk Token](/secrets-detection/secrets-detection-engine/detectors/specifics/zendesk_token)
####  Bug fixes[](#bugs-icon--bug-fixes-1 "Direct link to bugs-icon--bug-fixes-1")
* **Check runs**: Updated messages to note flagged secrets lack commit references and remain compromised once leaked.
* **Validity check**: Fixed an issue where the tooltip incorrectly indicated a token was valid for all endpoints when it was valid for only one.
* **Jira issue tracking**: Fixed issue where line feeds (\\n) were not properly translated to hardBreak nodes, ensuring correct spacing in Jira tickets.
### December 12, 2024[](#december-12-2024 "Direct link to December 12, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-2 "Direct link to secrets-icon--secrets-detection-2")
* **Secrets detection engine upgrade to version 2.128.0:**
* Added 4 detectors:
* [Jenkins API token](/secrets-detection/secrets-detection-engine/detectors/specifics/jenkins_api_token)
* [chpasswd Username Password](/secrets-detection/secrets-detection-engine/detectors/generics/username_password)
* [Nessus Agent Key](/secrets-detection/secrets-detection-engine/detectors/specifics/nessus_agent_key)
* [Statsig Server Secret Key](/secrets-detection/secrets-detection-engine/detectors/specifics/statsig_server_key)
* Modified 1 detector:
* [FTP credentials assignment](/secrets-detection/secrets-detection-engine/detectors/specifics/ftp_credentials)
####  Platform[](#platform-icon--platform-1 "Direct link to platform-icon--platform-1")
* **Navigation**: The menu has been redesigned with a collapsible left sidebar for a cleaner, more organized experience.
* **VCS integration**: Workspace Managers can now disable automatic repository monitoring in GitGuardian, giving you more control when adding new repositories to your perimeter. For an example, see [GitHub integration](/platform/monitor-perimeter/vcs-integrations/github#automatic-repository-monitoring)
.
####  Bug fixes[](#bugs-icon--bug-fixes-2 "Direct link to bugs-icon--bug-fixes-2")
* **Health Check**: Fixed issue where health checks were run for all GitHub installations. Now only the first installation is checked.
### December 5, 2024[](#december-5-2024 "Direct link to December 5, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-3 "Direct link to secrets-icon--secrets-detection-3")
* **Check runs**: Business workspaces now have the option to improve their code security by enabling GitGuardian check runs on their GitHub forked repositories. Learn more [here](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#forked-repositories)
.
* **Secret pattern exclusion**: This feature allows users to define patterns and therefore hide any secret matching the pattern defined. Secret pattern can be applied to all repositories or a defined set of repositories. It provides greater control over exclusion rules, allowing for **more precise management of incidents**. [Learn more](https://docs.gitguardian.com/secrets-detection/detect/customize-detection#secret-pattern-exclusion)
.
####  Platform[](#platform-icon--platform-2 "Direct link to platform-icon--platform-2")
* **User management**: SCIM integration allows user deprovisioning in GitGuardian based on changes in your Identity Provider (IdP). User accounts can be automatically deactivated or deleted when removed from your IdP. User and team provisioning will be supported in a future update. For setup details, refer to [our documentation](/platform/enterprise-administration/scim-configuration)
.
* **Jira Cloud Issue tracking integration**: Introduced a template selection dropdown for manual ticket creation.
####  Bug fixes[](#bugs-icon--bug-fixes-3 "Direct link to bugs-icon--bug-fixes-3")
* **Performance**: Fixed an issue that occasionally caused "504 Gateway Timeout" errors when retrieving memberships.
### November 18, 2024[](#november-18-2024 "Direct link to November 18, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-4 "Direct link to secrets-icon--secrets-detection-4")
* **Secrets detection engine upgrade to version 2.126.0:**
* Added 4 detectors:
* [X-API-Key Secret](/secrets-detection/secrets-detection-engine/detectors/generics/x_api_key)
* [Azure Functions App Key Header](/secrets-detection/secrets-detection-engine/detectors/specifics/azure_functions_app_key)
* [Azure Functions App Key Query Parameter](/secrets-detection/secrets-detection-engine/detectors/specifics/azure_functions_app_key)
####  Platform[](#platform-icon--platform-3 "Direct link to platform-icon--platform-3")
* **API**: A new parameter, `send_email: true|false`, is now available on endpoints that trigger an email notification, such as when [an invitation is created](https://api.gitguardian.com/docs#tag/Invitations/operation/create-invitations)
. This allows you to determine whether an email should be sent when using these endpoints. By default, if the parameter is not specified, the email will be sent.
* **Health Check**: Distribute health checks over time rather than executing them simultaneously. This reduces system load, avoids bottlenecks, and enhances monitoring accuracy.
* **GitLab integration**: Give the ability to configure an instance-level GitLab integration using a read-only admin token. However, since the token lacks permissions for creating system hooks, manual setup is required. [Learn more](/platform/monitor-perimeter/vcs-integrations/gitlab#integrate-your-gitlab-instance-with-system-hooks)
.
####  Bug fixes[](#bugs-icon--bug-fixes-4 "Direct link to bugs-icon--bug-fixes-4")
* **Historical Scans**:
* Fixed UI count on the perimeter page so that "sources successful" now shows the total count of monitored sources, regardless of failed or unscanned sources.
* Standardized the date format for start and end dates in the status tooltip.
* Corrected the repo size display in the status tooltip.
* **Incidents**: Notify team leaders only when a valid secret is intentionally ignored.
### November 4, 2024[](#november-4-2024 "Direct link to November 4, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-5 "Direct link to secrets-icon--secrets-detection-5")
* **Secrets detection engine upgrade to version 2.125.0:**
* Added 4 detectors:
* [Cloudflare Tunnel Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/cloudflare_tunnel)
* [InfluxDB Token](/secrets-detection/secrets-detection-engine/detectors/specifics/influxdb_token)
* [InfluxDB Token with Host](/secrets-detection/secrets-detection-engine/detectors/specifics/influxdb_token_with_host)
* [Rails Master Key Assignment](/secrets-detection/secrets-detection-engine/detectors/specifics/rails_master_key)
####  Platform[](#platform-icon--platform-4 "Direct link to platform-icon--platform-4")
* **API**: All [Sources endpoints](https://api.gitguardian.com/docs#tag/Sources)
now require specific scopes for access. The new `sources:read` scope is required for all GET endpoints to retrieve source information, while the `sources:write` scope is required for the PATCH endpoint to update a source's attributes, monitoring status, and business criticality.
* **Settings**: To improve navigation on the [settings page](https://dashboard.gitguardian.com/workspace/settings/workspace/general)
, we’ve introduced two new dedicated sections:
* **Integrations**: Organized by source and destination for easier access.
* **Secrets**: Consolidates items previously found under the "Secrets Detection".
### October 28, 2024[](#october-28-2024 "Direct link to October 28, 2024")
####  Platform[](#platform-icon--platform-5 "Direct link to platform-icon--platform-5")
* **ServiceNow Issue tracking integration**: This new issue tracking integration allows to create ServiceNow issues from GitGuardian incidents. The feature includes the following:
* possibility to create a ServiceNow issue directly from a GitGuardian incident;
* possibility to automate the creation of a ServiceNow issue for any new Gitguardian incident;
* auto-resolve setting to mark the incident as resolved in your dashboard when the issue is closed in ServiceNow.
Follow [our documentation](/platform/monitor-perimeter/issue-tracking-integrations/servicenow)
to configure the integration.
### October 21, 2024[](#october-21-2024 "Direct link to October 21, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-6 "Direct link to secrets-icon--secrets-detection-6")
* **Secrets detection engine upgrade to version 2.124.1:**
* Added 1 detector:
* [BitBucket App Password](/secrets-detection/secrets-detection-engine/detectors/specifics/bitbucket_app_password)
* Modified 5 detectors:
* [Generic CLI Option Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_cli_secret)
* [MongoDB CLI Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/mongodb_credentials)
* [MySQL CLI Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/mysql_credentials)
* [PostgreSQL CLI Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/postgresql_credentials)
* [Redis CLI Password](/secrets-detection/secrets-detection-engine/detectors/specifics/redis_server_password)
####  Platform[](#platform-icon--platform-6 "Direct link to platform-icon--platform-6")
* **Check runs**: GitHub's custom properties can now be leveraged to override the GitGuardian global configuration of check runs. This allows customization at both the repository and organization levels. For more details, please refer to our [dedicated documentation](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#going-further-customizing-check-runs-on-a-per-repository-basis)
* **Historical Scan**:
* New "Bulk Historical Scans Management" page for easy tracking, filtering, and detailed insights on all scans.
* Simplify source management with a new filter for instances (e.g., production/staging).
* **Members**: You now have the option to deactivate a member instead of deleting them. For more details, refer to our [documentation](/platform/collaboration-and-sharing/users#delete-or-deactivate-members)
.
####  Bug fixes[](#bugs-icon--bug-fixes-5 "Direct link to bugs-icon--bug-fixes-5")
* **Validity check**: Fixed GitLab checker wrongly marking some secrets as valid by improving token validation (impacting custom host validity checks).
* **Perimeter**: Fixed inaccurate historical scanning statistics displayed on the side panel of the perimeter page.
### October 17, 2024[](#october-17-2024 "Direct link to October 17, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-7 "Direct link to secrets-icon--secrets-detection-7")
* **Filepath exclusion**: File path exclusions are now **applicable to one or more repositories**. By targeting file path exclusions to specific repositories, users can significantly reduce the number of irrelevant incidents, enabling more **accurate incident management**. [Learn more](https://docs.gitguardian.com/secrets-detection/detect/customize-detection#filepath-exclusions)
.
### October 14, 2024[](#october-14-2024 "Direct link to October 14, 2024")
####  Platform[](#platform-icon--platform-7 "Direct link to platform-icon--platform-7")
* **Analytics Charts**: A new page is available in the Analytics menu. This new feature is available for all business users. Analytics Charts is a powerful feature designed to help you **visualize** and understand your **incidents over time**. Whether you are a developer, security lead, or manager, Analytics Charts provides valuable tools to track progress, measure performance, and make informed decisions. **Access the [Analytics Charts](https://dashboard.gitguardian.com/advanced-analytics)
**.
### October 7, 2024[](#october-7-2024 "Direct link to October 7, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-8 "Direct link to secrets-icon--secrets-detection-8")
* **Secrets detection engine upgrade to version 2.122:** Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
* Added 3 detectors:
* [Atlassian Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/atlassian_access_token)
* [Bitbucket Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/bitbucket_access_token)
* [Mistral AI API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/mistralai_apikey)
* Modified 1 detector:
* [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
* **VSCode extension**: We are excited to announce the release of GitGuardian CLI (ggshield) as a VS Code extension! Files are now automatically scanned upon saving, with detected secrets highlighted in your code and listed as warnings. Additionally, custom remediation messages are provided within your IDE to guide you in resolving any issues efficiently. [Download from the marketplace](https://marketplace.visualstudio.com/items?itemName=gitguardian-secret-security.gitguardian)
### September 23, 2024[](#september-23-2024 "Direct link to September 23, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-9 "Direct link to secrets-icon--secrets-detection-9")
* **Jira Data Center integration**: Jira Data Center integration is now supported for real-time secret detection and honeytoken detection.
####  Platform[](#platform-icon--platform-8 "Direct link to platform-icon--platform-8")
* **Saved views**: Saved views can now be created in the Honeytoken module.
####  Bug fixes[](#bugs-icon--bug-fixes-6 "Direct link to bugs-icon--bug-fixes-6")
* **Personal access token**: Resolved a bug to ensure the lifetime of a newly generated personal access token is strictly less than the [maximum permissible duration](https://docs.gitguardian.com/platform/enterprise-administration/workspace-settings#enforce-a-maximum-lifetime-for-api-personal-access-tokens)
.
### September 9, 2024[](#september-9-2024 "Direct link to September 9, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-10 "Direct link to secrets-icon--secrets-detection-10")
* **Confluence Data Center integration**: Confluence Data Center integration is now supported for real-time secret detection and honeytoken detection.
* **Slack integration**: Slack integration is now supported for scanning the full history of your public and private Slack channels to detect leaked secrets.
####  Platform[](#platform-icon--platform-9 "Direct link to platform-icon--platform-9")
* **IP allowlist**: Managers can now restrict access to the dashboard and API to specified IP addresses or ranges for enhanced security. This feature is available only for Business accounts. Refer to our [documentation](/platform/enterprise-administration/ip-allowlist)
for more details.
* **Historical Scan**: Streamline source management with new filters for failure reasons and last scan date.
####  Bug fixes[](#bugs-icon--bug-fixes-7 "Direct link to bugs-icon--bug-fixes-7")
* **Historical Scan**: Improved handling of pending states and fixed an issue where sources were reaching the timeout limit.
### August 26, 2024[](#august-26-2024 "Direct link to August 26, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-11 "Direct link to secrets-icon--secrets-detection-11")
**Secrets detection engine upgrade to v2.120:** Enhance recall and coverage while expanding the range of detectable secrets with updated detectors.
* Added 2 detectors:
* [Generic Password YAML](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
* [Buildkite API Token V2](/secrets-detection/secrets-detection-engine/detectors/specifics/buildkite_api_token)
* Modified 6 detectors:
* [Generic Database Assignment](/secrets-detection/secrets-detection-engine/detectors/generics/generic_database_assignment)
* [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
* [Username Password](/secrets-detection/secrets-detection-engine/detectors/generics/username_password)
* [DigitalOcean Spaces Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_spaces_token)
* [reCAPTCHA Key](/secrets-detection/secrets-detection-engine/detectors/specifics/recaptcha_key)
**Note concerning the reCAPTCHA Key detector**: Due to changes in the behavior of some Google APIs, we are no longer able to ensure the validity of reCaptcha keys. As this detector could be quite "noisy" the validity of the keys was a mandatory prerequisite in the detection flow and this can no longer be the case. We have however improved this detector to be as efficient as possible.
####  Bug fixes[](#bugs-icon--bug-fixes-8 "Direct link to bugs-icon--bug-fixes-8")
* **Jira Cloud Issue tracking integration**: Fixed an issue where the assignee dropdown in Jira template creation was incomplete for projects with a large number of assignees due to pagination limits.
### August 14, 2024[](#august-14-2024 "Direct link to August 14, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-12 "Direct link to secrets-icon--secrets-detection-12")
* **Secrets detection engine upgrade to version 2.117:** Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
* Added 2 detectors: [Serpapi Token](/secrets-detection/secrets-detection-engine/detectors/specifics/serpapi_token)
and [Tavily API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tavily_api_key)
* Modified 1 detector: [GitLab Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_token)
* **Validity check**: Business workspaces that self-host service providers can now perform validity checks. They can specify the host against which to run a check in the configuration of separate secret detectors. For example you can perform a validity check for a GitLab token secret against your own GitLab instance. For more details, refer to [our dedicated documentation](/secrets-detection/remediate/investigate-incidents#customize-validity-checks)
.
####  Platform[](#platform-icon--platform-10 "Direct link to platform-icon--platform-10")
* **GitGuardian CLI (ggshield) custom remediation message**: Admins can now customize remediation messages at pre-commit, pre-push or pre-receive stages and provide to developers useful guidance on how to use internal Vaults etc ... See documentation [here](/ggshield-docs/reference/secret/custom-remediation-messages)
.
* **Saved views**: You can now save your most frequently used filters as views for quicker access. Learn more about about saved views [here](/platform/collaboration-and-sharing/saved-views)
.
* **Historical Scan Enhancements**: These enhancements provide better visibility and management of the scanning process. They include progress estimation for both individual and bulk scans, along with comprehensive scan status details such as size, duration, start/end dates, number of commits, branches, queue duration, and more.
* **Health Check**: Let managers manually start health checks from the GitGuardian dashboard so they can address any failed checks immediately without waiting for the next scheduled run.
* **Teams**: Get simplified team management with a clear designation of team leaders. Changing "can\_manage|cannot\_manage team permissions" to a "team leader" boolean attribute to designate the team owner. ⚠️ The `team_permissions` field has been deprecated and replaced by the `is_team_leader` field in our [API](https://api.preprod.gitguardian.com/docs#tag/Team-Memberships/operation/list-team-memberships)
for the endpoints `/v1/teams/{team_id}/team_memberships` and `/v1/teams/{team_id}/team_invitations`.
### July 29, 2024[](#july-29-2024 "Direct link to July 29, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-13 "Direct link to secrets-icon--secrets-detection-13")
* **False Positive Remover v1**: Our first internal machine learning model halves false positives, ensuring data security and privacy without third-party dependencies. This in-house capability is now available to all Business and Enterprise accounts.
####  Platform[](#platform-icon--platform-11 "Direct link to platform-icon--platform-11")
* **GitLab integration**: Upon installing a new integration for GitLab Community Edition, it is now possible to skip the historical scan (to launch it manually later).
####  Bug fixes[](#bugs-icon--bug-fixes-9 "Direct link to bugs-icon--bug-fixes-9")
* **Microsoft Teams integration**: Fixed an issue impacting real-time secret detection in Microsoft Teams channels.
### July 15, 2024[](#july-15-2024 "Direct link to July 15, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-14 "Direct link to secrets-icon--secrets-detection-14")
* **Microsoft Teams integration**: Microsoft Teams integration is now supported for real-time secret detection and honeytoken detection.
* **Secrets detection engine upgrade to version 2.116:** Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
Added 1 detector
* [JetBrains TeamCity config value](/secrets-detection/secrets-detection-engine/detectors/specifics/jetbrains_teamcity_config_value)
Modified 3 generic detectors
* [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
* [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Modified 78 specific detectors
We have enhanced our approach to searching for the prefix linked to the secret, considering more complex scenarios. This allows us to improve recall.
* [Adafruit IO API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/adafruit_io_apikey)
* [Airtable API Key v2](/secrets-detection/secrets-detection-engine/detectors/specifics/airtable_apikey)
* [Alchemy API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/alchemy_apikey)
* [Amazon MWS Token](/secrets-detection/secrets-detection-engine/detectors/specifics/amazon_mws_token)
* [Checkout.com Sandbox API Secret Key](/secrets-detection/secrets-detection-engine/detectors/specifics/checkout_secret_key)
* [CircleCI Personal Token](/secrets-detection/secrets-detection-engine/detectors/specifics/circleci_personal_token)
* [Claude API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/claude_api_key)
* [Clojars Deploy Token](/secrets-detection/secrets-detection-engine/detectors/specifics/clojars_deploy_token)
* [Cloudinary API key URL](/secrets-detection/secrets-detection-engine/detectors/specifics/cloudinary_api_keys)
* [Contentful Content Management API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/contentful_content_management_apikey)
* [DigitalOcean OAuth Application Token V1](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_oauth_application_token_v1)
* [DigitalOcean Personal Access Token V1](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_personal_token_v1)
* [DigitalOcean Refresh Token V1](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_refresh_token_v1)
* [Discord Webhook URL](/secrets-detection/secrets-detection-engine/detectors/specifics/discord_webhook_url)
* [Docker Swarm Join Token](/secrets-detection/secrets-detection-engine/detectors/specifics/docker_swarm_join_token)
* [Docker Swarm Unlock Key](/secrets-detection/secrets-detection-engine/detectors/specifics/docker_swarm_unlock_key)
* [EasyPost API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/easypost_api_key)
* [Firebase Cloud Messaging API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/fcm_api_key)
* [Figma Personal Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/figma_personal_access_token)
* [Flutterwave API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/flutterwave_api_key)
* [Frame IO Token](/secrets-detection/secrets-detection-engine/detectors/specifics/frame_io_token)
* [GitHub fine-grained personal access token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
* [GitHub Oauth Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
* [GitHub Personal Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
* [GitHub Server-to-server Token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
* [GitHub User-to-server Token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
* [GitLab Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_token)
* [Grafana Cloud API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/grafana_token)
* [Grafana Service Account Token](/secrets-detection/secrets-detection-engine/detectors/specifics/grafana_service_account_token)
* [Groq API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/groq_api_key)
* [Heartland API key](/secrets-detection/secrets-detection-engine/detectors/specifics/heartland_apikey)
* [Langchain API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/langchain_api_key)
* [Linear API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/linear_api_key)
* [Base64 Midtrans API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/midtrans_apikey)
* [Notion Integration Token](/secrets-detection/secrets-detection-engine/detectors/specifics/notion_integration_token)
* [npm Token Prefixed](/secrets-detection/secrets-detection-engine/detectors/specifics/npm_token)
* [Nylas API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/nylas_api_key)
* [OpenAI Project API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/openai_project_apikey)
* [Paystack Key](/secrets-detection/secrets-detection-engine/detectors/specifics/paystack_key)
* [Plaid Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/plaid_access_token)
* [PlanetScale OAuth Token](/secrets-detection/secrets-detection-engine/detectors/specifics/planetscale_token)
* [Postman API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/postman_api_key)
* [PubNub Publish Key](/secrets-detection/secrets-detection-engine/detectors/specifics/pubnub_publish_key)
* [Readme API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/readme_apikey)
* [Riot Games API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/riot_games_apikey)
* [RubyGems.org API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/rubygems_apikey)
* [Samsara API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/samsara_apikey)
* [SendinBlue Key v3](/secrets-detection/secrets-detection-engine/detectors/specifics/sendinblue_key)
* [Sentry Org Auth Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_org_auth_token)
* [Sentry User Auth Token v2](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_token)
* [Shippo API token](/secrets-detection/secrets-detection-engine/detectors/specifics/shippo_api_token)
* [Shopify Generic App Token](/secrets-detection/secrets-detection-engine/detectors/specifics/shopify_generic_app_token)
* [Shopify Private App Token](/secrets-detection/secrets-detection-engine/detectors/specifics/shopify_private_app_token)
* [Slack App Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_app_token)
* [Slack Configuration Refresh Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_configuration_refresh_token)
* [Slack Configuration Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_configuration_token)
* [Slack User Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_user_token)
* [Sourcegraph Access Token v3](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_token)
* [Sourcegraph Enterprise subscription Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_enterprise_subscription_token)
* [Sourcegraph License Key Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_license_key_token)
* [Sourcegraph Access Token v2](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_token)
* [Sourcegraph User Gateway Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_user_gateway_access_token)
* [Sqreen Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sqreen_token)
* [Square Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/square_token)
* [Stripe Webhook Secret](/secrets-detection/secrets-detection-engine/detectors/specifics/stripe_webhook_secret)
* [Tailscale API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_api_key)
* [Tailscale OAuth Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_oauth_key)
* [Tailscale Pre-Authentication Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_pre_auth_key)
* [Tailscale SCIM Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_scim_key)
* [Tailscale Webhook Key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_webhook_key)
* [Typeform API Token](/secrets-detection/secrets-detection-engine/detectors/specifics/typeform_api_token)
* [Ubidots Token](/secrets-detection/secrets-detection-engine/detectors/specifics/ubidots_token)
* [Vercel Blob Token](/secrets-detection/secrets-detection-engine/detectors/specifics/vercel_blob_token)
* [WakaTime API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/wakatime_apikey)
* [WePay token](/secrets-detection/secrets-detection-engine/detectors/specifics/wepay_token)
* [Yandex Predictor API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/yandex_predictor_api_key)
* [Zillow Key](/secrets-detection/secrets-detection-engine/detectors/specifics/zillow_key)
* [Zuplo API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/zuplo_apikey)
* **Incidents**: When an incident is ignored with a secret still valid, an email notification is sent to the team manager(s) or to the workspace manager. N.B: this feature is available in the business plan.
* **Weekly email recap**: From now on, a new section is displayed in the weekly email recap displaying the number of ignored incident with a secret still valid in the last week. N.B.: this feature is available in the business plan.
####  SCA[](#sca-icon--sca "Direct link to sca-icon--sca")
* **.NET Support**: Scans dependencies for C#, F#, and Visual Basic, broadening the language support.
* **Improved Java Support**: Transitive dependencies are now scanned in Maven, providing more comprehensive security coverage.
####  Platform[](#platform-icon--platform-12 "Direct link to platform-icon--platform-12")
* **Historical Scan**:
* Skip [historical scan](/platform/monitor-perimeter/monitored-perimeter#historical-scanning)
of unchanged repositories since the last scan to save time and resources.
* Filter and sort repositories by scan duration on the Perimeter page for better management.
* Introduced `pending_timeout` status in the [API](https://api.gitguardian.com/docs#tag/Sources/operation/list-sources)
to differentiate between scans failing due to timeouts (`timeout`) and those in the queue (`pending_timeout`).
* **API Enhancements**: User feedback on secret incidents is now accessible via the API, providing better incident management and insights. This information is included in the `feedback_list` field within the [secret incidents' payload](https://api.gitguardian.com/docs#tag/Secret-Incidents/operation/list-incidents)
* **Settings**: The data storage location region is now visible in your workspace settings.
####  Bug fixes[](#bugs-icon--bug-fixes-10 "Direct link to bugs-icon--bug-fixes-10")
* **Check runs**: Addition of an optional `Skip` action for [check runs on forked repositories](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#working-with-forked-repositories)
that detect secrets, preventing a complete blockage for developers.
### June 24, 2024[](#june-24-2024 "Direct link to June 24, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-15 "Direct link to secrets-icon--secrets-detection-15")
* **Incident details**: Addition of a 'per page' selector on the occurrences table.
####  Platform[](#platform-icon--platform-13 "Direct link to platform-icon--platform-13")
* **Members**: Renamed 'role' to 'access level' for clarity.
⚠️ The `role` field has been deprecated and replaced by the `access_level` field in our [API](https://api.gitguardian.com/docs)
for the endpoints `/v1/members` and `/v1/invitations`.
### June 17, 2024[](#june-17-2024 "Direct link to June 17, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-16 "Direct link to secrets-icon--secrets-detection-16")
* **Secrets detection engine upgrade to version 2.115:** Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
* 4 detectors added: [Sentry Org Auth Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_org_auth_token)
, [Sentry User Auth Token v2](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_token#details-for-sentry-user-auth-token-v2)
, [Slack Configuration Refresh Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_configuration_refresh_token)
, [Slack Configuration Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_configuration_token)
* 5 detectors updated: [Equinix Authentication Token](/secrets-detection/secrets-detection-engine/detectors/specifics/equinix_authentication_token)
, [Sentry User Auth Token v1](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_token)
, [Signifyd API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/signifyd_apikey)
, [Slack Bot Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slackbot_token)
, [Slack User Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_user_token)
####  Bug fixes[](#bugs-icon--bug-fixes-11 "Direct link to bugs-icon--bug-fixes-11")
* **Filepath exclusion**: Correct a bug that causes the `*` character in the exclusion pattern to match at least one character when it should match zero or more characters.
### June 10, 2024[](#june-10-2024 "Direct link to June 10, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-17 "Direct link to secrets-icon--secrets-detection-17")
* **Confluence Cloud integration**: Confluence Cloud integration is now supported for real-time secret detection and honeytoken detection.
### June 4, 2024[](#june-4-2024 "Direct link to June 4, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-18 "Direct link to secrets-icon--secrets-detection-18")
* **Secrets detection engine upgrade to version 2.114:** Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
* 9 detectors added: [ASP.NET Decryption Key](/secrets-detection/secrets-detection-engine/detectors/specifics/aspnet_decryption_key)
, [ASP.NET Validation Key](/secrets-detection/secrets-detection-engine/detectors/specifics/aspnet_validation_key)
, [Langchain API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_license_key_token)
, [OpenAI Project API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/openai_project_apikey)
, [OpenAI Service Account](/secrets-detection/secrets-detection-engine/detectors/specifics/openai_service_account)
, [Sourcegraph Enterprise Subscription Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_enterprise_subscription_token)
, [Sourcegraph License Key Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_license_key_token)
, [Sourcegraph User Gateway Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_user_gateway_access_token)
, [WakaTime API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/wakatime_apikey)
* 4 detectors updated: [Sentry Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sentry_token)
, [Generic Database assignment](/secrets-detection/secrets-detection-engine/detectors/generics/generic_database_assignment)
, [Generic FTP Assignment](/secrets-detection/secrets-detection-engine/detectors/specifics/ftp_credentials)
, [Generic Username Password](/secrets-detection/secrets-detection-engine/detectors/generics/username_password)
* **Incidents**: Periodic secret validity checks enabled for ignored incidents. See documentation [here](/secrets-detection/remediate/investigate-incidents)
.
* **Filepath exclusions**: When adding a new rule, show how many new secret incidents will be hidden by the new filepath exclusion, without recalculating existing hidden incidents.
####  Platform[](#platform-icon--platform-14 "Direct link to platform-icon--platform-14")
* **GitLab integration**: When a GitLab webhook is found disabled, GitGuardian now attempts to reactivate it automatically (by sending a test payload) before triggering an error message.
* **Health Check**: Send email notifications when a integration health check fails. For further details, refer to the [Configure email preferences](/platform/user-account/email-preferences)
page. Note that the notification is not enabled by default for existing accounts and must be turned on manually.
####  SCA[](#sca-icon--sca-1 "Direct link to sca-icon--sca-1")
* Introduction of the Malicious Package detection, to make sure we protect every organization from packages designed to be harmful.
* Highlight Dependency Confusion risk on private dependencies that were not publicly registered, to help organizations lower their exposure to Dependency Confusion attacks.
### May 27, 2024[](#may-27-2024 "Direct link to May 27, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-19 "Direct link to secrets-icon--secrets-detection-19")
* **Incidents details**: merge commit authors from GitHub are now identified. It is not retroactive.
* **API**: [new endpoint](https://api.gitguardian.com/docs#tag/Secret-Incidents/operation/list-sources-incidents)
to query the secret incidents of a source.
####  Bug fixes[](#bugs-icon--bug-fixes-12 "Direct link to bugs-icon--bug-fixes-12")
* **API**: fix a problem causing conflicting information between the UI and the API regarding team permissions.
* **Historical scan**: attribute automatic historical scans of new repositories to "GitGuardian Bot" in audit logs.
### May 20, 2024[](#may-20-2024 "Direct link to May 20, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-20 "Direct link to secrets-icon--secrets-detection-20")
* **Secrets detection engine**: upgrade to version 2.113 with the addition of 5 new detectors ([Nylas API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/nylas_api_key)
,[Sourcegraph Access Token v3](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_token#details-for-sourcegraph-access-token-v3)
, [Duplo Cloud API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/duplocloud_apikey)
,[Fernet Key](/secrets-detection/secrets-detection-engine/detectors/specifics/fernet_key)
, [Vercel Blob Token](/secrets-detection/secrets-detection-engine/detectors/specifics/vercel_blob_token)
) and the improvement of 10 detectors ([Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
, [Generic Database Assignment](/secrets-detection/secrets-detection-engine/detectors/generics/generic_database_assignment)
, [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
, [PostgreSQL CLI Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/postgresql_credentials#details-for-postgres-cli)
, [Postgres assignment attached port](/secrets-detection/secrets-detection-engine/detectors/specifics/postgresql_credentials#details-for-postgres-assignment-attached-port)
, [PostgreSQL Pgpass Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/postgresql_credentials#details-for-postgres-pgpass)
, [PostgreSQL URI](/secrets-detection/secrets-detection-engine/detectors/specifics/postgresql_credentials#details-for-postgres-uri)
, [Sourcegraph Access Token v2](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_token)
, [Yelp API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/yelp_api_key)
, [Google Gemini API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/google_bard_api_key)
).
####  Platform[](#platform-icon--platform-15 "Direct link to platform-icon--platform-15")
* **Health Check**:
* introduce tracking for the last execution and last successful execution times.
* implement periodic health checks to run every hour. This is a Business-only feature.
####  Bug fixes[](#bugs-icon--bug-fixes-13 "Direct link to bugs-icon--bug-fixes-13")
* **Custom webhook**: fix a bug sending notifications for deactivated secret detectors.
### May 13, 2024[](#may-13-2024 "Direct link to May 13, 2024")
####  Bug fixes[](#bugs-icon--bug-fixes-14 "Direct link to bugs-icon--bug-fixes-14")
* **Jira Cloud Issue tracking integration**: fix an issue where Jira automatic configurations remained invisible to 'member' role users within the 'All Incidents' team, ensuring uniform visibility across teams.
### May 6, 2024[](#may-6-2024 "Direct link to May 6, 2024")
####  Platform[](#platform-icon--platform-16 "Direct link to platform-icon--platform-16")
* **API**: the `workspace_id` is now included in the [payload of API tokens](https://api.gitguardian.com/docs#operation/self-retrieve-api-token)
.
* **Historical scan**: improve historical scan status overview on the perimeter page side bar.
####  Bug fixes[](#bugs-icon--bug-fixes-15 "Direct link to bugs-icon--bug-fixes-15")
* **Bitbucket Data Center integration**:
* fix an issue where uninstalling a Bitbucket project inadvertently occurred when a token was removed, despite other valid tokens being present.
* enhance logging mechanisms surrounding Bitbucket token operations for better troubleshooting.
* **Check runs**: display accurate error message when a check run fails due to rate limiting.
### April 29, 2024[](#april-29-2024 "Direct link to April 29, 2024")
####  Bug fixes[](#bugs-icon--bug-fixes-16 "Direct link to bugs-icon--bug-fixes-16")
* **API**: correct a bug that allowed members to view sources they should not have been able to access when using the [`/sources` endpoint](https://api.gitguardian.com/docs#operation/list-sources)
.
* **Check runs**: fix a bug that is causing related incident IDs to be missing in the check run summary.
### April 23, 2024[](#april-23-2024 "Direct link to April 23, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-21 "Direct link to secrets-icon--secrets-detection-21")
* **Secrets detection engine**: upgrade to version 2.111 with the addition of 3 new detectors ([Grafana Cloud API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/grafana_token)
, [Groq API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/groq_api_key)
, [Nx Cloud Token](/secrets-detection/secrets-detection-engine/detectors/specifics/nx_cloud_token)
) and the improvement of 1 detector ([Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
)
####  Platform[](#platform-icon--platform-17 "Direct link to platform-icon--platform-17")
* **Filters**: the history of AI queries can now be deleted.
####  Bug fixes[](#bugs-icon--bug-fixes-17 "Direct link to bugs-icon--bug-fixes-17")
* **GitLab integration**: when re-enabling a disabled webhook in GitLab, the error on the GitGuardian dashboard is now cleared automatically within 20 minutes.
* **Filters**: the "per-page" selection for each table is now persisted.
### April 16, 2024[](#april-16-2024 "Direct link to April 16, 2024")
####  Platform[](#platform-icon--platform-18 "Direct link to platform-icon--platform-18")
* **Vault integration**: CyberArk, a leader in privileged access management, helps secure, manage, and monitor privileged accounts and credentials. This integration leverages CyberArk to securely manage secrets and automate secret rotation, enhancing security alongside GitGuardian's leak detection capabilities. Refer to our [documentation](/platform/monitor-perimeter/vault-integrations/cyberark)
for more details.
### April 15, 2024[](#april-15-2024 "Direct link to April 15, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-22 "Direct link to secrets-icon--secrets-detection-22")
* **Secrets detection engine**: [Generic CLI Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_cli_secret)
and [Generic Database Assignment](/secrets-detection/secrets-detection-engine/detectors/generics/generic_database_assignment)
detectors are now supported and active by default for data sources other than VCS.
* **Secrets detection engine**: upgrade to version 2.110 with the addition of 4 new detectors ([Dropbox Key](/secrets-detection/secrets-detection-engine/detectors/specifics/dropbox_key)
, [Midtrans API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/midtrans_apikey)
, [Sanity Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sanity_token)
, [Zuplo API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/zuplo_apikey)
) and the improvements of 3 detectors ([Artifactory Token](/secrets-detection/secrets-detection-engine/detectors/specifics/artifactory_token)
, [GoCardless API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/gocardless_api_key)
, [Plivo Auth Tokens](/secrets-detection/secrets-detection-engine/detectors/specifics/plivo_auth_tokens)
).
####  SCA[](#sca-icon--sca-2 "Direct link to sca-icon--sca-2")
* Add the last modification date of the dependency files to the SCA incidents along with the dedicated filter.
####  Bug fixes[](#bugs-icon--bug-fixes-18 "Direct link to bugs-icon--bug-fixes-18")
* **GitLab integration**: fix an issue where the installation status was incorrectly displaying as 'no longer monitored' in the tooltip, despite being actively monitored.
### April 10, 2024[](#april-10-2024 "Direct link to April 10, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-23 "Direct link to secrets-icon--secrets-detection-23")
* **Jira Cloud issue tracking integration**: introduction of a new version of our Jira Cloud integration for issue tracking. It now offers
* automatic creation of a Jira issue as soon as a new incident is triggered,
* management of Jira custom fields,
* and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira Cloud. More information available in the [documentation](/platform/monitor-perimeter/issue-tracking-integrations/jira-cloud)
.
### April 8, 2024[](#april-8-2024 "Direct link to April 8, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-24 "Direct link to secrets-icon--secrets-detection-24")
* **Secrets detection engine**: upgrade to version 2.109 with the addition of 2 new detectors ([Azure Open AI API key](/secrets-detection/secrets-detection-engine/detectors/specifics/azure_open_ai_api_key)
, [Kubernetes Docker Secret](/secrets-detection/secrets-detection-engine/detectors/specifics/kubernetes_docker_secret)
) and the improvement of 4 detectors ([GitLab Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_token)
, [Google API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/google_api_key)
, [Okta Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/okta_keys)
, [Slack Bot Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slackbot_token)
)
####  Honeytoken[](#honeytoken-icon--honeytoken "Direct link to honeytoken-icon--honeytoken")
* Context creation strategies for honeytoken deployment jobs now allow to choose only dynamic contexts.
####  Platform[](#platform-icon--platform-19 "Direct link to platform-icon--platform-19")
* **Incidents details**: introduction of a secret identity card on each secret incident detail page.
* **Privacy mode**: this ([mode](/platform/security-data-privacy/privacy-mode)
) allows to obfuscate secrets and other sensitive information on the GitGuardian UI.
####  Bug fixes[](#bugs-icon--bug-fixes-19 "Direct link to bugs-icon--bug-fixes-19")
* **Incidents**: resolve a bug triggered by secret incidents detected by custom detectors, causing the incidents list to fail to load.
* **Check runs**:
* improve error collection on check runs.
* fix an issue where GitHubNotFound errors prevented the completion of check runs.
### April 2, 2024[](#april-2-2024 "Direct link to April 2, 2024")
####  SCA[](#sca-icon--sca-3 "Direct link to sca-icon--sca-3")
* Shifting left metrics available in SCA analytics to demonstrate the impact of ggshield’s use in CI.
### March 25, 2024[](#march-25-2024 "Direct link to March 25, 2024")
####  SCA[](#sca-icon--sca-4 "Direct link to sca-icon--sca-4")
* add support for PHP dependencies.
* add the EPSS score to the incidents along with its dedicated filter.
####  Bug fixes[](#bugs-icon--bug-fixes-20 "Direct link to bugs-icon--bug-fixes-20")
* **Incidents**: resolve a loading error encountered when utilizing the "occurrences count" filter.
* **Audit log**: correct the logs related to the creation and removal of teammates through the API.
* **GitLab integration**:
* fix GitLab installation check task issue affecting system hook installations.
* fix an issue with sending emails to users who are no longer token owners within the GitLab installation.
### March 18, 2024[](#march-18-2024 "Direct link to March 18, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-25 "Direct link to secrets-icon--secrets-detection-25")
* **Secrets detection engine**: upgrade to version 2.108 with the addition of 3 new detectors ([Snowflake API credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/snowflake_credentials)
, [Replicate User Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/replicate_user_access_token)
, [Workato API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/workato_api_key)
) and the improvement of 3 detectors ([Rails Master Key](/secrets-detection/secrets-detection-engine/detectors/specifics/rails_master_key)
, [Generic password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
, [Generic High Entropy secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
)
* **Incidents**: it is now possible to filter on Occurrences count.
* **Check runs**: skip actions are now aligned with the ignored reasons (false positive, test credential, low risk). Tags (`Tagged as [false positive|test credential|low risk] in check runs`) are added to the corresponding secret incident when this action is taken.
* **API**: the breakdown of secret incidents by severity is displayed in the payload of the sources.
####  Bug fixes[](#bugs-icon--bug-fixes-21 "Direct link to bugs-icon--bug-fixes-21")
* **Bitbucket Data Center integration**: improve handling of token revocation to prevent issues when a repository changes ownership.
### March 11, 2024[](#march-11-2024 "Direct link to March 11, 2024")
####  SCA[](#sca-icon--sca-5 "Direct link to sca-icon--sca-5")
* **SCA**: add support for PHP dependencies.
####  Bug fixes[](#bugs-icon--bug-fixes-22 "Direct link to bugs-icon--bug-fixes-22")
* **Health Check**: improve health check error messages by differentiating between SaaS and self-hosted environments and utilizing non-HTTP status-like codes.
* **Incident details**: fix an issue on the git patch restricted visibility feature that was preventing members from seeing the patch they were involved in based on email matching.
* **Jira integration**: fix an issue that was hindering the assignment on JIRA tickets upon creation.
### March 4, 2024[](#march-4-2024 "Direct link to March 4, 2024")
####  Platform[](#platform-icon--platform-20 "Direct link to platform-icon--platform-20")
* **GitHub and GitHub Enterprise integration**: the integration settings have been updated with actions to easily configure write permissions essential for [Honeytoken deployment jobs](/honeytoken/deploy-honeytokens/deployment-jobs)
. Learn more with our documentation for [GitHub](/platform/monitor-perimeter/vcs-integrations/github#grant-code-write-permissions-with-the-gitguardianwrite-github-app)
or [GitHub Enterprise](/platform/monitor-perimeter/vcs-integrations/github-enterprise#grant-gitguardian-code-write-permissions)
.
* **Incidents**: tags are exposed in the [**All occurrences** CSV report](/secrets-detection/tracking-performance/export-data)
.
####  Bug fixes[](#bugs-icon--bug-fixes-23 "Direct link to bugs-icon--bug-fixes-23")
* **GitLab integration**:
* fix an issue where the GitLab instance URL was incorrectly displayed instead of the GitLab token name.
* remove the "Check Again" button from the health check for users on the Free plan.
### February 26, 2024[](#february-26-2024 "Direct link to February 26, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-26 "Direct link to secrets-icon--secrets-detection-26")
* **Jira Cloud integration**: Jira Cloud integration is now supported for real-time secret detection and honeytoken detection.
* **Secret SLAs**: add the "First detected" date in incidents details and the associated filter in the Secret incident dashboard.
### February 19, 2024[](#february-19-2024 "Direct link to February 19, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-27 "Direct link to secrets-icon--secrets-detection-27")
* **Secrets detection engine**: upgrade to version 2.106 with the improvement of 3 detectors ([Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
, [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
, [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
).
####  Honeytoken[](#honeytoken-icon--honeytoken-1 "Direct link to honeytoken-icon--honeytoken-1")
* **Honeytoken deployment jobs**: automate the deployment of honeytokens in your code repositories from GitLab, GitHub and GitHub Enterprise! This is a business-only feature. Read more about Deployment jobs in [our documentation](/honeytoken/deploy-honeytokens/deployment-jobs)
.
### February 13, 2024[](#february-13-2024 "Direct link to February 13, 2024")
####  Platform[](#platform-icon--platform-21 "Direct link to platform-icon--platform-21")
* **Check runs**: improve causes of errors transparency and timeouts in the check run summary.
####  IaC[](#iac-icon--iac "Direct link to iac-icon--iac")
* **IaC Security**: shifting left metrics available in IaC analytics to demonstrate the impact of ggshield’s use in CI.
####  Bug fixes[](#bugs-icon--bug-fixes-24 "Direct link to bugs-icon--bug-fixes-24")
* **Bitbucket Data Center integration**: correct failure message and re-check button when the Bitbucket integration stops working.
* **Historical scan**: fix an issue with missing audit logs for historical scans.
* **GitHub integration**: performance improvement when a lot of repositories are added at the same time.
### February 6, 2024[](#february-6-2024 "Direct link to February 6, 2024")
####  Bug fixes[](#bugs-icon--bug-fixes-25 "Direct link to bugs-icon--bug-fixes-25")
* **Bitbucket integration:**
* fix an issue which revoke the access token when the project only has read permission.
* syncing installs with a new token now correctly retains projects linked to the old token, preventing unintended deletion of all projects.
### January 29, 2024[](#january-29-2024 "Direct link to January 29, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-28 "Direct link to secrets-icon--secrets-detection-28")
* **Secrets detection engine**: upgrade to version 2.105 with the addition of 1 new detector ([Square Token](/secrets-detection/secrets-detection-engine/detectors/specifics/square_token)
).
####  Platform[](#platform-icon--platform-22 "Direct link to platform-icon--platform-22")
* **Incidents**: exporting CSV secret incidents now allows changing the separator used, comma (default) or tab. More details in the [Export data](/secrets-detection/tracking-performance/export-data#csv-report)
section of the documentation.
* **Check runs**: the incident status is displayed in the GitHub check run details.
### January 22, 2024[](#january-22-2024 "Direct link to January 22, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-29 "Direct link to secrets-icon--secrets-detection-29")
* **Secrets detection engine**: upgrade to version 2.104 with the addition of 2 new detectors ([Bunny.net API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/bunny_net_api_key)
, [Hugging Face user access token](/secrets-detection/secrets-detection-engine/detectors/specifics/hugging_face_user_access_token)
) and the improvement of 4 detectors ([Beamer API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/beamer_apikey)
, [NuGet API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/nuget_api_key)
, [Paypal OAuth2 Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/paypal_oauth2_keys)
, [Twitter Tokens](/secrets-detection/secrets-detection-engine/detectors/specifics/twitter_access_keys)
).
* **Secrets detection**: for a better recall experience, all detectors are now activated by default on every new workspace and on existing workspaces under the Free plan. 3 detectors used to be deactivated by default: [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
, [Username password](/secrets-detection/secrets-detection-engine/detectors/generics/username_password)
and [Base64 Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/base64_generic_high_entropy_secret)
.
####  Platform[](#platform-icon--platform-23 "Direct link to platform-icon--platform-23")
* **SSO**: the option 'Force SSO' applies to owners as well when enabled. More details in the [Force SSO](/platform/enterprise-administration/saml-sso-configuration#force-sso)
section of the documentation.
* **Azure repos integration**: improvement of the billing metrics. You now must check the `Graph:Read` scope in your Personal Access Token. More information in our [VCS integrations documentation](/platform/monitor-perimeter/vcs-integrations/azure-repos#create-a-personal-access-token)
.
####  Bug fixes[](#bugs-icon--bug-fixes-26 "Direct link to bugs-icon--bug-fixes-26")
* **GitHub integration**: disable repositories are now marked as such when searching GitHub integrations.
* **GitLab integration (group hooks)**: we now detect and notify by email and raise a healthcheck error when a GitLab group hook was disabled by GitLab, causing the monitoring not to work anymore.
### January 15, 2024[](#january-15-2024 "Direct link to January 15, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-30 "Direct link to secrets-icon--secrets-detection-30")
* **Secrets detection engine**: upgrade to version 2.103 with the addition of 4 new detectors ([CircleCI Project Token](/secrets-detection/secrets-detection-engine/detectors/specifics/circleci_project_token)
, [Claude API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/claude_api_key)
, [Grafana Service Account Token With Host](/secrets-detection/secrets-detection-engine/detectors/specifics/grafana_service_account_token_with_host)
, [Klaviyo API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/klaviyo_api_key)
) and the improvement of 4 detectors ([CircleCI Personal Token](/secrets-detection/secrets-detection-engine/detectors/specifics/circleci_personal_token)
, [Django Secret Key](/secrets-detection/secrets-detection-engine/detectors/specifics/django_secret_key)
, [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
, [Heroku Platform Key](/secrets-detection/secrets-detection-engine/detectors/specifics/heroku_platform_key)
).
### January 9, 2024[](#january-9-2024 "Direct link to January 9, 2024")
####  Secrets Detection[](#secrets-icon--secrets-detection-31 "Direct link to secrets-icon--secrets-detection-31")
* **Slack integration**: [Slack integration](/platform/monitor-perimeter/messaging-integrations/slack)
is now supported for real-time secret detection and honeytoken detection.
* **Incident details**: update of the default remediation workflow.
* **Secret incidents**: addition of 2 new columns (`element_url`, `author_name`) in the CSV report of secret occurrences to support other data sources.
* **API**: addition of `hsml_hash` in the payload of [secret incidents](https://api.gitguardian.com/docs#operation/list-incidents)
. The `hsml_hash` is used to discover the potential public leaks of your secrets using [**Has My Secret Leaked**](/ggshield-docs/reference/hmsl/overview)
.
####  IaC[](#iac-icon--iac-1 "Direct link to iac-icon--iac-1")
* **IaC Security**: addition of a new tag named `Ignored using ggshield` to highlight incidents ignored using ggshield.
* **IaC Security**: addition of a new playbook for auto ignoring incidents that are ignored using ggshield. This is a Business-only feature and can be deactivated.
####  Platform[](#platform-icon--platform-24 "Direct link to platform-icon--platform-24")
* **Check runs**: the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
* **Custom detectors**: improve error messages for invalid regex when requesting a custom detector.
####  Bug fixes[](#bugs-icon--bug-fixes-27 "Direct link to bugs-icon--bug-fixes-27")
* **GitLab integration**: fix an issue where revoked tokens weren't detected as such if not actively used by a configured GitLab group.
* **Force SSO activation**: fix an issue where authentication page “Force SSO Toggle” enabled “By default to all incident team” toggle as well.
### December 11, 2023[](#december-11-2023 "Direct link to December 11, 2023")
####  Secrets Detection[](#secrets-icon--secrets-detection-32 "Direct link to secrets-icon--secrets-detection-32")
* **Secrets detection engine**: upgrade to version 2.102 with the addition of 8 new detectors ([Base64 AWS IAM Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/base64_aws_iam)
, [Base64 AWS SES Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/base64_aws_iam)
, [Readme API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/readme_apikey)
, [Tailscale API key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_api_key)
, [Tailscale oauth key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_oauth_key)
, [Tailscale pre-auth key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_pre_auth_key)
, [Tailscale SCIM key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_scim_key)
, [Tailscale webhook key](/secrets-detection/secrets-detection-engine/detectors/specifics/tailscale_webhook_key)
) and the improvement of 1 detector ([Vercel API Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/vercel_api_access_token)
).
####  IaC[](#iac-icon--iac-2 "Direct link to iac-icon--iac-2")
* **IaC Security**: Azure Repos integration is now supported for monitoring your IaC misconfigurations.
### November 27, 2023[](#november-27-2023 "Direct link to November 27, 2023")
#### Features[](#features "Direct link to Features")
* **Azure Repos integration**: the monitoring of your Azure Repos repositories is now done in real-time. Refer to [the documentation](/platform/monitor-perimeter/vcs-integrations/azure-repos)
for more details.
* **Filters**: a new way of filtering pages, more streamlined and intuitive.
* **Jira Cloud integration**: jira issues can now be created without assigning them to anyone.
* **Source criticality**: a new parameter at the source level to help users prioritize their Secret, SCA, and IaC incidents. Refer to [the documentation](/platform/monitor-perimeter/monitored-perimeter#source-criticality)
for more details.
* **SCA & IaC grant access**: access can now be granted to Members on specific SCA and IaC incidents.
* **IP allow-listing for Honeytoken**: it is now possible to add IP ranges to an allow-list, ensuring events from these IPs won’t trigger the honeytokens. Learn more about [IP rules](/honeytoken/understand-events#using-ip-rules-to-enrich-and-manage-events)
.
* **Secrets detection engine**: upgrade to version 2.101 with the addition of 1 new detector ([Airtable API Key v2](/secrets-detection/secrets-detection-engine/detectors/specifics/airtable_apikey)
) and the improvement of 4 detectors ([Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
, [New Relic API Service Key](/secrets-detection/secrets-detection-engine/detectors/specifics/newrelic_api_service_key)
, [GitLab Enterprise Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_enterprise_token)
, [GitHub App Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/github_app_keys)
).
#### Bug fixes[](#bug-fixes "Direct link to Bug fixes")
* **API**: fix `/secret_detectors`[endpoint](https://api.gitguardian.com/docs#operation/list-secret-detectors)
to filter out detectors that have been administratively disabled by GitGuardian.
### November 15, 2023[](#november-15-2023 "Direct link to November 15, 2023")
#### Features[](#features-1 "Direct link to Features")
* **Incident details**: listing of places where secrets have been publicly leaked.
* **Secrets detection engine**: upgrade to version 2.100 with the addition of 2 new detectors ([Sourcegraph Token](/secrets-detection/secrets-detection-engine/detectors/specifics/sourcegraph_token)
, [Cohere API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/cohere_apikey)
) and the improvement of 2 detectors ([Jira Token](/secrets-detection/secrets-detection-engine/detectors/specifics/jira_token)
, [Atlassian Oauth2 Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/atlassian_oauth2)
).
#### Bug fixes[](#bug-fixes-1 "Direct link to Bug fixes")
* **GitHub integration: handling of GitHub app ownership transfer**: It is now possible to change ownership without deleting the self-hosted application.
* **Incidents: filtered results in CSV export**: CSV export keeps the filters applied.
* **GitHub integration**: improvement of checkruns to support the GitHub Merge Queue feature.
### October 30, 2023[](#october-30-2023 "Direct link to October 30, 2023")
#### Features[](#features-2 "Direct link to Features")
* **IaC Security**: introduction of a new "Source Criticality" field and filter to help prioritization of IaC incidents (for IaC beta testers only). Note that the Source Criticality must first be defined in the Perimeter page.
* **Teams**: users can now filter the incidents and the perimeter pages based on their teams. Managers have the flexibility to filter any team, while Members can only filter their own teams.
* **Secrets detection engine**: upgrade to version 2.99.1 with the addition of 2 new detectors ([Google Bard](/secrets-detection/secrets-detection-engine/detectors/specifics/google_bard_api_key)
, [Webflow API token](/secrets-detection/secrets-detection-engine/detectors/specifics/webflow_api_token)
) and the improvement of 4 detectors ([Microsoft Azure Storage Account key](/secrets-detection/secrets-detection-engine/detectors/specifics/microsoft_azure_storage_account_key)
, [SSH credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/ssh_credentials)
, [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
, [Generic password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
).
#### Bug fixes[](#bug-fixes-2 "Direct link to Bug fixes")
* **Azure repos integration**: installation status now persistently remains until completed during user navigation.
* **Azure repos integration**: removing a token no longer causes a crash in other installation.
* **Bitbucket Data Center integration**: prevents connection errors from revoking a Bitbucket token, letting instances go through maintenance without needing to re-enter their token afterwards.
### October 16, 2023[](#october-16-2023 "Direct link to October 16, 2023")
#### Features[](#features-3 "Direct link to Features")
* **Incident details**: git patches of occurrences can now have restricted visibility to only the teams and developers involved with the occurrence, thanks to a [workspace setting](/platform/enterprise-administration/workspace-settings)
.
* **Incident details**: if the git patch of an occurrence is too large, a link to the Version Control System is displayed instead.
* **API**: [New endpoint](https://api.gitguardian.com/docs#operation/list-team-incidents)
to retrieve secret incidents of a team.
* **IaC Security**: introduction of new remediation analytics accessible on the platform (for IaC beta testers only).
* **ggshield**: ggshield auth login flow now asks you to confirm scopes.
#### Bug fixes[](#bug-fixes-3 "Direct link to Bug fixes")
* **Teams**: fix a bug that caused incidents belonging to an unmonitored repository to still be visible to the team.
### October 3, 2023[](#october-3-2023 "Direct link to October 3, 2023")
#### Features[](#features-4 "Direct link to Features")
* **Historical scan**: addition of some details in the status tooltip, including scan duration and number of commits and branches scanned. For failed scans, the tooltip now also displays the reason for the failure.
* **API**: a rate limiting is now applied. Refer to [our documentation](/api-docs/usage-and-quotas)
for more details.
* **Secrets detection engine**: upgrade to version 2.98 with the addition of four new detectors ([Aiven](/secrets-detection/secrets-detection-engine/detectors/specifics/aiven_api_key)
, [Infracost API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/infracost_api_key)
, [Rollbar API Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/rollbar_api_token)
, [Vercel API](/secrets-detection/secrets-detection-engine/detectors/specifics/vercel_api_access_token)
) and the improvement of 2 detectors ([Okta Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/okta_keys)
, [Username Password](/secrets-detection/secrets-detection-engine/detectors/generics/username_password)
).
### September 28, 2023[](#september-28-2023 "Direct link to September 28, 2023")
#### Features[](#features-5 "Direct link to Features")
* **Incidents**: addition of the `Publicly leaked` tag to secret incidents that have been leaked outside of your perimeter on public GitHub. Refer to [our documentation](/secrets-detection/remediate/investigate-incidents)
for more details.
### September 21, 2023[](#september-21-2023 "Direct link to September 21, 2023")
#### Features[](#features-6 "Direct link to Features")
* **Incident details**: a limit of 1000 occurrences per incident is now in place.
* **Onboarding**: addition of links redirecting to the `Get Started` page in the notifications when the first scan is complete.
* **Secrets detection engine**: upgrade to version 2.97.
* **Alerting integrations**: alerting integrations are now available at team level. More information in our [teams documentation](/platform/collaboration-and-sharing/teams)
.
#### Bug fixes[](#bug-fixes-4 "Direct link to Bug fixes")
* **Check runs**: fix neutral check runs being created on workspaces with check runs disabled.
* **Notifications**: fix Linkedin link in email footer.
### September 4, 2023[](#september-4-2023 "Direct link to September 4, 2023")
#### Bug fixes[](#bug-fixes-5 "Direct link to Bug fixes")
* **Custom detectors**: update the message when a custom detector request cannot be edited due to its current status.
* **Incident details**: fix a bug causing the absence of an expiration date on public share links generated by the Auto-healing playbook.
* **Health check**: prevent UI from crashing on unknown Health check error code.
* **API**: fix timeout issues on the `/occurrences/secrets` endpoint when using a date filter.
* **SSO**: fix conflict happening when signing up via SSO while having a pending invitation.
### August 22, 2023[](#august-22-2023 "Direct link to August 22, 2023")
#### Features[](#features-7 "Direct link to Features")
* **IaC Security**: addition of a waiting list for joining the IaC beta program.
* **IaC Security**: introduction of monitoring and remediation IaC features on GitGuardian's platform.
* **IaC Security**: introduction of new ggshield pre-commit, pre-push, pre-receive and ci IaC subcommands.
* **Secrets detection engine**: upgrade to version 2.96 with the addition of two new detectors ([Generic Terraform Variable Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_terraform_variable)
, [CARTO API Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/carto_jwt)
) and the improvement of 2 detectors ([Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
, [Base64 Basic Authentication](/secrets-detection/secrets-detection-engine/detectors/generics/base64_basic_auth)
).
### August 7, 2023[](#august-7-2023 "Direct link to August 7, 2023")
#### Features[](#features-8 "Direct link to Features")
* **Incidents**: addition of a waiting list for the upcoming feature of secret detection in data sources other than VCS.
* **Incident details**: the public sharing is now a [workspace setting](/platform/enterprise-administration/workspace-settings)
.
* **Secrets detection engine**: upgrade to version 2.95 with the addition of two new detectors ([Databricks Authentication Token With Hostname](/secrets-detection/secrets-detection-engine/detectors/specifics/databricks_token_with_hostname)
, [Hashicorp Vault Token](/secrets-detection/secrets-detection-engine/detectors/specifics/hashicorp_vault_token)
).
#### Bug fixes[](#bug-fixes-6 "Direct link to Bug fixes")
* **Incidents**: fix the sorting of incidents by severity when some severities are automatically set.
* **Incidents**: fix wrong occurrence count on incident page.
* **Incidents**: the tooltip displaying the sources is now displayed correctly.
* **Custom webhook**: fix duplicate notifications being sent when setting incident severity using a bulk action.
* **API**: fix invalid link in personal access token expiration email notification.
### July 25, 2023[](#july-25-2023 "Direct link to July 25, 2023")
#### Bug fixes[](#bug-fixes-7 "Direct link to Bug fixes")
* **Custom webhook**: fix notifications for when a bulk action is performed. Previously, only one notification would be sent for the first incident affected by the bulk action. However, now notifications are sent for each incident that is modified by the bulk action.
### July 24, 2023[](#july-24-2023 "Direct link to July 24, 2023")
#### Features[](#features-9 "Direct link to Features")
* **Incident details**: the public sharing toggle has been moved to the "Grant access" modal, which has been renamed to the "Share" modal. For a more detailed explanation, please refer to our [collaboration and sharing documentation](/platform/collaboration-and-sharing/incident-permissions-and-sharing)
.
* **Incidents**: add an explanation tooltip to the "Default branch" tag.
* **Integrations**: modification of the Integrations and Settings/Integrations pages.
* **Secrets detection engine**: upgrade to version 2.94 with the addition of four new detectors ([Azure Active Directory API Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/azure_active_directory_api_keys)
, [Docusign API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/docusign_api_key)
, [Pinecone API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/pinecone_api_key)
, [Pinecone API Key and environment](/secrets-detection/secrets-detection-engine/detectors/specifics/pinecone_api_keys)
) and the improvement of two detectors ([Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
, [Coveralls Personal Token](/secrets-detection/secrets-detection-engine/detectors/specifics/coveralls_personal_token)
).
#### Bug fixes[](#bug-fixes-8 "Direct link to Bug fixes")
* **Personal access tokens**: personal access tokens can now be searched by name, and ordering by name now works correctly.
### July 10, 2023[](#july-10-2023 "Direct link to July 10, 2023")
#### Features[](#features-10 "Direct link to Features")
* **Incident details**: filters have been added to the occurrences table.
* **Honeytokens**: addition of country flag next to the IP address in the events table.
* **Honeytokens**: new IP tagging feature: it is now possible to create custom rules to assign tags to honeytoken events based on their IP address. Use this to recognize events originating from known IP addresses, such as those internal to your organization. For more information, check out the documentation [here](/honeytoken/understand-events#using-ip-rules-to-enrich-and-manage-events)
.
* **API**: new [endpoints](https://api.gitguardian.com/docs#tag/Labels)
to manage labels for honeytokens.
* **Secrets detection engine**: upgrade to version 2.93 with some detection improvements.
#### Bug fixes[](#bug-fixes-9 "Direct link to Bug fixes")
* **API**: fix an error preventing the [creation of an invitation](https://api.gitguardian.com/docs#operation/create-invitations)
when the role was not specified.
#### Deprecation[](#deprecation "Direct link to Deprecation")
* **Custom webhook v1**: the feature has been replaced by the event-based custom webhooks. More information in the documentation [here](https://docs.gitguardian.com/platform/monitor-perimeter/notifiers-integrations/custom-webhook)
.
### June 26, 2023[](#june-26-2023 "Direct link to June 26, 2023")
#### Features[](#features-11 "Direct link to Features")
* **Incidents**: addition of the `Default branch` tag to secret incidents that occurred on the default git branch of a repository.
* **Secrets detection engine**: upgrade to version 2.92 with the addition of two new detectors ([AWS SES Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/aws_ses_keys)
, [Forest Admin API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/forestadmin_api_key)
) and the improvement of six detectors ([Atlassian Oauth2 Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/atlassian_oauth2)
, [Contentful Content Delivery API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/contentful_content_delivery_apikey)
, [Etsy Developer Key](/secrets-detection/secrets-detection-engine/detectors/specifics/etsy_developer_key)
, [GitLab Token](/secrets-detection/secrets-detection-engine/detectors/specifics/gitlab_token)
, [HubSpot API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/hubspot_apikey)
, [MS Team webhook](/secrets-detection/secrets-detection-engine/detectors/specifics/outlook_team_webhook)
).
* **API**: managers of workspaces under the Business plan can now enforce a maximum lifetime for personal access tokens generated on their workspace.
#### Bug fixes[](#bug-fixes-10 "Direct link to Bug fixes")
* **PagerDuty Integration**: title update in PagerDuty incidents to eliminate confusion regarding the number of occurrences.
### June 12, 2023[](#june-12-2023 "Direct link to June 12, 2023")
#### Features[](#features-12 "Direct link to Features")
* **Incident details**: feedback about the incident can now be submitted in a standardized way through a form that is available on the incident's page. Refer to [this page](/secrets-detection/remediate/remediate-incidents)
for more information on how to use this form effectively and involve your developer population during the remediation process.
* **Incidents**: addition of new filter to select the incidents that are publicly shared.
* **Teams**: team owners with the Member role can now invite brand new users to the workspace when adding teammates to their team. This is a Business-only feature and can be deactivated. For more details, please refer to [this page](/platform/enterprise-administration/workspace-settings)
.
* **Grant access**: users with `Full access` incident permissions can now invite brand new users to the workspace when granting access to an incident. This is a Business-only feature and can be deactivated. For more details, please refer to [this page](/platform/enterprise-administration/workspace-settings)
.
* **Honeytoken**: a new button "How to test your honeytoken" has been added to make it easier to test the trigger and alerting mechanism.
* **Honeytoken**: clicking on the honeytoken `Publicly exposed` tag now opens a modal that shows all the public commits where the honeytoken was discovered by GitGuardian.
* **Honeytoken**: it is now possible to filter events based on their tags (AWS internal, GitGuardian Public Monitoring IP).
* **Honeytoken**: it is now possible to manage labels from the Honeytoken settings page.
* **Secrets detection engine**: upgrade to version 2.91 with the addition of two new detectors ([Tableau Personal Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/tableau_pat)
, [Yelp API key](/secrets-detection/secrets-detection-engine/detectors/specifics/yelp_api_key)
) and the improvement of two detectors ([GitHub Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token)
, [OpenAI API Key](/secrets-detection/secrets-detection-engine/detectors/specifics/openai_apikey)
).
#### Bug fixes[](#bug-fixes-11 "Direct link to Bug fixes")
* **Teams**: fix a bug that prevented invitees, who already had a GitGuardian workspace, from being added to the expected teams when they accepted an invitation.
* **Emails**: button URLs are now hardcoded to prevent a bad user experience when the button is not visible due to HTML-escaping by email providers.
### May 30, 2023[](#may-30-2023 "Direct link to May 30, 2023")
#### Features[](#features-13 "Direct link to Features")
* **Custom severity rules**: new option to recompute severity scoring manually.
* **Secrets detection engine**: upgrade to version 2.90 with the addition of two new detectors ([Palantir JWT](/secrets-detection/secrets-detection-engine/detectors/specifics/palantir_jwt)
, [Figma Personal Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/figma_personal_access_token)
) and the improvement of one detector ([LDAP credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/ldap_credentials)
).
* **Honeytoken:** “Created at” column has been added to the honeytoken list, and it is now possible to sort on this property.
* **Honeytoken:** honeytokens can now be searched by ID.
* **Honeytoken:** an email notification is sent when a honeytoken is found to be publicly exposed.
* **API:** labels are added to honeytoken [endpoints](https://api.gitguardian.com/docs#operation/list-honeytoken)
.
#### Bug fixes[](#bug-fixes-12 "Direct link to Bug fixes")
* **ggshield**: fix a redirection issue upon usage of `ggshield auth login`.
### May 15, 2023[](#may-15-2023 "Direct link to May 15, 2023")
#### Features[](#features-14 "Direct link to Features")
* **Custom severity rules**: the severity ruleset used by the automated severity scoring is now customizable to maximize the coverage of automatically scored incidents.
* **Automated severity scoring**: automated severity scoring is now activated by default for all workspaces under the Free plan.
#### Bug Fixes[](#bug-fixes-13 "Direct link to Bug Fixes")
* **Authentication**: fix broken email confirmation link when registering with email and password.
* **User signup**: fix user signup email verification link.
### May 2, 2023[](#may-2-2023 "Direct link to May 2, 2023")
#### Features[](#features-15 "Direct link to Features")
* **Automated severity scoring**: automated severity scoring is now activated by default for new workspaces.
* **API**: secret detectors are now exposed in the [API](https://api.gitguardian.com/docs#operation/list-secret-detectors)
* **Secrets detection engine**: upgrade to version 2.89 with the addition of five new detectors: [Azure Cosmos DB Credentials](/secrets-detection/secrets-detection-engine/detectors/specifics/azure_cosmosdb_credentials)
, [Redis Server Password](/secrets-detection/secrets-detection-engine/detectors/specifics/redis_server_password)
, [DigitalOcean Refresh Token](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_refresh_token_v1)
, [DigitalOcean OAuth Application Token](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_oauth_application_token_v1)
and [DigitalOcean Personal Access Token](/secrets-detection/secrets-detection-engine/detectors/specifics/digitalocean_personal_token_v1)
.
#### Bug fixes[](#bug-fixes-14 "Direct link to Bug fixes")
* **Custom severity rule**: fix wrong timeline when setting a manual severity to an incident having only an automatic severity.
* **Grant access**: copy-pasting now works correctly.
### April 17, 2023[](#april-17-2023 "Direct link to April 17, 2023")
#### Features[](#features-16 "Direct link to Features")
* **Incidents**: filepaths can now be searched in the free text search of the secret incidents table.
* **Secrets detection engine**: upgrade to version 2.88 with the addition of two new detectors: [Cloudinary API keys](/secrets-detection/secrets-detection-engine/detectors/specifics/cloudinary_api_keys)
and [MongoDB Atlas Keys](/secrets-detection/secrets-detection-engine/detectors/specifics/mongodb_atlas_keys)
.
#### Bug fixes[](#bug-fixes-15 "Direct link to Bug fixes")
* **Incidents**: performance for loading secret incidents has been improved for workspaces with a large number of incidents.
* **Loader**: fix loader size in incident and Perimeter pages.
* **API**: comment field is now required on [incident note creation endpoint](https://api.gitguardian.com/docs#operation/create-incident-note)
.
### April 11, 2023[](#april-11-2023 "Direct link to April 11, 2023")
#### Feature[](#feature "Direct link to Feature")
* **Honeytoken**: introduction of new Honeytoken icon in the sidebar: module is coming soon! Join the waitlist to be notified when it becomes available.
### April 3, 2023[](#april-3-2023 "Direct link to April 3, 2023")
#### Features[](#features-17 "Direct link to Features")
* **Custom remediation workflow**: remediation workflow is now 100% customizable thanks to the deletion of the last static step.
* **Secrets detection engine**: upgrade to version 2.87 with the addition of a new detector (Keycloak Api Keys).
* **API**: [new endpoints](https://api.gitguardian.com/docs#tag/API-Tokens)
are added for API tokens management (personal access tokens and service accounts).
* **API**: new fields `resolver_id` and `ignorer_id` are available into the [secret incident payload](https://api.gitguardian.com/docs#operation/list-incidents)
.
#### Bug fixes[](#bug-fixes-16 "Direct link to Bug fixes")
* **VCS Integrations**: Bitbucket instances can be deleted even if the account is no longer in the Business plan.
* **Detectors list**: when the validity checks are disabled, the detectors are sorted by status.
* **Notifications**: fix empty emails being sent after an occurrence was found during real time scan.
* **Personal access tokens**: `Restricted` users now only see the scan scope in the personal access token form.
### March 20, 2023[](#march-20-2023 "Direct link to March 20, 2023")
#### Bug fixes[](#bug-fixes-17 "Direct link to Bug fixes")
* **Jira integration**: Jira ticket creation CTAs are hidden for workspaces without a single Jira site installed.
* **Jira integration**: fix permission issues by disabling the configure button for users without a `Manager` role and allowing users with the `Restricted` role and `can edit` permissions to create a Jira ticket.
### March 6, 2023[](#march-6-2023 "Direct link to March 6, 2023")
#### Features[](#features-18 "Direct link to Features")
* **Subscription**: New and existing users can subscribe to a Business plan via the AWS Marketplace.
#### Bug fixes[](#bug-fixes-18 "Direct link to Bug fixes")
* **Members**: fix invitation link for new members.
### February 20, 2023[](#february-20-2023 "Direct link to February 20, 2023")
#### Bug fixes[](#bug-fixes-19 "Direct link to Bug fixes")
* **ggshield**: `ggshield auth login` flow now expires after 5 minutes.
* **Incidents**: performances when filtering incidents on a detector are improved.
* **VCS integrations**: fix broken links to documentation.
### February 15, 2023[](#february-15-2023 "Direct link to February 15, 2023")
#### Features[](#features-19 "Direct link to Features")
* **Automated severity scoring**: incident severity can now be scored and assigned automatically.
### February 6, 2023[](#february-6-2023 "Direct link to February 6, 2023")
#### Features[](#features-20 "Direct link to Features")
* **Azure Repos**: addition of a loader and notifications when an organization is being installed.
* **API**: add filters to multiple endpoints
#### Bug fixes[](#bug-fixes-20 "Direct link to Bug fixes")
* **GitHub**: fix the integration of a GitHub installation with a large number of repositories.
* **Incidents**: fix performance issue when filtering on detectors.
* **GitHub**: fix check-runs running forever by enforcing a timeout.
### January 23, 2023[](#january-23-2023 "Direct link to January 23, 2023")
#### Features[](#features-21 "Direct link to Features")
* **Alerting integration**: introduction of the new Jira integration. More information available in [the documentation](/platform/monitor-perimeter/issue-tracking-integrations/jira-cloud)
.
* **API**: Specify missing scopes in error message when the API token being used doesn't include the appropriate scopes.
### January 10, 2023[](#january-10-2023 "Direct link to January 10, 2023")
#### Features[](#features-22 "Direct link to Features")
* **Azure Repos**: Azure Repos integration is now available. You can scan your Azure Repos repositories for secrets detection.
### January 9, 2023[](#january-9-2023 "Direct link to January 9, 2023")
#### Features[](#features-23 "Direct link to Features")
* **IaC**: add analytics page to monitor IaC scanning usage (beta).
* **Perimeter**: improve display of the historical scan's last status information.
#### Bug fixes[](#bug-fixes-21 "Direct link to Bug fixes")
* **Members**: Restricted users can now be promoted without requiring to add them in a team.
### December 21, 2022[](#december-21-2022 "Direct link to December 21, 2022")
#### Features[](#features-24 "Direct link to Features")
* **Custom Remediation Workflow**: Remediation workflow can now be customized in the settings.
### December 15, 2022[](#december-15-2022 "Direct link to December 15, 2022")
#### Features[](#features-25 "Direct link to Features")
* **VCS integrations**: workspaces with less than 25 contributing developers can now monitor their private collaborative repositories for free.
* **SSO**: SSO configuration is enabled for all plans (free and business).
### December 13, 2022[](#december-13-2022 "Direct link to December 13, 2022")
#### Features[](#features-26 "Direct link to Features")
* **Custom webhook**: addition of the new event-based custom webhook integration.
* **Teams**: addition of a description field for your teams.
* **Teams**: the "all-incidents" team is now visible in the members table.
#### Bug fixes[](#bug-fixes-22 "Direct link to Bug fixes")
* **SSO**: fix "sign in" redirection for SSO connection.
### November 28, 2022[](#november-28-2022 "Direct link to November 28, 2022")
#### Features[](#features-27 "Direct link to Features")
* **API**: expose `external_id` representing the VCS id of a source in API `source` payload.
* **Historical scan**: increase the maximum size of the historical scan from 1GB to 12GB for Business workspaces.
#### Bug fixes[](#bug-fixes-23 "Direct link to Bug fixes")
* **Historical scan**: reduce errors during scans of large repositories.
* **Members**: fix the sorting when navigating through pages.
### November 15, 2022[](#november-15-2022 "Direct link to November 15, 2022")
#### Features[](#features-28 "Direct link to Features")
* **Historical scan**: new email template for historical scan report.
#### Bug fixes[](#bug-fixes-24 "Direct link to Bug fixes")
* **GitLab integration**: handle timeout errors when setting up a new instance.
* **Playbooks**: fix incorrect default permission `can view` applied with auto-access playbook instead of correct `can edit`.
* **Filepath exclusions**: ignore hidden occurrences in the auto-access playbook and notifications.
* **Custom webhooks**: fix incorrect event names.
### November 3, 2022[](#november-3-2022 "Direct link to November 3, 2022")
#### Features[](#features-29 "Direct link to Features")
* **Azure Repos**: introducing Azure Repos integration. This feature is available in beta upon request.
* **Custom webhooks**: update the `action` field with more user-friendly messages.
* **Perimeter page**: update the information displayed in the Protection section.
* **Analytics**: addition of all the ggshields modes to the Analytics section.
#### Bug fixes[](#bug-fixes-25 "Direct link to Bug fixes")
* **Check runs**: when deactivating a check run, finish the processing if it was already in progress.
* **Custom webhook**: remove `matches` from webhooks' new occurrence.
### October 17, 2022[](#october-17-2022 "Direct link to October 17, 2022")
#### Features[](#features-30 "Direct link to Features")
* **Teams**: introducing team management within a workspace and granular incident permissions (`can view`, `can edit`, `full access`) for business workspaces.
* **Playbooks**: new Auto-resolution playbook to automatically close incidents that have once been valid and that become invalid.
* **Share link**: prevent valid secrets from being "marked as revoked" in the public sharing page of a secret incident.
#### Bug fixes[](#bug-fixes-26 "Direct link to Bug fixes")
* **GitHub**: fix display latency observed for big GitHub organizations.
* **Settings**: fix start trial links not redirecting to correct page.
### October 3, 2022[](#october-3-2022 "Direct link to October 3, 2022")
#### Features[](#features-31 "Direct link to Features")
* **Incidents**: selection is maintained after a bulk action.
* **API**: add an ordering filter on the `/incidents/secrets` list endpoint.
### September 21, 2022[](#september-21-2022 "Direct link to September 21, 2022")
#### Bug fixes[](#bug-fixes-27 "Direct link to Bug fixes")
* **Custom webhook**: Fix `assign` action that was replaced by `reassign`.
* **Incidents**: Provide a more user-friendly error message when a bulk action can't be applied to the selected incidents.
### September 8, 2022[](#september-8-2022 "Direct link to September 8, 2022")
#### Features[](#features-32 "Direct link to Features")
* **Custom webhook**: New Member payload for the Grant/Remove access action.
* **Members**: Notification is sent to users who are removed from a Workspace.
#### Bug fixes[](#bug-fixes-28 "Direct link to Bug fixes")
* **Custom webhook**: Remove the resolve\_reason field from all payloads.
### August 22, 2022[](#august-22-2022 "Direct link to August 22, 2022")
#### Features[](#features-33 "Direct link to Features")
* **API**: enrich Members section with retrieve and delete endpoints.
#### Bug fixes[](#bug-fixes-29 "Direct link to Bug fixes")
* **Incident details**: Searching GitHub pull requests associated with an issue can be performed on a specific #ID and repository name.
* **GitHub**: do not display "scan integrated repositories" modal if autoscan is on.
### August 9, 2022[](#august-9-2022 "Direct link to August 9, 2022")
#### Features[](#features-34 "Direct link to Features")
* **API**: handle invitations on grant/revoke access endpoints.
* **API**: addition of a filter by role and a search on name and email for the `/members` endpoint.
#### Bug fixes[](#bug-fixes-30 "Direct link to Bug fixes")
* **Incident**: secrets with validity status "failed to check" are no longer checked automatically after they have been marked as resolved.
* **Incident**: the button to manually check the presence in git history remains when the incident is closed.
* **Incidents**: Fix icon for the 'info' severity badge.
### July 27, 2022[](#july-27-2022 "Direct link to July 27, 2022")
#### Features[](#features-35 "Direct link to Features")
* **GDPR**: closing the banner now automatically rejects the consent and the consent is stored for 6 months.
* **Incidents**: include unaffected count for bulk actions.
* **API**: add filters to the audit log list endpoint.
#### Bug fixes[](#bug-fixes-31 "Direct link to Bug fixes")
* **Custom webhooks**: fix the webhook event based signature.
* **GitLab integration**: allow gitlab installation deletion when your business trial expired.
* **GitLab integration**: keep unmonitored projects unmonitored.
* **API**: API respects the validity checks setting ON/OFF.
### July 11, 2022[](#july-11-2022 "Direct link to July 11, 2022")
#### Features[](#features-36 "Direct link to Features")
* **API**: add an endpoint to fetch the audit logs. API key needs to have the new `audit_logs:read` scope to query the endpoint.
* **API**: tags are exposed in the incidents endpoint.
* **CSV**: tags are exposed in the csv report of secrets incidents.
* **Perimeter**: the repository name is now a link to the incidents list filtered on this repository. The link to the VCS is also available as a popup icon.
#### Bug fixes[](#bug-fixes-32 "Direct link to Bug fixes")
* **Perimeter**: fix bug preventing Members to launch historical scans.
#### Deprecation[](#deprecation-1 "Direct link to Deprecation")
* **API**: deprecated `issue_id` in favor of `incident_id` on incident note management endpoints.
### June 27, 2022[](#june-27-2022 "Direct link to June 27, 2022")
#### Features[](#features-37 "Direct link to Features")
* **Alerting**: the custom webhook alerting is now event-based. More information in the [dedicated documentation](/platform/monitor-perimeter/notifiers-integrations/custom-webhook)
.
* **API**: the `/occurrences`[endpoint](https://api.gitguardian.com/docs#operation/list-occs)
can be filtered by `author_name` and `author_info`.
#### Bug fixes[](#bug-fixes-33 "Direct link to Bug fixes")
* **Detectors**: activating and deactivating detectors is now forbidden for Members.
### June 14, 2022[](#june-14-2022 "Direct link to June 14, 2022")
#### Features[](#features-38 "Direct link to Features")
* **Members**: invitations can be resent through the dashboard.
* **API**: add endpoints to manage invitations. API key needs to have the new `members:write` scope to query those endpoints.
* **API**: add endpoint to set severity of a secret incident.
#### Bug fixes[](#bug-fixes-34 "Direct link to Bug fixes")
* **Service account**: fix a permission error allowing all roles to modify service accounts.
* **GitHub**: fix re-run action of old check runs to show an explicit error.
### June 1, 2022[](#june-1-2022 "Direct link to June 1, 2022")
#### Features[](#features-39 "Direct link to Features")
* **ggshield:** setting up ggshield is made easy with the new `ggshield auth login` command. More information in the [dedicated documentation](/ggshield-docs/reference/auth/login)
.
* **Grant access:** notify Restricted users by email when they are granted access to an incident.
* **Members:** notify users by email when their role is updated.
* **CSV**: add `status`, `ignore_reason` and `status_revoked` columns to the CSV export of secret incidents.
* **CSV**: add `occurrence_id` column to CSV export of occurrences.
* **CSV**: return the dates in isoformat.
#### Bug fixes[](#bug-fixes-35 "Direct link to Bug fixes")
* **GitLab**: adding a GitLab project that had been deleted now correctly set it as monitored.
* **Analytics**: pre-receive mode is displayed correctly in the shift-left panel.
#### Deprecation[](#deprecation-2 "Direct link to Deprecation")
* **ggshield:**: since v1.12 of ggshield, `ggshield scan` and `ggshield ignore` commands are deprecated, use `ggshield secret scan` and `ggshield secret ignore` instead.
### May 17, 2022[](#may-17-2022 "Direct link to May 17, 2022")
#### Features[](#features-40 "Direct link to Features")
* **GitHub:** expose base/head branch of GitHub pull requests.
* **Incident:** mark the third remediation step "rewrite git history" as optional.
#### Bug fixes[](#bug-fixes-36 "Direct link to Bug fixes")
* **GitHub:** explicitly neutralize old check runs that are re-run.
* **GitHub:** users with an email address that has a reserved email domain can no longer register via GitHub SSO, but they can still log in if SSO is not forced.
* **Incident:** fix grant access modal broken when too many Restricted users.
### May 2, 2022[](#may-2-2022 "Direct link to May 2, 2022")
#### Features[](#features-41 "Direct link to Features")
* **API:** move the Personal access tokens to the API section.
* **Check runs:** improve success message in GitHub UI.
### April 19, 2022[](#april-19-2022 "Direct link to April 19, 2022")
#### Features[](#features-42 "Direct link to Features")
* **API documentation:** the organization of the API documentation has been reworked for better readability.
#### Bug fixes[](#bug-fixes-37 "Direct link to Bug fixes")
* **Grant Access:** Members in Business workspaces can give access to restricted users but can’t invite new users by typing email addresses.
* **Incident details:** timestamp of last presence check is updated synchronously upon manual check.
* **CSV Export:** disable timeouts.
* **Incidents:** improve performance on the incidents table.
* **Detector:** improve performance of table of detectors for workspaces with many incidents.
### April 4, 2022[](#april-4-2022 "Direct link to April 4, 2022")
#### Features[](#features-43 "Direct link to Features")
* **Incidents list:** display repository state (unmonitored or deleted) on incidents list and incident detail pages.
* **API:** adapt API to be compatible with personal access tokens.
* **Personal access tokens:** Managers can monitor the Personal access tokens created on the workspace in the API section.
#### Bug fixes[](#bug-fixes-38 "Direct link to Bug fixes")
* **Incident detail:** prevent users with role Restricted from sharing externally the incident
* **Historical Scan:** fix a bug leading to automatic historical scans being stuck in “Pending” state
* **Bitbucket Data Center**: Deleting a Bitbucket integration deletes the webhook created on the Bitbucket instance.
### March 23, 2022[](#march-23-2022 "Direct link to March 23, 2022")
#### Features[](#features-44 "Direct link to Features")
* **API:** introduction of a new type of API keys: the Personal Access Tokens.
* **Audit Log:** add audit log for “Service Account”.
* **API:** new endpoint to list workspace members having access to an incident.
* **API**: New pages are now available in the API section: Quota, Service Account and Secrets detection playground.
#### Bug fixes[](#bug-fixes-39 "Direct link to Bug fixes")
* **Check runs**: Enforce the 65K characters limit on check run templates.
* **SSO:** Fix small Okta logo and missing sso name.
* **Secret detectors:** Fix the display of detector logos being sometimes too small.
* **GitLab**: Disallow group hook integration on namespaces that are not in the GitLab premium plan.
### March 7, 2022[](#march-7-2022 "Direct link to March 7, 2022")
#### Features[](#features-45 "Direct link to Features")
* **Bitbucket integration** Bitbucket repositories can now be scanned automatically upon their integration.
#### Bug fixes[](#bug-fixes-40 "Direct link to Bug fixes")
* **Filepath exclusion:** improve performances on the filepath suggestions
### February 21, 2022[](#february-21-2022 "Direct link to February 21, 2022")
#### Features[](#features-46 "Direct link to Features")
* **API:** new endpoint and scope to list members of a workspace
* **API:** new fields exported in the Source payload: health, last\_scan, open\_incidents\_count and closed\_incidents\_count
* **API:** add option to filter sources by health and last scan status
* **Grant access:** ability to invite new Restricted users directly from an incident.
* **GitLab:** GitLab repositories can now be scanned automatically upon their integration.
### February 9, 2022[](#february-9-2022 "Direct link to February 9, 2022")
#### Features[](#features-47 "Direct link to Features")
* **Perimeter:** add filtering capability on last scan status.
* **Detectors:** addition of the number of secret incidents for each detector in the table of detectors.
* **Custom detectors:** add questions in Additional notes placeholder
* **Custom detectors:** Business plan users can now extend GitGuardian's secrets detection engine to support secrets specific to their organization.
* **GitHub check runs**: GitGuardian incidents and GitHub check runs are now linked.
#### Bug fixes[](#bug-fixes-41 "Direct link to Bug fixes")
* **RBAC**: Auto-healing playbook is no longer case sensitive for email matching
### January 24, 2022[](#january-24-2022 "Direct link to January 24, 2022")
#### Features[](#features-48 "Direct link to Features")
* **Members:** added filtering and sorting on the members and invitations tables.
* **Detectors:** display detector type (generic/specific) in the table.
* **Incidents list:** enable bulk actions for Restricted users
* **GitHub:** handle `Organization renamed` event
* **Filepath exclusions**: actions on filepath exclusion are now added to activity logs
#### Bug fixes[](#bug-fixes-42 "Direct link to Bug fixes")
* **Incident detail:** fix horizontal scroll for very long lines in git patch
* **Analytics:** fix bug when switching the aggregate (day/week) in the analytics.
### January 17, 2022[](#january-17-2022 "Direct link to January 17, 2022")
#### Features[](#features-49 "Direct link to Features")
* **Integrations**: sort sources alphabetically by default.
* **Incident detail:** improve the right sidebar scrolling behaviour.
#### Bug fixes[](#bug-fixes-43 "Direct link to Bug fixes")
* **GitHub SSO**: users can link their existing GIM account through the GitHub SSO, unlocking the authentication flow without a configured password.
* **Validity check**: fix bug that could make the validity check less frequent than expected.
* **Presence check**: fix bug that could make the presence check less frequent than expected.
### December 17, 2021[](#december-17-2021 "Direct link to December 17, 2021")
#### Features[](#features-50 "Direct link to Features")
* **API:** add the ability to create, update and delete incident notes.
#### Bug fixes[](#bug-fixes-44 "Direct link to Bug fixes")
* **Bitbucket Data Center**: fix the loader and empty states during various installation steps.
### November 30, 2021[](#november-30-2021 "Direct link to November 30, 2021")
#### Features[](#features-51 "Direct link to Features")
* **Settings:** add the Regression setting. Managers can decide whether a new occurrence of a previously resolved incident reopens it.
#### Bug fixes[](#bug-fixes-45 "Direct link to Bug fixes")
* **Incident detail**: improve performance of issue detail pages when there are a lot of occurrences by paginating them.
* **Analytics:** Display deleted sources in the "Top 5 sources" panel.
* **API:** Return a valid JSON when maintenance mode is active.
### November 14, 2021[](#november-14-2021 "Direct link to November 14, 2021")
#### Features[](#features-52 "Direct link to Features")
* **API** added secret validity information.
* **API:** new scope incident::share.
* **API:** add new endpoints for grant access and revoke access actions.
* **Custom webhook:** added validity and severity to payload.
#### Bug fixes[](#bug-fixes-46 "Direct link to Bug fixes")
* **Analytics:** fix the links to the incident list filtered by detectors.
* **Historical scan:** handle merge commits during historical scan.
* **Incident details:** fix the git patch component not highlighting secrets properly when there was a context before the first hunk header.
### November 3, 2021[](#november-3-2021 "Direct link to November 3, 2021")
#### Features[](#features-53 "Direct link to Features")
* **GitHub:** GitHub repositories can now be scanned automatically upon their integration.
* **GitHub check runs** post a comment in pull request timeline upon detection of a secret.
* **Integration** add links to the Version Control System for each repository.
* **GitLab** implement the token edition token for group hook integration.
* **Historical scanning** implement bulk scan cancellation.
* **Audit log** ability to search audit logs by incident ids and event name.
#### Bug fixes[](#bug-fixes-47 "Direct link to Bug fixes")
* **Incidents** fix activity logs of incidents ignored via API.
* **Navigation** fix backward navigation broken when visiting a page with existing filters persisted in the URL query params.
* **Analytics** fix the "count of secrets per 1000 commits" stat that included secrets for historical scans.
### October 18, 2021[](#october-18-2021 "Direct link to October 18, 2021")
#### Features[](#features-54 "Direct link to Features")
* **GitHub** automatic scan of new repos added on GitHub.
* **API** added severity information in incident payload.
### October 13, 2021[](#october-13-2021 "Direct link to October 13, 2021")
#### Features[](#features-55 "Direct link to Features")
* **RBAC** introduction of the Restricted role and the Auto-access granting playbook.
* **API** new endpoint for the ability to share and unshare an incident.
* **Footer** add footer with detection engine and status page.
* **Detectors** add links to documentation for each detector.
* **GitLab** handle GitLab.com integration with multiple GitLab groups.
* **Audit log** add audit log for check runs setting.
#### Bug fixes[](#bug-fixes-48 "Direct link to Bug fixes")
* **Validity check** backpopulate the uncheckability of old Google keys.
* **Settings** fix Members table pagination reset on change.
### September 20, 2021[](#september-20-2021 "Direct link to September 20, 2021")
#### Features[](#features-56 "Direct link to Features")
* **Incidents**: introduction of validity checks for secret incidents. Ability to trigger the validity check manually.
* **Presence check** add presence information to incidents in the CSV report and the API occurrence payload.
* **GitHub** delete installation dangling for more than 6 months.
#### Bug fixes[](#bug-fixes-49 "Direct link to Bug fixes")
* **Incidents** increase source filter limit to 500.
* **Incidents** fix a performance issue when filtering by presence.
* **Perimeter** fix related incidents count not updated after incident update.
### September 7, 2021[](#september-7-2021 "Direct link to September 7, 2021")
#### Features[](#features-57 "Direct link to Features")
* **Incidents**: introduction of presence checks for secret occurrences. Ability to trigger the presence check manually.
* **API**: new search and filtering capabilities
#### Bug fixes[](#bug-fixes-50 "Direct link to Bug fixes")
* **Historical scan**: Fix pending scans running forever.
### August 11, 2021[](#august-11-2021 "Direct link to August 11, 2021")
#### Features[](#features-58 "Direct link to Features")
* **GitHub Checkruns** allow customization of message and final status (fail or neutral).
* **Integrations** possibility of integrating several GitHub Enterprise instances.
* **Historical scan** Business workspaces now have a dedicated queue for historical scanning.
* **Incidents** handle Bitbucket repositories in search filters.
#### Bug fixes[](#bug-fixes-51 "Direct link to Bug fixes")
* **Authentication** email authentication is no longer case sensitive.
* **Filtering** filtering and ordering of tables are now kept throughout the app.
* **Incidents** quick actions are now propagated immediately.
### July 27, 2021[](#july-27-2021 "Direct link to July 27, 2021")
#### Features[](#features-59 "Direct link to Features")
* **Incidents** Increase source filter search results limit from 10 to 100.
* **GitHub** regularly check that the GitHub App still exists.
* **Share incident** adding TTL (Time To Live) to the share link.
* **Integrations** add docker integration.
#### Bug fixes[](#bug-fixes-52 "Direct link to Bug fixes")
* **Historical scan** fix a race condition in incident creation.
* **Historical scan** fix an error where the scan loader remained after the scan finished (or failed).
* **Analytics** fix a page crash when a member to display was deleted.
### July 13, 2021[](#july-13-2021 "Direct link to July 13, 2021")
#### Features[](#features-60 "Direct link to Features")
* **API** introduction of data management scopes for API keys
* **GitHub** allow users with a linked GitHub account to link a dangling installation to their workspace. It also works from unauthenticated users installing the GitHub App directly from GitHub.
* **Onboarding** implementation of an onboarding todo list to guide users in their first steps on the application
#### Bug fixes[](#bug-fixes-53 "Direct link to Bug fixes")
* **Incidents** correctly display incidents closed via the API or by an external developer via a share link.
* **Detectors** fix a performance issue when changing a secret detector status in the settings.
* **GitHub** fetch GitHub content between 100kB and 1MB when the patch is not returned by GitHub.
### June 30, 2021[](#june-30-2021 "Direct link to June 30, 2021")
#### Features[](#features-61 "Direct link to Features")
* **Analytics** add panel to visualize your shift left efforts.
* **CI/CD integrations** add an instruction page on how to configure ggshield with each CI/CD tool.
* **API** API now respects the 20MB limit.
#### Bug fixes[](#bug-fixes-54 "Direct link to Bug fixes")
* **GitLab** clean up orphaned webhooks on the GitLab side when installing a new integration.
### June 14, 2021[](#june-14-2021 "Direct link to June 14, 2021")
#### Features[](#features-62 "Direct link to Features")
* **Incidents**: introduction of severity for incidents. Triaging your incident becomes easier.
* **Filepath exclusion** suggestion of filepath to exclude based on workspace incidents
* **API** implement incidents list and sources list endpoints.
#### Bug fixes[](#bug-fixes-55 "Direct link to Bug fixes")
* **SSO** when force SSO is active, redirect to the SSO login page from the GitHub SSO flow.
### May 26, 2021[](#may-26-2021 "Direct link to May 26, 2021")
#### Features[](#features-63 "Direct link to Features")
* **Filepath exclusion** add ability to configure filepath to exclude filepaths from monitoring. You can also test a filepath against your exclusion list.
* **Settings** users can customize their email notification for each of their workspaces.
* **Incidents** show assignee for closed incidents and ability to filter on assignee.
* **Incidents** add quick actions to resolve/ignore/reopen/assign directly in the incidents table row.
* **Incidents** add the bulk action “add note”.
* **Incident detail** update "how to remediate" section with detailed indications and blog links
* **Perimeter** add link to incidents page for closed incidents.
* **CI/CD** add drone.io and Azure pipelines.
### May 5, 2021[](#may-5-2021 "Direct link to May 5, 2021")
#### Features[](#features-64 "Direct link to Features")
* **Playbook** introduction of "Auto-healing" playbook. Developers involved in a secret incident can now automatically receive an incident's share link.
* **Incidents** add a filter for developer feedback and icons indicating feedback status in the incidents table.
* **Share link** add resolve/ignore actions to the share page.
* **Detectors** deprecated detectors now appear disabled in the settings.
* **Incidents** CSV report now respects the secret incidents table filters and search.
#### Bug fixes[](#bug-fixes-56 "Direct link to Bug fixes")
* **Incidents** show number of open incidents in the inactive tab headers.
* **Incident detail** fix detector logo not displayed on incident detail page.
* **Incidents** fix bug not updating incidents list when navigating back from incident detail page after having updated it.
### April 19, 2021[](#april-19-2021 "Direct link to April 19, 2021")
#### Features[](#features-65 "Direct link to Features")
* **Share link** ability for a developer to give feedback from the share page of an incident. Feedback is displayed on the incident detail page.
* **Integrations** display ggshield integrations (git hook, CI/CD …) on the integrations pages.
* **Alerting integrations** add Pagerduty, Discord and Splunk integrations in the app.
* **Historical scan** add ability to cancel a running historical scan.
#### Bug fixes[](#bug-fixes-57 "Direct link to Bug fixes")
* **Authentication** fix the 404 on some authentication pages.
* **Audit** fix a bug that could allow users to have their audit logs created without their IP address.
### April 6, 2021[](#april-6-2021 "Direct link to April 6, 2021")
#### Features[](#features-66 "Direct link to Features")
* **Analytics** introduction of the Analytics section. This new section provides insight into the evolution of your workspace metrics helping you monitor your security posture over time.
* **Incident detail** ability to share an incident externally. Security teams can give visibility to developers, involved in the incident, but who are not authenticated on the workspace.
* **GitLab** display in-app warning when an integration is no longer monitored.
* **Bitbucket Data Center** display in-app warning when an integration is no longer monitored.
#### Bug fixes[](#bug-fixes-58 "Direct link to Bug fixes")
* **Analytics** fix incidents coming from an historical scan not taken into account in Analytics.
### March 9, 2021[](#march-9-2021 "Direct link to March 9, 2021")
#### Features[](#features-67 "Direct link to Features")
* **Bitbucket Data Center** Bitbucket integration is now available. You can monitor your Bitbucket repositories for secrets detection.
* **Audit log** introduction of an Audit log section in the settings. As the Owner or Managers of your GitGuardian workspace, get a centralized view of all the user activity that took place on your workspace.
* **GitLab** improve the settings perimeter of namespaces/projects. Display the number of monitored projects per namespace and display the number of pending changes while changing the monitoring states. Lazy loads the projects only when a namespace is open.
#### Bug fixes[](#bug-fixes-59 "Direct link to Bug fixes")
* **Historical scan** do not send email when all scans of a bulk scan fail.
February 22, 2021[](#february-22-2021 "Direct link to February 22, 2021")
---------------------------------------------------------------------------
#### Features[](#features-68 "Direct link to Features")
* **Incidents** introduction of bulk actions. While we highly encourage you to examine an incident closely before closing it, you can now perform bulk actions (such as resolve, ignore, assign) to quickly change the status of multiple incidents.
* **Incident detail** implement navigation through matches in the git patch of a secret incident.
* **Historical scan** add a new failed reason: "timed out".
* **Perimeter** add a banner to remind users of missing integrations and unscanned repositories.
#### Bug fixes[](#bug-fixes-60 "Direct link to Bug fixes")
* **CSV** implement streaming download for long term performance fix.
February 8, 2021[](#february-8-2021 "Direct link to February 8, 2021")
------------------------------------------------------------------------
#### Features[](#features-69 "Direct link to Features")
* **Settings** ability to transfer workspace ownership.
* **Incidents** add a loading visual upon table page change.
#### Bug fixes[](#bug-fixes-61 "Direct link to Bug fixes")
* **Alerting integrations** do not send notifications for deactivated detectors.
January 25, 2021[](#january-25-2021 "Direct link to January 25, 2021")
------------------------------------------------------------------------
#### Features[](#features-70 "Direct link to Features")
* **Incidents** introduction of "sensitive file" and "test file" tags. "Sensitive file" tag indicates that one of the occurrences of the incident happened on a potential sensitive file. "Test file" tag indicates that one of the occurrences of the incident happened on a potential test file.
* **Members** introduction of Viewer role. A Viewer has access to all the incidents of your workspace. However, a Viewer cannot take actions such as resolving or ignoring an incident.
January 11, 2021[](#january-11-2021 "Direct link to January 11, 2021")
------------------------------------------------------------------------
#### Features[](#features-71 "Direct link to Features")
* **Alerting integrations** add a setting for alerting frequency. An incident may contain several occurrences. Therefore, you can pick if your Slack or custom webhook notifications fire only when a new incident is triggered (at the first occurrence) or at all occurrences of every incident.
* **GitLab** add a configuration page for system hook integration, and improve group hook one.
* **GitLab** allow integration of multiple GitLab instances on a workspace.
* **Security** strengthen password policy.
#### Bug fixes[](#bug-fixes-62 "Direct link to Bug fixes")
* **Incidents** fix regression breaking timeline logs order.
* **Incident** fix bug allowing several logs for an action (resolve/ignore) on an incident.
#### Was this page helpful?
[](#)
[](#)
* [January 13, 2025](#january-13-2025)
* [December 23, 2024](#december-23-2024)
* [December 12, 2024](#december-12-2024)
* [December 5, 2024](#december-5-2024)
* [November 18, 2024](#november-18-2024)
* [November 4, 2024](#november-4-2024)
* [October 28, 2024](#october-28-2024)
* [October 21, 2024](#october-21-2024)
* [October 17, 2024](#october-17-2024)
* [October 14, 2024](#october-14-2024)
* [October 7, 2024](#october-7-2024)
* [September 23, 2024](#september-23-2024)
* [September 9, 2024](#september-9-2024)
* [August 26, 2024](#august-26-2024)
* [August 14, 2024](#august-14-2024)
* [July 29, 2024](#july-29-2024)
* [July 15, 2024](#july-15-2024)
* [June 24, 2024](#june-24-2024)
* [June 17, 2024](#june-17-2024)
* [June 10, 2024](#june-10-2024)
* [June 4, 2024](#june-4-2024)
* [May 27, 2024](#may-27-2024)
* [May 20, 2024](#may-20-2024)
* [May 13, 2024](#may-13-2024)
* [May 6, 2024](#may-6-2024)
* [April 29, 2024](#april-29-2024)
* [April 23, 2024](#april-23-2024)
* [April 16, 2024](#april-16-2024)
* [April 15, 2024](#april-15-2024)
* [April 10, 2024](#april-10-2024)
* [April 8, 2024](#april-8-2024)
* [April 2, 2024](#april-2-2024)
* [March 25, 2024](#march-25-2024)
* [March 18, 2024](#march-18-2024)
* [March 11, 2024](#march-11-2024)
* [March 4, 2024](#march-4-2024)
* [February 26, 2024](#february-26-2024)
* [February 19, 2024](#february-19-2024)
* [February 13, 2024](#february-13-2024)
* [February 6, 2024](#february-6-2024)
* [January 29, 2024](#january-29-2024)
* [January 22, 2024](#january-22-2024)
* [January 15, 2024](#january-15-2024)
* [January 9, 2024](#january-9-2024)
* [December 11, 2023](#december-11-2023)
* [November 27, 2023](#november-27-2023)
* [November 15, 2023](#november-15-2023)
* [October 30, 2023](#october-30-2023)
* [October 16, 2023](#october-16-2023)
* [October 3, 2023](#october-3-2023)
* [September 28, 2023](#september-28-2023)
* [September 21, 2023](#september-21-2023)
* [September 4, 2023](#september-4-2023)
* [August 22, 2023](#august-22-2023)
* [August 7, 2023](#august-7-2023)
* [July 25, 2023](#july-25-2023)
* [July 24, 2023](#july-24-2023)
* [July 10, 2023](#july-10-2023)
* [June 26, 2023](#june-26-2023)
* [June 12, 2023](#june-12-2023)
* [May 30, 2023](#may-30-2023)
* [May 15, 2023](#may-15-2023)
* [May 2, 2023](#may-2-2023)
* [April 17, 2023](#april-17-2023)
* [April 11, 2023](#april-11-2023)
* [April 3, 2023](#april-3-2023)
* [March 20, 2023](#march-20-2023)
* [March 6, 2023](#march-6-2023)
* [February 20, 2023](#february-20-2023)
* [February 15, 2023](#february-15-2023)
* [February 6, 2023](#february-6-2023)
* [January 23, 2023](#january-23-2023)
* [January 10, 2023](#january-10-2023)
* [January 9, 2023](#january-9-2023)
* [December 21, 2022](#december-21-2022)
* [December 15, 2022](#december-15-2022)
* [December 13, 2022](#december-13-2022)
* [November 28, 2022](#november-28-2022)
* [November 15, 2022](#november-15-2022)
* [November 3, 2022](#november-3-2022)
* [October 17, 2022](#october-17-2022)
* [October 3, 2022](#october-3-2022)
* [September 21, 2022](#september-21-2022)
* [September 8, 2022](#september-8-2022)
* [August 22, 2022](#august-22-2022)
* [August 9, 2022](#august-9-2022)
* [July 27, 2022](#july-27-2022)
* [July 11, 2022](#july-11-2022)
* [June 27, 2022](#june-27-2022)
* [June 14, 2022](#june-14-2022)
* [June 1, 2022](#june-1-2022)
* [May 17, 2022](#may-17-2022)
* [May 2, 2022](#may-2-2022)
* [April 19, 2022](#april-19-2022)
* [April 4, 2022](#april-4-2022)
* [March 23, 2022](#march-23-2022)
* [March 7, 2022](#march-7-2022)
* [February 21, 2022](#february-21-2022)
* [February 9, 2022](#february-9-2022)
* [January 24, 2022](#january-24-2022)
* [January 17, 2022](#january-17-2022)
* [December 17, 2021](#december-17-2021)
* [November 30, 2021](#november-30-2021)
* [November 14, 2021](#november-14-2021)
* [November 3, 2021](#november-3-2021)
* [October 18, 2021](#october-18-2021)
* [October 13, 2021](#october-13-2021)
* [September 20, 2021](#september-20-2021)
* [September 7, 2021](#september-7-2021)
* [August 11, 2021](#august-11-2021)
* [July 27, 2021](#july-27-2021)
* [July 13, 2021](#july-13-2021)
* [June 30, 2021](#june-30-2021)
* [June 14, 2021](#june-14-2021)
* [May 26, 2021](#may-26-2021)
* [May 5, 2021](#may-5-2021)
* [April 19, 2021](#april-19-2021)
* [April 6, 2021](#april-6-2021)
* [March 9, 2021](#march-9-2021)
* [February 22, 2021](#february-22-2021)
* [February 8, 2021](#february-8-2021)
* [January 25, 2021](#january-25-2021)
* [January 11, 2021](#january-11-2021)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# GitGuardian CLI (ggshield) | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)

###### Developer tools
GitGuardian CLI (ggshield)
==========================
Take GitGuardian’s secrets detection engine to the command line with ggshield, the GitGuardian CLI application. Detect and prevent 350+ types of hardcoded secrets (API keys, certificates, database connection URLs) and 70+ Infrastructure-as-Code misconfigurations before pushing code, with ggshield.
User guide
----------
[### Quick start guide\
\
Learn how to install ggshield on your MacOS, Linux or Windows machine, generate a GitGuardian API key, and start scanning.](/ggshield-docs/getting-started)
[### Integrate ggshield into pre-commit hooks\
\
Learn how to quickly set up ggshield with pre-commit git hooks to prevent hardcoded secrets from reaching the codebase.](/ggshield-docs/integrations/git-hooks/pre-commit)
[### Integrate ggshield into CI/CD pipelines\
\
Learn how to quickly set up ggshield to detect secrets weaknesses in your CI/CD pipelines.](/ggshield-docs/integrations/cicd-integrations/azure-pipelines)
Resources
---------
[### Docker image scanning\
\
Learn how to scan Docker images for secrets, before publishing them to your internal registries.](/ggshield-docs/integrations/docker/docker_image)
[### Release notes\
\
Read the latest ggshield feature updates in the official release notes.](https://github.com/GitGuardian/ggshield/releases)
[### ggshield command reference\
\
Learn how to use ggshield commands and their different options.](/ggshield-docs/reference/overview)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Secrets Detection | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
###### Modules
Secrets Detection
=================
Find and fix hardcoded secrets in your Version Control Systems and CI/CD pipelines with GitGuardian’s automated secrets detection and remediation.
[Join us for a concise 20-minute live demo of GitGuardian Secrets Detection](https://app.livestorm.co/gitguardian/live-product-demo-gitguardian-secrets-detection)
with our in-house security experts Dwayne McDaniel and Jason Miller.

Get started
-----------
[### Detect hardcoded secrets\
\
Learn more about secrets incidents and how to tune GitGuardian’s detection engine to your liking.](/secrets-detection/detect/secrets-incidents)
[### Remediate your first secret incident\
\
Follow the best practices and tips from GitGuardian to resolve your very first open incident.](/secrets-detection/remediate/remediate-incidents)
[### Track your progress\
\
Analyze secrets exposure trends and understand how your secrets management practices are evolving.](/secrets-detection/tracking-performance/analyze-trends-and-performance)
Popular
-------
[### What is a secret?\
\
Learn what are secrets and how they are used in software development.](/secrets-detection/core-concepts/what-is-a-secret)
[### Prioritize hardcoded secrets incidents\
\
Find out how to best prioritize your remediation efforts based on the contextual data from GitGuardian.](/secrets-detection/remediate/prioritize-incidents)
[### Detect secrets in real-time in GitHub pull requests\
\
See how GitGuardian brings secrets detection to GitHub pull requests and check runs to keep developers in flow.](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github)
What’s new
----------
[### Create your custom remediation guidelines\
\
Tailor remediation guidelines to your organization and align them with internal incident response policies.](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#customize-remediation-guidelines)
[### Automate Severity Scoring\
\
Let GitGuardian assess the severity of your hardcoded secrets incidents for you.](/secrets-detection/remediate/prioritize-incidents#severity)
[### Playbook: Auto-resolve secrets incidents\
\
GitGuardian will crawl your open incidents to check if their secrets' validity has changed, and close them when invalid.](/secrets-detection/remediate/automate-workflows#auto-healing-playbook)
First steps
===========
Core concepts
-------------
[What is a secret?](/secrets-detection/core-concepts/what-is-a-secret)
[Secure secrets management](/secrets-detection/core-concepts/secure-secrets-management)
[Where should you scan for secrets in the SDLC?](/secrets-detection/core-concepts/where-to-implement-secrets-detection)
For developers
==============
Secrets detection in the SDLC
-----------------------------
[Overview](/secrets-detection/secrets-detection-in-sdlc/overview)
[Detect secrets in GitHub PRs](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github)
[Detect secrets in CI pipelines](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-ci-cd-pipelines)
[Detect secrets on dev machines](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-on-workstations)
[Block secrets from the VCS](/secrets-detection/secrets-detection-in-sdlc/block-secrets-from-entering-vcs)
Secrets Detection Engine
------------------------
[Overview](/secrets-detection/secrets-detection-engine/quick_start)
[PreValidators and PostValidators](/secrets-detection/secrets-detection-engine/validation)
[Encrypted Secrets](/secrets-detection/secrets-detection-engine/encrypted_secrets)
[Frequently Asked Questions](/secrets-detection/secrets-detection-engine/frequently_asked_questions)
[Glossary](/secrets-detection/secrets-detection-engine/glossary)
[Remediate a leak on public GitHub](/secrets-detection/secrets-detection-engine/leaks_remediation)
[Detectors](/secrets-detection/secrets-detection-engine/detectors/introduction)
Finding & Fixing hardcoded secrets
==================================
Detect exposed secrets
----------------------
[Secrets incidents](/secrets-detection/detect/secrets-incidents)
[Customize detection](/secrets-detection/detect/customize-detection)
Remediate incidents
-------------------
[Overview](/secrets-detection/remediate/overview)
[Prioritize incidents](/secrets-detection/remediate/prioritize-incidents)
[Investigate incidents](/secrets-detection/remediate/investigate-incidents)
[Remediate incidents](/secrets-detection/remediate/remediate-incidents)
[Common scenarios](/secrets-detection/remediate/remediation-scenarios/overview)
[Automate with playbooks](/secrets-detection/remediate/automate-workflows)
Track your performance
----------------------
[Analyze trends & performance](/secrets-detection/tracking-performance/analyze-trends-and-performance)
[Export data](/secrets-detection/tracking-performance/export-data)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate your first repositories | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate your first repositories
=================================
To get started with Internal Monitoring for secrets, you need to add an integration with a source like a Version Control System (VCS).
 
tip
If you want to try GitGuardian Internal Monitoring out on a test repository, go ahead and clone our [**sample\_secrets repo**](https://github.com/GitGuardian/sample_secrets)
. It contains 8 unique secrets our detection engine will find during the scans.
Integrate with GitHub[](#integrate-with-github "Direct link to Integrate with GitHub")
----------------------------------------------------------------------------------------
1. From the VCS integrations page, select GitHub

2. Confirm access to your GitHub account

3. Choose whether you want GitGuardian to monitor all your repositories or a selection of repositories. This can be changed later from your GitHub account.
 
4. Go back to your GitGuardian dashboard to see your added user or organization and its repositories.

Once installed, GitGuardian will also give you the option to add or remove repositories from the monitored perimeter directly from your workspace.
Integrate with other VCS platforms[](#integrate-with-other-vcs-platforms "Direct link to Integrate with other VCS platforms")
-------------------------------------------------------------------------------------------------------------------------------
### Integrate with GitLab[](#integrate-with-gitlab "Direct link to Integrate with GitLab")
When integrating GitGuardian with GitLab, you can choose to monitor an entire instance or certain groups only. In both cases, you will need to generate a personal access token with admin permissions for the chosen perimeter.
Once installed, GitGuardian will also give you the option to add or remove repositories from the monitored perimeter directly from your workspace.
#### Step 1. Create a personal access token[](#step-1-create-a-personal-access-token "Direct link to Step 1. Create a personal access token")
1. Go to your **User Settings** on GitLab
2. View the **Access Tokens** section
3. Choose a name (for example “gitguardian-secrets-scanning”)
4. IMPORTANT: Select the **API** scope
If you need to, visit the [GitLab documentation](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)
for more details on how to create personal access tokens.
#### Step 2. Configure your GitLab integration via a system hook or a group hook[](#step-2-configure-your-gitlab-integration-via-a-system-hook-or-a-group-hook "Direct link to Step 2. Configure your GitLab integration via a system hook or a group hook")
There are two ways to configure your GitLab integration, using system hooks or group hooks. Now that you have your personal access token ready, follow one of these guides depending on your preference:
* [setup a system hooks type integration](/platform/monitor-perimeter/vcs-integrations/gitlab#integrate-your-gitlab-instance-with-system-hooks)
,
* [setup a group hooks type integration](/platform/monitor-perimeter/vcs-integrations/gitlab#integrate-your-gitlab-groups-with-group-hooks)
.
### Integrate with Bitbucket server/data center[](#integrate-with-bitbucket-serverdata-center "Direct link to Integrate with Bitbucket server/data center")
danger
This integration does not support projects and repositories hosted on Bitbucket Cloud (bitbucket.org). Check out our Bitbucket Pipelines integration to keep your Bitbucket Cloud workspace secure.
#### Step 1. Create a personal access token[](#step-1-create-a-personal-access-token-1 "Direct link to Step 1. Create a personal access token")
1. In your Bitbucket workspace, navigate to your Bitbucket user settings (typically on your upper right hand corner, under Manage Account)
2. Go to the Personal access tokens section
3. Create a personal access token with a simple name such as "GitGuardian" and Read permissions on projects and Admin permissions on repositories. Set the "Automatic Expiry" option to "No".
#### Step 2. Configure your Bitbucket integration via a system hook or a group hook[](#step-2-configure-your-bitbucket-integration-via-a-system-hook-or-a-group-hook "Direct link to Step 2. Configure your Bitbucket integration via a system hook or a group hook")
There are two ways to configure your Bitbucket integration, at the instance-level or at the project-level. Follow one of these guides depending on your preference:
* [setup an instance-level integration](/platform/monitor-perimeter/vcs-integrations/bitbucket#instance-level-integration)
,
* [setup a project-level integration](/platform/monitor-perimeter/vcs-integrations/bitbucket#project-level-integration)
.
#### Was this page helpful?
[](#)
[](#)
* [Integrate with GitHub](#integrate-with-github)
* [Integrate with other VCS platforms](#integrate-with-other-vcs-platforms)
* [Integrate with GitLab](#integrate-with-gitlab)
* [Integrate with Bitbucket server/data center](#integrate-with-bitbucket-serverdata-center)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Workspace settings | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Workspace settings
==================
Collaboration and sharing options[](#collaboration-and-sharing-options "Direct link to Collaboration and sharing options")
----------------------------------------------------------------------------------------------------------------------------
### Enable public sharing[](#enable-public-sharing "Direct link to Enable public sharing")
In the [workspace settings](https://dashboard.gitguardian.com/settings/workspace/general)
, Managers can activate or deactivate public sharing across the entire workspace. Enabling public sharing allows users to access an incident without needing to be registered.
For more details about public sharing, please refer to our [Collaboration and sharing section](/platform/collaboration-and-sharing/incident-permissions-and-sharing)
.
Public sharing is available in all plans:
* in the `Free` plan, both Managers and Members can perform public sharing.
* in the `Business` plan, only users with `Full_access` incident permission can perform public sharing.
Public sharing is `OFF` by default.
### Allow team leaders to invite users[](#allow-team-leaders-to-invite-users "Direct link to Allow team leaders to invite users")
info
This feature is only available for workspaces with a Business plan.
Enabling this setting allows users with the `Member` access level to invite people to the teams they lead. Team leaders can only invite new users by adding them to their teams and cannot invite new users to the workspace via the Settings > Members page.
Newly added users will be assigned the `Member` access level. Upon signing up, they will automatically be added to the team from which they were invited.
This setting is `ON` by default. Deactivate it [in your workspace settings](https://dashboard.gitguardian.com/settings/workspace/general)
if you want the privilege of adding new users to your workspace to remain exclusive to `Managers`.
### “Full access” incident permissions allow to invite users[](#full-access-incident-permissions-allow-to-invite-users "Direct link to “Full access” incident permissions allow to invite users")
info
This feature is only available for workspaces with a Business plan.
Enabling this setting allows users with `Full access` incident permission to invite new users to the workspace. Users with `Full access` incident permission can only invite new users by granting them access to the incident where they have `Full access` permission, and cannot invite new users to the workspace via the Settings > Members page.
Upon signup:
* the newly added user will only have access to the incident they have been invited from
* to prevent privilege escalation, the access level of the new user will be the same as the person who granted them access to the incident:
* If granted access by a `Restricted` user, the new user will have the `Restricted` access level.
* If granted access by a `Member` user, the new user will have the `Member` access level.
* If granted access by a `Manager` user, the new user will have the `Member` access level since we consider the highly privileged `Manager` access level can only be given specifically on the Settings > Members page.
This setting is `ON` by default. Deactivate it [in your workspace settings](https://dashboard.gitguardian.com/settings/workspace/general)
if you want the privilege of adding new users to your workspace to remain exclusive to `Managers`.
Security options[](#security-options "Direct link to Security options")
-------------------------------------------------------------------------
### Enforce a maximum lifetime for API personal access tokens[](#enforce-a-maximum-lifetime-for-api-personal-access-tokens "Direct link to Enforce a maximum lifetime for API personal access tokens")
info
This feature is only available for workspaces with a Business plan.
In [the workspace settings](https://dashboard.gitguardian.com/settings/workspace/security)
, Managers can enforce a maximum lifetime for API personal access tokens created within their workspace. This applies whether the creation happens via [the API > Personal access tokens page](https://dashboard.gitguardian.com/api/personal-access-tokens)
or via ggshield using the `ggshield auth login` command.
If existing personal access tokens exceed the new maximum lifetime at the time of the setting modification, GitGuardian will force their lifetime to fit the new setting, starting from the time of the setting modification.
By default, there is no enforced maximum lifetime for API personal access tokens.
### Restrict git patch visibility[](#restrict-git-patch-visibility "Direct link to Restrict git patch visibility")
info
This feature is only available for workspaces with a Business plan.
In [the workspace settings](https://dashboard.gitguardian.com/settings/workspace/security)
, Managers can active the restriction for git patch visibility.
When the restriction is activated, the git patch of an occurrence will be visible to a user if either of the following conditions are met:
* **The user is a member of a team that includes the repository where the occurrence took place**. It's worth noting that since workspace Managers are automatically part of the "All-incidents" team, they will always have access to all the git patches.
* **The user is directly involved in the occurrence**, meaning their email matches the committer email of the occurrence.
It is important to note that while the restriction on git patch visibility is in effect, the metadata of an occurrence will still be visible to users. Only the git patch of the occurrence will be impacted by the restriction.
This means that there may be instances where a user has access to a secret incident that contains multiple occurrences. The user will be able to view the metadata of all occurrences, but only a subset of them will have visible git patches.
This distinction is critical to ensure an effective remediation when multiple teams are involved and collaboration is necessary. By restricting access to the code (git patch) of each other's occurrences, teams can maintain the necessary level of confidentiality while still working together to resolve the incident.
When the restriction on git patch visibility is enabled, the git patches of occurrences are hidden on the public share page of an incident.
#### Was this page helpful?
[](#)
[](#)
* [Collaboration and sharing options](#collaboration-and-sharing-options)
* [Enable public sharing](#enable-public-sharing)
* [Allow team leaders to invite users](#allow-team-leaders-to-invite-users)
* [“Full access” incident permissions allow to invite users](#full-access-incident-permissions-allow-to-invite-users)
* [Security options](#security-options)
* [Enforce a maximum lifetime for API personal access tokens](#enforce-a-maximum-lifetime-for-api-personal-access-tokens)
* [Restrict git patch visibility](#restrict-git-patch-visibility)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# How GitGuardian works | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
How GitGuardian works
=====================
GitGuardian architecture[](#gitguardian-architecture "Direct link to GitGuardian architecture")
-------------------------------------------------------------------------------------------------
### Server-side VCS integration[](#server-side-vcs-integration "Direct link to Server-side VCS integration")
GitGuardian's internal repository monitoring product integrates natively with your VCS (Version Control System), hence on the **server side**. This is done through a GitHub app or a webhook for GitLab, Bitbucket and Azure repos. GitGuardian "listens" to all the events reaching the **post-receive hook stage**.
Read our [blog article](https://blog.gitguardian.com/git-hooks-automated-secrets-detection/)
if you want to learn more about hooks and why we believe they are a must-have when it comes to automated secrets detection.
### Scanning incremental change[](#scanning-incremental-change "Direct link to Scanning incremental change")
**Commits contained in such events, typically push events**, are then scanned by our [library of secrets detectors](/secrets-detection/secrets-detection-engine/detectors/introduction)
. If a secret is detected, an incident is raised in your dashboard instantly and you get alerted in real time.
### Scanning your commit history[](#scanning-your-commit-history "Direct link to Scanning your commit history")
GitGuardian also gives you the ability (and encourages you) to **scan the entire git history of your perimeter**. All secrets present in your code prior to installing GitGuardian will be detected.
GitGuardian dashboard[](#gitguardian-dashboard "Direct link to GitGuardian dashboard")
----------------------------------------------------------------------------------------
GitGuardian dashboard users have access to all detected secrets and are typically in charge of ensuring proper remediation. Through the dashboard, users can collaborate with teammates and configure custom monitoring settings.

#### Was this page helpful?
[](#)
[](#)
* [GitGuardian architecture](#gitguardian-architecture)
* [Server-side VCS integration](#server-side-vcs-integration)
* [Scanning incremental change](#scanning-incremental-change)
* [Scanning your commit history](#scanning-your-commit-history)
* [GitGuardian dashboard](#gitguardian-dashboard)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Secrets incidents | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Secrets incidents
=================
What is a secret incident? What are its implications?[](#what-is-a-secret-incident-what-are-its-implications "Direct link to What is a secret incident? What are its implications?")
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Secret incidents are open issues that need your attention to be resolved. They are created thanks to [our secrets detection engine](/secrets-detection/home)
that scans your sources code for [hardcoded secrets](/secrets-detection/core-concepts/what-is-a-secret)
to display them in your dashboard.
Leaving a secret in plain text in source control represents a threat for the security of the resources that are protected by that secret. To learn more about why hardcoded secrets are a vulnerability that needs your Application or Product Security teams' attention, read the related paragraph in our [Core Concepts](/secrets-detection/core-concepts/what-is-a-secret)
section.
What are the occurrences of an incident?[](#what-are-the-occurrences-of-an-incident "Direct link to What are the occurrences of an incident?")
------------------------------------------------------------------------------------------------------------------------------------------------
The **same secret can be seen multiple times** in your VCS. They are referred to as occurrences.
GitGuardian streamlines the remediation process by automatically **grouping multiple occurrences of the same secret into a single secret incident**.
Thus, an occurrence of a secret incident is uniquely identified by the combination of the following parameters:
* the source (for instance: a GitHub repository or a GitLab project) impacted by the secret occurrence,
* the commit in which we detected the secret occurrence,
* the commit file containing the secret occurrence,
* the line within the commit file where the secret occurred.
Alerts are sent only when a new incident is created or reopened because of a regression. A new occurrence attached to an already-existing open secret incident won't raise any alerts.
> GitGuardian sets a maximum limit of 1,000 occurrences for a single secret incident (this does not apply to the self-hosted platform).
#### Was this page helpful?
[](#)
[](#)
* [What is a secret incident? What are its implications?](#what-is-a-secret-incident-what-are-its-implications)
* [What are the occurrences of an incident?](#what-are-the-occurrences-of-an-incident)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Getting started | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Getting started
===============
Discover GitGuardian's Honeytoken[](#discover-gitguardians-honeytoken "Direct link to Discover GitGuardian's Honeytoken")
---------------------------------------------------------------------------------------------------------------------------
Honeytoken is a new module in the GitGuardian platform. You can request a [live demo](https://www.gitguardian.com/book-a-demo)
!
The module is restricted to Managers
The Honeytoken module is reserved for users with a "Manager" access level on the GitGuardian workspace. This will evolve in the future when we will support roles to create and manage honeytokens.
Create and deploy your first honeytoken[](#create-and-deploy-your-first-honeytoken "Direct link to Create and deploy your first honeytoken")
----------------------------------------------------------------------------------------------------------------------------------------------

In the Honeytoken module, click “Create honeytoken”. Enter a name for the honeytoken, and optionally a description. The description may contain more detail about where and how exactly you will place this honeytoken. You can also select or create some [labels](/honeytoken/manage#using-labels-to-categorize-your-honeytokens)
to define your honeytoken in a more structured way.

> **Note:** For now, we are only proposing AWS keys, but we are exploring other types of honeytokens.

Congratulations! Your honeytoken creation is confirmed, and you get your honeytoken key.
Insert this key [in the asset you want to protect](/honeytoken/core-concepts#where-should-you-place-your-honeytokens)
! If an attacker ever trips on the honeytoken, you'll get an instant alert letting you know that it has happened.
info
This method allows you to decide exactly where and how your honeytoken will be inserted, but is quite manual. If you seek a more automated and effortless solution for deploying honeytokens across numerous repositories, explore our [Deployment Jobs](/honeytoken/deploy-honeytokens/deployment-jobs)
feature.
Test your honeytoken[](#test-your-honeytoken "Direct link to Test your honeytoken")
-------------------------------------------------------------------------------------
If you want to test the triggering and alerting mechanism, you can trigger your own honeytoken.
info
To use the following method, ensure that the AWS CLI is installed on your system. If not, refer to the official [AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
for instructions on how to install it.
In the honeytoken detail page, click “How to test your honeytoken”.

Copy the AWS “get-caller-identity” command and run it in your terminal or command prompt.
This will generate an event and thus trigger the honeytoken.
Don’t forget to reset your honeytoken afterward to be alerted of any “real” trigger on it.
#### Was this page helpful?
[](#)
[](#)
* [Discover GitGuardian's Honeytoken](#discover-gitguardians-honeytoken)
* [Create and deploy your first honeytoken](#create-and-deploy-your-first-honeytoken)
* [Test your honeytoken](#test-your-honeytoken)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Core concepts | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Core concepts
=============
See how Honeytoken works in this brief video.
What are honeytokens?[](#what-are-honeytokens "Direct link to What are honeytokens?")
---------------------------------------------------------------------------------------
GitGuardian Honeytoken allows you to create decoy credentials called “honeytokens” that do not allow any access to any actual customer resources or data. Instead, they act as tripwires that reveal information about the attacker (eg. IP Address, User Agent, Location, etc.).
Our honeytokens look just like any other secret to attackers. We designed our honeytokens to be triggered by all types of secret scanners, like open-source projects TruffleHog or Gitleaks, that are often put to wrong use by attackers. This means that if a hacker uses a secret scanner to search for developer secrets, they will trip on the honeytoken, triggering an alert that notifies the security team of a potential security incident.
Why should you use honeytokens?[](#why-should-you-use-honeytokens "Direct link to Why should you use honeytokens?")
---------------------------------------------------------------------------------------------------------------------
Honeytokens are a useful tool for the software development life cycle (SDLC) and software supply chain for several reasons:
1. **An essential function in secrets remediation:** Honeytoken serves as the initial line of defense for users grappling with thousands of secrets incidents. It functions as an alarm system. It provides reassurance and buys valuable time when addressing secrets incidents at scale. Moreover, it acts as a prioritization tool, directing focus to critical incidents, when triggered.
2. **Early detection of security breaches**: By planting honeytokens in your SDLC system and supply chain, you can detect security breaches early on before they cause any real damage. Honeytokens can act as an alarm system that signals the presence of an attacker or malicious activity.
3. **Strengthened supply chain security**: Honeytokens can be used to quickly detect any breaches and identify if a vendor in the supply chain has been compromised. This helps you to strengthen your supply chain security and prevent further damage from occurring.
4. **Complete visibility of monitored codebase**: Honeytokens provide you with a clear view of where they have been deployed, ensuring they were deployed as intended and identifying if they were mistakenly duplicated in several repositories.
5. **Easy deployment at scale**: Honeytokens can be created, deployed, and managed on a large enterprise scale, allowing you to secure thousands of code repositories simultaneously. The integration of Honeytoken in the GitGuardian code security platform ensures that our secret scanning does not generate useless alerts for the deployed honeytokens.
6. **Detection of code leakage**: By placing our honeytokens in code, you can detect if it has been leaked on public GitHub, saving time and resources by providing an easy and quick way to detect code leakage and prevent further data loss.
Read this [blog post](https://blog.gitguardian.com/gitguardian-honeytoken)
to learn more about the use cases of our honeytokens.
Where should you place your honeytokens?[](#where-should-you-place-your-honeytokens "Direct link to Where should you place your honeytokens?")
------------------------------------------------------------------------------------------------------------------------------------------------
Our honeytokens are tailor-made for deployment in **Version Control Systems (git repositories).** Git repositories are your treasure troves, packed with valuable code essential for your software's functionality. If unauthorized access occurs, it could lead to code theft, tampering, or disruption of your operations.
Deploy in all your repositories to detect when your codebase is compromised. Check our detailed [guide](https://blog.gitguardian.com/how-to-secure-your-scm-repositories-with-gitguardian-honeytokens)
.
Additionally, leverage honeytokens in other critical areas (where your real secrets might be found). Here are some examples:
* Insert them into **[CI/CD tools](https://blog.gitguardian.com/how-to-add-gitguardian-honeytokens-in-ci-cd-pipelines/)
** to detect compromised pipelines.
* Plant them in **[Docker images](https://blog.gitguardian.com/how-to-secure-your-container-registries-with-gitguardians-honeytoken/)
** or other **internal packages**.
* Place them in [project management tools](https://blog.gitguardian.com/secure-your-productivity-tools-with-gitguardian-honeytoken/)
like **Jira**, internal wikis like **Confluence**, or messaging tools like **Slack**.
tip
We recommend that each honeytoken be deployed in a unique place. If it appears in several places, then if it gets triggered, you would not be able to identify for sure which place is compromised.
#### Was this page helpful?
[](#)
[](#)
* [What are honeytokens?](#what-are-honeytokens)
* [Why should you use honeytokens?](#why-should-you-use-honeytokens)
* [Where should you place your honeytokens?](#where-should-you-place-your-honeytokens)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Assess your repositories' health | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Assess your repositories' health
================================
How do I launch a historical scan of my repositories?[](#how-do-i-launch-a-historical-scan-of-my-repositories "Direct link to How do I launch a historical scan of my repositories?")
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now that you have integrated your first repositories, it's time to check if they contain any secrets! GitGuardian gives you the ability to scan the entire commit history, across all branches, of your repositories to check if they are safe.
> Understanding your perimeter[](#understanding-your-perimeter "Direct link to Understanding your perimeter")
>
> -------------------------------------------------------------------------------------------------------------
>
> Your perimiter is simply anywhere you are storing your shared code repositories. This includes shared repository hosting like GitHub, GitLab, Bitbucket or Azure Repos.
Your perimeter view[](#your-perimeter-view "Direct link to Your perimeter view")
----------------------------------------------------------------------------------
Simply go to the [**Perimeter view**](https://dashboard.gitguardian.com/perimeter)
and launch your first historical scan!

How do I read the results of my scan?[](#how-do-i-read-the-results-of-my-scan "Direct link to How do I read the results of my scan?")
---------------------------------------------------------------------------------------------------------------------------------------
The [Perimeter view](https://dashboard.gitguardian.com/perimeter)
contains a table listing the sources of your monitored perimeter.
After running your first historical scan, GitGuardian will update the `Health` status of each repository, it will be set to `AT RISK` if a repository contains at least one hard-coded secret or `SAFE` if it doesn't contain any. The total number of unique secrets found will also be displayed in the `Secret incidents` column.
If your repositories contain any hardcoded secrets, click on the Open secrets incidents link. It will take you to the `Incidents view` and display all the secret incidents found in a particular source.
#### Was this page helpful?
[](#)
[](#)
* [How do I launch a historical scan of my repositories?](#how-do-i-launch-a-historical-scan-of-my-repositories)
* [Your perimeter view](#your-perimeter-view)
* [How do I read the results of my scan?](#how-do-i-read-the-results-of-my-scan)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Add and manage users | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Add and manage users
====================
Adding new users[](#adding-new-users "Direct link to Adding new users")
-------------------------------------------------------------------------
### Inviting via email[](#inviting-via-email "Direct link to Inviting via email")
As a workspace Owner or Manager, you can invite via email other users to join your GitGuardian workspace.
1. Navigate to Settings > User management > [Members](https://dashboard.gitguardian.com/settings/user/members)
2. Simply submit the email address of the person you want to invite. If you are under a Business plan, you will be able to specify the teams of your new invitee.
3. The invited user will receive and email with an invitation link. If you have performed an SSO integration, the invitation link will redirect to your dedicated SSO login URL.

There is no limit to the number of users on your workspace.
### Pointing to SSO login URL[](#pointing-to-sso-login-url "Direct link to Pointing to SSO login URL")
If you have configured SSO, you can simply let the Just-In-Time provisioning do the work.
1. Make sure the people you want to add to your GitGuardian workspace are part of the allowed IdP group
2. Point those people to the SSO login URL dedicated to your workspace. This URL is accessible by workspace Manager in the [Authentication settings section](https://dashboard.gitguardian.com/settings/workspace/auth/saml)
.

### Manage pending invitations[](#manage-pending-invitations "Direct link to Manage pending invitations")
Once invited, the new user appears in the "Pending" list in the [Members section](https://dashboard.gitguardian.com/settings/user/members)
of your workspace. There, you can choose the access level they will be attributed upon sign up.
You can delete a pending invitation, which invalidates the sent invitation link.
Access levels[](#access-levels "Direct link to Access levels")
----------------------------------------------------------------
Each user has its own user account and can be member of one or multiple workspaces. Thus, user membership is handled at the workspace level. Each member is assigned a access level that defines its privileges on the workspace at stake.
| Action | Owner | Manager | Member | Restricted |
| --- | --- | --- | --- | --- |
| Can access incidents and act on them according to their incident permissions (share, assign, resolve, ignore, export) | ✅ | ✅ | ✅ | ✅, only to incidents they are given access to |
| Can create/delete API personal access tokens | ✅ | ✅ | ✅ | ✅, only with `scan` scope |
| Can create/delete API service accounts (Business only) | ✅ | ✅ | ❌ | ❌ |
| Can launch historical scans | ✅ | ✅ | ✅ | ❌ |
| Can add/remove/change members | ✅ | ✅ | ❌ | ❌ |
| Can join/leave/request access to teams | ✅ | ✅ | ✅ | ❌ |
| Can see workspace settings | ✅ | ✅ | ✅ | ❌ |
| Can change workspace settings (SSO, detection capabilities,...) | ✅ | ✅ | ❌ | ❌ |
| Can configure integrations (VCS and notifiers) | ✅ | ✅ | ❌ | ❌ |
| Can delete workspace | ✅ | ❌ | ❌ | ❌ |
### Owner[](#owner "Direct link to Owner")
* The Owner has unrestricted access and all rights over the entire workspace.
* Each workspace must have one and only one Owner.
* When the Owner deletes their user account, it also deletes their workspace and members.
### Manager[](#manager "Direct link to Manager")
* A Manager has the same level of access as the Owner except they cannot delete the workspace.
* A Manager can manage workspace settings and fellow members of the workspace.
* A Manage can access all the incidents.
Managers are the people responsible for managing the GitGuardian workspace. These may be security or technology managers, depending on your own organization.
### Member[](#member "Direct link to Member")
* A Member can view the workspace settings but cannot act on them.
* A Member can access the incidents.
* A Member can be part of teams.
Members are people in your organization (Developers, Ops, Security) that you want to collaborate to remediate incidents.
info
Memberships with Viewers have been migrated to access level Member with `Can view` incident permissions on all the incidents.
### Restricted[](#restricted "Direct link to Restricted")
* A Restricted can only access a certain set of incidents defined by the Manager or the Member on an ad-hoc basis.
* A Restricted cannot be part of a team.
* A Restricted can list members and teams to assign or share incidents they have access to.
Restricted are typically people outside of your organization who you want to allow access only to very specific incidents.
#### Promote a Restricted to Member[](#promote-a-restricted-to-member "Direct link to Promote a Restricted to Member")
When promoting a Restricted to Member access level:
1. They have read access to the workspace settings
2. They are able to request to join teams in the workspace
#### Demote a Member to Restricted[](#demote-a-member-to-restricted "Direct link to Demote a Member to Restricted")
When demoting a Member (or a Manager) to Restricted access level:
1. They are removed from all the teams they belong to
2. Only incidents to which they are granted access to manually are accessible.
3. All open incidents they were assigned to are unassigned
info
The Restricted access level is only accessible to workspaces under the Business plan.
Delete or deactivate members[](#delete-or-deactivate-members "Direct link to Delete or deactivate members")
-------------------------------------------------------------------------------------------------------------
As a workspace Owner or Manager, you can remove or deactivate a member from the workspace. Deactivating a member temporarily restricts their access to the workspace without permanently deleting their account or data, allowing you to reactivate them later if needed. In contrast, removing a member permanently revokes their access and deletes their association with the workspace. However, note that the Owner of the workspace cannot be removed or deactivated by any user.
1. Navigate to Settings > User management > [Members](https://dashboard.gitguardian.com/settings/user/members)
2. To the right of the person's name, click the  menu, then select Delete or Deactivate.
3. Confirm your action.
This person will instantly lose access to your workspace and all of its data. Personal access tokens belonging to that person will also be revoked.

\[Self-hosting\] Access to the Admin Area[](#self-hosting-access-to-the-admin-area "Direct link to self-hosting-access-to-the-admin-area")
--------------------------------------------------------------------------------------------------------------------------------------------
If you are using GitGuardian in a self-hosted environment, you will have access to the Admin Area for managing your system. For additional information, please refer to the [Admin Area User Management](/self-hosting/management/application-management/admin-area)
page.
#### Was this page helpful?
[](#)
[](#)
* [Adding new users](#adding-new-users)
* [Inviting via email](#inviting-via-email)
* [Pointing to SSO login URL](#pointing-to-sso-login-url)
* [Manage pending invitations](#manage-pending-invitations)
* [Access levels](#access-levels)
* [Owner](#owner)
* [Manager](#manager)
* [Member](#member)
* [Restricted](#restricted)
* [Delete or deactivate members](#delete-or-deactivate-members)
* [Self-hosting Access to the Admin Area](#self-hosting-access-to-the-admin-area)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Overview | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Overview
========
The secret incident and its occurrences[](#the-secret-incident-and-its-occurrences "Direct link to The secret incident and its occurrences")
----------------------------------------------------------------------------------------------------------------------------------------------
### What is a secret occurrence[](#what-is-a-secret-occurrence "Direct link to What is a secret occurrence")
The **same secret can be seen multiple times** in your VCS. They are referred to as occurrences.
Thus, an occurrence of a secret incident is uniquely identified by the combination of the following parameters:
* the source (GitHub repository or GitLab project) impacted by the secret occurrence,
* the commit in which we detected the secret occurrence,
* the commit file containing the secret occurrence,
* the line within the commit file where the secret occurred.
### Grouping of occurrences into secret incidents[](#grouping-of-occurrences-into-secret-incidents "Direct link to Grouping of occurrences into secret incidents")
GitGuardian enhances the remediation process by automatically **grouping multiple occurrences of the same secret into a single secret incident**.
However, within Business Workspaces, the workspace Owner has the exclusive ability to adjust how these secret occurrences are grouped within the [settings](https://dashboard.gitguardian.com/settings/workspace/settings/secrets/general)
. Two levels of granularity are available:
1. **per secret** \[default\]
* All occurrences of the same secret across different sources (e.g., repositories) are consolidated into a single secret incident.
* This means if a particular secret is found in multiple sources, it will generate only one secret incident.
2. **per secret x source:**
* Occurrences of the same secret are grouped into separate secret incidents based on their respective sources.
* This means that if the same secret appears in multiple sources, each source will have its own individual secret incident. This configuration helps tailor the grouping strategy to align with your company's remediation processes and data privacy policies.

danger
Changing the occurrence grouping setting should be done **with utmost care, as it has a significant impact on secret incident population and analytics**. This modification should be considered a **one-off action**.
Upon changing this setting, all existing secret incidents will be migrated to comply with the new grouping mode, and please note that this migration process may take some time.

Alerts are sent only when a new incident is created or reopened because of a regression. A new occurrence attached to an already-existing open secret incident won't raise any alerts.
> GitGuardian sets a maximum limit of 1,000 occurrences for a single secret incident (this does not apply to the self-hosted platform).
Statuses of an incident[](#statuses-of-an-incident "Direct link to Statuses of an incident")
----------------------------------------------------------------------------------------------
**Triggered**: A triggered incident is an incident detected and stored by GitGuardian but not yet investigated by a member of your dashboard.
**Assigned**: An assigned incident is being investigated by a specific member of the dashboard. It is not resolved or ignored yet.
**Resolved:** A resolved incident is an incident considered as remediated. In the case of secrets incidents, you must revoke the secret (and optionally erase all evidence from the git history) before considering it resolved.
> Erasing all evidence from the git history is optional and depends on your code policy.
* If you consider a new occurrence of an incident that has already been resolved to be problematic, you will want the regression behavior enabled. When the regression behavior is turned `On`, GitGuardian will reopen this incident and alert you again. The regression behavior only applies to occurrences detected through real time monitoring. A resolved incident won't be reopened if a new occurrence is uncovered by a historical scan.
* If rewriting the git history is not important to you and only revocation matters, you can turn `Off` the regression behavior and GitGuardian will silently add the occurrence to the existing resolved incident without delivering any notifications.
> The regression behavior can be configured in the [General section of your settings](https://dashboard.gitguardian.com/settings/workspace/general)
> .

**Ignored**: An ignored incident is an incident not considered as such by a member of your team and does not require remediation. For secrets incidents, ignore reasons can be:
* this is not a secret (false positive)
* this is test credential
* this is low risk secret
> Ignoring an incident means that you don't want GitGuardian to consider it anymore. If a new occurrence appears for an ignored incident, GitGuardian will not reopen it or alert you.
graph LR Triggered --> Assigned Assigned --> Resolved Assigned --> Ignored Ignored -...->|Reopen| Triggered Resolved -...->|Reopen or regression| Triggered
Lifecycle of an incident[](#lifecycle-of-an-incident "Direct link to Lifecycle of an incident")
-------------------------------------------------------------------------------------------------
### 1\. Receiving incidents alerts[](#1-receiving-incidents-alerts "Direct link to 1. Receiving incidents alerts")
As explained in the section [How GitGuardian works](/platform/core-concepts/how-gitguardian-works)
, GitGuardian scans every commit in real-time and sends an alert **upon detection of a new incident**. All the members of the dashboard are alerted by email, and on their alerting integrations, in order to tackle the new incident as quickly as possible.
> Note that for incidents detected thanks to historical scanning, we do not send an alert per incident but rather an email recap with all the incidents discovered on a given historical scan.
As mentioned above, all the members of the dashboard receive alert upon regression of an already-resolved incident.
### 2\. Assigning incidents[](#2-assigning-incidents "Direct link to 2. Assigning incidents")
Investigation and remediation of an incident can take some time. So let your teammates know that you are **currently working on a given incident**, by declaring the assignee, in order not to duplicate work within your team.
**Prioritizing and knowing which incident is more severe than another can be very challenging**, especially when you are dealing with a large number of incidents. Have a look at our [Prioritize and explore guide](/secrets-detection/remediate/prioritize-incidents)
to read our good pratices for spotting the incidents you need to tackle first.
### 3\. Collaborate and remediate[](#3-collaborate-and-remediate "Direct link to 3. Collaborate and remediate")
Once you decide which incident you want to work on, a new phase of collaboration and remediation starts. GitGuardian helps you by providing as much as **contextual information** as possible and features that help you **get in touch with the appropriate stakeholders** and **check that the incident has been properly remediated**. Read more about this topic in our [Remediating incidents](/secrets-detection/remediate/remediate-incidents)
section.
Ultimately, you can resolve or ignore the incident. You will always have the possibility to reopen it manually. In the specific case of resolved incidents for which new occurrences are detected again, you can configure GitGuardian to automatically re-open incidents and receive alerts or not by choosing your preferred [Regression setting.](https://dashboard.gitguardian.com/settings/workspace/general)
All user activity and team notes attached to a given incident can be found in the **Timeline section** of the incident page.

#### Was this page helpful?
[](#)
[](#)
* [The secret incident and its occurrences](#the-secret-incident-and-its-occurrences)
* [What is a secret occurrence](#what-is-a-secret-occurrence)
* [Grouping of occurrences into secret incidents](#grouping-of-occurrences-into-secret-incidents)
* [Statuses of an incident](#statuses-of-an-incident)
* [Lifecycle of an incident](#lifecycle-of-an-incident)
* [1\. Receiving incidents alerts](#1-receiving-incidents-alerts)
* [2\. Assigning incidents](#2-assigning-incidents)
* [3\. Collaborate and remediate](#3-collaborate-and-remediate)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Manage your population of honeytokens | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Manage your population of honeytokens
=====================================
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
The Honeytoken module homepage presents the list of your honeytokens, displaying the main information as well as the status of each one.

You can filter the honeytokens based on a number of filters:
* Type of honeytokens
* Source (monitored repositories where the honeytoken is located)
* Status (Active, Triggered, Revoked)
* Tag (`Publicly exposed`)
* Labels
Clicking on the honeytoken name will direct you to its detail page.

* The Information section summarises the main information about your honeytoken and allows you to edit the name, description and labels.
* The Events section is where any usage of the honeytoken will get logged.
* The Timeline section provides the history of the honeytoken: when and where it was created, edited, deployed in a monitored source, triggered… It is also possible to add comments there.
Using labels to categorize your honeytokens[](#using-labels-to-categorize-your-honeytokens "Direct link to Using labels to categorize your honeytokens")
----------------------------------------------------------------------------------------------------------------------------------------------------------
Labels provide a flexible way to organize honeytokens. You can create your own labels in the form of keys and values, assign them to honeytokens, and use them to filter and search for honeytokens based on specific characteristics.
### Manage labels[](#manage-labels "Direct link to Manage labels")
Go to Settings > Secrets > [Honeytoken](https://dashboard.gitguardian.com/settings/secrets/honeytoken)
to access the Labels settings page. From here, you can view the existing keys as well as the existing values for each key, and see how many honeytokens are categorized under them.

#### Create labels[](#create-labels "Direct link to Create labels")
You can create new keys and values from the [Labels setting page](https://dashboard.gitguardian.com/settings/secrets/honeytoken)
. It is also possible to create them directly when creating or editing a honeytoken.
#### Edit or delete labels[](#edit-or-delete-labels "Direct link to Edit or delete labels")
On the [Labels settings page](https://dashboard.gitguardian.com/settings/secrets/honeytoken)
, hover over a key or value name to bring up the option to edit or delete the label. Note that deleting a label is not reversible, even if it is used in honeytokens. However, it is still possible to delete it, which will remove it from any honeytoken.
Similarly, if you edit a key or value, the modification will be applied to all honeytokens that use that label.
### Examples of use[](#examples-of-use "Direct link to Examples of use")
* Create one `place` key that can have the values `codebase`, `docker`, `jenkins`, `jira`, `slack`... representing the type of location where the honeytoken is deployed.
* Create one `team` key that can have values representing your teams and indicating which scope is covered by this honeytoken.
* Create one `env` key that can have the values `prod`, `test`, `staging`...
### Assigning Labels to Honeytokens[](#assigning-labels-to-honeytokens "Direct link to Assigning Labels to Honeytokens")
Each honeytoken can receive one or several labels. Please note that when assigning labels to a honeytoken, only one value from each key may be used.
Number of allowed honeytokens[](#number-of-allowed-honeytokens "Direct link to Number of allowed honeytokens")
----------------------------------------------------------------------------------------------------------------
AWS honeytokens are available in a limited number. If you have reached this limitation, it is not possible to create new honeytokens anymore.
Revoked honeytokens are not included in the count of honeytokens. Only active and triggered honeytokens are included.
If you don’t have enough honeytokens, you can reach out to GitGuardian to discuss extending your limitation.
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [Using labels to categorize your honeytokens](#using-labels-to-categorize-your-honeytokens)
* [Manage labels](#manage-labels)
* [Examples of use](#examples-of-use)
* [Assigning Labels to Honeytokens](#assigning-labels-to-honeytokens)
* [Number of allowed honeytokens](#number-of-allowed-honeytokens)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Analyze trends and performance | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Analyze trends and performance
==============================
The GitGuardian Analytics feature enables you to closely monitor the evolution of your security posture and quickly identify potential threats. In just a few clicks, you can, for instance:
* Monitor the progression of new incidents.
* Determine the total count of open incidents.
* Understand how your incidents are categorized by severity and validity.
The Analytics page is divided into two sections: **Insights** and **Charts**. Insights provides high-level metrics, while Charts offer a detailed view of incident trends based on various parameters.
Analytics Insights[](#analytics-insights "Direct link to Analytics Insights")
-------------------------------------------------------------------------------
The "How GitGuardian protects you" panel of your [Analytics](https://dashboard.gitguardian.com/analytics)
section illustrates **how GitGuardian has been able to help your team** with secrets detection, whether through the dashboard or a shift-left approach.
> The default time range is `Last month`. You can change the time range in the top right-hand corner of the page. For stat metrics, GitGuardian compares the metric with the previous period (computed to have the same number of days).
### Dashboard protection[](#dashboard-protection "Direct link to Dashboard protection")
**Secrets detectors**: total number of secrets detectors used from the GitGuardian secrets detection engine. You can even see how many new secrets detectors were added by our dedicated R&D team during the selected time period. The entire list is accessible in [your settings](https://dashboard.gitguardian.com/settings/secrets/detectors)
or in the [secrets detection section of our documentation](/secrets-detection/home)
.
#### Historical protection[](#historical-protection "Direct link to Historical protection")
**All time historical scans**: total number of historical scans performed by GitGuardian. You can also see how many historical scans were triggered during the period.
**All time percentage of historical scans detecting secrets**: "all time" percentage of historical scans that uncovered a secret incident. This metric counts incidents that are already open or brand new (already resolved or ignored secret incidents are no longer taken into account during the historical scan). You can even see this same percentage but only for historical scans performed during the selected time period.

#### Real-time protection[](#real-time-protection "Direct link to Real-time protection")
**Commits scanned**: number of commits scanned on server side (post-receive hook stage) through your native VCS integrations (GitHub, GitLab, Bitbucket).
**Evolution of commits scanned over time**: distribution of commits scanned on server side (post-receive hook stage) through your native VCS integrations over time. It shows your developers' activity monitored by GitGuardian.
**Secret occurrences detected per 1000 commits**: ratio of secret occurrences found per commits analyzed. Note that a commit can contains more than 1 secret occurrence.
### Shift left protection[](#shift-left-protection "Direct link to Shift left protection")
GitGuardian CLI (Command Line Interface) application ggshield allows you to deploy GitGuardian's secret detection engine in a shift-left approach.
**ggshield scans**: number of ggshield scans through git hooks or CI/CD integrations.
**Secret detected by ggshield scan**: number of secrets detected with ggshield scans. If the secret was detected with a ggshield scan at git hooks level (pre-commit, pre-push, pre-receive), **it is a secret prevented from reaching the VCS and therefore, one less incident**!
**Evolution of ggshield scans over time**: distribution of ggshield scans over time per ggshield mode (CI/CD integrations, git hooks). For each mode, you will find the number of ggshield scans over the period and the percentage of those scans that detected secrets.

Analytics Charts[](#analytics-charts "Direct link to Analytics Charts")
-------------------------------------------------------------------------
### Introduction[](#introduction "Direct link to Introduction")
Analytics Charts is a powerful feature designed to help you **visualize** and get insights on your **incidents over time**. Whether you are a developer, security lead, or manager, Analytics Charts provides valuable tools to track progress, measure performance, and make informed decisions. With Analytics Charts, you can turn your data into actionable insights and drive your team's success.
Let's dive in and explore how to get started.
### Getting Started[](#getting-started "Direct link to Getting Started")
#### Steps to get started[](#steps-to-get-started "Direct link to Steps to get started")
1. **Access the [Analytics Charts](https://dashboard.gitguardian.com/advanced-analytics)
**
2. **Review pre-built charts**: Get a quick overview of your incidents data with our pre-built charts.
* "Real time" chart: select it from the top menu.

* Modify the chart by adding a new filter. Select the "Secret Validity" filter and choose the option "Valid".

* You have just modified your first chart! The chart is now filtered by incidents detected in real time and valid. You can add as many filters as you like.

### Using pre-built charts[](#using-pre-built-charts "Direct link to Using pre-built charts")
Find a variety of pre-built charts to provide you with quick insights into your data. These charts are designed to highlight key metrics.
**Available pre-built charts:**
1. **Critical**: Track the rate of new incidents over time, broken down by high and critical severity.
2. **Real time**: All secret incidents detected in real time.
3. **New incidents**: Track the daily count of new incidents.
4. **Open incidents**: Track the distribution of open incidents.
5. **Public exposure**: Track the number of secret exposed in public codebases to identify high risks.
6. **Severity distribution**: Tracking the distribution of secret severity.
7. **Severity validity**: Assess the overall validity of secrets.

**Accessing pre-built charts:**
1. **Navigate to the Analytics Charts page:** Access all charts available from the "+" button.
2. **Explore charts details:** Change the time frame (daily, weekly, monthly).
3. **Customize the chart:** Add or remove filters following your needs.
4. **Export the data:** Export the data in CSV format.
5. Duplicate, hide or delete a chart: Decide to duplicate, hide or delete a chart.
Note: Updating a pre-built GitGuardian chart is not possible. It is necessary to create a new chart or duplicate the existing one before saving it as a new chart.
### Understanding your data[](#understanding-your-data "Direct link to Understanding your data")
By understanding the types of data available and how to leverage it, you can gain valuable insights into your team's performance and security posture.
#### Data sources[](#data-sources "Direct link to Data sources")
Currently, Analytics Charts supports the following data sources:
* **Stock**: Open secret incidents over time
* **Flow**: Newly detected secrets over time
#### Filtering and "group by" options[](#filtering-and-group-by-options "Direct link to Filtering and "group by" options")
You can _filter_ or _group by_ charts data by:
* Time
* Team
* Detector type
* Publicly leaked/exposed
* Real-time
* Secret validity
* Severity
* Detector type
* Publicly leaked/exposed
* Real-time
* Secret Validity


#### Data visualization[](#data-visualization "Direct link to Data visualization")
There are various visualization options such as line charts, bar charts, area charts to help you understand data trends and patterns. You can change the way you display your data when creating or updating a chart.

#### Charts visibility[](#charts-visibility "Direct link to Charts visibility")
Charts can be accessible to all workspace members or kept private and visible only to the creator. Additionally, if a member is part of a specific team, he can only visualize data related to his team.
This visibility option is accessible from the side panel when you are creating or updating a chart.
#### Charts options[](#charts-options "Direct link to Charts options")
* Charts can be duplicated.
* Charts data can be exported in CSV format.
* Charts can be deleted.

### How to create your custom chart[](#how-to-create-your-custom-chart "Direct link to How to create your custom chart")
Analytics empowers you to create custom visualizations that perfectly suit your needs. You can easily build charts that highlight the most important aspects of your data.
#### Steps to create a custom chart[](#steps-to-create-a-custom-chart "Direct link to Steps to create a custom chart")
Firstly, click on the "+" button next to the list of pre-built charts. This will open a side panel allowing you to create a new chart and select options.

1. **Add a title and a description:** Provide a clear and concise title and description for your chart.
2. **Select the data source:** Choose the data sources you want to include in your chart.
3. **Select the way to display data:** Choose how you want your data to be displayed, such as a line chart, bar chart and so on.
4. **Group by option:** Group your data by a specific category or dimension (for instance: detector type).
5. **Filters options:** Apply filters to your data to focus on specific time periods.
6. **Visibility options:** Determine whether the chart should be accessible to all workspace members or kept private.
7. **Save your new chart:** Save your custom chart for future use and easily share it with colleagues and stakeholders.
By following these steps and taking advantage of the customization options, creating custom charts is easy and a powerful tool for communicating your data effectively.
#### Was this page helpful?
[](#)
[](#)
* [Analytics Insights](#analytics-insights)
* [Dashboard protection](#dashboard-protection)
* [Shift left protection](#shift-left-protection)
* [Analytics Charts](#analytics-charts)
* [Introduction](#introduction)
* [Getting Started](#getting-started)
* [Using pre-built charts](#using-pre-built-charts)
* [Understanding your data](#understanding-your-data)
* [How to create your custom chart](#how-to-create-your-custom-chart)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Overview | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Overview
========
Why should organizations shift security testing left?[](#why-should-organizations-shift-security-testing-left "Direct link to Why should organizations shift security testing left?")
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Shift left is a development principle which states that code quality and security should move from the right or at the very end of the software development life cycle (after code is deployed to runtime environments) to the left – in developer workstations and IDEs, in Continuous Integration (CI) pipelines, etc.
In other words, security, and secrets detection, should be integrated and designed into all stages of the development process. This new shift requires developers to take more ownership of security and security principles.
### GitGuardian CLI (ggshield)[](#gitguardian-cli-ggshield "Direct link to GitGuardian CLI (ggshield)")
**ggshield, the GitGuardian CLI (command-line interface)** integrates GitGuardian's secrets detection engine in your developer workflows,
[Getting started with ggshield](/ggshield-docs/getting-started)
.
FAQ[](#faq "Direct link to FAQ")
----------------------------------
#### I have GitHub, GitLab or an other VCS configured. Why should I use ggshield?[](#i-have-github-gitlab-or-an-other-vcs-configured-why-should-i-use-ggshield "Direct link to I have GitHub, GitLab or an other VCS configured. Why should I use ggshield?")
GitGuardian CLI or ggshield helps you catch hardcoded secrets earlier in the software development lifecycle. In cases where pre-commit or pre-receive hooks are configured with ggshield, you will be alerted before secrets leave your local workstation and enter the shared/central repositories. This prevents secrets from getting exposed and in turn, avoids you the pain of incident remediation and the revoking and rotating of secrets.
#### I have ggshield configured. Should I also scan my GitHub, GitLab and other VCS?[](#i-have-ggshield-configured-should-i-also-scan-my-github-gitlab-and-other-vcs "Direct link to I have ggshield configured. Should I also scan my GitHub, GitLab and other VCS?")
GitGuardian CLI is a very flexible tool. It is fast and easy to integrate but does not provide the same security guarantees as real-time monitoring of your Version Control System (VCS). Pre-commit or pre-receive hooks can be bypassed for example on developer workstations. In Continuous Integration (CI) pipelines, ggshield has to be configured individually for each workflow/pipeline to add a secrets scanning job.
The GitGuardian Internal Monitoring platform and its native VCS integrations give you:
* Complete visibility over all repositories in your perimeter in addition to the possibility to scan their entire commit history (periodically and on-demand),
* Real-time protection with automated scanning of every new code commit that reaches the VCS.
#### Was this page helpful?
[](#)
[](#)
* [Why should organizations shift security testing left?](#why-should-organizations-shift-security-testing-left)
* [GitGuardian CLI (ggshield)](#gitguardian-cli-ggshield)
* [FAQ](#faq)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Account settings | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Account settings
================
Change your first and last name[](#change-your-first-and-last-name "Direct link to Change your first and last name")
----------------------------------------------------------------------------------------------------------------------
If you sign up via email / password, GitGuardian would have asked you to submit your first and last names upon registration.
If you have signed up through GitHub, GitGuardian infers your first and last name from the name indicated on GitHub. But if a name is not indicated on GitHub, GitGuardian will consider your GitHub login as your first name. In such cases, we recommend that you change your first and last name in order to facilitate collaboration with other members of your workspace.
To change your first name and last name:
1. Navigate to Settings > Personal > [Account](https://dashboard.gitguardian.com/settings/personal/account)
2. Enter a new `First name` and `Last name`
3. Submit the form
Change your email address[](#change-your-email-address "Direct link to Change your email address")
----------------------------------------------------------------------------------------------------
We currently do not support email address modification. If you want to use another email address on GitGuardian, you would need to create another workspace.
Change your GitHub login[](#change-your-github-login "Direct link to Change your GitHub login")
-------------------------------------------------------------------------------------------------
If you registered to GitGuardian using GitHub, your GitHub login will be visible in the Settings page. Since your GitGuardian and GitHub identities are intertwined, we do not allow you to edit your GitHub login within GitGuardian.
Change your password[](#change-your-password "Direct link to Change your password")
-------------------------------------------------------------------------------------
1. Navigate to Settings > Personal > [Account](https://dashboard.gitguardian.com/settings/personal/account)
2. Scroll to the `Password` section
3. Enter your current password in the `Current password` field.
4. Enter your desired new password twice, once in the `New password` field and once in the `Confirm new password` field.
5. Submit the form
**Current password policy**:
* your password must be at least 12 characters long
* your password must contain at least 1 letter, 1 numeric character and 1 special character
info
I signed up through SSO and, now I don't have any password.
Whenever you register through SSO, GitGuardian lets the IdP handle the authentication, therefore you don't need a password. However, we do let you configure a password if you want. This password will be associated with the email address you are using on GitGuardian. If the SSO is disabled, you will then be able to sign in via email / password submission.
Belong to multiple workspaces[](#belong-to-multiple-workspaces "Direct link to Belong to multiple workspaces")
----------------------------------------------------------------------------------------------------------------
GitGuardian allows you to be member of several workspaces. Thus, your email address can be associated to multiple workspaces.
However, GitGuardian allows you to only create only one workspace yourself. In order to be member of other workspaces, you must receive an invitation. You can be a member of **at most 5 workspaces**.
If you are member of several workspaces and you want to switch the workspace you are currently viewing, click on the first tab of the sidebar and then select the workspace to switch to.
#### Was this page helpful?
[](#)
[](#)
* [Change your first and last name](#change-your-first-and-last-name)
* [Change your email address](#change-your-email-address)
* [Change your GitHub login](#change-your-github-login)
* [Change your password](#change-your-password)
* [Belong to multiple workspaces](#belong-to-multiple-workspaces)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Deployment methods | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Deployment methods
==================
Deploying honeytokens can be accomplished through various methods, each suited to different needs and scenarios:
Automatically and at scale with Deployment jobs[](#automatically-and-at-scale-with-deployment-jobs "Direct link to Automatically and at scale with Deployment jobs")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
info
Deployment jobs are only available for workspaces under the Business plan.
Deployment jobs enable the automated deployment of honeytokens into code repositories that are integrated with GitGuardian. For an in-depth exploration of Deployment jobs, please refer to [our detailed page on this topic](/honeytoken/deploy-honeytokens/deployment-jobs)
.
This approach is highly recommended for broad coverage across numerous repositories, offering an efficient and streamlined process.
Manually[](#manually "Direct link to Manually")
-------------------------------------------------
Manual deployment of honeytokens is always an option. This involves creating a honeytoken from the GitGuardian dashboard, copying the AWS key, and then inserting it into the asset you wish to monitor. Detailed instructions for this process can be found on our [Getting Started](/honeytoken/getting-started#create-and-deploy-your-first-honeytoken)
page.
This method is particularly useful for assets not under GitGuardian's monitoring or in scenarios where automation is not feasible. It is best suited for situations involving a smaller number of assets.
caution
When manually inserting honeytokens into assets not integrated with GitGuardian, it's crucial to assign them distinctive names and descriptions. This way, should the honeytoken be triggered, you'll be able to identify which asset was compromised. We recommend naming the honeytoken after the asset itself and using the description field to provide additional details about its precise location. Labels can also be utilized to categorize your honeytokens effectively.
Via custom scripts leveraging the GitGuardian API[](#via-custom-scripts-leveraging-the-gitguardian-api "Direct link to Via custom scripts leveraging the GitGuardian API")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
For those with specific needs or seeking greater flexibility, creating custom deployment scripts is a viable option. You can craft scripts that generate honeytokens by leveraging [GitGuardian's Honeytoken API](https://api.gitguardian.com/docs#tag/Honeytokens)
, insert them into the desired context, and then deploy them to your target assets.
This method offers a high degree of customization and control but requires a significant technical investment from the user. It is a good choice for covering a vast array of assets not supported by GitGuardian's integrations, or if you prefer to dictate the exact context in which your honeytokens are deployed.
#### Was this page helpful?
[](#)
[](#)
* [Automatically and at scale with Deployment jobs](#automatically-and-at-scale-with-deployment-jobs)
* [Manually](#manually)
* [Via custom scripts leveraging the GitGuardian API](#via-custom-scripts-leveraging-the-gitguardian-api)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Self-hosting GitGuardian | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
###### Configuration
Self-hosting
============
Find everything you need to know to set up and run the GitGuardian platform on your infrastructure. This section includes details on the hardware and software requirements, installation steps, upgrading instructions, and troubleshooting.
User guide
----------
[### Install the application\
\
Learn more about the options for installing the GitGuardian self-hosted application and follow the steps for your first installation.](/self-hosting/installation/choose-embedded-existing)
[### Manage the application\
\
Learn how to manage your infrastructure and application configuration using the Admin console, to meet your high availability, scaling, and business continuity requirements.](/self-hosting/management/infrastructure-management/admin-console)
[### Secure the application\
\
Read the best practices for securing your GitGuardian application, learn how to configure TLS certificates or even how to use custom Certificate Authorities (CA).](/self-hosting/security/recommendations)
Requirements and troubleshooting
--------------------------------
[### System requirements\
\
Learn more about the hardware, software, and domain name requirements for installing GitGuardian self-hosted. Requirements are detailed for both Embedded and Existing Kubernetes cluster installs.](/self-hosting/system-requirements)
[### Network requirements\
\
Learn more about the network requirements for running your GitGuardian instance and how they vary depending on the selected installation method and whether it is deployed in an air-gapped environment.](/self-hosting/network-requirements)
[### Troubleshooting\
\
Learn more about services health checks, and also how to generate and send a support bundle for GitGuardian to identify and help you fix any deployment or run issues.](/self-hosting/troubleshoot/support)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Respond to a triggered honeytoken | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Respond to a triggered honeytoken
=================================
GitGuardian helps you by providing as much contextual information as possible about the events and some general guidelines:

The lifecycle of a honeytoken[](#the-lifecycle-of-a-honeytoken "Direct link to The lifecycle of a honeytoken")
----------------------------------------------------------------------------------------------------------------
The lifecycle of a honeytoken and the possible actions are shown in the following schema:
graph LR Active -...->|Event happens!| Triggered Triggered -->|Reset| Active Triggered -->|Revoke| Revoked Active -->|Revoke| Revoked
Reset a triggered honeytoken[](#reset-a-triggered-honeytoken "Direct link to Reset a triggered honeytoken")
-------------------------------------------------------------------------------------------------------------
If your investigation has determined that the trigger alert was a false alarm, such as when one of your developers genuinely tried to use the honeytoken, or when it was triggered for test purpose, you should reset the honeytoken.
Resetting the honeytoken changes its status back to Active, allowing it to be triggered again on future attempts.
After resetting, your honeytoken is as good as new!

Revoke a triggered honeytoken[](#revoke-a-triggered-honeytoken "Direct link to Revoke a triggered honeytoken")
----------------------------------------------------------------------------------------------------------------
If your investigation has confirmed a real security incident, and you have taken the necessary steps to remediate the incident and ensure that your environment is protected, it is important to revoke the triggered honeytoken. This honeytoken is now compromised and thus useless.
Revoking the honeytoken will deactivate it entirely by deleting the associated AWS key pair. Events will no longer be logged on this honeytoken.
caution
Remember to create a new honeytoken to replace the compromised one in order to be alerted of new incidents in the same environment!

#### Was this page helpful?
[](#)
[](#)
* [The lifecycle of a honeytoken](#the-lifecycle-of-a-honeytoken)
* [Reset a triggered honeytoken](#reset-a-triggered-honeytoken)
* [Revoke a triggered honeytoken](#revoke-a-triggered-honeytoken)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Data retention | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Data retention
==============
GitGuardian takes data collection and privacy very seriously.
In order to perform monitoring effectively, GitGuardian needs to process multiple data and collects only what is actually needed for the product to meet the monitoring and remediation expectations.
### Commits with incidents only[](#commits-with-incidents-only "Direct link to Commits with incidents only")
As explained in the [How it works section](/platform/core-concepts/how-gitguardian-works)
, GitGuardian integrates with your VCS on the server side. Therefore, every commit reaching the server and belonging to the perimeter will be scanned for secrets.
A commit consists of:
* its actual content: the patches containing the additions and/or deletions of code in the different files. A commit can have several patches.
* its metadata:
* commit date
* author date
* committer email
* committer name
* author email
* [author name](/platform/glossary#author-vs-committer)
* commit SHA
GitGuardian collects:
* The metadata of all the events including mostly push events. Push events metadata contains commits metadata. We do this in order to keep track of all the activity and compute analytics.
* The precise patch of the commits for which GitGuardian has detected secrets This in order for the secret to be displayed in the dashboard to help with remediation. Plus if the git history is overwritten by the developer, GitGuardian becomes the only place where the security team can access the secret in order to perform the remediation and access logs checking.
#### What happens during historical scans?[](#what-happens-during-historical-scans "Direct link to What happens during historical scans?")
During a historical scan, GitGuardian goes through all existing commits on the repository across all branches. The patches containing secrets are collected for the same reasons as mentioned above. The other commits are not collected. We also collect some metadata about the historical scan performed in order to compute analytics and improve the robustness of the algorithms:
* Number of commits scanned
* Number of branches scanned
### Perimeter sources’ metadata[](#perimeter-sources-metadata "Direct link to Perimeter sources’ metadata")
When integrating with GitGuardian, you allow the monitoring of specific GitHub repositories or GitLab projects you own. They constitute the sources of your perimeter. GitGuardian collects the metadata of those sources:
* Name
* Size (in bytes)
* Visibility (public/private)
* VCS unique identifier
* Number of stars
* Number of forks
* Number of watchers
We use such information to give you an overview of your entire perimeter analytics and the ability to filter the secret incidents by sources. Metadata are also crucial to allow seamless integration between GitGuardian and your VCS.
### VCS members basic information[](#vcs-members-basic-information "Direct link to VCS members basic information")
GitGuardian has read-access to your VCS members:
* Members of your GitHub organization (private and public members)
* Members of your GitLab instance in case of an instance-level integration.
It is necessary for GitGuardian to compute the number of seats for billing purposes.
If you would rather have your data completely isolated, you might want to self-host GitGuardian.
### SaaS Europe: GDPR Compliance[](#saas-europe-gdpr-compliance "Direct link to SaaS Europe: GDPR Compliance")
For customers in the European Union, GitGuardian offers a SaaS solution that is fully compliant with the [General Data Protection Regulation (GDPR)](https://gdpr.eu/what-is-gdpr/)
. This ensures that all data processing and retention adhere to the strict privacy and data protection regulations mandated by GDPR. Data is stored and processed within the EU, providing peace of mind and compliance assurance for EU-based organizations.
If you are interested, please reach out to the GitGuardian team at [support@gitguardian.com](mailto:support@gitguardian.com)
. Please note that we do not support migration of existing workspace from our US platform to the EU platform at this time.
#### Was this page helpful?
[](#)
[](#)
* [Commits with incidents only](#commits-with-incidents-only)
* [Perimeter sources’ metadata](#perimeter-sources-metadata)
* [VCS members basic information](#vcs-members-basic-information)
* [SaaS Europe: GDPR Compliance](#saas-europe-gdpr-compliance)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Understand honeytoken events and trigger mechanism | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Understand honeytoken events and trigger mechanism
==================================================
An event in the context of honeytokens represents the recorded use of a honeytoken. When a honeytoken is in `Active` status, any new event will immediately change its status to `Triggered`, initiating the corresponding alerts.
Exception
The trigger mechanism differs for allowed events. See the [related section](#open-vs-archived-vs-allowed-events)
for more details.
graph LR A\[Honeytoken is Active\] -->|New event!| B{Is the event allowed?} B -->|Yes| C\[Honeytoken remains Active\] B -->|No| D\[Honeytoken is Triggered\]
Events data[](#events-data "Direct link to Events data")
----------------------------------------------------------
Events can be seen in the honeytoken detail page. For AWS honeytokens, you can observe the following information:
* **Timestamp**: The exact moment of honeytoken usage
* **IP address and country**: Location information linked to the honeytoken usage
* **User-agent**: The accessing software's identity (may be blank).
* **Action**: Specific action performed like `GetCallerIdentity`, `ListBuckets`, etc.
Events tags[](#events-tags "Direct link to Events tags")
----------------------------------------------------------
Event tags provide additional context based on the event's IP address.
You can create custom tags using the [IP rules](#ip-rules-configuration)
settings. Furthermore, GitGuardian manages some default tags:
* `GitGuardian Public Monitoring IP`: Implies the event originates from an IP address used by GitGuardian to monitor public GitHub. This indicates that the honeytoken itself has been leaked and is publicly exposed on GitHub.
* `AWS internal IP`: Signifies the event originates from within AWS, commonly occurring when a honeytoken is publicly exposed on GitHub. Note that for this particular case there is no actual IP address attached to the event.
Open vs. archived vs. allowed events[](#open-vs-archived-vs-allowed-events "Direct link to Open vs. archived vs. allowed events")
-----------------------------------------------------------------------------------------------------------------------------------
Events can be categorized into three states:
* **Open**: The default state of events.
* **Archived**: Initiated by resetting or revoking a honeytoken, resulting in the archiving of all open events..
* **Allowed:**: Events from IPs on the allow-list, ignored by the trigger mechanism.
Archived and allowed events remain present, but they are hidden by default. You can use the status filter in the Events section to see them.

Both archived and allowed events are still stored but are hidden by default. Use the status filter in the Events section to view them. Archived and allowed events are displayed in grey, with allowed events marked by a green tick next to the IP address.
Pausing events reception[](#pausing-events-reception "Direct link to Pausing events reception")
-------------------------------------------------------------------------------------------------
When a honeytoken accumulates 100 open events, the reception of new events will be paused. We pause event reception at this threshold because additional events beyond this number are unlikely to provide new information and could negatively impact performance.
This situation typically occurs in the following scenarios:
* The honeytoken becomes [publicly exposed on GitHub](/honeytoken/code-leakage)
, causing scanners to detect and test it. In this case, the honeytoken should definitely be considered compromised, and revoked.
* Some internal and known tools regularly call the honeytoken for legitimate reasons. In this case, you may want to [allow](#ip-allowlisting)
these calls and then reset the honeytoken.
Note that events reception will resume if the honeytoken is reset, as this action resets the count of open events to zero.
Using IP rules to enrich and manage events[](#using-ip-rules-to-enrich-and-manage-events "Direct link to Using IP rules to enrich and manage events")
-------------------------------------------------------------------------------------------------------------------------------------------------------
IP rules help in declaring known IP ranges for better identification and management of events, serving two purposes: IP tagging and IP allow-listing.
### IP tagging[](#ip-tagging "Direct link to IP tagging")
The feature enables you to attach custom tags to events based on IP addresses, useful for identifying events from familiar sources like your company's internal network.
### IP allowlisting[](#ip-allowlisting "Direct link to IP allowlisting")
Each tag and its associated IP range can be added to an allowlist. Events from these IPs are ignored and do **not** trigger the honeytoken.
caution
Handle this feature cautiously as it might lead to overlooking unauthorized attempts on your honeytokens.
Events from allowed IPs are recorded but greyed out and excluded by default. You can opt to display them using the “status” filter.
### IP rules configuration[](#ip-rules-configuration "Direct link to IP rules configuration")
To manage custom IP rules, go to Settings > Honeytoken > [IP rules](https://dashboard.gitguardian.com/settings/secrets/honeytoken)
.
While GitGuardian sets some uneditable rules, you can create and manage your own using valid CIDRs for IP ranges.
 
No retroactive application of the IP rule on existing events
Adding, modifying, or deleting IP rules won't affect existing honeytoken events. Only future events will be impacted.
Behavior in case of several rules for same IP range
Multiple rules for the same IP range are allowed. Events matching these rules receive all associated tags. If any rule has "allow-list" selected, those events will be considered 'allowed', except for events from GitGuardian Public Monitoring IPs, which cannot be overridden.
#### Was this page helpful?
[](#)
[](#)
* [Events data](#events-data)
* [Events tags](#events-tags)
* [Open vs. archived vs. allowed events](#open-vs-archived-vs-allowed-events)
* [Pausing events reception](#pausing-events-reception)
* [Using IP rules to enrich and manage events](#using-ip-rules-to-enrich-and-manage-events)
* [IP tagging](#ip-tagging)
* [IP allowlisting](#ip-allowlisting)
* [IP rules configuration](#ip-rules-configuration)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Glossary | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Glossary
========
Here you can find a list of some Git, GitHub and GitGuardian specific terms and concepts that we use across our documentation.
### Author vs Committer[](#author-vs-committer "Direct link to Author vs Committer")
[From Git definitions](https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History)
:
* The author is the person who originally wrote the work
* The committer is the person who most recently applied a set of changes, for example by using commands such as `rebase` or `cherry-pick`
### Commit[](#commit "Direct link to Commit")
A commit is a Git object. It "is an individual change to a file (or set of files)". See the [GitHub glossary](https://help.github.com/en/github/getting-started-with-github/github-glossary#commit)
for a more precise definition.
Commits typically include a commit message, which provides a brief description of the changes made, the date of the commit, and the **author** and **committer** of the commit, who can be two distinct users.
### Commit author[](#commit-author "Direct link to Commit author")
The Git user who makes the commit.
### Commit SHA[](#commit-sha "Direct link to Commit SHA")
Unique identifier of a commit created by Git. It is a 40-character checksum hash. For the sake of convenience, only the first 7 characters are usually displayed.
### Custom webhooks[](#custom-webhooks "Direct link to Custom webhooks")
Custom webhooks allow you to build dedicated integration to receive different type of events (like incidents) from GitGuardian. It provides a way to integrate your different services with the GitGuardian alerting pipeline.
### GitHub contributor[](#github-contributor "Direct link to GitHub contributor")
A contributor is a GitHub user who does not have collaborator access to a repository but has contributed to a project and had a pull request they opened merged into the repository.
### GitHub events[](#github-events "Direct link to GitHub events")
Every interaction between a user and GitHub is logged in a GitHub Event. The complete list of event types is available [here](https://docs.github.com/en/free-pro-team@latest/developers/webhooks-and-events/github-event-types)
It contains useful information, such as:
* the **actor**, the GitHub user who triggered the event (in the case of a `PushEvent`, i.e when pushing several commits on GitHub, the actor is also referred to as the **pusher**)
* the **organization** id, if the event occurred on a GitHub organization
* the **payload** which depend on the event's type
* the **repo** on which the event happened
* the **type**
### GitHub organization[](#github-organization "Direct link to GitHub organization")
GitHub organizations are a group of multiple users that typically mirror the structure of your real-world organization. GitGuardian can monitor as many GitHub organizations and scan their associated activity.
### Git users vs GitHub Users[](#git-users-vs-github-users "Direct link to Git users vs GitHub Users")
A commit as defined in the Git protocol, contains both an `author` and `committer`, defined by their email address and name. For example `"Author Name "` is a valid git user (either a committer or an author). This email is configured at the git protocol level, on your developers’ computers, using the commands:
git config --global user.name "FIRST_NAME LAST_NAME"
git config --global user.email "MY_NAME@MY_DOMAIN.com"
On top of that, GitHub **sometimes** adds a GitHub author and / or committer, if it managed to link the git user to an existing GitHub user, based on the **email addresses**. In that case, the commit also contains a GitHub login as the author and / or the committer.
### Patch and diff[](#patch-and-diff "Direct link to Patch and diff")
A patch/diff is a git concept that represents the difference in changes between two commits, or saved changes. The diff will visually describe what was added or removed from a file since its last commit.
### Push Event[](#push-event "Direct link to Push Event")
A Push Event is triggered whenever several commits are pushed on GitHub, from a local repository, and therefore its payload contains a list of commits. That is the main type of event we monitor, since it is the one containing commits, reflecting changes in code.
### Repository[](#repository "Direct link to Repository")
Following [GitHub's definition](https://help.github.com/en/github/getting-started-with-github/github-glossary#repository)
, a repository is the most basic element of GitHub. They are the easiest to imagine as a project's folder. A repository contains all of the project files (including documentation), and stores each file's revision history. Repositories can have multiple collaborators and can be either public or private.
### Secret[](#secret "Direct link to Secret")
A secret is any of the following: API keys, database connection strings, certificates.
#### Was this page helpful?
[](#)
[](#)
* [Author vs Committer](#author-vs-committer)
* [Commit](#commit)
* [Commit author](#commit-author)
* [Commit SHA](#commit-sha)
* [Custom webhooks](#custom-webhooks)
* [GitHub contributor](#github-contributor)
* [GitHub events](#github-events)
* [GitHub organization](#github-organization)
* [Git users vs GitHub Users](#git-users-vs-github-users)
* [Patch and diff](#patch-and-diff)
* [Push Event](#push-event)
* [Repository](#repository)
* [Secret](#secret)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Investigate and remediate your first open incident | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Investigate and remediate your first open incident
==================================================
What is a secret incident? What are its implications?[](#what-is-a-secret-incident-what-are-its-implications "Direct link to What is a secret incident? What are its implications?")
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Secret incidents are open issues that need your attention to be resolved. They are created thanks to [our secrets detection engine](/secrets-detection/home)
that scans your sources code for hardcoded secrets to display them in your dashboard.
Leaving a secret in plain text in source control represents a threat for the security of the resources that are protected by that secret. To learn more about why hardcoded secrets are a vulnerability that needs your Application or Product Security teams' attention, read the related paragraph in our [Core Concepts](/secrets-detection/core-concepts/what-is-a-secret)
section of Secrets Detection.
What are the occurrences of an incident?[](#what-are-the-occurrences-of-an-incident "Direct link to What are the occurrences of an incident?")
------------------------------------------------------------------------------------------------------------------------------------------------
The **same secret can be seen multiple times** in your VCS. They are referred to as occurrences.
GitGuardian streamlines the remediation process by automatically **grouping multiple occurrences of the same secret into a single secret incident**.
Thus, an occurrence of a secret incident is uniquely identified by the combination of the following parameters:
* the source (for instance: a GitHub repository or a GitLab project) impacted by the secret occurrence,
* the commit in which we detected the secret occurrence,
* the commit file containing the secret occurrence,
* the line within the commit file where the secret occurred.
Alerts are sent only when a new incident is created or reopened because of a regression. A new occurrence attached to an already-existing open secret incident won't raise any alerts.
> GitGuardian sets a maximum limit of 1,000 occurrences for a single secret incident (this does not apply to the self-hosted platform).
#### Was this page helpful?
[](#)
[](#)
* [What is a secret incident? What are its implications?](#what-is-a-secret-incident-what-are-its-implications)
* [What are the occurrences of an incident?](#what-are-the-occurrences-of-an-incident)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configure your alerts | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Configure your alerts
=====================
If a honeytoken is in an Active status, any new event will change the status to Triggered.
Email notifications[](#email-notifications "Direct link to Email notifications")
----------------------------------------------------------------------------------
Managers will receive an email notification whenever a honeytoken’s status is changed to Triggered.
This notification can be deactivated in Settings > Personal: Notifications > [Email preferences](https://dashboard.gitguardian.com/settings/personal/notifications)
.
Custom webhooks[](#custom-webhooks "Direct link to Custom webhooks")
----------------------------------------------------------------------
It is possible to configure custom webhooks to receive alerts when honeytokens are triggered or when a new event appears. This allows you to integrate and manage the information directly within your SIEM or other security systems.
You can create dedicated webhooks or use the same ones for secrets detection events and refine the "Event Subscription" scopes as needed.

The possible event subscriptions are:
* Honeytoken > Triggers: get a webhook event whenever the status of a honeytoken gets changed to Triggered.
* Honeytoken > Events: get a webhook event whenever a new honeytoken event is received.
### Payload structure[](#payload-structure "Direct link to Payload structure")
Payload for new trigger
#### Honeytoken triggered[](#honeytoken-triggered "Direct link to Honeytoken triggered")
{ "source": "GitGuardian", "timestamp": "2023-04-20T08:22:19.913732Z", "action": "honeytoken_triggered", "message": "This honeytoken has been triggered.", "target_user": null, "honeytoken": { "id": "12d14831-6b2b-4bd6-881b-53c83a09f07b", "name": "ht27", "description": "", "created_at": "2023-04-12T10:21:28.972903Z", "gitguardian_url": "https://dashboard.gitguardian.com/workspace/1/honeytokens/12d14831-6b2b-4bd6-881b-53c83a09f07b", "status": "triggered", "triggered_at": "2023-04-20T08:22:19.838234Z", "revoked_at": null, "open_events_count": 1, "type": "AWS", "creator_id": 397542, "creator_api_token_id": null, "revoker_id": null, "revoker_api_token_id": null }}
Payload for new honeytoken event
#### New event[](#new-event "Direct link to New event")
{ "source": "GitGuardian", "timestamp": "2023-04-07T15:56:42.171075Z", "action": "new_honeytoken_event", "message": "A new honeytoken event has been received.", "target_user": null, "honeytoken_event": { "id": "2bdc644e-ce7e-49e8-a3a6-56fca0364a63", "honeytoken_id": "12d14831-6b2b-4bd6-881b-53c83a09f07b", "triggered_at": "2023-04-07T15:56:37Z", "status": "open", "ip_address": "54.39.187.211", "action": "GetCallerIdentity", "data": { "event_id": "98a080cf-a268-4a2e-b013-6259122b8a05", "user_agent": "python-requests/2.28.2" }, "tags": [] }}
#### Was this page helpful?
[](#)
[](#)
* [Email notifications](#email-notifications)
* [Custom webhooks](#custom-webhooks)
* [Payload structure](#payload-structure)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Pre-Validators and Post-Validators | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Pre-Validators and Post-Validators
==================================
A `Detector` consists of three core components:
* **Pre-Validators**: These rules are applied before the detection process begins. They determine whether the detection should proceed.
* **Matchers**: Matchers are string extractors that identify and return matched strings, also known as "matches". Typically, matchers use regular expressions, but they can be more complex, such as detecting connection strings.
* **Post-Validators**: These rules are applied after the matchers. They validate the identified matches. Note that post-validators can be applied to a single match or to all matches found by the matcher.
Pre-Validation[](#pre-validation "Direct link to Pre-Validation")
-------------------------------------------------------------------
Pre-validators are an essential component of the secrets detection process. They serve as an initial filter, determining whether further analysis and detection should occur. Pre-validators apply specific rules and conditions before the actual detection process takes place. Their purpose is to ensure that documents meet certain criteria before scanning them. These criteria include checking for specific patterns in the content, filename, path or extensions, or banning minified JavaScript files. Pre-validators optimize the scanning process by focusing on relevant documents.
The following pre-validators are used by our secrets detection engine:
* `BanMinifiedPreValidator`: Bans minified JavaScript files based on a specified threshold.
* `ContentWhitelistPreValidator`: Returns true if the filename or content contains specific patterns.
* `FilenameWhitelistPreValidator`: Returns true if the filename matches an allow-listed name or extension.
* `FilenameBanlistPreValidator`: Returns false if the filename matches a ban-listed name, path, or extension.
Post-Validation[](#post-validation "Direct link to Post-Validation")
----------------------------------------------------------------------
Post-validators are critical in the secrets detection pipeline as they validate and filter the matches identified by the matchers. After the initial matches are identified, post-validators apply additional rules and checks to determine the legitimacy of the detected secrets. These validators ensure that the matches meet specific criteria, such as banning common false positives. They can also assess the entropy of the matches, verify the presence of a minimum number of digits, and apply various heuristics to filter out irrelevant matches. Post-validators provide an additional layer of validation and fine-tuning, improving the accuracy and reliability of the detected secrets by reducing the false positives rate and enhancing the overall effectiveness of the secrets detection engine.
The following post-validators are used by our secrets detection engine:
* `AssignmentBanlistPostValidator`: Discards matches based on the pattern of their assignment variables.
* `CommonHostBanlistPostValidator`: Bans commonly used false positive hosts.
* `CommonPasswordBanlistPostValidator`: Bans commonly used false positive passwords.
* `CommonUsernameBanlistPostValidator`: Bans commonly used false positive usernames.
* `CommonHighEntropyBanlistPostValidator`: Bans commonly used placeholder or generic high entropy values.
* `CommonValueBanlistPostValidator`: Bans commonly used false positive generic values.
* `DictFilterPostValidator`: Filters out matches that contain common dictionary words.
* `EntropyPostValidator`: Ensures that the entropy of the match is above a specified threshold.
* `HeuristicPostValidator`: Applies various heuristics to filter out certain types of matches.
* `MatchesPostValidator`: Applies post-validators to a subset of matches.
* `MinimumDigitsPostValidator`: Verifies that matches contain a minimum number of digits.
* `ValueBanlistPostValidator`: Bans matches that match specific value patterns.
* `ValueSimilarityPostValidator`: Bans match groups with a similarity above a specified threshold.
* `ContextWindowBanlistPostValidator`: Bans value patterns in a window around the matched string.
Example[](#example "Direct link to Example")
----------------------------------------------
Let's consider the example of the [Slack App Token](/secrets-detection/secrets-detection-engine/detectors/specifics/slack_app_token)
detector. It utilizes a `ContentWhitelistPreValidator` pre-validator which specifically looks for the prefix `xapp-` in the documents, which is a rare occurrence, appearing in only around one document per million on GitHub. As a result, the pre-validator quickly eliminates 99.9999% of the documents, significantly narrowing down the search.
Here are some examples of documents that would be accepted by the pre-validator:
curl -X POST https://slack.com/api/chat.postMessage \ -d '{"channel":"C12345678","text":"Hello, Slack!"}' \ -H "Content-Type: application/json" \ -H "Authorization: Bearer xapp-1-XQ1QRVG5098-91645510917198-7bda3ae63ec19bcbc94c9907a52835cd47f8835e0a7553ffa3a494a4bd82e572"
bin/xfce4-set-wallpaperinclude/xapp/libxapp/xapp-gtk-window.h
SLACK_APP_TOKEN="xapp-1-ABCDEFGHIJK-12345678901234-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
Among those documents, the matcher identifies two matches:
* `xapp-1-XQ1QRVG5098-91645510917198-7bda3ae63ec19bcbc94c9907a52835cd47f8835e0a7553ffa3a494a4bd82e572`
* `xapp-1-ABCDEFGHIJK-12345678901234-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`
However, the Slack App Token detector also employs an `EntropyPostValidator`, which filters out the second match due to its low entropy.
In conclusion, based on the example documents, the detector successfully identifies the only valid secret: `xapp-1-XQ1QRVG5098-91645510917198-7bda3ae63ec19bcbc94c9907a52835cd47f8835e0a7553ffa3a494a4bd82e572`.
#### Was this page helpful?
[](#)
[](#)
* [Pre-Validation](#pre-validation)
* [Post-Validation](#post-validation)
* [Example](#example)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Dashboard | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Dashboard
=========
GitGuardian Internal Monitoring comes with a dashboard for security and development teams to:
* Configure their perimeter of monitored code repositories
* Centralize their incidents in one area
* Manage the incident lifecycle and coordinate remediation requiring cross-functional effort
* Integrate with other platforms like SIEMs and ITSMs to forward GitGuardian alerts
* Deploy secrets scanning in developer workflows (using the GitGuardian CLI or API)
Resources[](#resources "Direct link to Resources")
----------------------------------------------------
* [**Dashboard**](https://dashboard.gitguardian.com)
* [**Documentation**](/platform/home)
#### Was this page helpful?
[](#)
[](#)
* [Resources](#resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Secrets Detection Engine | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Secrets Detection Engine
========================
Philosophy[](#philosophy "Direct link to Philosophy")
-------------------------------------------------------
Secrets detection is probabilistic: some secrets are easier to find than others. There is a trade-off between low number of false alerts and low number of missed credentials (precision/recall trade-off)
Our secrets detection engine has been **running in production since 2017**, analyzing billions of commits coming from GitHub. Since day one we began to train and benchmark our algorithms against the open source code. It allowed GitGuardian to build a language agnostic secrets detection engine, integrating new secrets or new way of declaring secrets really fast while keeping a really low number of false positives. We are also collecting feedbacks from the alerts we are sending including the pro bono alerts:
* Explicit feedback when a developer or security team marks an alert as a false alert.
* Implicit feedback when a developer takes down a public repository or deletes a public commit a few minutes after we sent an alert.
We are currently implementing two types of detectors:
* Specific detectors: we implement an algorithm dedicated to looking for one specific type of secret like AWS keys, Postgres URI or SMTP credentials. This type of detector aims at having high recall and precision for the targeted type of secret. The downside of this approach is that we have to implement a lot of specific detectors to have a good coverage of all existing secrets.
* Generic detectors: The purpose of these detectors is to catch what our specific detectors are missing with a generic approach. We will implement generic detectors capturing patterns such as `secret={high_entropy_string}` or `password=xxx, email=yyy@corp.com`. We can thereby achieve a low number of secrets missed even if the precision of these detectors is slightly lower than the specific ones.
You can of course choose what detectors you want to allow or deny in our different web applications.
How it works[](#how-it-works "Direct link to How it works")
-------------------------------------------------------------
Our secrets detection engine takes as input a `Document` having as parameter a string (a Git Patch, a GitHub gist, a Slack message) and an _optional_ parameter which is the filename (`secrets.py`, `index.html`, ...) Note that this detection engine can use the filename when available in a pre-validation step: for example we won't scan an image or a video file since nobody puts secrets in it.
We currently have the following ban-lists in place:
1. We do not scan binary files such as `jpg`, `tar.*`, ...
2. We exclude some filepaths using the following regexes:
node_modules(/|\\)vendors?(/|\\)top-1000\.txt$\.sops$\.sops\.yaml$
3. In most cases, we do not scan documents with the following extensions because they bring a lot of false positives and almost no real secrets: `["html", "css", "md", "lock", "storyboard", "xib"]`
Tao of our secrets detection engine[](#tao-of-our-secrets-detection-engine "Direct link to Tao of our secrets detection engine")
----------------------------------------------------------------------------------------------------------------------------------
* 🎯 **High precision**: We want to keep a low number of false positives to avoid alert fatigue.
* 🔐 **High recall**: We want to keep a low number of missed secrets to keep our customers safe.
* ⚡ **Speed**: While speed is less important than recall and precision our secrets detection engine is designed to be fast and scan a common Git repository history in less than a minute.
* 👥 **Community and customer driven**: Our engine is constantly trained and improved by feedbacks from hundreds of thousands developers using our applications and by feedbacks of our customers.
Main features[](#main-features "Direct link to Main features")
----------------------------------------------------------------
### Broad coverage with 350+ specific detectors[](#broad-coverage-with-350-specific-detectors "Direct link to Broad coverage with 350+ specific detectors")
We have developed the vastest library of specific detectors being able to detect more than 350 different types of secrets (10 times more than the current competition). You can find the exhaustive list [here](/secrets-detection/secrets-detection-engine/detectors/introduction)
.
### Detecting secrets with multiples matches and multi-line secrets[](#detecting-secrets-with-multiples-matches-and-multi-line-secrets "Direct link to Detecting secrets with multiples matches and multi-line secrets")
GitGuardian supports the detection of multi-matches secrets such as oauth `client_id` and `client_secret`, database credentials, SMTP credentials...
GitGuardian supports the detection of multi-line secrets such as private keys.
For example we are able to detect AWS keys from the following snippet and the output will be two matches: one for the client id and one for the client secret.
input: 'id=AKIAFJKR45SAWSZ5XDF3, client_secret: hjshnk5ex5u34565d4654HJKGjhz545d89sjkjka'output: client_id: AKIAFJKR45SAWSZ5XDF3 client_secret: hjshnk5ex5u34565d4654HJKGjhz545d89sjkjka
Example for database credentials:
input: | dbusername = admin dbpassword = 8095uohoiw4ur90 dbhost = db-postgres-nyc1-1111-do-user-111111-0.db.ondigitalocean.com dbport = 25060 dbdatabase = defaultdb dbsslmode = requireoutput: username: admin password: 8095uohoiw4ur90 host: db-postgres-nyc1-1111-do-user-111111-0.db.ondigitalocean.com port: 25060
### Automatic de-duplication[](#automatic-de-duplication "Direct link to Automatic de-duplication")
* If two detectors match the same characters and have the same matches we drop the output of the detectors bringing less information.
For example the following content `slack_token="xoxp-198947049743-7861195093-830655328819-9d40a979cac97bccf1190afb660b37e1"` triggers two detectors: our `slack_user_token` detector and our detector catching generic secrets (token={high\_entropy\_string}). We only keep the results of the `slack_user_token` detector in order to reduce alert fatigue and attach the maximum information to help with the remediation process.
### Detecting prefixed Base64 encoded secrets[](#detecting-prefixed-base64-encoded-secrets "Direct link to Detecting prefixed Base64 encoded secrets")
Recent frameworks like Kubernetes use Base64-encoded secrets and it is becoming pretty common to see Base64-encoded secrets. We are able to detect prefixed secrets encoded in Base64 like private keys.
### Add insights to secrets to ease the work of security engineers and analysts[](#add-insights-to-secrets-to-ease-the-work-of-security-engineers-and-analysts "Direct link to Add insights to secrets to ease the work of security engineers and analysts")
We attach insights to secrets so the application security analysts can have more context information for the remediation. Currently we support the following insights:
* `test_file`: We found the secret in a test context (test folder, test filename).
* `sensitive_file`: We found the secret in a document with a filename considered as sensitive (`.env`, `credentials.json`, ...).
* `whitelisted`: The secret has been white-listed by the developer that wrote the code.
* `decoded value for encoded secret`: We can attach the decoded secret value to encoded secret.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
1. We are not able to scan binary files (for now). Some binary filenames can contain secrets, such as `.pyc` files in Python for example.
2. The number of secrets detected **per detector and per file** is limited to **8** by default. This limit is here to avoid receiving a huge volume of alerts for the same document. We always recommend to look into the document where we detected a secret, there might be other sensitive information that we didn't highlight.
Architecture[](#architecture "Direct link to Architecture")
-------------------------------------------------------------
Our secret detection engine is based on the following logic:

We use `PreValidators` to remove some filenames bringing false positives or to select a document based on the presence of a keyword. For example every `SendGrid API key` must start with the prefix `SG.`, we can discard all documents that don't contain this prefix. These pre-validation steps are the first steps of our secrets detection engine. You can find more information about pre-validators [here](/secrets-detection/secrets-detection-engine/validation#pre-validation)
.
We then use `PostValidators` to validate if our secrets candidate are real secrets. We configure `PostValidators` for each `Detector` so we can achieve the best trade-off between recall and precision. You can find more information about all the `PostValidators` we currently use and support [here](/secrets-detection/secrets-detection-engine/validation#post-validation)
.
Our `Scanner` is a collection of detectors that scans a `Document` and yield `Secret` objects.
#### Was this page helpful?
[](#)
[](#)
* [Philosophy](#philosophy)
* [How it works](#how-it-works)
* [Tao of our secrets detection engine](#tao-of-our-secrets-detection-engine)
* [Main features](#main-features)
* [Broad coverage with 350+ specific detectors](#broad-coverage-with-350-specific-detectors)
* [Detecting secrets with multiples matches and multi-line secrets](#detecting-secrets-with-multiples-matches-and-multi-line-secrets)
* [Automatic de-duplication](#automatic-de-duplication)
* [Detecting prefixed Base64 encoded secrets](#detecting-prefixed-base64-encoded-secrets)
* [Add insights to secrets to ease the work of security engineers and analysts](#add-insights-to-secrets-to-ease-the-work-of-security-engineers-and-analysts)
* [Limitations](#limitations)
* [Architecture](#architecture)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Introduction | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Introduction
============
The GitGuardian API gives you full creative control to **manage your dashboard** data and also to **use GitGuardian secrets detection engine**, whether through ggshield or in a custom way. All API calls need to be authenticated.
### Use cases[](#use-cases "Direct link to Use cases")
* Export your incidents to build custom reports.
* Manage your incidents programmatically.
* Perform your users and teams management programmatically.
* Plug GitGuardian easily into your existing services.
* Build your own integration for secrets detection.
* You want to use ggshield to shift left.
### Considerations[](#considerations "Direct link to Considerations")
* The GitGuardian API is versioned.
* All requests to the GitGuardian API must be authenticated.
* The GitGuardian API enforces rate limits on all requests.
### Limitations[](#limitations "Direct link to Limitations")
* Only secret incidents are available through the API.
[Start to use the API by creating your API key ->](/api-docs/authentication)
#### Was this page helpful?
[](#)
[](#)
* [Use cases](#use-cases)
* [Considerations](#considerations)
* [Limitations](#limitations)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Authentication | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Authentication
==============
The GitGuardian API uses API keys to authenticate requests.
Creating your API key[](#creating-your-api-key "Direct link to Creating your API key")
----------------------------------------------------------------------------------------
There are 2 different types of API keys:
* **[Service accounts](/api-docs/service-accounts)
:** a special type of token intended to represent a non-human user that needs to authenticate and be authorized for scenarios such as secrets scanning in CI pipelines or batch processing open incidents.
* **[Personal access tokens](/api-docs/personal-access-tokens)
:** a token intended for the use of the GitGuardian API and command-line application ggshield by individual developers on their local workstations (e.g. pre-commit or pre-push git hooks).
You need to [create an account](https://dashboard.gitguardian.com/auth/signup)
in order to get an API key. Your API key must kept private and should neither be embedded directly in the code nor versioned in Git. (Please do not push GitGuardian's API keys to public GitHub repositories ^^).
As in the example below, use the [`/health` endpoint](https://api.gitguardian.com/docs#tag/Status/operation/health_check)
to check the validity of your API key.
Authentication scheme[](#authentication-scheme "Direct link to Authentication scheme")
----------------------------------------------------------------------------------------
The GitGuardian API uses `Authorization` header authentication for its requests. The `Authorization` header value must be prefixed with `Token`.
Example request using `curl`:
curl -H "Authorization: Token ${TOKEN}" \ https://api.gitguardian.com/v1/health
Scopes[](#scopes "Direct link to Scopes")
-------------------------------------------
**Scopes are tied to an API key and control the access to resources and scan capability**.
### Dashboard data management scopes[](#dashboard-data-management-scopes "Direct link to Dashboard data management scopes")
* `incidents`
* `incidents:share`: grant view, edit and share permissions on the incidents of your GitGuardian workspace.
* `incidents:write`: grant view and edit permissions on the incidents of your GitGuardian workspace.
* `incidents:read`: grant view only permission on the incidents of your GitGuardian workspace.
* `sources`
* `sources:write`: grant view and edit permissions on the sources (code repositories only) of your GitGuardian workspace.
* `sources:read`: grant view only permission on the sources (code repositories only) of your GitGuardian workspace.
* `honeytokens`
* `honeytokens:write`: grant view and edit permissions on the honeytokens of your GitGuardian workspace. Available under specific conditions: the honeytoken module must be enabled for the workspace, and for personal access token the role must be minimum "manager".
* `honeytokens:read`: grant view only permission on the honeytokens of your GitGuardian workspace. Available under specific conditions: the honeytoken module must be enabled for the workspace, and for personal access token the role must be minimum "manager".
* `members`
* `members:write`: grant view and edit permissions on the members of your GitGuardian workspace.
* `members:read`: grant view permission on the members of your GitGuardian workspace.
* `teams`
* `teams:write`: grant view and edit permissions on the teams of your GitGuardian workspace.
* `teams:read`: grant view permission on the teams of your GitGuardian workspace.
* `api_tokens`
* `api_tokens:write`: grant view and edit permissions on the api tokens (personal access tokens and service accounts) of your GitGuardian workspace.
* `api_tokens:read`: grant view permission on the api tokens (personal access tokens and service accounts) of your GitGuardian workspace.
* `audit_logs:read`: grant view permission on the audit logs of your GitGuardian workspace. If you are using personal access tokens, it is only available to Managers.
* `ip_allowlist`
* `ip_allowlist:write`: grant view and edit permissions on the IP allowlist of your GitGuardian workspace.
* `ip_allowlist:read`: grant view only permission on the IP allowlist of your GitGuardian workspace.
### Scan capability scope[](#scan-capability-scope "Direct link to Scan capability scope")
* `scan`: grant permissions to scan any text content for secrets with GitGuardian secrets detection engine. Required to use [ggshield](/ggshield-docs/getting-started)
.
> You can even test this capability directly in the [Secrets detection playground section in your dashboard](https://dashboard.gitguardian.com/api/secrets-detection-playground)
> :

#### Was this page helpful?
[](#)
[](#)
* [Creating your API key](#creating-your-api-key)
* [Authentication scheme](#authentication-scheme)
* [Scopes](#scopes)
* [Dashboard data management scopes](#dashboard-data-management-scopes)
* [Scan capability scope](#scan-capability-scope)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Service accounts | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Service accounts
================
Prelude[](#prelude "Direct link to Prelude")
----------------------------------------------
A **Service account** is a special type of API key intended to represent a non-human user that needs to authenticate and be authorized for scenarios such as secrets scanning in CI pipelines or batch processing open incidents.
> Please note that service accounts are **only available for workspaces under our Business plan**.
Creating a service account[](#creating-a-service-account "Direct link to Creating a service account")
-------------------------------------------------------------------------------------------------------
> **Only workspace Managers** are allowed to manage service accounts.
1. Go to the [Service accounts page](https://dashboard.gitguardian.com/api/service-accounts)
in the API section of your workspace. Click on `Create service account`.
2. Name your service account according to its use-case (for example `-`)
3. Set an expiry date for your token (in 1 week, 1 month, 6 months, 1 year, or never). If an expiry date is set, all the Managers of the workspace will receive an email notification 5 days before expiration.
4. Choose one or several scopes for your service account.
5. Click on `Create service account`
Make sure you copy the service account, it will no longer be visible to you in the future.

The service accounts of your workspace are visible and can be managed [here](https://dashboard.gitguardian.com/api/service-accounts)
by workspace Managers of workspaces under our Business plan.

#### Was this page helpful?
[](#)
[](#)
* [Prelude](#prelude)
* [Creating a service account](#creating-a-service-account)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Personal access tokens | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Personal access tokens
======================
Prelude[](#prelude "Direct link to Prelude")
----------------------------------------------
**Personal access tokens are used to authenticate calls to the GitGuardian API**. They are intended to be used by developers on their local workstations to scan for secrets with the help of [ggshield](/ggshield-docs/getting-started)
(in [pre-commit](/ggshield-docs/integrations/git-hooks/pre-commit)
or [pre-push](/ggshield-docs/integrations/git-hooks/pre-commit)
git hooks).
Creating a personal access token[](#creating-a-personal-access-token "Direct link to Creating a personal access token")
-------------------------------------------------------------------------------------------------------------------------
1. Go to the [Personal access tokens page](https://dashboard.gitguardian.com/api/personal-access-tokens)
in the API section of your workspace. Click on `Create token`
2. Name your key according to its use-case (for example `-`)
3. Set an expiry date for your token (in 1 week, 1 month, 6 months, 1 year, or never). If you set an expiry date, you will receive an email to notify you 5 days before expiration.
4. Click on `Create token`
Make sure you copy the token, it will no longer be visible to you in the future.

Additional thoughts[](#additional-thoughts "Direct link to Additional thoughts")
----------------------------------------------------------------------------------
* A user provisioning a personal access token with any data scope will allow them to **only retrieve resources following what they have access to via the UI**.
* Each user is allowed 5 personal access tokens in total.
* A personal access token is tied to the user who created it. If the user is deleted, their personal access tokens are also deleted. This is especially useful for deprovisioning purposes in a large organization.
* If you are a member of more than one workspace, you will need to specify which workspace your personal access token is attached to.
Managing personal access tokens[](#managing-personal-access-tokens "Direct link to Managing personal access tokens")
----------------------------------------------------------------------------------------------------------------------
In the Business plan, workspace Managers can administrate the personal access tokens issued for their GitGuardian workspace. They can view, filter, and revoke personal access tokens of all workspace members directly from the table.

#### Was this page helpful?
[](#)
[](#)
* [Prelude](#prelude)
* [Creating a personal access token](#creating-a-personal-access-token)
* [Additional thoughts](#additional-thoughts)
* [Managing personal access tokens](#managing-personal-access-tokens)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Encrypted Secrets | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Encrypted Secrets
=================
What are encrypted secrets?[](#what-are-encrypted-secrets "Direct link to What are encrypted secrets?")
---------------------------------------------------------------------------------------------------------
Encrypted secrets are secrets which are not stored in clear-text: they are encrypted using a key stored in a secured area.
Those are safe to share publicly. As such, GitGuardian strives not to report encrypted secrets as leaks.
Heuristics we use[](#heuristics-we-use "Direct link to Heuristics we use")
----------------------------------------------------------------------------
Since we don't want to report encrypted secrets as leaks, we have to identify which secrets are encrypted: at first glance, an encrypted secret might seem very similar to an unencrypted one. Here are different heuristics we use to identify encrypted secrets.
Note that a secret is often composed of several [matches](/secrets-detection/secrets-detection-engine/glossary#match)
. GitGuardian considers the secret encrypted if at least one of the matches is encrypted.
### Found by a generic detector[](#found-by-a-generic-detector "Direct link to Found by a generic detector")
First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns have constraints like starting with a given prefix, being of a precise length, or consisting of a specific set of characters.
### Stored in a file generated by encrypting tools[](#stored-in-a-file-generated-by-encrypting-tools "Direct link to Stored in a file generated by encrypting tools")
Tools like [SOPS](https://github.com/mozilla/sops)
can encrypt and decrypt secrets in JSON or YAML files. We skip files whose extensions match those used by such tools.
### Match BCrypt or Crypt format[](#match-bcrypt-or-crypt-format "Direct link to Match BCrypt or Crypt format")
If one of the secret matches follows the format of a [BCrypt hash string](https://en.wikipedia.org/wiki/Bcrypt#Description)
or a [Crypt hash string](https://en.wikipedia.org/wiki/Crypt_(C))
it is considered encrypted.
### Context hints[](#context-hints "Direct link to Context hints")
If the text before one of the matches contains one of the following common encryption indicators (this list is non-exhautive):
* "ENC\[" or "ENC("\
* "SealedSecret"\
* "encrypteddata"\
* "encryptedpassword"\
* "encryptedsecrets"\
* "encvalues"\
* "secure"\
* "type: Opaque"\
\
Then the match is considered encrypted.\
\
### Base64 encrypted data[](#base64-encrypted-data "Direct link to Base64 encrypted data")\
\
If the match is a long Base64-encoded string and the first decoded bytes match: (1, 0), (2, 0), (1,1) or (10, 36, 0) then the match is considered to be Base64 encrypted data.\
\
#### Was this page helpful?\
\
[](#)\
[](#)\
\
* [What are encrypted secrets?](#what-are-encrypted-secrets)\
\
* [Heuristics we use](#heuristics-we-use)\
* [Found by a generic detector](#found-by-a-generic-detector)\
\
* [Stored in a file generated by encrypting tools](#stored-in-a-file-generated-by-encrypting-tools)\
\
* [Match BCrypt or Crypt format](#match-bcrypt-or-crypt-format)\
\
* [Context hints](#context-hints)\
\
* [Base64 encrypted data](#base64-encrypted-data)\
\
\
[](https://www.gitguardian.com/)\
\
[](https://www.gitguardian.com/legal/public-security-policy)\
[](https://www.gitguardian.com/legal/public-security-policy)\
\
[](https://twitter.com/gitguardian?lang=en)\
[](https://www.linkedin.com/company/gitguardian/)\
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)\
[](https://github.com/GitGuardian)\
[](https://www.facebook.com/GitGuardian/)\
\
Something we didn’t cover?\
--------------------------\
\
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)\
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)\
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)\
[\
\
API status\
==========](https://status.gitguardian.com/)\
\
Subscribe to our newsletter\
---------------------------\
\
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)\
\
Thank you! Your submission has been received!\
\
Oops! Something went wrong while submitting the form.
---
# Integrate a new Slack source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Slack source
============================
info
All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Slack workspace installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Slack with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Slack via a **Slack app** that you can install on your public and/or private channels of your Slack workspaces. Note that the GitGuardian Slack app only has **read access** to your channels.
In case your Slack workspace is configured to restrict installations of apps, you will need **Workspace Owner** rights in your Slack workspace to set up the integration. You can refer to the [Slack documentation](https://api.slack.com/start/apps)
for more information on managing Slack apps.
Setup your Slack integration[](#setup-your-slack-integration "Direct link to Setup your Slack integration")
-------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Slack workspaces to monitor your public and private channels.
### Setup your Slack integration for public channels[](#setup-your-slack-integration-for-public-channels "Direct link to Setup your Slack integration for public channels")
1. Make sure you're logged in the Slack workspace you want to install
2. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
3. Click on the **Install** button next to **Slack** in the **Messaging** section 
4. Click on the **Install** button of the [Slack integration](https://dashboard.gitguardian.com/settings/integrations/slack)
page
5. Select the Slack workspace you want to add
6. Click on the **Allow** button to accept the permissions requested by GitGuardian 
That's it! Our GitGuardian app is now automatically invited on all your public channels. It will now start monitoring all messages shared on your public channels for secrets.
### Extend your Slack integration to private channels[](#extend-your-slack-integration-to-private-channels "Direct link to Extend your Slack integration to private channels")
By default, the GitGuardian app only accesses public channels. We do not access private channels without your consent. Optionally, you can authorize the GitGuardian Slack app to integrate and monitor your private channels.
To do so, simply invite our GitGuardian app into the desired private Slack channels:
1. Navigate to the private Slack channel of your choice
2. Go to the **Integrations** tab of your channel settings
3. Click on the **Add an App** button
4. Click on the **Add** button next to the **GitGuardian** app 
That's it! Our GitGuardian app is now invited to your private channel and ready for monitoring.
To remove the Slack app from a private Slack channel:
1. Navigate to the private Slack channel of your choice
2. Go to the **Integrations** tab of your channel settings
3. Click on the **GitGuardian** app
4. Select **Remove this app from #channel**
5. Confirm by clicking on the **Remove** button 
That's it! Our GitGuardian app is now removed from your private channel and secret detection is disabled.
Setup Slack for self-hosted GitGuardian[](#setup-slack-for-self-hosted-gitguardian "Direct link to Setup Slack for self-hosted GitGuardian")
----------------------------------------------------------------------------------------------------------------------------------------------
info
We recommend using dedicated workers for Slack. For more detailed information on scaling and configuration, please visit our [scaling](/self-hosting/management/infrastructure-management/scaling#configure-scaling-settings)
page.
If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Slack App so that you own the entire data stream. GitGuardian handles it for you programmatically via the Slack manifest. This will ensure that your Slack App is created with all the appropriate rights.
### 1\. Create a Slack app[](#1-create-a-slack-app "Direct link to 1. Create a Slack app")
#### You are a GitGuardian Manager and you have the right to create a Slack app[](#you-are-a-gitguardian-manager-and-you-have-the-right-to-create-a-slack-app "Direct link to You are a GitGuardian Manager and you have the right to create a Slack app")
1. Navigate to the [Slack integration](https://dashboard.gitguardian.com/settings/integrations/slack)
page
2. Click on **Configure Slack app**

3. Click on **Create Slack app**
4. Select the Slack workspace on which you will create your new custom Slack app
5. Click on **Next**
6. Click on **Create**
7. Go to **Settings > Basic Information > App Credentials** section
8. Get your App Credentials (`App ID`, `Client ID`, `Client Secret`, `Signing Secret`)

That's it! Your Slack app has been created and you can now [declare your Slack app in the GitGuardian Platform](/platform/monitor-perimeter/messaging-integrations/slack#2-declare-your-slack-app-in-the-gitguardian-platform)
.
#### You are a GitGuardian Manager and you don't have the right to create a Slack app[](#you-are-a-gitguardian-manager-and-you-dont-have-the-right-to-create-a-slack-app "Direct link to You are a GitGuardian Manager and you don't have the right to create a Slack app")
If you don't have the right to create a Slack app, please ask your Slack administrator to do it for you. You can easily forward a request with this procedure:
1. Navigate to the [Slack integration](https://dashboard.gitguardian.com/settings/integrations/slack)
page
2. Click on **Configure Slack app**

3. Click on the **Send a request to a Slack administrator** link to easily forward your request
4. They should in turn provide you with the Slack app credentials to proceed with the [rest of the configuration](/platform/monitor-perimeter/messaging-integrations/slack#2-declare-your-slack-app-in-the-gitguardian-platform)
.
#### You are not a GitGuardian Manager and you received a request to create a Slack app because you have the rights to do so[](#you-are-not-a-gitguardian-manager-and-you-received-a-request-to-create-a-slack-app-because-you-have-the-rights-to-do-so "Direct link to You are not a GitGuardian Manager and you received a request to create a Slack app because you have the rights to do so")
You received a request to create a new custom Slack app so you can use GitGuardian to scan your Slack workspace for secrets.
1. Go to the [Slack App creation](https://api.slack.com/apps?new_app=1&manifest_json=%7B%22display_information%22%3A%7B%22name%22%3A%22GitGuardian%22%7D%2C%22features%22%3A%7B%22bot_user%22%3A%7B%22display_name%22%3A%22GitGuardian%22%2C%22always_online%22%3Afalse%7D%7D%2C%22oauth_config%22%3A%7B%22redirect_urls%22%3A%5B%22https%3A//dashboard.gitguardian.com/api/v1/slack/app/install_callback/%22%5D%2C%22scopes%22%3A%7B%22user%22%3A%5B%5D%2C%22bot%22%3A%5B%22channels%3Ajoin%22%2C%22channels%3Aread%22%2C%22channels%3Ahistory%22%2C%22groups%3Ahistory%22%2C%22groups%3Aread%22%2C%22team%3Aread%22%2C%22users%3Aread%22%2C%22users%3Aread.email%22%5D%7D%7D%2C%22settings%22%3A%7B%22event_subscriptions%22%3A%7B%22request_url%22%3A%22https%3A//dashboard.gitguardian.com/api/v1/receiver/slack/%22%2C%22bot_events%22%3A%5B%22app_uninstalled%22%2C%22channel_archive%22%2C%22channel_created%22%2C%22channel_deleted%22%2C%22channel_history_changed%22%2C%22channel_id_changed%22%2C%22channel_left%22%2C%22channel_rename%22%2C%22channel_shared%22%2C%22channel_unarchive%22%2C%22channel_unshared%22%2C%22email_domain_changed%22%2C%22group_archive%22%2C%22group_deleted%22%2C%22group_history_changed%22%2C%22group_left%22%2C%22group_rename%22%2C%22group_unarchive%22%2C%22member_joined_channel%22%2C%22message.channels%22%2C%22message.groups%22%2C%22team_access_granted%22%2C%22team_access_revoked%22%2C%22team_domain_change%22%2C%22team_rename%22%5D%7D%2C%22org_deploy_enabled%22%3Afalse%2C%22socket_mode_enabled%22%3Afalse%2C%22token_rotation_enabled%22%3Afalse%7D%7D)
page
2. Select the Slack workspace on which you will create your new custom Slack app
3. Click on **Next**
4. Click on **Edit Configurations**
5. Edit the **redirect\_url** and **request\_url** in the manifest to fit with the GitGuardian self-hosted instance URL:
* **redirect\_url**:
* replace: `https://dashboard.gitguardian.com/api/v1/slack/app/install_callback/`
* with: `https:///api/v1/slack/app/install_callback/`
* **request\_url**:
* replace: `https://dashboard.gitguardian.com/api/v1/receiver/slack/`
* with: `https:///api/v1/receiver/slack/`
6. Click on **Next**
7. Click on **Create**
8. Go to **Settings > Basic Information > App Credentials** section
9. Return the App Credentials to your requester in the secure way of your choice (`App ID`, `Client ID`, `Client Secret`, `Signing Secret`)

That's it! Your Slack app has been created, and the requester will be able to declare the Slack app configuration in the GitGuardian platform. Thank you for your cooperation!
### 2\. Declare your Slack app in the GitGuardian Platform[](#2-declare-your-slack-app-in-the-gitguardian-platform "Direct link to 2. Declare your Slack app in the GitGuardian Platform")
1. Paste your Slack app credentials
2. Click on **Save and close**

That's it! Your Slack app configuration is now ready and you can now [setup your Slack integration](/platform/monitor-perimeter/messaging-integrations/slack#setup-your-slack-integration)
.
Edit your Slack app configuration[](#edit-your-slack-app-configuration "Direct link to Edit your Slack app configuration")
----------------------------------------------------------------------------------------------------------------------------
In case you need to edit your Slack app configuration, due to an error when declaring your Slack app credentials or due to a secret rotation, you can do so as follows:
1. Click on **Edit Slack app**
2. Update your Slack app credentials
3. Click on **Save and close**

Delete your Slack app configuration[](#delete-your-slack-app-configuration "Direct link to Delete your Slack app configuration")
----------------------------------------------------------------------------------------------------------------------------------
In case you need to delete your Slack app configuration, you can do so as follows:
1. Click on **Edit Slack app**
2. Click on **Delete configuration**
3. Confirm by clicking on **Delete configuration** in the confirmation modal
info
Deleting your Slack app configuration will uninstall all your Slack integrations. However, all your existing incidents detected on Slack will remain available on your dashboard. Note that deleting the Slack app configuration will only delete the configuration, not the Slack app. If you want to delete your Slack app, you must do so from your Slack workspace.
Uninstall your Slack workspace[](#uninstall-your-slack-workspace "Direct link to Uninstall your Slack workspace")
-------------------------------------------------------------------------------------------------------------------
To uninstall a Slack workspace:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Slack** in the **Messaging** section
3. Click on the bin icon next to the Slack workspace to be uninstalled
4. Confirm by clicking on the **Uninstall** button in the confirmation modal 
That's it! Your Slack workspace is now uninstalled and the associated secret incidents remain visible in the incident dashboard.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. By default, all public channels are monitored and cannot be excluded. Private channels can be included by inviting the GitGuardian Slack app.
* **Team Perimeter:** Customization of a team perimeter with Slack channels is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Slack.
* **Direct Messages:** Direct messages are not scanned.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Slack users that your channels are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Slack channels for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only channels relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the channel’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Slack integration](#setup-your-slack-integration)
* [Setup your Slack integration for public channels](#setup-your-slack-integration-for-public-channels)
* [Extend your Slack integration to private channels](#extend-your-slack-integration-to-private-channels)
* [Setup Slack for self-hosted GitGuardian](#setup-slack-for-self-hosted-gitguardian)
* [1\. Create a Slack app](#1-create-a-slack-app)
* [2\. Declare your Slack app in the GitGuardian Platform](#2-declare-your-slack-app-in-the-gitguardian-platform)
* [Edit your Slack app configuration](#edit-your-slack-app-configuration)
* [Delete your Slack app configuration](#delete-your-slack-app-configuration)
* [Uninstall your Slack workspace](#uninstall-your-slack-workspace)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Usage and quotas | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Usage and quotas
================
Usage[](#usage "Direct link to Usage")
----------------------------------------
The **GitGuardian API and its scan capability** can be used to scan simple content quickly, or even to write complex integrations for non-publicly available services.
Most of GitGuardian's Open Source projects use the **GitGuardian API** as their backbone. [ggshield](/ggshield-docs/getting-started)
and [py-gitguardian](https://github.com/GitGuardian/py-gitguardian)
are two examples.
Stateless scanning[](#stateless-scanning "Direct link to Stateless scanning")
-------------------------------------------------------------------------------
The GitGuardian API endpoints are stateless, meaning any scanned documents or found secrets are not stored on our servers when performing a secrets scan. We do, however, collect and store some metadata for purposes such as quota usage and access logs.
Quotas[](#quotas "Direct link to Quotas")
-------------------------------------------
API quotas are only consumed by API calls related to the [`scan` scope](/api-docs/introduction#scopes)
:
* the [`/scan` endpoint](https://api.gitguardian.com/docs#operation/content_scan)
ingests only one document (piece of text) and consumes 1 quota.
* the [/multiscan endpoint](https://api.gitguardian.com/docs#operation/multiple_scan)
ingests several documents at a time (20 max) and consumes 1 quota.
If a commit contains 40 different documents to scan, scanning this commit will require 2 quotas.
Quota usage is based on requests, not on the size of the content you scan.
**The quota is set on a rolling month**, not on a calendar month.
This means that if 200 API calls are made on the last day of the month, you will need to wait 30 days before 200 new calls are credited back to your account.
This quota is applied at the workspace level, not at the individual API key level. Consequently, exceeding the quota with one API key will restrict all other API keys in the same workspace from making further API calls.
The quota depends on your plan but you can always contact us to increase it:
| | Free plan | Paid plan |
| --- | --- | --- |
| **Quota** | 10,000 calls/month | 100,000 calls/month |
Workspace Managers can track usage of their quota in the [Quota section](https://dashboard.gitguardian.com/api/quota)
of their workspace:

Rate limiting[](#rate-limiting "Direct link to Rate limiting")
----------------------------------------------------------------
The GitGuardian API implements rate limiting to manage the number of requests made to the API.
This helps prevent abuse, ensures fair usage, and maintains the performance and availability of the API.
The GitGuardian API implements rate limiting at the API key level, ensuring that each key is allocated a predetermined maximum number of requests within a designated timeframe.
If the limit is exceeded, the GitGuardian API will return error with status code 429 and the requests will not be processed.
The rate limiting varies based on the type of API key (personal access token or service account) and the plan of your workspace:
| | Free plan | Paid plan |
| --- | --- | --- |
| **Personal access token** | 50 requests/minute | 200 requests/minute |
| **Service account** | N/A
Service accounts are not available under the Free plan | 1000 requests/minute |
> By default, API rate limiting is not applied to GitGuardian self-hosted instances.
#### Was this page helpful?
[](#)
[](#)
* [Usage](#usage)
* [Stateless scanning](#stateless-scanning)
* [Quotas](#quotas)
* [Rate limiting](#rate-limiting)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new GitHub source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new GitHub source
=============================
GitGuardian integrates natively with GitHub via a **GitHub app** that you can install on your personal GitHub repositories and on the repositories of your GitHub organizations.
You can refer to the [GitHub documentation](https://docs.github.com/en/free-pro-team@latest/developers/apps)
for more information on GitHub apps.
Setup your GitHub integration[](#setup-your-github-integration "Direct link to Setup your GitHub integration")
----------------------------------------------------------------------------------------------------------------
### Scan for incidents with the GitGuardian GitHub app[](#scan-for-incidents-with-the-gitguardian-github-app "Direct link to Scan for incidents with the GitGuardian GitHub app")
info
The GitGuardian GitHub app has **only read access** to your code.
Optionally, it is possible to grant GitGuardian **write access** to benefit from specific business features. See [dedicated section](#grant-code-write-permissions-with-the-gitguardianwrite-github-app)
for more detail.
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.
You can install GitGuardian on:
* **your personal GitHub account** to monitor your personal repositories,
* **a GitHub organization** that you own.
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Install** for GitHub.
3. Click on **Install** to start the GitHub app installation process (you will then be redirected to GitHub).
4. Authenticate on GitHub if you are not already logged in.
5. Choose where to install the GitHub app (either for your personal GitHub account or for the GitHub organization of which you are an admin)

6. Choose your preferred installation mode: **All repositories** or **Only select repositories**.
* **All repositories**: GitGuardian will be installed on all existing repositories. New repositories will be integrated to GitGuardian automatically.
* **Only select repositories**: GitGuardian will only be installed on the repositories you select. New repositories will not automatically be integrated with GitGuardian - the installation process will need to be run again in order to integrate new repositories.
We recommend choosing **All repositories** since you can then manually deselect these via the GitGuardian dashboard.

7. Follow the prompts and your chosen GitHub repositories will be added to your workspace.

info
If you attempt to install GitGuardian on a GitHub organization where you are only a member, and not the owner, GitHub will prompt you to use a "Request installation" flow.
We highly recommend inviting the owner to your GitGuardian workspace to perform the integration, thus attaching the GitHub organization to your workspace.
### Grant code write permissions with the GitGuardian:write GitHub app[](#grant-code-write-permissions-with-the-gitguardianwrite-github-app "Direct link to Grant code write permissions with the GitGuardian:write GitHub app")
info
Some business features require write permissions to your repositories in order to open pull requests.
Currently, this concerns the [Honeytoken Deployment jobs](/honeytoken/deploy-honeytokens/deployment-jobs)
feature.
Granting write permissions to GitGuardian is done through the installation of a second GitHub app “GitGuardian:write”.
1. Navigate to [GitHub settings section](https://dashboard.gitguardian.com/settings/integrations/github)
where your integration is already configured with the main app.
2. Click on Manage sources > Configure write permissions. 
3. Choose on which organization you want to install the GitHub app, then choose your preferred installation mode (all organization or selected repositories). Note that you must install it on repositories where the main GitHub is already installed if you want to see them in the GitGuardian dashboard.
Setup GitHub for self-hosted GitGuardian[](#setup-github-for-self-hosted-gitguardian "Direct link to Setup GitHub for self-hosted GitGuardian")
-------------------------------------------------------------------------------------------------------------------------------------------------
If you are using a self-hosted GitGuardian instance, you must first create a dedicated GitHub App so that you own the entire data stream. GitGuardian handles it for you programmatically via GitHub manifest. This will ensure that your GitHub App is created with all the appropriate rights.
info
By default, the GitGuardian GitHub app has **only read access** to your code.
Optionally, it is possible to grant GitGuardian **write access** to benefit from specific business features (more detail in [this dedicated section](#grant-gitguardian-code-write-permissions)
).
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Configure** for GitHub.
3. Click on **Install** to start the GitHub app creation and installation process.
4. Choose a name and validate the GitHub App creation. 
5. Once the GitHub app is created, you can now follow the SAAS installation steps from **step 5** above and choose the GitHub organizations to integrate with GitGuardian.
caution
The GitHub App **belongs to the user who created it**. We recommend that you transfer the ownership to an organization in case the user is later deactivated.

> **IMPORTANT**: GitGuardian cannot monitor repositories whose owner has not installed the GitHub App. If the repo is owned by a GitHub organization, the owner of the organization must install the GitHub App.
### Grant GitGuardian code write permissions[](#grant-gitguardian-code-write-permissions "Direct link to Grant GitGuardian code write permissions")
info
Some business features require write permissions to your repositories in order to open pull requests.
Currently, this concerns the [Honeytoken Deployment jobs](/honeytoken/deploy-honeytokens/deployment-jobs)
feature.
To allow GitGuardian to open pull requests on the repositories of your instance, go to the app settings page in GitHub, in the tab "Permissions & events". Under the "Repository permissions" section, change permissions on Contents to "Read and write":

This change then needs to be propagated to the organizations where this app is installed, by accepting the permission update request:


Adding new repositories[](#adding-new-repositories "Direct link to Adding new repositories")
----------------------------------------------------------------------------------------------
You can add new organizations or repositories by clicking on **add another** on either the list of integrations page or the GitHub integration page.
You can also re-configure a previously installed personal GitHub account / GitHub organization and change the installation mode to **All repositories** or **Only select repositories**.
Automatic historical scan[](#automatic-historical-scan "Direct link to Automatic historical scan")
----------------------------------------------------------------------------------------------------
By default, GitGuardian performs a historical scan for each newly created Github repository added to your perimeter.
You can deactivate this behavior in your [GitHub settings](https://dashboard.gitguardian.com/settings/integrations/github)
if you are a Manager of the workspace.

Automatic repository monitoring[](#automatic-repository-monitoring "Direct link to Automatic repository monitoring")
----------------------------------------------------------------------------------------------------------------------
By default, GitGuardian automatically monitors repositories added to your perimeter.
You can deactivate this behavior in your [GitHub settings](https://dashboard.gitguardian.com/settings/integrations/github)
if you are a Manager of the workspace.
Customize your monitored perimeter[](#customize-your-monitored-perimeter "Direct link to Customize your monitored perimeter")
-------------------------------------------------------------------------------------------------------------------------------
Once you have set up your GitHub integration, you can configure which repositories to monitor in the [GitHub settings section](https://dashboard.gitguardian.com/settings/integrations/github)
of your workspace.
If you unselect a repository from your monitored perimeter:
* GitGuardian will no longer fetch the content of its commits, and therefore alerts won't be raised for this repository.
* The GitGuardian GitHub app will remain installed on this repository, therefore you can easily turn the monitoring back on.
#### Was this page helpful?
[](#)
[](#)
* [Setup your GitHub integration](#setup-your-github-integration)
* [Scan for incidents with the GitGuardian GitHub app](#scan-for-incidents-with-the-gitguardian-github-app)
* [Grant code write permissions with the GitGuardian:write GitHub app](#grant-code-write-permissions-with-the-gitguardianwrite-github-app)
* [Setup GitHub for self-hosted GitGuardian](#setup-github-for-self-hosted-gitguardian)
* [Grant GitGuardian code write permissions](#grant-gitguardian-code-write-permissions)
* [Adding new repositories](#adding-new-repositories)
* [Automatic historical scan](#automatic-historical-scan)
* [Automatic repository monitoring](#automatic-repository-monitoring)
* [Customize your monitored perimeter](#customize-your-monitored-perimeter)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Machine Learning | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Machine Learning
================
Detecting secrets with high quality results is a challenging and intricate task. To enhance our detection engine, we opted to train various models to scrutinize code like a professional developer and pinpoint false positives or enrich generic secrets (soon coming).
False Positive Remover[](#false-positive-remover "Direct link to False Positive Remover")
-------------------------------------------------------------------------------------------
Business Feature
Only workspaces with a Business plan can access this functionality.
When it comes to avoiding false positives, we've pushed imperative programming and regular expressions to their limits. It is simply not possible to write conditions or regular expression patterns for every potential scenario.
To overcome this technological constraint we implemented machine learning to train machines to quickly and efficiently navigate this complex domain and identify the elements we are looking for.
False Positive Remover is an **internally** developed and trained model, independent of third-party services, that accurately identify and label incidents as 'false positives' through its thorough analysis.
### How to use it?[](#how-to-use-it "Direct link to How to use it?")

You can improve your workflow by using the `Filters > Tags > False Positive` filter located in the incidents list page.
This filter allows you to easily identify and manage false positive incidents, helping you streamline your incident resolution process.
[Read more on our blog post](https://blog.gitguardian.com/fp-remover-cuts-false-positives-by-half/)
FAQ[](#faq "Direct link to FAQ")
----------------------------------
### What does this model consider as "False positive"?[](#what-does-this-model-consider-as-false-positive "Direct link to What does this model consider as "False positive"?")
Something that cannot be a secret in any context.
In the example below (`"signup_form_confirm_password": " Confirmar contrasinal"`) looks like a true positive for a regex but is not for our model which analyzes a context (lines before/after)
{ "signup_form_username": "Identificador", "signup_form_password": "Contrasinal", "signup_form_confirm_password": " Confirmar contrasinal", <- a regex may consider this a true positive, not our model. "signup_form_button_submit": "Crear conta",}
### If these are false positives, why don't you just remove them?[](#if-these-are-false-positives-why-dont-you-just-remove-them "Direct link to If these are false positives, why don't you just remove them?")
During beta, we will safely evaluate the accuracy of the model before potentially using it to remove all false positives upfront.
### Are you catching all the false positives I have?[](#are-you-catching-all-the-false-positives-i-have "Direct link to Are you catching all the false positives I have?")
We estimate that in v1 the model can detect 50% of your false positives, on average. We focus on being as accurate as possible and will try to improve our recall over time.
#### Was this page helpful?
[](#)
[](#)
* [False Positive Remover](#false-positive-remover)
* [How to use it?](#how-to-use-it)
* [FAQ](#faq)
* [What does this model consider as "False positive"?](#what-does-this-model-consider-as-false-positive)
* [If these are false positives, why don't you just remove them?](#if-these-are-false-positives-why-dont-you-just-remove-them)
* [Are you catching all the false positives I have?](#are-you-catching-all-the-false-positives-i-have)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Jira Cloud source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Jira Cloud source
=================================
info
For now, only real-time scanning is supported to detect secrets in issues and comments. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Jira Cloud site installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Jira Cloud with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Jira Cloud via a **Jira Cloud app** that you can install on your Jira Cloud sites. Note that the GitGuardian Jira Cloud app only has **read access** to your projects.
Setup your Jira Cloud integration[](#setup-your-jira-cloud-integration "Direct link to Setup your Jira Cloud integration")
----------------------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Jira Cloud sites to monitor your projects.
1. Make sure you're logged in the Jira Cloud site you want to install
2. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
3. Click on the **Install** button next to **Jira Cloud** in the **Ticketing** section 
4. Click on the **Install** button of the [Jira Cloud integration](https://dashboard.gitguardian.com/settings/integrations/jira_cloud)
page
5. Select the Jira Cloud site you want to add
6. Click on the **Accept** button to accept the permissions requested by GitGuardian 
That's it! Our GitGuardian app is now automatically invited on all your projects. It will now start monitoring all issues of your projects for secrets.
Setup Jira Cloud for self-hosted GitGuardian[](#setup-jira-cloud-for-self-hosted-gitguardian "Direct link to Setup Jira Cloud for self-hosted GitGuardian")
-------------------------------------------------------------------------------------------------------------------------------------------------------------
info
We recommend using dedicated workers for Jira Cloud. For more detailed information on scaling and configuration, please visit our [scaling](/self-hosting/management/infrastructure-management/scaling#configure-scaling-settings)
page.
If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Jira Cloud App so that you own the entire data stream. This will ensure that your Jira Cloud App is created with all the appropriate rights.
### 1\. Create a Jira Cloud app[](#1-create-a-jira-cloud-app "Direct link to 1. Create a Jira Cloud app")
1. Navigate to the [Jira Cloud integration](https://dashboard.gitguardian.com/settings/integrations/jira_cloud)
page
2. Click on **Configure Jira Cloud app**

#### As a Jira Cloud administrator[](#as-a-jira-cloud-administrator "Direct link to As a Jira Cloud administrator")
1. Click on **Create Jira Cloud app** (Alternatively, if you're not a GitGuardian Manager, you can access the [Atlassian developer console](https://developer.atlassian.com/console/myapps/create-3lo-app)
directly)
2. Type the name of your new Jira Cloud app: `GitGuardian`
3. Agree to Atlassian's developer terms by checking: **I agree to be bound by Atlassian's developer terms.**
4. Click on **Create**

5. Go to the **Permissions** page
6. Click on **Add** button next to the **Jira API** line

7. Click on **Configure** button next to the **Jira API** line
8. In the **Classic scopes** tab, click on the **Edit Scopes** button of the **Jira platform REST API** section

9. Select the following **classic scopes**:
* `read:jira-user`
* `read:jira-work`
* `write:jira-work`
* `manage:jira-configuration`
* `manage:jira-webhook`
10. Click on **Save**

11. In the **Granular scopes** tab, click on the **Edit Scopes** button

12. Select the following **granular scopes**:
* `read:application-role:jira`
* `read:attachment:jira`
* `read:avatar:jira`
* `read:comment.property:jira`
* `read:comment:jira`
* `read:epic:jira-software`
* `read:field-configuration:jira`
* `read:field:jira`
* `read:group:jira`
* `read:issue-details:jira`
* `read:issue-event:jira`
* `read:issue-field-values:jira`
* `read:issue-meta:jira`
* `read:issue-security-level:jira`
* `read:issue-type-hierarchy:jira`
* `read:issue-type:jira`
* `read:issue.changelog:jira`
* `read:issue.property:jira`
* `read:issue.vote:jira`
* `read:issue:jira`
* `read:jql:jira`
* `read:project-category:jira`
* `read:project-role:jira`
* `read:project-version:jira`
* `read:project.component:jira`
* `read:project.property:jira`
* `read:project:jira`
* `read:status:jira`
* `read:user:jira`
* `read:webhook:jira`
* `write:webhook:jira`
* `delete:webhook:jira`
13. Click on **Save**

14. Go to the **Authorization** page
15. Click on **Add** button next to the **OAuth 2.0 (3LO)** line

16. Enter the callback URL based on your GitGuardian self-hosted instance URL:
`https:///api/v1/jira-cloud/app/install_callback/`
17. Click on **Save changes**

18. Go to the **Overview** page
19. Get your App details (`App ID`) (alternatively, you can find and copy it more easily from the URL)

20. Go to the **Settings** page
21. Get your Authentication details (`Client ID`, `Secret`)

That's it! Your Jira Cloud app has been created and you can now [declare your Jira Cloud app in the GitGuardian Platform](/platform/monitor-perimeter/ticketing-integrations/jira-cloud#2-declare-your-jira-cloud-app-in-the-gitguardian-platform)
. Alternatively, if you are not a GitGuardian Manager, you can now return the Jira Cloud app credentials to your requester in the secure way of your choice (`App ID`, `Client ID`, `Secret`).
info
All these permissions are defined for the creation of your Jira Cloud app. This Jira Cloud app can be used for any type of Jira Cloud integration (secret detection, issue tracking). When installing a Jira Cloud site for a specific integration, only a subset of your Jira Cloud app's permissions will be requested. GitGuardian requires only the minimum number of permissions per integration.
#### As a non Jira Cloud administrator[](#as-a-non-jira-cloud-administrator "Direct link to As a non Jira Cloud administrator")
If you don't have the right to create a Jira Cloud app, please ask your Jira Cloud administrator to do it for you. You can easily forward a request with this procedure:
1. Click on the **Send a request to a Jira administrator** link to easily forward your request
2. They should in turn provide you with the Jira Cloud app credentials to proceed with the [rest of the configuration](/platform/monitor-perimeter/ticketing-integrations/jira-cloud#2-declare-your-jira-cloud-app-in-the-gitguardian-platform)
.
### 2\. Declare your Jira Cloud app in the GitGuardian Platform[](#2-declare-your-jira-cloud-app-in-the-gitguardian-platform "Direct link to 2. Declare your Jira Cloud app in the GitGuardian Platform")
1. Paste your Jira Cloud app credentials (`App ID`, `Client ID`, `Secret`)
2. Click on **Save and close**

That's it! Your Jira Cloud configuration is now ready and you can now [setup your Jira Cloud integration](/platform/monitor-perimeter/ticketing-integrations/jira-cloud#setup-your-jira-cloud-integration)
.
Edit your Jira Cloud app configuration[](#edit-your-jira-cloud-app-configuration "Direct link to Edit your Jira Cloud app configuration")
-------------------------------------------------------------------------------------------------------------------------------------------
In case you need to edit your Jira Cloud app configuration, due to an error when declaring your Jira Cloud app credentials or due to a secret rotation, you can do so as follows:
1. Click on **Edit Jira Cloud app**
2. Update your Jira Cloud app credentials
3. Click on **Save and close**

Delete your Jira Cloud app configuration[](#delete-your-jira-cloud-app-configuration "Direct link to Delete your Jira Cloud app configuration")
-------------------------------------------------------------------------------------------------------------------------------------------------
In case you need to delete your Jira Cloud app configuration, you can do so as follows:
1. Click on **Edit Jira Cloud app**
2. Click on **Delete configuration**
3. Confirm by clicking on **Delete configuration** in the confirmation modal
info
Deleting your Jira Cloud app configuration will uninstall all your Jira Cloud integrations. However, all your existing incidents detected on Jira Cloud will remain available on your dashboard. Note that deleting the Jira Cloud app configuration will only delete the configuration, not the Jira Cloud app. If you want to delete your Jira Cloud app, you must do so from your Jira Cloud site.
Uninstall your Jira Cloud site[](#uninstall-your-jira-cloud-site "Direct link to Uninstall your Jira Cloud site")
-------------------------------------------------------------------------------------------------------------------
To uninstall a Jira Cloud site:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Jira Cloud** in the **Ticketing** section
3. Click on the bin icon next to the Jira Cloud site to be uninstalled
4. Confirm by clicking on the **Yes, uninstall** button in the confirmation modal 
That's it! Your Jira Cloud site is now uninstalled.
Remove the GitGuardian app from your Jira Cloud site[](#remove-the-gitguardian-app-from-your-jira-cloud-site "Direct link to Remove the GitGuardian app from your Jira Cloud site")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Uninstalling a Jira Cloud site from the GitGuardian platform does not remove the GitGuadian app from your Jira Cloud site. This is not a mandatory step, but you can remove it manually after uninstalling your Jira Cloud site from the GitGuardian platform.
Warning
The GitGuardian app is shared with the [Jira Cloud issue tracking integration](/platform/monitor-perimeter/issue-tracking-integrations/jira-cloud)
. Removing the app from your Jira Cloud site will break any existing integration in the GitGuardian platform. Make sure your Jira Cloud site is no longer installed on the GitGuardian platform before removing the GitGuardian app manually.
To remove the GitGuardian app from your Jira Cloud site:
1. Go to your Jira Cloud site
2. Select **Settings > Atlassian account settings**
3. Go to the **Connected apps** tab
4. Click on the **Remove access** button next to the GitGuardian app 
5. Click on the **Remove** button in the confirmation modal
That's it! The GitGuardian app is now removed from your Jira Cloud site.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* **Historical Scan:** Historical scans are not yet supported (coming soon).
* **Source Listing:** Monitored Jira Cloud projects are not yet listed on the [Perimeter](https://dashboard.gitguardian.com/perimeter)
page (coming soon).
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. All projects are monitored by default.
* **Team Perimeter:** Customization of a team perimeter with Jira Cloud projects is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Jira Cloud.
* **Source Visibility:** The visibility of projects is not determined. All projects are considered `private` in both the UI and API.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Jira Cloud users that your projects are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Jira Cloud projects for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only projects relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the project’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Jira Cloud integration](#setup-your-jira-cloud-integration)
* [Setup Jira Cloud for self-hosted GitGuardian](#setup-jira-cloud-for-self-hosted-gitguardian)
* [1\. Create a Jira Cloud app](#1-create-a-jira-cloud-app)
* [2\. Declare your Jira Cloud app in the GitGuardian Platform](#2-declare-your-jira-cloud-app-in-the-gitguardian-platform)
* [Edit your Jira Cloud app configuration](#edit-your-jira-cloud-app-configuration)
* [Delete your Jira Cloud app configuration](#delete-your-jira-cloud-app-configuration)
* [Uninstall your Jira Cloud site](#uninstall-your-jira-cloud-site)
* [Remove the GitGuardian app from your Jira Cloud site](#remove-the-gitguardian-app-from-your-jira-cloud-site)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Secrets Analyzers [BETA] | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Secrets Analyzers \[BETA\]
==========================
caution
This feature is currently in beta.
Two Slack API keys may seem to offer the same accesses, but their associated permissions can differ significantly. If a secret with the permission `read:profile` is exposed, it will cause less harm than a secret with `read:everything`. It's important to share this information with users so they can prioritize their remediation efforts.
The Secrets Analyzer feature offers additional context on detected secrets, including their roles and permissions, as well as relevant contextual information such as ownership and perimeter when found. This helps security teams evaluate the potential impact of a secret incident and effectively prioritize their remediation efforts.
Understanding the context of a secret is a game changer for assessing the impact of a secret incident, as it directly correlates to the possible damages in the event of a breach.
Activate the feature[](#activate-the-feature "Direct link to Activate the feature")
-------------------------------------------------------------------------------------
The feature is not activated by default.
To enable it, navigate to `Settings > Secrets > General`.
Once activated, the analyzer will immediately work on upcoming incidents but also existing incidents.
Helping Prioritize with a Built-in Saved View: `Critical Scopes`[](#helping-prioritize-with-a-built-in-saved-view-critical-scopes "Direct link to helping-prioritize-with-a-built-in-saved-view-critical-scopes")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To help you quickly identify incidents involving secrets with permissions that require your immediate attention, we provide the built-in saved view `Critical Scopes`. This view filters for the most critical permissions associated with the analyzers we currently implement.
In the future, we will update this saved view to include additional permissions as we add more analyzers.

What permissions does this saved view encompass ?
* GitHub PAT Fine Grained
# Repo permissionsAdministration:Read, ReadWriteContents:Read, ReadWriteEnvironments:Read, ReadWriteSecret scanning alerts:Read,ReadWriteSecrets:Read, ReadWrite# Accounts permissionsCodespaces user secrets:Read, ReadWriteGPG keys: Read, ReadWriteGit SSH keys: Read, ReadWrite
* GitHub PAT Classic
admin:orgrepowrite:packageswrite:orgdelete:packagesread:orgadmin:public_keyadmin:org_hookdelete_repoadmin:enterpriseadmin:gpg_keyadmin:ssh_signing_key
* Gitlab PAT
apiread_repositoryread_apiadmin_modesudo
* Stripe
credit_note_readcredit_note_writecoupon_readpromotion_code_readterminal_reader_readterminal_reader_writesecret_writetoken_readtoken_writetransfer_readtransfer_writecharge_readcharge_writeapple_pay_domain_readapple_pay_domain_writeterminal_connection_token_write
New Filters for Navigating Incidents with Discovered Permissions[](#new-filters-for-navigating-incidents-with-discovered-permissions "Direct link to New Filters for Navigating Incidents with Discovered Permissions")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The **Secret Scopes** filter enables you to filter incidents based on the permissions associated with your secret. This lets you quickly identify incidents involving secrets with the most impactful permissions.
Additionally, the **Secret Analyzer** lets you filter incidents by their analyzer statuses, such as "Successful" and "Failed."

Current Analyzers[](#current-analyzers "Direct link to Current Analyzers")
----------------------------------------------------------------------------
* GitHub PAT Fine Grained
* GitHub PAT Classic
* GitLab PAT
* Stripe
* PostgreSQL
* Slack Bot Token
* BitBucket App Password
* BitBucket Access Token
* MySQL URI
#### Was this page helpful?
[](#)
[](#)
* [Activate the feature](#activate-the-feature)
* [Helping Prioritize with a Built-in Saved View: `Critical Scopes`](#helping-prioritize-with-a-built-in-saved-view-critical-scopes)
* [New Filters for Navigating Incidents with Discovered Permissions](#new-filters-for-navigating-incidents-with-discovered-permissions)
* [Current Analyzers](#current-analyzers)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Pagination | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Pagination
==========
Cursor-based pagination is the method used to navigate through the large datasets offered by the GitGuardian API. This method allows you to retrieve items in chunks (pages) by using cursors, which are pointers to a specific item in a dataset. The cursor indicates the position in the dataset, making it easier to navigate back and forth between pages.
How cursor-based pagination works[](#how-cursor-based-pagination-works "Direct link to How cursor-based pagination works")
----------------------------------------------------------------------------------------------------------------------------
* **Initial Request**: When you make the first request to an endpoint, you receive the first set of results
* **Subsequent Requests**: Use the response's [`link`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link)
header to request the next set of results. `link: ; rel="next"`
* **No more data**: If there's no more data to retrieve, the response will have no `link` header.
Examples[](#examples "Direct link to Examples")
-------------------------------------------------
### Python[](#python "Direct link to Python")
import osimport requestsBASE_URL = "https://api.gitguardian.com/v1"API_KEY = os.environ['GITGUARDIAN_API_TOKEN']HEADERS = {"Authorization": f"Token {API_KEY}"}endpoint_url = f"{BASE_URL}/members?per_page=10"all_members = []while True: response = requests.get(endpoint_url, headers=HEADERS) assert response.status_code == 200, response.json() all_members += response.json() if "next" not in response.links: # final page was reached break endpoint_url = response.links["next"]["url"]
### Bash/cURL[](#bashcurl "Direct link to Bash/cURL")
#!/bin/bashURL="https://api.gitguardian.com/v1/members?per_page=10"# Check if jq is installedif ! command -v jq &> /dev/null; then echo "jq could not be found, please install it to parse JSON." exit 1fiMEMBERS="[]"while [ "${URL}" ]; do RESP=$(curl -i -Ss -H "Authorization: Token $API_KEY" "${URL}") # Check for curl error if [ $? -ne 0 ]; then echo "Error: Failed to retrieve data from ${URL}" exit 1 fi # Extract HTTP status code HTTP_STATUS=$(echo "$RESP" | grep HTTP | awk '{print $2}') if [ "$HTTP_STATUS" != "200" ]; then echo "Error: Received HTTP status $HTTP_STATUS" exit 1 fi # Retrieve the body of the response and parse it with jq BODY=$(echo "$RESP" | sed -n '/^\r$/,$p' | sed '1d' | jq '.') # Append to members list MEMBERS=$(echo "${MEMBERS}" | jq ". + ${BODY}") # Retrieve the next url from the response's headers URL=$(echo "$RESP" | grep -i '^link:' | sed -n -E 's/^link:.*<(.*)>; rel="next".*/\1/p')done# Output the members list formatted with jqecho "${MEMBERS}" | jq '.'
#### Was this page helpful?
[](#)
[](#)
* [How cursor-based pagination works](#how-cursor-based-pagination-works)
* [Examples](#examples)
* [Python](#python)
* [Bash/cURL](#bashcurl)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Confluence Cloud source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Confluence Cloud source
=======================================
info
For now, only real-time scanning is supported to detect secrets in pages, blogs and comments. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Confluence Cloud site installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Confluence Cloud with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Confluence Cloud via an **OAuth2 app** and a **Connect app** that you can install on your Confluence Cloud sites. Note that the GitGuardian OAuth2 app only has **read access** to your spaces.
Setup your Confluence Cloud integration[](#setup-your-confluence-cloud-integration "Direct link to Setup your Confluence Cloud integration")
----------------------------------------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Confluence Cloud sites to monitor your spaces.
1. Make sure you're logged in the Confluence Cloud site you want to install
2. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
3. Click on the **Install** button next to **Confluence Cloud** in the **Documentation** section 
4. Click on the **Install** button of the [Confluence Cloud integration](https://dashboard.gitguardian.com/settings/integrations/confluence_cloud)
page
5. Click on the **Connect with Confluence Cloud** in the installation modal 
6. Make sure you are connected to the right Confluence Cloud site
7. Click on the **Accept** button to accept the permissions requested by GitGuardian 
8. Click on the **Open Confluence Cloud settings** in the installation modal 
9. Click on **Settings** in the **Manage apps** page of your Confluence Cloud site
10. Check the **Enable development mode** option and click **Apply** in order to allows the installation of our Connect app 
11. Click on **Upload app** in the **Manage apps** page of your Confluence Cloud site
12. Paste our **app descriptor URL** and click **Upload** to upload and install our app:
* For GitGuardian SaaS US:
`https://dashboard.gitguardian.com/api/v1/confluence-cloud/connect-app/app-descriptor/`
* For GitGuardian SaaS EU:
`https://dashboard.eu1.gitguardian.com/api/v1/confluence-cloud/connect-app/app-descriptor/`
* For GitGuardian Self-Hosted:
`https:///api/v1/confluence-cloud/connect-app/app-descriptor/`
Customize with your GitGuardian Self-Hosted instance URL 
That's it! Our OAuth2 app is now automatically invited on all your spaces and our Connect app connected to your Confluence Cloud site. It will now start monitoring all pages, blogs and comments of your spaces for secrets.
Setup Confluence Cloud for self-hosted GitGuardian[](#setup-confluence-cloud-for-self-hosted-gitguardian "Direct link to Setup Confluence Cloud for self-hosted GitGuardian")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
info
We recommend using dedicated workers for Confluence Cloud. For more detailed information on scaling and configuration, please visit our [scaling](/self-hosting/management/infrastructure-management/scaling#configure-scaling-settings)
page.
If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Confluence Cloud App so that you own the entire data stream. This will ensure that your Confluence Cloud App is created with all the appropriate rights.
### 1\. Create a Confluence Cloud app[](#1-create-a-confluence-cloud-app "Direct link to 1. Create a Confluence Cloud app")
1. Navigate to the [Confluence Cloud integration](https://dashboard.gitguardian.com/settings/integrations/confluence_cloud)
page
2. Click on **Configure Confluence Cloud app**

#### As a Confluence Cloud administrator[](#as-a-confluence-cloud-administrator "Direct link to As a Confluence Cloud administrator")
1. Click on **Create Confluence Cloud app** (Alternatively, if you're not a GitGuardian Manager, you can access the [Atlassian developer console](https://developer.atlassian.com/console/myapps/create-3lo-app)
directly)
2. Type the name of your new Confluence Cloud app: `GitGuardian`
3. Agree to Atlassian's developer terms by checking: **I agree to be bound by Atlassian's developer terms.**
4. Click on **Create**

5. Go to the **Permissions** page
6. Click on **Add** button next to the **Confluence API** line

7. Click on **Configure** button next to the **Confluence API** line
8. In the **Classic scopes** tab, click on the **Edit Scopes** button of the **Confluence platform REST API** section

9. Select the following **classic scopes**:
* `read:confluence-content.all`
* `read:confluence-content.permission`
* `read:confluence-content.summary`
* `read:confluence-groups`
* `read:confluence-props`
* `read:confluence-space.summary`
* `read:confluence-user`
* `readonly:content.attachment:confluence`
* `search:confluence`
10. Click on **Save**

11. In the **Granular scopes** tab, click on the **Edit Scopes** button

12. Select the following **granular scopes**:
* `read:blogpost:confluence`
* `read:comment:confluence`
* `read:page:confluence`
* `read:space:confluence`
13. Click on **Save**

14. Go to the **Authorization** page
15. Click on **Add** button next to the **OAuth 2.0 (3LO)** line

16. Enter the callback URL based on your GitGuardian self-hosted instance URL:
`https:///api/v1/confluence-cloud/app/install_callback/`
17. Click on **Save changes**

18. Go to the **Overview** page
19. Get your App details (`App ID`) (alternatively, you can find and copy it more easily from the URL)

20. Go to the **Settings** page
21. Get your Authentication details (`Client ID`, `Secret`)

That's it! Your Confluence Cloud app has been created and you can now [declare your Confluence Cloud app in the GitGuardian Platform](/platform/monitor-perimeter/documentation-integrations/confluence-cloud#2-declare-your-confluence-cloud-app-in-the-gitguardian-platform)
. Alternatively, if you are not a GitGuardian Manager, you can now return the Confluence Cloud app credentials to your requester in the secure way of your choice (`App ID`, `Client ID`, `Secret`).
#### As a non Confluence Cloud administrator[](#as-a-non-confluence-cloud-administrator "Direct link to As a non Confluence Cloud administrator")
If you don't have the right to create a Confluence Cloud app, please ask your Confluence Cloud administrator to do it for you. You can easily forward a request with this procedure:
1. Click on the **Send a request to a Confluence administrator** link to easily forward your request
2. They should in turn provide you with the Confluence Cloud app credentials to proceed with the [rest of the configuration](/platform/monitor-perimeter/documentation-integrations/confluence-cloud#2-declare-your-confluence-cloud-app-in-the-gitguardian-platform)
.
### 2\. Declare your Confluence Cloud app in the GitGuardian Platform[](#2-declare-your-confluence-cloud-app-in-the-gitguardian-platform "Direct link to 2. Declare your Confluence Cloud app in the GitGuardian Platform")
1. Paste your Confluence Cloud app credentials (`App ID`, `Client ID`, `Secret`)
2. Click on **Save and close**

That's it! Your Confluence Cloud configuration is now ready and you can now [setup your Confluence Cloud integration](/platform/monitor-perimeter/documentation-integrations/confluence-cloud#setup-your-confluence-cloud-integration)
.
Edit your Confluence Cloud app configuration[](#edit-your-confluence-cloud-app-configuration "Direct link to Edit your Confluence Cloud app configuration")
-------------------------------------------------------------------------------------------------------------------------------------------------------------
In case you need to edit your Confluence Cloud app configuration, due to an error when declaring your Confluence Cloud app credentials or due to a secret rotation, you can do so as follows:
1. Click on **Edit Confluence Cloud app**
2. Update your Confluence Cloud app credentials
3. Click on **Save and close**

Delete your Confluence Cloud app configuration[](#delete-your-confluence-cloud-app-configuration "Direct link to Delete your Confluence Cloud app configuration")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
In case you need to delete your Confluence Cloud app configuration, you can do so as follows:
1. Click on **Edit Confluence Cloud app**
2. Click on **Delete configuration**
3. Confirm by clicking on **Delete configuration** in the confirmation modal
info
Deleting your Confluence Cloud app configuration will uninstall all your Confluence Cloud integrations. However, all your existing incidents detected on Confluence Cloud will remain available on your dashboard. Note that deleting the Confluence Cloud app configuration will only delete the configuration, not the Confluence Cloud app. If you want to delete your Confluence Cloud app, you must do so from your Confluence Cloud site.
Uninstall your Confluence Cloud site[](#uninstall-your-confluence-cloud-site "Direct link to Uninstall your Confluence Cloud site")
-------------------------------------------------------------------------------------------------------------------------------------
To uninstall a Confluence Cloud site:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Confluence Cloud** in the **Documentation** section
3. Click on the bin icon next to the Confluence Cloud site to be uninstalled
4. Confirm by clicking on the **Yes, uninstall the connect app** button in the confirmation modal 
5. Uninstall the Connect App by clicking on **Uninstall**
6. Confirm by clicking on the **Uninstall app** button in the confirmation modal 
That's it! Your Confluence Cloud site is now uninstalled.
Remove the GitGuardian OAuth2 app from your Confluence Cloud site[](#remove-the-gitguardian-oauth2-app-from-your-confluence-cloud-site "Direct link to Remove the GitGuardian OAuth2 app from your Confluence Cloud site")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Uninstalling a Confluence Cloud site from the GitGuardian platform does not remove the GitGuardian OAuth2 app from your Confluence Cloud site. This is not a mandatory step, but you can remove it manually after uninstalling your Confluence Cloud site from the GitGuardian platform.
To remove the GitGuardian OAuth2 app from your Confluence Cloud site:
1. Go to the **[Connected apps](https://id.atlassian.com/manage-profile/apps)
** page of your Confluence Cloud site
2. Click on the **Remove access** button next to the **GitGuardian Confluence** app
3. Confirm by clicking on the **Remove** button in the confirmation modal 
That's it! The GitGuardian OAuth2 app is now removed from your Confluence Cloud site.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* **Historical Scan:** Historical scans are not yet supported (coming soon).
* **Source Listing:** Monitored Confluence Cloud spaces are not yet listed on the [Perimeter](https://dashboard.gitguardian.com/perimeter)
page (coming soon).
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. All spaces are monitored by default.
* **Team Perimeter:** Customization of a team perimeter with Confluence Cloud spaces is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Confluence Cloud.
* **Source Visibility:** The visibility of spaces is not determined. All spaces are considered `private` in both the UI and API.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Confluence Cloud users that your spaces are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Confluence Cloud spaces for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only spaces relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the space’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Confluence Cloud integration](#setup-your-confluence-cloud-integration)
* [Setup Confluence Cloud for self-hosted GitGuardian](#setup-confluence-cloud-for-self-hosted-gitguardian)
* [1\. Create a Confluence Cloud app](#1-create-a-confluence-cloud-app)
* [2\. Declare your Confluence Cloud app in the GitGuardian Platform](#2-declare-your-confluence-cloud-app-in-the-gitguardian-platform)
* [Edit your Confluence Cloud app configuration](#edit-your-confluence-cloud-app-configuration)
* [Delete your Confluence Cloud app configuration](#delete-your-confluence-cloud-app-configuration)
* [Uninstall your Confluence Cloud site](#uninstall-your-confluence-cloud-site)
* [Remove the GitGuardian OAuth2 app from your Confluence Cloud site](#remove-the-gitguardian-oauth2-app-from-your-confluence-cloud-site)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# API Reference | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
API Reference
=============
The [**API Reference Documentation**](https://api.gitguardian.com/docs)
contains useful information for developers about the GitGuardian API.
> Note that if you are using a GitGuardian self-hosted instance, the base url of the API routes will be `https://dashboard.gitguardian.mycorp.local/exposed/` instead of `https://api.gitguardian.com/`.
> For example, the scan route will be: `https://dashboard.gitguardian.mycorp.local/exposed/v1/scan`
Examples are provided in all supported programming languages (e.g. Python and Go).
#### Was this page helpful?
[](#)
[](#)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configure real-time alerting and notifications for your perimeter | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Configure real-time alerting and notifications for your perimeter
=================================================================
GitGuardian’s real-time monitoring allows alerts to be sent immediately when an incident is detected.
Events and notification preferences[](#events-and-notification-preferences "Direct link to Events and notification preferences")
----------------------------------------------------------------------------------------------------------------------------------
Configuring a notifier from your GitGuardian workspace allows you to push incident alerts to the channel of your choice (e.g Slack, PagerDuty...). These alerts will contain details about the incident such as the triggered detector and location (org and repository) without revealing the secrets detected or any other sensitive data, avoiding any further contribution to sprawling of secrets.
You can configure the notifier's frequency to send you alerts either `for the first occurrence only and in case of regression` or `for all occurrences`. We recommend the first option if you prefer having fewer alerts related to the same incident show up in your notification channels. If you don't want to miss anything, toggle the second option instead.

Available integrations[](#available-integrations "Direct link to Available integrations")
-------------------------------------------------------------------------------------------
By default, GitGuardian will notify dashboard users via email for every incident. You can [read more about email alerting here](/platform/monitor-perimeter/notifiers-integrations/email-alerting)
. You can also choose to integrate with other notification channels, GitGuardian currently supports:
* [Custom webhooks](/platform/monitor-perimeter/notifiers-integrations/custom-webhook)
Custom services can be written to listen in on GitGuardian's detection engine and programmatically treat detected incidents.
* [PagerDuty](/platform/monitor-perimeter/notifiers-integrations/pagerduty)
Send incidents as PagerDuty event notifications with the PagerDuty Integration.
* [Splunk](/platform/monitor-perimeter/notifiers-integrations/splunk)
Treat incidents as data with the Splunk Integration.
* [Slack](/platform/monitor-perimeter/notifiers-integrations/slack)
The Slack integration allows you to be notified on your team's workspace in a channel of your choice.
* [Discord](/platform/monitor-perimeter/notifiers-integrations/discord)
The Discord integration allows you to be notified on your team's discord server of your choice.
* [Microsoft Teams](/platform/monitor-perimeter/notifiers-integrations/microsoft-teams)
The Microsoft Teams integration allows you to be notified on your team's workspace in a channel of your choice.
#### Was this page helpful?
[](#)
[](#)
* [Events and notification preferences](#events-and-notification-preferences)
* [Available integrations](#available-integrations)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Remediate a leak on public GitHub | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Remediate a leak on public GitHub
=================================
If you end up on this page, it is likely that you got an alert from our _pro bono_ alerting service. Don't worry, leaks sometimes just happen... even to the best of us... **This section provides a step by step guide on how to remediate a leak that occurred on public GitHub.**
⚠️ What you should NOT do:[](#️-what-you-should-not-do "Direct link to ⚠️ What you should NOT do:")
-----------------------------------------------------------------------------------------------------
* **Committing on top of the current source code version is not a solution**. Bear in mind that git keeps track of the history, the secret will still be visible in previous commits.
* **Only taking down the involved repository is not a correct solution**. The leaked credentials will still be exposed in forks of the repository, and attackers could still access it in mirrored versions of GitHub.
✅ Step by step guide to remediate the leak[](#-step-by-step-guide-to-remediate-the-leak "Direct link to ✅ Step by step guide to remediate the leak")
------------------------------------------------------------------------------------------------------------------------------------------------------
* **Step 1:** Revoke the exposed secret.
* **Step 2:** Clean the git history.
* **Step 3:** Inspect logs.
### 🔒 Step 1: Revoke the secret (~ 3 min)[](#-step-1-revoke-the-secret--3-min "Direct link to 🔒 Step 1: Revoke the secret (~ 3 min)")
Revoking the secret **is the only way to ensure no attacker will access the involved service.**
**How to do it:**
* Having been alerted by GitGuardian, you can navigate to the corresponding GitGuardian [detector's documentation](/secrets-detection/secrets-detection-engine/detectors/supported_credentials)
, all information about revocation are available in the `Revoke the secret` section of the selected detector.
* If you found out about the leak without GitGuardian and it is not a secret type handled by one of our detectors, have a look at the relevant provider's documentation. You can usually revoke your credentials in the same section you issued them.
* Finally, **if you leaked corporate credentials or credentials you cannot revoke by yourself, we highly recommend you get in touch with your security team.** It's OK to make mistakes, hiding them is often a bigger problem.
Whether you managed to revoke the credentials or not, move to step 2 to mitigate the leak and remove evidence of it.
### 🧹 Step 2: Clean the git history (~ 10 min)[](#-step-2-clean-the-git-history--10-min "Direct link to 🧹 Step 2: Clean the git history (~ 10 min)")
**If for any reason you could not revoke the leaked credentials, the quickest action to remove the credentials from most attackers' sight is to make the repository private.** Although your credentials are probably mirrored in some other place on the internet, that's already a good way to buy you some time.
**How to do it:** Go under the `settings` section of your GitHub project and chose the `change visibility` button at the bottom.

For a matter of brand image, you may also want to clean the git history to remove any evidence of the leak. **Bear in mind that this action is not sufficient** as the secret can still be visible to attackers, either in forks of the involved repository, or on mirrored version of GitHub.
Also **this is not a trivial action to conduct**, be advised that rewriting git history may break contributing developers' workflow. Now that the credentials have been revoked and attackers cannot use it anymore, take time to do things properly.
**How to do it:**
* We recommend you use [git-filter-repo](https://github.com/newren/git-filter-repo)
, this tool helps to rewrite the history of a project in a user-friendly way. You can refer to this [GitGuardian's blogpost](https://blog.gitguardian.com/rewriting-git-history-cheatsheet/#how-complicated-is-the-situation)
for detailed instructions.
* Once you fixed your git history and pushed it to the remote server. Be aware that this may result in an orphan leaky commit remaining on GitHub. You can get in touch with [GitHub support](https://support.github.com/request)
to permanently delete this data.
### 🔎 Step 3: Inspect logs (~ 5 min)[](#-step-3-inspect-logs--5-min "Direct link to 🔎 Step 3: Inspect logs (~ 5 min)")
Inspecting your logs will give you a quick idea of whether the compromised credentials were used by an attacker or not, and what exactly happened there.
**How to do it:** If the involved provider is handled by GitGuardian's detection engine, you can look in the `Check for suspicious activity` section of the concerned detector's documentation. Otherwise, the API provider usually gives insights on when the credentials were last used in the settings page. If the compromised credentials are database credentials or private keys, you may want to look in relevant server logs.
🏁 Finally[](#-finally "Direct link to 🏁 Finally")
-----------------------------------------------------
Congratulations, now you should be covered. As you know mistakes can happen and GitGuardian is here for you. You just have to sign-up for free and benefit from GitGuardian's real-time alerting to be protected in the future. You can also scan your history to verify that you don't have other secrets buried in your code.
If you are more of a CLI person, you can have a look at [GitGuardian CLI](https://github.com/GitGuardian/ggshield)
. This CLI application can run in your local environment, or in a CI environment to detect more than 300 types of secrets.
[Sign-up](https://dashboard.gitguardian.com/auth/signup?utm_source=outreach&utm_medium=email&utm_campaign=alerting_documentation)
#### Was this page helpful?
[](#)
[](#)
* [⚠️ What you should NOT do:](#️-what-you-should-not-do)
* [✅ Step by step guide to remediate the leak](#-step-by-step-guide-to-remediate-the-leak)
* [🔒 Step 1: Revoke the secret (~ 3 min)](#-step-1-revoke-the-secret--3-min)
* [🧹 Step 2: Clean the git history (~ 10 min)](#-step-2-clean-the-git-history--10-min)
* [🔎 Step 3: Inspect logs (~ 5 min)](#-step-3-inspect-logs--5-min)
* [🏁 Finally](#-finally)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Email alerting | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Email alerting
==============
GitGuardian sends an email to all members of the affected team anytime it detects an incident. To prevent alert fatigue, only one email is sent for multiple occurrences of the same incident.
The members of a team will only receive emails for incidents within their team(s). If you want to receive emails for all the incidents of your workspace, make sure you're a member of the `all-incidents` team.
Email alerts[](#email-alerts "Direct link to Email alerts")
-------------------------------------------------------------
Email alerts include:
* Details of the incident (secret detector, repository and commit involved)
* Date of the incident
* A link to view the offending file directly on the source
* A link to the incident in the GitGuardian dashboard
> You can configure your email alerts in your [personal settings](https://dashboard.gitguardian.com/settings/personal/notifications)
> . Read [our dedicated documentation on email preferences](/platform/user-account/email-preferences)
> .
FAQ[](#faq "Direct link to FAQ")
----------------------------------
**I just received an alert email on which I did not install GitGuardian. Why did this happen?**
**Public Alerts** are another type of GitGuardian alert that you may encounter. They originate from our pro-bono public alerting service, which is not related to this application.
When GitGuardian detects a secret on a public GitHub repository, it alerts the developer responsible for the incident through their commit email.
If you have received an alert email, please see our [remediation guide for leaks on public GitHub](/secrets-detection/secrets-detection-engine/leaks_remediation)
#### Was this page helpful?
[](#)
[](#)
* [Email alerts](#email-alerts)
* [FAQ](#faq)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Introduction | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Introduction
============
Specific vs generic detectors[](#specific-vs-generic-detectors "Direct link to Specific vs generic detectors")
----------------------------------------------------------------------------------------------------------------
GitGuardian makes the distinction between two main categories of detectors:
* **Specific detectors** are designed to detect one specific type of secret, such as an AWS detector that will only detect AWS secrets, or a MongoDB detector that will only detect MongoDB database credentials. The main advantage of such detectors is that they offer high recall and high precision, meaning that they will rapidly catch all specific secrets while raising a low number of false alerts.
* **Generic detectors** are designed to detect a broad variety of secrets without focusing on finding what exact secret has been caught. Therefore, they often catch more secrets, but can also bring more false positives than specific detectors if special care is not taken. That's why the team developing GitGuardian's secrets detection engine is constantly fine tuning these generic detectors (adding additional post validators) to keep an acceptable rate of false positive (around **20%**) while maintaining high recall.
Priority between generic and specific detectors[](#priority-between-generic-and-specific-detectors "Direct link to Priority between generic and specific detectors")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
When a secret is matched by both a generic and specific detector, we will keep the secret matched by the specific detector since more information is available for the remediation.
Let's take a specific example with a SendGrid token in the following context:
# all SendGrid secrets start with SG.TOKEN=SG.gxxxxxxxxx
The secret will be captured both by our `SendGrid` detector and our `generic high entropy secret` detector, yet we will keep the `SendGrid` secret since it provides more information for remediation.
**Specific detectors always have priority over generic detectors**
How to read a detector's file[](#how-to-read-a-detectors-file "Direct link to How to read a detector's file")
---------------------------------------------------------------------------------------------------------------
### General information[](#general-information "Direct link to General information")
**IPs allowlist:** Indicates if the provider offers a way to restrict credentials usage base on incoming IP address.
**Scopes:** Indicates if the provider supports different ranges of permissions for credentials.
**Revoke the secret:** Steps to follow in order to revoke a key.
**Check for suspicious activity:** Procedure to inspect credentials usage and detect some suspicious activities.
### Details section glossary[](#details-section-glossary "Direct link to Details section glossary")
**Family:** Detectors can be classified in families. We currently have the following ones:
* api
* database
* private\_key
* other
**Company:** The company that issues the credentials. We tend to use company names of holdings rather than subsidiaries.
**High\_recall:** This flag indicates that the detector will not miss credentials. Usually this is caused by very well identified and unique patterns in credentials.
**Prefixed:** This flag indicates whether the credentials caught by the detector are prefixed. If this is True, it tends to ensure a very high precision and a very high recall for the detector.
**Can be checked:** This flag indicates whether the key can be checked as valid by using a non-intrusive API call.
**Minimum number of matches:** This corresponds to the number of matches contained in the actual secret. This would be 2 for a secret composed of a `client_id` and a `client_secret`.
**Frequency\_estimate:** This figure gives the average number of credentials that the detector finds per million commits.
#### Was this page helpful?
[](#)
[](#)
* [Specific vs generic detectors](#specific-vs-generic-detectors)
* [Priority between generic and specific detectors](#priority-between-generic-and-specific-detectors)
* [How to read a detector's file](#how-to-read-a-detectors-file)
* [General information](#general-information)
* [Details section glossary](#details-section-glossary)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Detect code leakage on public GitHub | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
Detect code leakage on public GitHub
====================================
GitGuardian natively monitors all the commits on public GitHub for secrets getting leaked.
As for real secrets, whenever a honeytoken ends up in a public GitHub repository, it will be detected by GitGuardian, and this will trigger specific events.
Events originating from the IP addresses of GitGuardian monitoring of public GitHub are marked as `GitGuardian Public Monitoring IP`, and as a result, the honeytoken itself will receive tag `Publicly exposed`.

Clicking the `Publicly exposed` tag of the honeytoken will display all the public GitHub commits detected by GitGuardian as containing the honeytoken.
caution
This specific bit of feature (returning the list of public GitHub commits) is unfortunately not available for self-hosted installations.
Publicly exposed honeytokens can be quickly identified and filtered from the honeytoken list.

#### Was this page helpful?
[](#)
[](#)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Create and manage teams | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Create and manage teams
=======================
A team is a group of people having access to the incidents occurring on a set of sources defined as the team's perimeter.
Only workspaces under Business plan can create and use teams.
Creating a team[](#creating-a-team "Direct link to Creating a team")
----------------------------------------------------------------------
Only Managers can create teams within the workspace.
1. Navigate to Settings > User management > [Teams](https://dashboard.gitguardian.com/settings/user/teams)
.
2. In the top-right-hand corner of the page, click on **Create team**.
3. Define the name of the team and give it a description.

Add teammates to your team[](#add-teammates-to-your-team "Direct link to Add teammates to your team")
-------------------------------------------------------------------------------------------------------
You can add as many teammates you want to a team. Remember that Restricted cannot be added to teams.
1. Within your team page, go to Teammates panel.
2. Click on **Add teammates**.

### Define their incident permissions[](#define-their-incident-permissions "Direct link to Define their incident permissions")
For each teammate, you can define an incident permissions which will define the default level of permission they will automatically have on all incidents that have occurred and will occur on sources belonging to the perimeter of the team and therefore for which he will have access.
* **Can view**: they can only view team incidents.
* **Can edit**: they can resolve, ignore, comment and be assigned on team incidents.
* **Full access**: they have the "Can edit" permissions, plus the ability to share team incidents within the workspace or publicly.
When added to a team, a workspace Manager has unmodifiable `Full access` incident permissions by default.

> For more details about incident permissions, read the [dedicated documentation](/platform/collaboration-and-sharing/incident-permissions-and-sharing)
> .
### Define team leaders[](#define-team-leaders "Direct link to Define team leaders")
For each team, you can define team leaders. Team leaders can:
* manage teammates (add/remove/accept or decline team requests),
* manage team settings and even delete the team.
A workspace Manager added to a team has the same rights as a team leader.

By default, team leaders can invite new users to the workspace by adding them to their team.
This behavior can be deactivated via a workspace setting. Please refer to [this page](/platform/enterprise-administration/workspace-settings)
for more details.
info
A team leader won't be able to configure the team perimeter. For security reasons, configuration of the team perimeter can only be done by a workspace Manager.
Configure team perimeter[](#configure-team-perimeter "Direct link to Configure team perimeter")
-------------------------------------------------------------------------------------------------
The perimeter of the team is a set of sources (GitHub repositories, GitLab projects, etc...) for which the team will have access to all the incidents that have occurred there and will occur there.
### Adding sources to the perimeter[](#adding-sources-to-the-perimeter "Direct link to Adding sources to the perimeter")
1. Within your team page, go to Perimeter panel.
2. Click on **Add sources**.
3. If you have multiple VCS integrations, select the VCS you want to add sources from.
4. Select the repositories you want to add the team perimeter and click on **Add sources**.


info
For security reasons, configuration of the team perimeter can only be done by a workspace Manager.
Indeed, the addition of new sources to the perimeter of the team has very significant implications since it allows access to all the incidents that have occurred on these new sources. This is why only people with the highest privileges, workspace managers, can perform this action.
### About source nodes addition and others important things to know[](#about-source-nodes-addition-and-others-important-things-to-know "Direct link to About source nodes addition and others important things to know")
Few things you should be aware of when configuring the perimeter:
* If you **select an entire node** of sources (eg: a GitHub organization, a GitLab group, a Bitbucket project):
* all the existing sources contained in this node will obviously be added to the perimeter of the team,
* but also the **future sources of this node will automatically be added** to the team perimeter.
* If you **select all the nodes of the VCS integration** (eg: all the GitHub organizations you have integrated), GitGuardian assumes you want to monitor the VCS integration as a whole. **Future nodes will automatically be added** to the team perimeter (eg: future GitHub organizations you will integrate).
* a source can belong to multiple teams.
### Removing sources from the perimeter[](#removing-sources-from-the-perimeter "Direct link to Removing sources from the perimeter")
1. Within your team page, go to Perimeter panel.
2. Click on the bin icon and confirm your action.

If you want to be more specific, you can also click on the cog icon to open the configuration modal and edit the perimeter of the team - add and remove sources - by checking or unchecking the sources of your choice and confirming your action.
Requesting access to a team[](#requesting-access-to-a-team "Direct link to Requesting access to a team")
----------------------------------------------------------------------------------------------------------
People with the `Member` access level must request access to join a team. In order to request access:
1. Navigate to Settings > User management > [Teams](https://dashboard.gitguardian.com/settings/user/members)
.
2. To the right of the team's name, click on **Request access**.
3. An email is then sent to teammates with `Can manage` team permissions notifying this new request. If there are no teammates with `Can manage` team permissions, the email is sent to workspace managers.

Members can cancel their own team requests at any time.
Teammates with `Can manage` team permissions can review team requests on the team page and decide whether to accept or decline them. The Member who made the request will be informed by email of the decision.

info
Workspace Managers have the ability to visit, join, accept or decline team requests, and leave any teams present on the Workspace, even if they are not part of it.
Add alerting integrations to a team[](#add-alerting-integrations-to-a-team "Direct link to Add alerting integrations to a team")
----------------------------------------------------------------------------------------------------------------------------------
info
This feature is currently in beta testing. If you're interested in trying it out, kindly get in touch with your account manager.
As a workspace Manager you can manage alerting integrations for any team from the Integration section. 
As a Member with `Can manage` team permissions, you can create and modify alerting integration for your specific team. 
Team-level alerting enable you to send alerts directly to each team's preferred communication channel, reducing unnecessary distractions for other team members. Team members will only receive alerts for incidents that require their attention and remediation.
If an incident already exist in an other team, and a new occurrence of this incident occurs in a repository attached to your team, you'll receive an alert - even if you've asked to be alerted only by new incident and not occurrences. This ensures you won't overlook any incident.
info
Each workspace has a default limitation of 1000 integrations for all the teams. If you need to increase this quota, please get in touch with your account manager.
Deleting a team[](#deleting-a-team "Direct link to Deleting a team")
----------------------------------------------------------------------
As a workspace Manager or a teammate with `Can manage` team permission, you can delete a team.
1. Navigate to Settings > User management > [Teams](https://dashboard.gitguardian.com/settings/user/members)
.
2. Visit the page of the team you want to delete and scroll down to the "Danger zone".
3. Click on **Delete team** and confirm your action by typing the name of the team.
This action cannot be undone. All teammates will instantly lose access to incidents they were able to access because those incidents occurred within the team perimeter.

A specific team: The "All-incidents" team[](#a-specific-team-the-all-incidents-team "Direct link to A specific team: The "All-incidents" team")
-------------------------------------------------------------------------------------------------------------------------------------------------
### What is the "All-incidents" team[](#what-is-the-all-incidents-team "Direct link to What is the "All-incidents" team")
In the team management feature within a GitGuardian workspace there is a particularity: **the "All-incidents" team**.
The "All-incidents" team is a team that **exists by default on the workspace** and which **gives access to all the incidents** of the workspace to the people who compose it. Consequently, there is no notion of perimeter within the "All-Incidents" team.
This team will usually bring together the people responsible for security at the global level of your organization (eg: CISOs).

info
The "All-incidents" team cannot be deleted.
### How the "All-incidents" team articulates in with access levels and plans[](#how-the-all-incidents-team-articulates-in-with-access-levels-and-plans "Direct link to How the "All-incidents" team articulates in with access levels and plans")
About access levels:
* By default, **all Managers in your workspace are part of the "All-incidents" team and cannot be withdrawn from it**.
* That said, people with the **Member access level can also be part of the "All-Incidents" team** (ex: security auditors).
* People with the Member access level who are not part of the "All incidents" team cannot see it in the list of teams and therefore **cannot request access** to it. A Member can only be part of the "All-incident" team if added manually by a Manager.
About plans:
* As the team management feature - and therefore the ability to have siloed views on incidents - is only allowed in the Business plan, **any workspace under the Free plan works as if only the team "All-Incidents" was present**.
* Thus, when switching from the Business plan to the Free plan (eg: end of contract or end of business trial), **all people who are not part of the "All-incidents" team are considered deactivated**.
#### Was this page helpful?
[](#)
[](#)
* [Creating a team](#creating-a-team)
* [Add teammates to your team](#add-teammates-to-your-team)
* [Define their incident permissions](#define-their-incident-permissions)
* [Define team leaders](#define-team-leaders)
* [Configure team perimeter](#configure-team-perimeter)
* [Adding sources to the perimeter](#adding-sources-to-the-perimeter)
* [About source nodes addition and others important things to know](#about-source-nodes-addition-and-others-important-things-to-know)
* [Removing sources from the perimeter](#removing-sources-from-the-perimeter)
* [Requesting access to a team](#requesting-access-to-a-team)
* [Add alerting integrations to a team](#add-alerting-integrations-to-a-team)
* [Deleting a team](#deleting-a-team)
* [A specific team: The "All-incidents" team](#a-specific-team-the-all-incidents-team)
* [What is the "All-incidents" team](#what-is-the-all-incidents-team)
* [How the "All-incidents" team articulates in with access levels and plans](#how-the-all-incidents-team-articulates-in-with-access-levels-and-plans)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Jira Cloud | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Jira Cloud
==========
GitGuardian provides an integration with Jira Cloud to empower users to synchronize their GitGuardian incidents with Jira Cloud issues. This integration aims to streamline incident remediation processes and strengthen alignment with your Software Development Lifecycle (SDLC).
Benefits[](#benefits "Direct link to Benefits")
-------------------------------------------------
This feature streamlines the process of creating issues from GitGuardian incidents:
* Supports both manual and automatic issue creation upon incident detection.
* Enables issue creation directly in the Jira project linked to the GitGuardian Team.
* Provides customizable templates that utilize Jira custom fields and GitGuardian variables for tailored issue descriptions.
* Includes an auto-resolve feature that automatically closes GitGuardian incidents when the corresponding Jira issues are resolved.
Requirements[](#requirements "Direct link to Requirements")
-------------------------------------------------------------
The Jira integration uses Jira OAuth and requires installation with a Jira user account possessing these permissions across all projects:
* **Manage:** Jira-configuration, Jira-webhook
* **View:** Jira-user, Jira-work
* **Update:** Jira-work
info
We recommend creating a dedicated Jira user, `GitGuardian`, for the integration. This prevents issues if the user who set up the integration leaves the company or loses Jira admin access. The reporter for issues in Jira will be the account name used during setup.
Installation[](#installation "Direct link to Installation")
-------------------------------------------------------------
The integration is available on the Integrations > [Destinations](https://dashboard.gitguardian.com/settings/integrations/destinations)
page, under the Issue Tracking section. Do not confuse it with the Jira Cloud integration for secret scanning.

### Authentication with Jira[](#authentication-with-jira "Direct link to Authentication with Jira")

1. Ensure you're logged into Jira with a user account that meets the [requirements](#requirements)
.
2. Click **Install your first site**.
3. If multiple Jira Cloud sites are available, select the desired one for integration.

Repeat this process for multiple Jira sites, if needed. Note that the same Jira site cannot be installed on multiple GitGuardian workspaces.
caution
If you had installed the initial version of our integration (without auto-creation and auto-resolve features), you will need to reinstall to meet additional scope requirements.
### Project selection[](#project-selection "Direct link to Project selection")
Select Jira projects for synchronization.

* Choose only projects necessary for GitGuardian.
* Avoid creating overly long project lists to simplify selection during manual issue creation.
* Prevent issues in unrelated projects by refining project choices.
### Creating templates and configuring Jira for teams[](#creating-templates-and-configuring-jira-for-teams "Direct link to Creating templates and configuring Jira for teams")
The integration allows you to create templates for automatic issue creation, tailored to your workspace plan:
* **Free Plan Users:** One template applicable to all incidents.
* **Business Plan Users:** Create multiple templates, each assigned to specific teams.
Templates automatically apply to new incidents. A team-specific template is used only for incidents linked to that team. To apply a template across all incidents, associate it with the "All-incidents team".
#### Template functionality[](#template-functionality "Direct link to Template functionality")
The templates are automatically generated based on the Jira template defined for the selected issue type.
* **Required Fields:** Clearly marked as mandatory in the GitGuardian template.
* **Optional Fields:** Can be added as needed.
* **Dynamic UI:** Automatically adjusts based on the type of each field.
#### Supported Jira custom fields[](#supported-jira-custom-fields "Direct link to Supported Jira custom fields")
The integration supports the following Jira custom fields:
* **Selection Fields:** Single/multiple choice, Radio Buttons, Checkboxes
* **Date & Labels:** Date Picker, Labels
* **Text Fields:** Single-line, Multi-line
* **Special Fields:** URL Field, User Picker (single user), Priority
For unsupported fields, contact our **[support team](mailto:support@gitguardian.com)
**.
#### Steps to create a template[](#steps-to-create-a-template "Direct link to Steps to create a template")
1. Begin by adding an integration to the desired team.

2. Choose the Jira project and the corresponding issue type for the template.

3. Adjust fields as needed and save the template by clicking **Add Integration**.

4. View the configured template under the selected team, including its association with the chosen Jira project.

Additional features[](#additional-features "Direct link to Additional features")
----------------------------------------------------------------------------------
### Issue update[](#issue-update "Direct link to Issue update")
By default, updates from GitGuardian incidents (e.g., status changes, comments, severity changes) are added as comments in Jira issues. This feature can be disabled.
### Auto-resolve[](#auto-resolve "Direct link to Auto-resolve")
When enabled, specify the Jira status that triggers automatic closure of associated incidents. The incident will be marked as resolved when the Jira issue reaches the defined status.

Note: Reopening Jira issues will not reopen incidents.
Manual issue creation[](#manual-issue-creation "Direct link to Manual issue creation")
----------------------------------------------------------------------------------------
It is possible to manually create Jira tickets for incidents that were created **before the Jira/GitGuardian integration was configured** to automatically create tickets for new incidents. Users can do this from either the **incident page** or the **incident list page**, provided that a template is assigned to the user’s team.

The Jira issue will be accessible from the incident page.
caution
Bulk issue creation is not supported.
Uninstallation[](#uninstallation "Direct link to Uninstallation")
-------------------------------------------------------------------
1. Navigate to Settings > Integrations > Destinations > [Jira Cloud](https://dashboard.gitguardian.com/settings/integrations/jira_cloud_notifier)
.
2. Click **Delete** in the site configuration panel.
3. Remove the GitGuardian application from your Jira site's profile.

4. Remove access for the GitGuardian app under _Apps with access to your accounts_.
5. Confirm removal in GitGuardian.
Warning
The GitGuardian app is shared across integrations. Ensure no Jira Cloud site is installed on the platform before removing the app.
Troubleshooting[](#troubleshooting "Direct link to Troubleshooting")
----------------------------------------------------------------------
If issue creation fails, verify:
* Jira integration user permissions.
* Existence of project/issue types in templates.
* Mandatory fields added to Jira projects after template creation.
* Fields in templates that were deleted from Jira.
For assistance, contact **[support](mailto:support@gitguardian.com)
**.
#### Was this page helpful?
[](#)
[](#)
* [Benefits](#benefits)
* [Requirements](#requirements)
* [Installation](#installation)
* [Authentication with Jira](#authentication-with-jira)
* [Project selection](#project-selection)
* [Creating templates and configuring Jira for teams](#creating-templates-and-configuring-jira-for-teams)
* [Additional features](#additional-features)
* [Issue update](#issue-update)
* [Auto-resolve](#auto-resolve)
* [Manual issue creation](#manual-issue-creation)
* [Uninstallation](#uninstallation)
* [Troubleshooting](#troubleshooting)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Incident permissions and sharing | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Incident permissions and sharing
================================
GitGuardian is designed to be super collaborative yet very secure. Learn how to use incident permission levels and our sharing capability to do so, so users only access and do what you want them to access and do.
What are incident permissions[](#what-are-incident-permissions "Direct link to What are incident permissions")
----------------------------------------------------------------------------------------------------------------
Incident permissions define the set of actions that users can perform on the incident in question:
* **Can view**: they can only view the incident but not comment on it or edit it. They also cannot share the incident.
* **Can edit**: they can resolve, ignore, comment and be assigned on the incident.
* **Full access**: they have the "Can edit" permissions, plus the ability to share the incident within the workspace or publicly.
Any time you manually grant someone access to an incident, you will need to set their incident permissions. The default incident permission is `Can edit`.

Those advanced granular incident permissions are only allowed in the Business plan, thus:
* **any workspace under the Free plan works as if only the `Full access` incident permission was present**.
* when switching from the Business plan to the Free plan (eg: end of contract or end of business trial), **all people who do not have `Full access` incident permission are considered deactivated**.
Granting access to incidents[](#granting-access-to-incidents "Direct link to Granting access to incidents")
-------------------------------------------------------------------------------------------------------------
GitGuardian has a sharing capability internal to the workspace: this is called the "Grant Access" feature. This makes it possible to share an incident with a person registered on the workspace or even a team.
info
The "Grant access" capability is a feature reserved for workspaces under the Business plan.
Only people with `Full access` incident permissions can use the "Grant access" feature.
### Granting access to individuals[](#granting-access-to-individuals "Direct link to Granting access to individuals")
Sometimes you will want to share an incident only with certain other members of your workspace to gain their expertise or knowledge.
1. Click on **Share** at the top-right-hand corner of the incident you want to share.
2. Search for the people you want by typing in their name or email address.
Since workspace Managers have access to all incidents of the workspaces, **only Members and Restricted are eligible to be selected**.
3. You can set their incident permission from the dropdown in the input.
4. Click on **Grant access**.
5. An email is then sent to these people to notify them of their new access.

By default, users with `Member` or `Restricted` access level and `Full access` incident permission can enter the email address of someone who is not yet registered in the workspace.
This behavior can be deactivated via a workspace setting. Please refer to [this page](/platform/enterprise-administration/workspace-settings)
for more details.
#### How can I automate incident this workflow?[](#how-can-i-automate-incident-this-workflow "Direct link to How can I automate incident this workflow?")
If you are under our Business plan (or in Business trial), you can automate this entire process with our [Auto-access granting playbook](/secrets-detection/remediate/automate-workflows)
### Granting access to entire teams[](#granting-access-to-entire-teams "Direct link to Granting access to entire teams")
Sometimes you will want to share an incident with an entire team to better collaborate on an incident.
1. Click on **Share** at the top-right-hand corner of the incident you want to share.
2. Search for the teams you want by typing in their name.
3. You can set the incident permission of those teams from the dropdown in the input.
4. Click on **Grant access**.
5. An email is then sent to all teammates belonging to the teams to notify them of their new access.

Revoking access[](#revoking-access "Direct link to Revoking access")
----------------------------------------------------------------------
If you want to revoke access to the incident for a specific person or team.
1. Click on **Share** at the top-right-hand corner of the incident.
2. To the right of the team's name or the individual's name, click on the bin icon.
You can use the search bar at the top of the modal if needed.

If a team has access to an incident because it occurred on their perimeter, access cannot be revoked.

If a user is assigned to an incident, access cannot be revoked. The assignment needs to be changed first for access to be revoked.
Sharing incidents publicly[](#sharing-incidents-publicly "Direct link to Sharing incidents publicly")
-------------------------------------------------------------------------------------------------------
GitGuardian has a sharing capability external to the workspace. This allows you to share an incident on the web via a single link accessible to everyone, even those who are not registered in your workspace.
Public sharing can be deactivated via a workspace setting. Please refer to [this page](/platform/enterprise-administration/workspace-settings)
for more details.
info
Under Business plan, only people with `Full access` incident permissions can share the incident publicly.
Under Free plan, every user can share the incident publicly.
### Creating the public share link[](#creating-the-public-share-link "Direct link to Creating the public share link")
You can share any incident by turning on the sharing switch. Such action will **generate a unique link** containing by default:
* the **incident** with the secret visible,
* its **occurrences** with links to their locations on the VCS and the resulting check of their presence in the git history,
* the resulting check of the secret's **validity**,
* **"How to remediate"** guidelines.
This link will automatically expire either 30 days after its creation or 5 days after the incident is closed, whichever of the two dates is earlier. A new link can be generated at any time after the expiration of the previous one.

The publicly accessible page of the incident via the unique share link looks like this:

### Enabling feedback collection[](#enabling-feedback-collection "Direct link to Enabling feedback collection")
The feedback collection process can be achieved via this link. The sharing link of an incident has a **"Feedback collection" option**.
When this option is on, an entire section becomes available in the shared page where **the person having access to it can submit their feedback**.

When the feedback is submitted, it will be **directly visible on the incident page of your GitGuardian dashboard** under the **"Feedback" section**.

info
This "Feedback collection" option is ON by default whenever a share link is generated manually.
The feedback form is not customizable yet.
### Allowing auto-healing[](#allowing-auto-healing "Direct link to Allowing auto-healing")
The share link also provides a **"Resolve or ignore via link" option**.
When turned on, you enable the **auto-healing of the incident**: the person who has access to the link can close the incident themselves. An entire section becomes accessible within the shared page to enable "Resolve" and "Ignore" actions.

This is particularly useful if **you want to reduce your workload and if you trust members of your team external to your dashboard**, namely the developer responsible for the leak, to properly remediate the incident.
info
This "Auto-healing" option is OFF by default whenever a share link is generated manually as GitGuardian considers closing an incident as a sensitive action.
#### Was this page helpful?
[](#)
[](#)
* [What are incident permissions](#what-are-incident-permissions)
* [Granting access to incidents](#granting-access-to-incidents)
* [Granting access to individuals](#granting-access-to-individuals)
* [Granting access to entire teams](#granting-access-to-entire-teams)
* [Revoking access](#revoking-access)
* [Sharing incidents publicly](#sharing-incidents-publicly)
* [Creating the public share link](#creating-the-public-share-link)
* [Enabling feedback collection](#enabling-feedback-collection)
* [Allowing auto-healing](#allowing-auto-healing)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Support bundle | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Support bundle
==============
We are here to assist you and welcome your feedback on our features. Feel free to reach out at [support@gitguardian.com](mailto:support@gitguardian.com)
. Additionally, you can submit any ideas or feature requests directly on our [Product Portal](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
.
Generate a support bundle[](#generate-a-support-bundle "Direct link to Generate a support bundle")
----------------------------------------------------------------------------------------------------
### KOTS-based installation[](#kots-based-installation "Direct link to KOTS-based installation")
caution
If you previously installed GitGuardian on an existing cluster using KOTS and either lack `cluster-admin` rights in your Kubernetes cluster or wish to limit permissions for the KOTS Admin Console, you must apply the configuration in your targeted namespace as described in **[Kubernetes Application RBAC](/self-hosting/installation/installation-existing-cluster#kubernetes-application-rbac)
**.
The **KOTS Admin Console** includes a diagnosis tool for generating a support bundle to identify common issues. Sensitive information is automatically redacted. You can also get a command to manually generate a support bundle from a CLI.

Once generated, you can preview the contents and send it directly to GitGuardian for analysis.

To customize the number of log lines captured in the support bundle, go in the **KOTS Admin Console** and set the **Maximum number of lines in logs** field in the Support Bundle section of the configuration section.

Then save the configuration, and **Deploy** the application to apply the new configuration.
### Helm-based installation[](#helm-based-installation "Direct link to Helm-based installation")
For Helm-based installations, the KOTS Admin Console isn't available. Instead, you'll need to use a client-side utility, packaged as a kubectl plugin and distributed via the [krew package manager](https://krew.dev/)
.
To generate a support bundle:
1. [Install the krew plugin](https://krew.sigs.k8s.io/docs/user-guide/setup/install/)
.
2. Install the support-bundle utility: `kubectl krew install support-bundle`.
3. Run: `kubectl support-bundle --load-cluster-specs --namespace `.
This command will create a `.tar.gz` support bundle in your current directory. You can then send it to GitGuardian support.
To customize the number of log lines captured, set the `maxLines` parameter as shown below. Adjust the value to capture more or fewer logs as needed:
replicated: supportBundle: logs: maxLines: 100000 # Maximum number of log lines
For generating a support bundle using Helm, the following YAML configuration provides minimal Role-Based Access Control (RBAC) settings. Cluster admins must apply these RBAC rules where GitGuardian is deployed.
Replace `` with your namespace in `Role`. Note that `ClusterRole` is not namespace-scoped.
---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata: name: support-bundlerules: - apiGroups: [''] resources: ['namespaces', 'nodes'] verbs: ['get', 'list', 'watch'] - apiGroups: ['apiextensions.k8s.io'] resources: ['customresourcedefinitions'] verbs: ['get', 'list', 'watch'] - apiGroups: ['storage.k8s.io'] resources: ['storageclasses'] verbs: ['get', 'list', 'watch']---apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata: name: support-bundle namespace: rules: - apiGroups: ['*'] resources: ['*'] verbs: ['get', 'list', 'watch'] - apiGroups: [''] resources: ['pods/exec'] verbs: ['create']
Generate a support bundle when the Kubernetes cluster is down[](#generate-a-support-bundle-when-the-kubernetes-cluster-is-down "Direct link to Generate a support bundle when the Kubernetes cluster is down")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
When debugging an offline Kubernetes cluster, you can utilize host collectors to generate a support bundle even without access to the Admin Console.
To begin, install the support bundle tool on a host with access the cluster you need to debug:
curl -L https://github.com/replicatedhq/troubleshoot/releases/latest/download/support-bundle_linux_amd64.tar.gz | tar xzvf -
Next, generate the support bundle using the following command:
./support-bundle --interactive=false https://raw.githubusercontent.com/replicatedhq/troubleshoot-specs/main/host/default.yaml
note
If your current user lacks the necessary access to gather information for a specific collector, you may need to run the above command with `sudo`.
For air gap environments, download the YAML file and copy it to the air gap machine.
For more details, refer to [Replicated Documentation](https://docs.replicated.com/enterprise/troubleshooting-an-app#generate-a-host-support-bundle)
.
* [Generate a support bundle](#generate-a-support-bundle)
* [KOTS-based installation](#kots-based-installation)
* [Helm-based installation](#helm-based-installation)
* [Generate a support bundle when the Kubernetes cluster is down](#generate-a-support-bundle-when-the-kubernetes-cluster-is-down)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Transfer workspace ownership | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
Transfer workspace ownership
============================
As a workspace Owner, you can transfer your ownership to any users of your workspace.
1. Go to Settings > User management > [Members](https://dashboard.gitguardian.com/settings/user/members)
.
2. Find the user you want to transfer the ownership to.
3. Click on the "access level" dropdown and choose Owner.
4. You will be prompted for a confirmation.
The former owner will automatically be demoted to `Manager` access level. The new owner will receive a notification email.
#### Was this page helpful?
[](#)
[](#)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Manage email domain | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Manage email domain
===================
How to reserve an email domain[](#how-to-reserve-an-email-domain "Direct link to How to reserve an email domain")
-------------------------------------------------------------------------------------------------------------------
Once an SAML SSO integration is completed, the users of your GitGuardian workspace (usually the Owner or a Manager) can request to **reserve one or several specific email domains that belong to them or your company**. This feature goes one step further in the authentication/security aspect. It is independent from the “force SSO” feature.
* When you reserve a domain `company.com`, you **restrict users with an email address "[xxxx@company.com](mailto:xxxx@company.com)
" from signing up to GitGuardian and creating their own workspace**. It is a guarantee that there will only be one workspace for users having an email address “[xxx@company.com](mailto:xxx@company.com)
”.
* When users try to sign up with a reserved email domain address, they are alerted that **they are required to sign up via SSO**.
* Also, reserving an email domain will allow users to **find your custom SSO page just by just filling in their email**. Without this option you would need to bookmark your SSO login url.

Users who already have a workspace and are impacted by a newly reserved email domain will not be affected. They will be able to join the workspace that requested these domains be reserved for SSO.
info
This feature is reserved to workspaces with Business access (Business or Business trial plans). After the end of a Business trial, the email domains will no longer be reserved.
This feature is not accessible with GitGuardian self-hosted instances.
Domain synchronization between regions[](#domain-synchronization-between-regions "Direct link to Domain synchronization between regions")
-------------------------------------------------------------------------------------------------------------------------------------------
Reserved domains are synchronized between the EU and US regions. This ensures that once a domain is reserved in either region, users are prevented from signing up in one region if they already have an account in the other.
#### Was this page helpful?
[](#)
[](#)
* [How to reserve an email domain](#how-to-reserve-an-email-domain)
* [Domain synchronization between regions](#domain-synchronization-between-regions)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Audit log | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Audit log
=========
The audit log is **the centralized stream of user activity which occurs on your workspace**.
It allows the workspace Managers to investigate for potential suspicious behavior and security issues by reviewing the actions performed by users of their workspace.
The following information is included in each event recorded:
* **Actor**: the GitGuardian user who performed the event.
* **Event**: the event recorded.
* **Date**: the date when the event happened.
* **IP address**: the IP address of the actor who performed the event.
### Accessing the audit log[](#accessing-the-audit-log "Direct link to Accessing the audit log")
1. Navigate to Settings > Workspace > [Audit log](https://dashboard.gitguardian.com/settings/workspace/audit-logs)
.
2. Search for logs.

info
Only the Owner and Managers have access to the workspace's audit log.
### Email Alerts for Audit Log Failures[](#email-alerts-for-audit-log-failures "Direct link to Email Alerts for Audit Log Failures")
For self-hosted, owners and managers can receive email alerts for audit log failures. These alerts will provide details about the issue. To enable this feature, run the following command:
kubectl exec --namespace deployments/webapp-internal-api -c app -- python manage.py set_preferences --general__is_audit_log_failure_triggers_mail=True
If needed, specify the Kubernetes namespace with `--namespace` (default namespace is used if not specified).
#### Was this page helpful?
[](#)
[](#)
* [Accessing the audit log](#accessing-the-audit-log)
* [Email Alerts for Audit Log Failures](#email-alerts-for-audit-log-failures)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Generic Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Generic Private Key
===================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: The generic private key detector finds generic private key defined with a `-----BEGIN PRIVATE KEY-----` header. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Base64 private key generic`[](#details-for-base64-private-key-generic "Direct link to details-for-base64-private-key-generic")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 10.75
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibquklwqvrfietfws0tls0t - 0tls0tqkvhsu4gufjjvkfursblrvktls0tl - tls0tlujfr0loifbssvzbveugs0vzls0tls
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tIEtKSUNkUUlCQURBTEJna3Foa2lHOXcwQkFRRUVnZ0poTUlJQ1hRSUJBQUtCZ1FDN0pIb0pmZzZ5TnpMTU9XZXQgOFo0OWE0S0QwZENzcE1BWXZvMllBTUI3L3dkRXljb2N1amJoSjJuL3NlT05pKzVYcVRxcUZrTTVWQmw4cm1rayBGUFprLzd4MHhtZHNUUEVDU1duSEsrSGhvYU5ERlBSM2o4alFoVm8xbGF4aXFjRWhBSGVnaTVjd3RGb3N1SkF2IFNLQUZLRXZ5RDQzc2kwMERRblhXcllIQUVRSURBUUFCQW9HQUFQeTVTaVlIaVZFclUzS1I0QmcrcGw0eDc1d00gRmlSQzBDZ3orZnJRUEZRRUJzQVY5UnVhc3lReHF6eHJSME93MHFuY0JlR0JXYllFNldaaHF0Y0xBSTg5NWIraSArRjRsYkI0aUQ3VDlRZUlETVYvYUlNWEE4MVVPNGNuczF6NHFEQUhLZXlMTHJQUXJKL0I0WDdYQytlZ1VXbTUrIGhyMXFteUFNdXN5WElCRUNRUURKV1o4cGlsdWY0eXJZZnNKQW42aEY1VDRSalR6dGJxdk8wR1ZHMk1jSFk3VWogTlBTZmZoekh4L2xsMGZRRVFqaStPZ3lkQ0NYOG8zSFpyZ3c1WWZTSkFrRUE3ZStycWRVNW5PNVpHLy9QU0VRYiB0akxuUmlUekJIL2VsUWh0ZFo1bkY3cGNwTlRpNGsxM3p1dG1LY1dXNEdLNzVhemNSR0pVaHUxa0RNN1FZQU9kIFNRSkFWTmtZY2lma3ZuYTdHbW9vTDVWWUVzUXNxTGJNNHYwTkYyVElHTmZHM3oxTUdwNzVLckM1TGhMOTdNTlIgd2UycC9iZDJrMEhZeUNLVUduZjJuTVBEaVFKQkFJNzVwd2l0dFNvRTI0MEVvYlVHSURUU3o4Q0pzWEl4dURtTCB6K0tPcGRwUFJSNVRRbWJFTUVzcGpzRnBGeW1NaXVZUGdtaWhRYk8yY0psMXFTY1k1T2tDUVFDSjZtNXRjTjhsIFh4Zy9TTnBqRUl2K3FBeVVEOTZYVmxPSmxPSWVMSFE4a1lFMEM2WkErTXNxWUl6Z0FyZUprODhZbjBsVS9YMC8gbXUvVXBFL0JSVGZzIC0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
Here's the decoded string:
-----BEGIN PRIVATE KEY-----KJICdQIBADALBgkqhkiG9w0BAQEEggJhMIICXQIBAAKBgQC7JHoJfg6yNzLMOWet8Z49a4KD0dCspMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkkFPZk/7x0xmdsTPECSWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAvSKAFKEvyD43si00DQnXWrYHAEQIDAQABAoGAAPy5SiYHiVErU3KR4Bg+pl4x75wMFiRC0Cgz+frQPFQEBsAV9RuasyQxqzxrR0Ow0qncBeGBWbYE6WZhqtcLAI895b+i+F4lbB4iD7T9QeIDMV/aIMXA81UO4cns1z4qDAHKeyLLrPQrJ/B4X7XC+egUWm5+hr1qmyAMusyXIBECQQDJWZ8piluf4yrYfsJAn6hF5T4RjTztbqvO0GVG2McHY7UjNPSffhzHx/ll0fQEQji+OgydCCX8o3HZrgw5YfSJAkEA7e+rqdU5nO5ZG//PSEQbtjLnRiTzBH/elQhtdZ5nF7pcpNTi4k13zutmKcWW4GK75azcRGJUhu1kDM7QYAOdSQJAVNkYcifkvna7GmooL5VYEsQsqLbM4v0NF2TIGNfG3z1MGp75KrC5LhL97MNRwe2p/bd2k0HYyCKUGnf2nMPDiQJBAI75pwittSoE240EobUGIDTSz8CJsXIxuDmLz+KOpdpPRR5TQmbEMEspjsFpFymMiuYPgmihQbO2cJl1qScY5OkCQQCJ6m5tcN8lXxg/SNpjEIv+qAyUD96XVlOJlOIeLHQ8kYE0C6ZA+MsqYIzgAreJk88Yn0lU/X0/mu/UpE/BRTfs-----END PRIVATE KEY-----
### Details for `Private key generic`[](#details-for-private-key-generic "Direct link to details-for-private-key-generic")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 227.58
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin private key-----'
### Examples[](#examples-1 "Direct link to Examples")
- text: > -----BEGIN PRIVATE KEY----- KJICdQIBADALBgkqhkiG9w0BAQEEggJhMIICXQIBAAKBgQC7JHoJfg6yNzLMOWet 8Z49a4KD0dCspMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkk FPZk/7x0xmdsTPECSWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAv SKAFKEvyD43si00DQnXWrYHAEQIDAQABAoGAAPy5SiYHiVErU3KR4Bg+pl4x75wM FiRC0Cgz+frQPFQEBsAV9RuasyQxqzxrR0Ow0qncBeGBWbYE6WZhqtcLAI895b+i +F4lbB4iD7T9QeIDMV/aIMXA81UO4cns1z4qDAHKeyLLrPQrJ/B4X7XC+egUWm5+ hr1qmyAMusyXIBECQQDJWZ8piluf4yrYfsJAn6hF5T4RjTztbqvO0GVG2McHY7Uj NPSffhzHx/ll0fQEQji+OgydCCX8o3HZrgw5YfSJAkEA7e+rqdU5nO5ZG//PSEQb tjLnRiTzBH/elQhtdZ5nF7pcpNTi4k13zutmKcWW4GK75azcRGJUhu1kDM7QYAOd SQJAVNkYcifkvna7GmooL5VYEsQsqLbM4v0NF2TIGNfG3z1MGp75KrC5LhL97MNR we2p/bd2k0HYyCKUGnf2nMPDiQJBAI75pwittSoE240EobUGIDTSz8CJsXIxuDmL z+KOpdpPRR5TQmbEMEspjsFpFymMiuYPgmihQbO2cJl1qScY5OkCQQCJ6m5tcN8l Xxg/SNpjEIv+qAyUD96XVlOJlOIeLHQ8kYE0C6ZA+MsqYIzgAreJk88Yn0lU/X0/ mu/UpE/BRTfs -----END PRIVATE KEY-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key generic`](#details-for-base64-private-key-generic)
* [Examples](#examples)
* [Details for `Private key generic`](#details-for-private-key-generic)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# CyberArk | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
CyberArk
========
Beta program
Please note that **CyberArk integration is currently in beta**. If you want more info on this integration, check [_our blog post_](https://blog.gitguardian.com/protect-secrets-with-cyberark-and-gitguardian-integration/)
.
CyberArk, a leader in privileged access management, helps secure, manage, and monitor privileged accounts and credentials. The GitGuardian integration leverages CyberArk to securely manage secrets and automate secret rotation, enhancing security alongside GitGuardian's leak detection capabilities.
This integration involves open-source Go applications, Brimstone and Hailstone, developed by CyberArk and GitGuardian.
Use cases[](#use-cases "Direct link to Use cases")
----------------------------------------------------
1. Receive events from GitGuardian when a secret is detected [using Brimstone](#brimstone)
1. Known secrets are rotated with CyberArk Password Manager (CPM)
2. New secrets are added to a Pending safe
2. Syncing CyberArk accounts in Brimstone's database [using Hailstone](#hailstone)
3. Test secrets in Brimstone's database against [HasMySecretLeaked](https://blog.gitguardian.com/hasmysecretleaked-building-a-trustless-and-secure-protocol/)
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* It is not available for our Self Hosted users for now.
Requirements[](#requirements "Direct link to Requirements")
-------------------------------------------------------------
### Access[](#access "Direct link to Access")
* CyberArk application user credentials with access to safes
* GitGuardian account with owner/manager privileges
### Build application[](#build-application "Direct link to Build application")
1. Clone the project [conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service](https://github.com/conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service)
git clone https://github.com/conjurdemos/cyberark-gitguardian-hmsl-remediation-integration-service.git
2. Move into the project folder
cd cyberark-gitguardian-hmsl-remediation-integration-service
3. Build the applications using Make
make oapi-codegenmake build-brimstone build-hailstone -B
info
For Go version compatibility issues, follow instruction at [https://go.dev/doc/manage-install](https://go.dev/doc/manage-install)
to install `go1.21.9` then in the `Makefile` update the line `GO := $(shell command -v go 2> /dev/null)` to `GO := $(shell command -v go1.21.9 2> /dev/null)`
4. This produces two executables: `bin/brimstone` and `bin/hailstone`
Brimstone[](#brimstone "Direct link to Brimstone")
----------------------------------------------------
Brimstone, a server application, handles GitGuardian events. It attempts to rotate known secrets in CyberArk or adds new secrets to a designated CyberArk safe.
The matching between secrets found by GitGuardian and accounts stored in CyberArk is done using the hashing method of [HasMySecretLeaked](https://blog.gitguardian.com/hasmysecretleaked-building-a-trustless-and-secure-protocol/)
. In Brimstone database, **secrets are NOT saved**, only hashes.
### Setup integration[](#setup-integration "Direct link to Setup integration")
From GitGuardian Platform,
* Go to `Integrations` and scroll to the `Secrets manager` section
* Click `Install` next to CyberArk
* Choose a name, write the URL where Brimstone will be deployed and **take note of the signature token**
* Click `Submit`
### Environment Variables for Brimstone[](#environment-variables-for-brimstone "Direct link to Environment Variables for Brimstone")
The following environment variables are necessary for Brimstone
| Environment variable | Description | Example |
| --- | --- | --- |
| `GG_API_TOKEN` | [GitGuardian API Token](/api-docs/service-accounts) | `abcdef123456789` |
| `GG_WEBHOOK_TOKEN` | Signature token generated when setting up the integration | `abcdef123456789` |
| `BRIMSTONE_API_KEY` | API Key used to communicate with Brimstone, create/generate it | `abcdefghijklmnopqrstuvwxyz` |
| `DB_URL` | Database URL used by Brimstone, support `sqlite://` and `postgres://` | `sqlite://brimstone.sqlite` |
| `ID_TENANT_URL` | CyberArk Privileged Access Manager ID Tenant URL | `https://abcdef123.id.cyberark.cloud` |
| `PCLOUD_URL` | CyberArk Privilege Cloud URL | `https://example.privilegecloud.cyberark.cloud` |
| `SAFE_NAME` | CyberArk Safe Name, where new secrets are saved | `PENDING` |
| `PLATFORM_ID` | CyberArk Platform used when creating new account | `UnixSSH` |
| `PAM_USER` | CyberArk Application User name | `username` |
| `PAM_PASS` | CyberArk Application User password | `password` |
### Deployment[](#deployment "Direct link to Deployment")
Deploy Brimstone as preferred. An example for Unix-bases system, is to create an `.env` file containing the environment variables and use the following command:
# Run Brimstone with the environment variable in .env(env $(cat .env | sed 's/#.*//g' | xargs) bin/brimstone)
### Interacting with HasMySecretLeaked[](#interacting-with-hasmysecretleaked "Direct link to Interacting with HasMySecretLeaked")
Use the `/v1/hashes/sendhashes` endpoint to send stored hashes to the HasMySecretLeaked, utilizing `BRIMSTONE_API_KEY` for authorization.
curl http://localhost:9191/v1/hashes/sendhashes -H "Authorization: Bearer $BRIMSTONE_API_KEY"
Hailstone[](#hailstone "Direct link to Hailstone")
----------------------------------------------------
Hailstone, a CLI tool, syncs CyberArk accounts with Brimstone, ensuring Brimstone is aware of existing secrets.
### Environment Variables for Hailstone[](#environment-variables-for-hailstone "Direct link to Environment Variables for Hailstone")
The following environment variables are necessary for Hailstone
| Environment variable | Description | Example |
| --- | --- | --- |
| `BRIMSTONE_URL` | URL of the Brimstone instance | `http://127.0.0.1:9191` |
| `BRIMSTONE_API_KEY` | Brimstone API key, same as above | `abcdefghijklmnopqrstuvwxyz` |
| `ID_TENANT_URL` | CyberArk Privileged Access Manager ID Tenant URL | `https://abcdef123.id.cyberark.cloud` |
| `PCLOUD_URL` | CyberArk Privilege Cloud URL | `https://example.privilegecloud.cyberark.cloud` |
| `SAFE_NAME` | CyberArk Safe Name | `PENDING` |
| `PLATFORM_ID` | CyberArk Platform used when creating new account | `UnixSSH` |
| `PAM_USER` | CyberArk Application User name | `username` |
| `PAM_PASS` | CyberArk Application User password | `password` |
### Execution[](#execution "Direct link to Execution")
On Unix-bases system, run Hailstone using the .env file approach, similar to Brimstone, to sync CyberArk accounts:
# Run Hailstone with the environment variable in .env(env $(cat .env | sed 's/#.*//g' | xargs) bin/hailstone)
#### Was this page helpful?
[](#)
[](#)
* [Use cases](#use-cases)
* [Limitations](#limitations)
* [Requirements](#requirements)
* [Access](#access)
* [Build application](#build-application)
* [Brimstone](#brimstone)
* [Setup integration](#setup-integration)
* [Environment Variables for Brimstone](#environment-variables-for-brimstone)
* [Deployment](#deployment)
* [Interacting with HasMySecretLeaked](#interacting-with-hasmysecretleaked)
* [Hailstone](#hailstone)
* [Environment Variables for Hailstone](#environment-variables-for-hailstone)
* [Execution](#execution)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Frequently Asked Questions | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Frequently Asked Questions
==========================
### What is the difference between a honeytoken and a traditional honeypot?[](#what-is-the-difference-between-a-honeytoken-and-a-traditional-honeypot "Direct link to What is the difference between a honeytoken and a traditional honeypot?")
A honeypot is a decoy system or network that is set up to simulate vulnerabilities, lure attackers, and detect or deflect their malicious activities. It's a trap that is designed to deceive attackers and redirect them away from the actual network. The honeypot can be a physical or virtual system, and it can be set up with vulnerable applications or services to attract attackers. The goal of a honeypot is to identify and study attackers' tactics, techniques, and procedures (TTPs) to help organizations better defend against real attacks.
On the other hand, **a honeytoken is a piece of dummy credential that is deliberately placed in your SDLC to detect unauthorized access or malicious activity**. The goal of honeytokens is to provide an early warning of an attack, indicating that an attacker has gained access to the system or is attempting to access the false credential.
Honeytokens do offer some unique benefits over traditional honeypots:
1. **Precision**: Honeytokens are highly precise. They can be deployed with specific and customized information, such as a unique username or a fake file name, which makes it easier to detect exactly what is being targeted. Traditional honeypots, on the other hand, require attackers to engage with a broader system, making it more difficult to pinpoint the specific vulnerability that is being exploited.
2. **Simplicity**: Honeytokens are relatively simple to implement and maintain. They require fewer resources to deploy and monitor than traditional honeypots, which can be time-consuming and costly to set up and maintain.
3. **Scalability**: Honeytokens can be easily scaled to different parts of an organization’s supply chain, allowing them to be deployed more broadly and monitored more effectively. Traditional honeypots can be more difficult to scale, as they require more resources and may not be as precise as honeytokens.
4. **Early detection**: Honeytokens can help organizations detect attacks earlier in the attack lifecycle. Since honeytokens are designed to detect unauthorized access attempts, they can alert organizations to potential security breaches before attackers are able to execute their attacks fully.
Overall, honeytokens are a useful addition to an organization's security toolkit, as they offer specific benefits that traditional honeypots may not provide.
### Is it easy for an attacker to recognize a honeytoken?[](#is-it-easy-for-an-attacker-to-recognize-a-honeytoken "Direct link to Is it easy for an attacker to recognize a honeytoken?")
To automate their attacks, attackers often use secrets scanning tools that can quickly scan and identify secrets in a system. It's highly unlikely that an attacker would inspect each secret manually, as this would be an extremely time-consuming and inefficient process.
It can be difficult for an attacker to recognize a honeytoken like a dummy AWS credential if it is properly implemented and hidden within a system. Since we are using actual AWS keys as honeytokens, attackers have no way of discovering them.
### How are honeytokens triggered?[](#how-are-honeytokens-triggered "Direct link to How are honeytokens triggered?")
When an attacker tries to use a honeytoken, the login attempt is logged in AWS, giving us detailed information about the attack. This triggers an alert in GitGuardian's system, letting you know that someone has accessed the honeytoken along with valuable info about the attack.
### Why should you choose the GitGuardian Honeytoken SaaS version instead of using open-source projects?[](#why-should-you-choose-the-gitguardian-honeytoken-saas-version-instead-of-using-open-source-projects "Direct link to Why should you choose the GitGuardian Honeytoken SaaS version instead of using open-source projects?")
GitGuardian's Honeytoken SaaS version offers a number of benefits over open-source alternatives. For example, GitGuardian offers a more user-friendly interface and dashboard for easy honeytoken management. You can also monitor their deployment, in particular in the codebase, thanks to the synergy with our Secret Detection capabilities.
GitGuardian's Honeytoken is specifically designed to detect code leakage by instantly alerting you if a honeytoken you've placed in your code is found on public GitHub. Our solution creates easily recognizable events that tag exposed honeytokens as "Publicly Exposed," so you can quickly identify which repo and honeytoken have been compromised and take swift action to safeguard your sensitive data. This ability sets GitGuardian apart from its competitors.
It is much easier to roll out the solution. You don’t have to spend time and effort on installation. You can also get expert support and guidance from the GitGuardian team.
#### Was this page helpful?
[](#)
[](#)
* [What is the difference between a honeytoken and a traditional honeypot?](#what-is-the-difference-between-a-honeytoken-and-a-traditional-honeypot)
* [Is it easy for an attacker to recognize a honeytoken?](#is-it-easy-for-an-attacker-to-recognize-a-honeytoken)
* [How are honeytokens triggered?](#how-are-honeytokens-triggered)
* [Why should you choose the GitGuardian Honeytoken SaaS version instead of using open-source projects?](#why-should-you-choose-the-gitguardian-honeytoken-saas-version-instead-of-using-open-source-projects)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configure SAML SSO | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Configure SAML SSO
==================
Single Sign-On (or SSO) allows you to manage your organization’s entire membership via a third-party provider.
GitGuardian supports the SAML2 standard for SSO which allows the Owner or any Manager, of the workspace to configure any SAML2-enabled Identity Provider (IdP) system (Google, Okta,...).
Set up SSO[](#set-up-sso "Direct link to Set up SSO")
-------------------------------------------------------
To configure your SSO, navigate to Settings > [Authentication](https://dashboard.gitguardian.com/settings/workspace/auth)
.
Detailed set up procedures are available for the following IdP:
* [Google](#google)
* [Okta](#okta)
* [Auth0](#auth0)
* [Microsoft Entra ID](#microsoft-entra-id)
* [Duo](#duo)
* [Keycloak](#keycloak)
For all other SAML2-enabled IdP, you can follow the [generic procedure](#generic-procedure-for-saml2-enabled-idp)
.
Just-In-Time (JIT) provisioning[](#just-in-time-jit-provisioning "Direct link to Just-In-Time (JIT) provisioning")
--------------------------------------------------------------------------------------------------------------------
GitGuardian supports Just-In-Time (JIT) provisioning. **New members of your workspace are automatically registered with GitGuardian on their first login attempt with SAML2 SSO** if they are authorized on the IdP side.
You don't need to invite users manually. You just need to authorize them **on the IdP's side** by being part of the "GitGuardian group". Users who are not part of the GitGuardian group on the IdP side will be rejected during their attempt to sign in via SSO.
info
GitGuardian does not support JIT deprovisioning yet but you can use the [SCIM](/platform/enterprise-administration/scim-configuration)
to automatically deprovision your users.
Default access level[](#default-access-level "Direct link to Default access level")
-------------------------------------------------------------------------------------
Because GitGuardian uses Just-In-Time (JIT) provisioning, new members will be given **a default access level upon their first login**.
"Member" is the default setting. You can modify this default in your [Authentication settings page](https://dashboard.gitguardian.com/settings/workspace/auth/saml)
.

If you selected "Member" as the default access level and your workspace is under the Business plan, you must also configure whether new Members will be part of the ["All-incidents" team](/platform/collaboration-and-sharing/teams#a-specific-team-the-all-incidents-team)
or not upon sign up. This option is available in Business plan.

Force SSO[](#force-sso "Direct link to Force SSO")
----------------------------------------------------
Once you have successfully set up an SAML2 SSO integration, in your [Authentication settings page](https://dashboard.gitguardian.com/settings/workspace/auth/saml)
, you have the option to **force the SSO**:
* If the option is turned ON, **all the members of your workspace will have to go through your IdP in order to be able to access your GitGuardian workspace**. Thus, only the users you have authorized on your IdP’s side will be able to sign into your GitGuardian workspace. If you want to activate the option, you will have the possibility to visualize the users that may encounter an issue.
* If the option is turned OFF, members of your workspace can still login via SSO, going through your IdP, but they can also sign up via email. As a result, **users that are not whitelisted on the IdP side can still login to your GitGuardian workspace**.

> Once SSO is forced, all the members of the workspace, including the owner, will have to connect using SSO. If the owner has never connected with SSO, you will not be able to activate the option.
>
> Make sure that your SSO connection works before enforcing SSO. In case of issues, you can contact the [support team](mailto:support@gitguardian.com)
> for assistance.
Set up procedures[](#set-up-procedures "Direct link to Set up procedures")
----------------------------------------------------------------------------
### Google[](#google "Direct link to Google")
1. First, go to the Google Admin Console, and create a new custom SAML app.
2. You will land on this page, where you can set your app name and general information for your SAML app that users will see when logging in.

3. Click on "Continue". Now, you need to configure the Identity Provider in your GitGuardian dashboard. Use these values provided by Google:
* `Entity Id` field is filled with the `Entity ID`
* `Single Sign-On URL` field is filled with the `SSO URL`
* `X509 Cert` field is filled with the certificate from Google. Download it, use `cat` and copy/paste the plaintext value.
* On the GitGuardian dashboard, ensure that the checkbox "I have specified that the response assertions with RSA\_SHA256 as signature algorithm and SHA256 as digest algorithm" is **unchecked**. 
4. Click on "Continue". You can now configure the Service Provider details provided by GitGuardian within Google:
* `ACS URL` field is filled with the `ACS URL` value.
* `Entity ID` field is filled with the `SP Entity id` value.
* `Signed Response` must be checked
* `Name ID format` must be set to `EMAIL`
* `Name ID` must be set to `Basic Information > Primary Email`
5. Now, some mappings need to be done, they are quite straightforward:
* `first_name` is mapped to the user first name
* `last_name` is mapped to the user last name 
6. Finish your app configuration by clicking on "Finish". You might need to modify the SAML app user access, which is OFF for everyone by default.
### Okta[](#okta "Direct link to Okta")
1. First, go to https://$YOUR\_OKTA\_DOMAIN-admin.okta.com/admin/apps/add-app, then click on "Create New App".
2. You will land on this page, where you can set the general information for your SAML app that users will see when logging in. 
3. Click "Next". You can now configure basic settings:
* `Single sign on URL` field is filled with the `ACS URL` value on GitGuardian dashboard.
* `Audience URI (SP Entity ID)` field is filled with the `SP Entity ID` value on GitGuardian dashboard.
* `Default RelayState` is left blank
* `Name ID format` must be set to `EmailAddress`
4. Click on "Show Advanced Settings". Here make sure that both `Response` and `Assertion Signature` are signed, and that `Signature` and `Digest Algorithm` are respectively set to `RSA-SHA256` and `SHA256`. Assertions are not encrypted. 
5. Now, some straightforward mapping needs to done:
* `first_name` is mapped the user first name
* `last_name` is mapped the user last name 
6. Finish your app configuration. 
7. Finally, we need to configure the Identity Provider in GitGuardian dashboard. First, click on "View Setup Instructions", then use these values:
* `Entity Id` field is filled with the `Identity Provider Issuer`
* `Single Sign-On URL` field is filled with the `Identity Provider Single Sign-On URL`
* `X509 Cert` field is filled with the `X.509 Certificate`
### Auth0[](#auth0 "Direct link to Auth0")
1. First, go to your dashboard, select "Application", and click on "Create Application"
2. Choose "Regular Web Applications" as type and a name. 
3. Go to your application addons. Click on "SAML2 Web App" and then on "Settings"
4. Fill the `Application Callback URL` with the `ACS URL` provided in GitGuardian dashboard. 
5. Then, copy-paste these settings to configure mappings, name identifier and message signatures:
{ "mappings": { "given_name": "first_name", "family_name": "last_name" }, "signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256", "signResponse": true, "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ], "includeAttributeNameFormat": "false"}
6. Finally, we need to configure the Identity Provider in GitGuardian dashboard. First, click on "Usage", then use these values:
* `Entity id` field is filled with the `Issuer` value
* `Single Sign-On URL` field is filled with the `Identity Provider Login URL` value
* `X509 Cert` field is filled with the plain text value of the Identity Provider Certificate
* Ensure that the checkbox "I have specified that the response assertions with RSA\_SHA256 as signature algorithm and SHA256 as digest algorithm" is **unchecked**.

### Microsoft Entra ID[](#microsoft-entra-id "Direct link to Microsoft Entra ID")
1. First, go to the [Microsoft Entra admin center](https://entra.microsoft.com/)
, click on "Add enterprise application" at the bottom of the page, then "Create your own application".
2. In the new panel that appears on the right, provide a name (e.g. "GitGuardian") and select "Integrate any other application you don't find in the gallery (Non-gallery)". Finally, click on the "Create" button. 
3. After a few seconds, you will be redirected to your newly created application. Click on "Set up single sign on" and choose the SAML sign-on method. 
4. Now, you need to configure the Service Provider in Microsoft Entra ID. Click on Edit in the "Basic SAML Configuration" box. Use these values:
* `Identifier (Entity Id)` field is filled with the `SP Entity ID` value on GitGuardian dashboard.
* `Reply URL (Assertion Consumer Service URL)` field is filled with the `ACS URL` value on GitGuardian dashboard.
Don't forget to click on "Save". 
5. Now, some mappings need to be done. Select 'Edit' on the 'Attributes & Claims' box. Click on 'Add new claim'. Leave 'Namespace' empty and use these values:
* Name: `first_name` + Source attribute: `user.givenname`
Don't forget to click on "Save". 
* Name: `last_name` + Source attribute: `user.surname`
Don't forget to click on "Save". 
6. You also need to make sure that the Unique User Identifier (Name ID) claim is set to user.mail. 
7. Then, setup how responses and assertions are signed: Select 'Edit' on the 'SAML Certificates' box and choose 'Sign SAML response and assertion' as Signing Option and 'SHA-256' as Signing Algorithm: 
8. Now, you need to configure the Identity Provider in GitGuardian dashboard. Use these values:
* `Entity Id` field is filled with the `Microsoft Entra Identifier`
* `Single Sign-On URL` field is filled with the `Login URL`
* `X509 Cert` field is filled with the certificate. Download the Base64 certificate, use `cat` and copy/paste the plaintext value. 
9. Test your app configuration by clicking on "Test".
### Duo[](#duo "Direct link to Duo")
1. Configure an Authentication Source for Single Sign-On in the Duo Dashboard. Ensure that `FirstName` and `LastName` are provided as attributes as described in the [Duo documentation](https://duo.com/docs/sso#configure-your-authentication-source)
.
2. From the "Applications" tab, click on "Protect an Application", and choose to protect a "Generic Service Provider" with "2FA with SSO hosted by Duo (Single Sign-On)" 
3. Map the following from the Duo Generic Service Provider values into the GitGuardian dashboard:
| Duo values | GitGuardian configuration |
| --- | --- |
| Entity ID | Entity ID |
| Single Sign-On URL | Single Sign On URL |
| Certificate contents | X509 Cert |
4. Map the following from the GitGuardian dashboard into the Duo Generic Service Provider configuration:
| Duo Service Provider configuration | GitGuardian values |
| --- | --- |
| Service Provider Entity ID | SP Entity id |
| Assertion Consumer Service | ACS URL |
5. In the SAML Response section, add the following mapping in "Map attributes"
| IdP Attribute | SAML Response Attribute |
| --- | --- |
| First Name | first\_name |
| Last Name | last\_name |

6. Give the Service Provider configuration a recognizable name, such as "GitGuardian".
7. Save.
### Keycloak[](#keycloak "Direct link to Keycloak")
1. Navigate to "Realm Settings" under the "General" tab in Keycloak, and copy the 'SAML 2.0 Identity Provider Metadata'. For example: `https://$YOUR_KEYCLOAK_DOMAIN/realms/master/protocol/saml/descriptor`.

2. Go to the "Keys" tab, and click on the 'Certificate' button next to the RS256 algorithm. Copy the displayed certificate.

3. To configure the Identity Provider in the GitGuardian dashboard, use the following values:
* The `Entity Id` field should be filled with the Keycloak SAML 2.0 Identity Provider Metadata URL, excluding `/protocol/saml/descriptor` from the end. Example: `https://$YOUR_KEYCLOAK_DOMAIN/realms/master`.
* The `Single Sign-On URL` field should include the Keycloak SAML 2.0 Identity Provider URL, excluding `/descriptor` from the end. Example: `https://$YOUR_KEYCLOAK_DOMAIN/realms/master/protocol/saml`.
* In the `X509 Cert` field, paste the certificate copied in the previous step.
4. To configure the "Client" (Service Provider) in Keycloak:
* Navigate to the Clients menu and click on 'Create client'. Use the following values:
* Set the `Client type` field to `SAML`.
* Fill the `Client ID` field with the `SP Entity ID` from the GitGuardian dashboard.
* Click on 'Next', then:
* Fill the `Home URL` field with the URL of your GitGuardian dashboard. For example: `https://dashboard.gitguardian.com` (SaaS) or `https://gitguardian.mycorp.local` (Self-Hosted).
* Fill the `Valid Redirect URIs` and `Master SAML Processing URL` fields with the `ACS URL`.
5. Click on 'Save', then configure these settings on the newly created client:
* In 'SAML capabilities', set the `Name ID Format` to `email`.
* Set `Force POST Binding` and `Include AuthnStatement` to `ON`.
* In 'Signature and Encryption', set `Sign documents` and `Sign assertions` fields to `ON`.
* `Signature algorithm` should be `RSA_SHA256`.
* Set `SAML signature key name` to `NONE`.
* In 'Logout settings', set `Front Channel Logout` to `ON`.
* Click on 'Save'.
* In the 'Keys' tab, set `Client signature required` to `OFF`.

6. Still in the same client, under the 'Client scopes' tab, edit the 'Dedicated scope and mappers for this client' and configure a new mapper for the first name:
* Choose `User Property` as the `Mapper Type`.
* The `Name` field should be `firstName`.
* The `Property` field should be `firstName`.
* Set the `SAML Attribute Name` to `first_name` and the `SAML Attribute NameFormat` to `Basic`.
7. For the last name, create a second mapper:
* Again, select `User Property` for the `Mapper Type`.
* The `Name` field should be `lastName`.
* The `Property` field should be `lastName`.
* Set the `SAML Attribute Name` to `last_name` and the `SAML Attribute NameFormat` to `Basic`.

8. In the "Client Scopes" tab, note the 'Assigned Default Client Scopes'. For example, `role_list`.

9. Edit the client scope(s) listed in the previous step by navigating to the "Client Scopes" menu. Go to the "Mappers" tab, edit the Role list mapper, and ensure the `Single Role Attribute` field is set to `ON`.

10. Finalize your setup by testing the SSO authentication using the `Login URL` provided in the GitGuardian dashboard [SAML configuration page](https://dashboard.gitguardian.com/settings/workspace/auth/saml)
.
### Generic procedure for SAML2-enabled IdP[](#generic-procedure-for-saml2-enabled-idp "Direct link to Generic procedure for SAML2-enabled IdP")
#### 1\. Register GitGuardian on your Identity provider.[](#1-register-gitguardian-on-your-identity-provider "Direct link to 1. Register GitGuardian on your Identity provider.")
In order to integrate GitGuardian with your Identity Provider, you must first register GitGuardian (Service Provider) as an application on the IdP’s side. Follow these steps carefully:
1. Navigate to Settings > [Authentication](https://dashboard.gitguardian.com/settings/workspace/auth)
2. Click on "Configure"

3. On your IdP:
1. Fill in the SAML endpoint provided by GitGuardian (ACS url, SP Entity id)
2. Fill in Email or EmailAddress as the primary identifier (Name ID format).
Refer to our [FAQ](#faq)
if this Name ID format is not available in your IdP.
3. Set RSA\_SHA256 for the signature algorithm, and SHA256 for the digest algorithm for your response.
Some Identity Providers (IdPs) may require you to sign either the response message or the response assertions. GitGuardian provides the ability to specify this IdP behavior.
Note that at least one of these, either the response message or the response assertions, must be signed.
4. Configure `first_name` and `last_name` mapped attributes.

#### 2\. Register your IdP on GitGuardian’s side[](#2-register-your-idp-on-gitguardians-side "Direct link to 2. Register your IdP on GitGuardian’s side")
Once GitGuardian is registered as an application on your IdP’s side, you need to provide your IdP metadata fields on GitGuardian (Service Provider side) in order to complete the integration:
1. While still on the [Authentication config page](https://dashboard.gitguardian.com/settings/workspace/auth/saml/setup)
of your workspace settings, complete the form with:
* Entity Id \[required\]
* Single Sign On Url \[required\]
* Single Log Out Url \[optional\]
* X509 certificate \[required\]
2. Submit the form to fully register the SAML integration. 
3. The setup is complete. Your workspace will have **a dedicated SSO login url for your collaborators to sign in using your IdP**. 
> You can register this SSO login url on the IdP side to enable the SSO flow with one click directly in the IdP interface. However this IdP-Initiated flow carries a security risk and is therefore NOT recommended. Make sure you understand the risks before enabling IdP-initiated SSO.
FAQ[](#faq "Direct link to FAQ")
----------------------------------
**How to verify that my SSO connection is working?**
If you have not reserved [an email domain](https://docs.gitguardian.com/platform/enterprise-administration/email-domain-management#how-to-reserve-an-email-domain)
, please remember your SSO login URL.
1. Make sure to know your login credentials, i.e., your `email` and `password`.
2. Log out of the application.
3. Go to the SSO login URL, and log in by selecting the SSO option.
For additional security purpose, GitGuardian will ask you to submit your email and password to confirm your identity.
**My Identity Provider (IdP) does not support "emailAddress" as the Name ID format. What do I do?**
If your IdP does not support `emailAddress` as the Name ID format, please [contact us](mailto:support@gitguardian.com)
. We will allow you to use `unspecified` as the Name ID format.
caution
When using `unspecified` as the Name ID format, you must ensure that you send the email addresses of your IdP users as an `email_address` attribute. This is mandatory, as email is the unique identifier that GitGuardian uses for its users.

**I want to configure MFA for GitGuardian. What do I do?**
Combining SSO with MFA is more secure than using a simple SSO connection.
Leverage the MFA feature provided by all the SSO providers we support. We strongly advise that you enable the [Force SSO setting](https://docs.gitguardian.com/platform/enterprise-administration/saml-sso-configuration#force-sso)
to ensure that through SSO authentication, MFA is applied to all users authenticating to GitGuardian.
#### Was this page helpful?
[](#)
[](#)
* [Set up SSO](#set-up-sso)
* [Just-In-Time (JIT) provisioning](#just-in-time-jit-provisioning)
* [Default access level](#default-access-level)
* [Force SSO](#force-sso)
* [Set up procedures](#set-up-procedures)
* [Google](#google)
* [Okta](#okta)
* [Auth0](#auth0)
* [Microsoft Entra ID](#microsoft-entra-id)
* [Duo](#duo)
* [Keycloak](#keycloak)
* [Generic procedure for SAML2-enabled IdP](#generic-procedure-for-saml2-enabled-idp)
* [FAQ](#faq)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new GitHub Enterprise source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new GitHub Enterprise source
========================================
GitGuardian integrates natively with GitHub Enterprise via a **GitHub App** that you can install on your personal GitHub Enterprise repositories and the repositories of your GitHub Enterprise organizations.
info
By default, the GitGuardian GitHub app has **only read access** to your code.
Optionally, it is possible to grant GitGuardian **write access** to benefit from specific business features (more detail in [this dedicated section](#grant-gitguardian-code-write-permissions)
).
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.
The pre-existing GitGuardian GitHub App cannot be leveraged to integrate with self hosted GitHub Enterprise. Instead, you will need to create a separate GitHub App on your own GitHub Enterprise instance. This process is extremely straightforward since GitGuardian will automatically indicate the required configurations to your GitHub Enterprise.
You can refer to the [GitHub documentation](https://docs.github.com/en/free-pro-team@latest/developers/apps)
for more information on GitHub apps.
GitGuardian supports [all GitHub Enterprise versions supported by GitHub itself](https://docs.github.com/en/enterprise-server@3.8/admin/all-releases)
.
Setup your GitHub Enterprise integration[](#setup-your-github-enterprise-integration "Direct link to Setup your GitHub Enterprise integration")
-------------------------------------------------------------------------------------------------------------------------------------------------
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Install** for GitHub Enterprise.
3. Enter the URL of your GitHub Enterprise instance, and select the permission level to grant to GitGuardian.
App permissions
**Read-only** is sufficient to scan for incidents, while **read and write** permissions are necessary if you want to leverage business features such as Honeytoken deployment jobs.
The permission level can be changed later. See the [dedicated section](#grant-gitguardian-code-write-permissions)
for more information.

4. Click on **Create the GitHub app** to be redirected to GitHub Enterprise and create your dedicated app
5. Validate the GitHub App creation. We recommend that you choose a simple name for your GitHub app such as **GitGuardian**, which will make it easily recognizable.

6. The GitHub App is now created and you can install it for users and organizations.
7. Follow the [exact same steps](/platform/monitor-perimeter/vcs-integrations/github)
as for the GitHub.com SaaS integration.
caution
The GitHub App **belongs to the user who created it**. We recommend that you transfer the ownership to an organization in case the user is later deactivated.

> **IMPORTANT**: GitGuardian cannot monitor repositories whose owner has not installed the GitHub App. If the repo is owned by a GitHub organization, the owner of the organization must install the GitHub App.
Configuration page[](#configuration-page "Direct link to Configuration page")
-------------------------------------------------------------------------------
When you integrate your GitHub Enterprise instance, you have access to a configuration page.
From this page, you have the possibility to:
* integrate another GitHub Enterprise instance with GitGuardian.
* manage your existing instances and their dedicated GitHub app. GitGuardian tells you which ones are considered inactive.

Grant GitGuardian code write permissions[](#grant-gitguardian-code-write-permissions "Direct link to Grant GitGuardian code write permissions")
-------------------------------------------------------------------------------------------------------------------------------------------------
info
Some business features require write permission to your repositories in order to open pull requests.
Currently, this concerns the [Honeytoken Deployment jobs](/honeytoken/deploy-honeytokens/deployment-jobs)
feature.
If write permission was not provided at the time of app creation, you can grant this permission later by updating the existing app:
1. In the configuration page, click "Configure write permission" for your GitHub Enterprise instance.

2. You will be redirected to GitHub Enterprise, in the tab "Permissions & events" of the app. Under the "Repository permissions" section, change permissions on Contents to "Read and write":

3. This change then needs to be propagated to the organizations where this app is installed, by accepting the permission update request:


Automatic historical scan[](#automatic-historical-scan "Direct link to Automatic historical scan")
----------------------------------------------------------------------------------------------------
By default, GitGuardian performs a historical scan for each newly created GitHub Enterprise repository added to your perimeter.
You can deactivate this behavior in your [GitHub Enterprise settings](https://dashboard.gitguardian.com/settings/integrations/github_enterprise_server)
if you are a Manager of the workspace.

Automatic repository monitoring[](#automatic-repository-monitoring "Direct link to Automatic repository monitoring")
----------------------------------------------------------------------------------------------------------------------
By default, GitGuardian automatically monitors repositories added to your perimeter.
You can deactivate this behavior in your [GitHub Enterprise settings](https://dashboard.gitguardian.com/settings/integrations/github_enterprise_server)
if you are a Manager of the workspace.
#### Was this page helpful?
[](#)
[](#)
* [Setup your GitHub Enterprise integration](#setup-your-github-enterprise-integration)
* [Configuration page](#configuration-page)
* [Grant GitGuardian code write permissions](#grant-gitguardian-code-write-permissions)
* [Automatic historical scan](#automatic-historical-scan)
* [Automatic repository monitoring](#automatic-repository-monitoring)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configure email preferences | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
Configure email preferences
===========================
You can configure the email notifications you want to receive from GitGuardian in [your personal settings](https://dashboard.gitguardian.com/settings/personal/notifications)
.
By default, GitGuardian notifies you by email for any important events that occur on your dashboard. You can customize the email notifications for each workspace you are a member of. The available notifications are grouped into different categories:
* **Workspace notifications**
* **Team notifications**: Receive email notifications about your teams.
* **Health Checks**: Receive email notifications about the health of your integrations.
* **Secrets detection**
* **Incident alerting**: Receive email notifications upon new incidents.
⚠️ If you were to turn off these notifications, you will be asked to confirm that this is indeed your intention as you may miss future important security-related notifications.
* **Historical scan notifications**: Receive email notifications upon completion of historical scans.
* **Feedback submission notifications**: Receive email notifications upon feedback submission.
* **Access granting notifications**: Receive email notifications when granted access to an incident.
* **Weekly recap**: Receive a weekly email to keep track of the evolution of your incidents.
* **Incident ignored with a valid secret**: Receive email notification when an incident is ignored with a valid secret based on the teams(s) you manage. _This option is available in the business plan_
* **Honeytokens**
* **Trigger notifications**: Receive email notifications when an active token is triggered. Find more information about those alerts [here](/honeytoken/configure-alerts)
.

> If you are a member of multiple workspaces, you can tailor your email notifications for each separate workspace.
#### Was this page helpful?
[](#)
[](#)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new GitLab source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new GitLab source
=============================
GitGuardian can integrate with GitLab in two different ways: **at the instance level with system hooks or at the group level with group hooks**.
info
Both integrations require **a personal access token** for GitGuardian to be able to create such webhooks and to subscribe to GitLab group/system's events for analysis.
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.
Please refer to the GitLab documentation for more information on [system hooks](https://docs.gitlab.com/ee/administration/system_hooks.html)
and [group hooks](https://docs.gitlab.com/ee/api/groups.html#hooks)
.
Setup[](#setup "Direct link to Setup")
----------------------------------------
### Create a Personal Access Token[](#create-a-personal-access-token "Direct link to Create a Personal Access Token")
We highly recommend that you use a bot user in order to generate personal access tokens.
1. Navigate to your GitLab user settings
2. Go to **Access Tokens** section
3. Create a personal access token with a simple name such as "GitGuardian" and **api scope**.
The personal token enables GitGuardian to create webhooks through your GitLab permissions. 
Please refer to the [GitLab documentation](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#creating-a-personal-access-token)
for more information about personal access tokens.
It's also possible to use a personal access token with the **read\_api** scope. In this case, a hook URL and a secret token will be displayed once you submit the form. Use this hook URL and secret token to [add a new system hook on your GitLab instance](https://docs.gitlab.com/ee/api/system_hooks.html#add-new-system-hook)
. Once this is done, your GitLab integration will be functional.
### Integrate your GitLab instance with system hooks[](#integrate-your-gitlab-instance-with-system-hooks "Direct link to Integrate your GitLab instance with system hooks")
**System hooks** can only be created **by an Administrator of the instance**, they provide access to projects belonging to all users and groups. The system hook integration is only available for the on-premise version of GitLab (such an integration is not possible on GitLab.com).
tip
We recommend that you leverage a bot user when integrating with GitGuardian.
#### Requirements[](#requirements "Direct link to Requirements")
* Self-managed GitLab: GitLab Community Edition or any plan of GitLab Enterprise Edition. v11.0+
* GitLab.com (SaaS): **IMPORTANT** GitGuardian cannot integrate with GitLab.com (SaaS) via System hooks.
#### Guidelines[](#guidelines "Direct link to Guidelines")
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Configure** for GitLab.
3. Click on **Start** for the system hook option: "Monitor the entire GitLab instance"
4. Submit your GitLab instance url and the personal access token created.

caution
_GitLab instance URL_ must be prefixed with `https://`, instances without a secure connection won't be monitored.
5. GitGuardian will instantly start monitoring your GitLab instance. You can see the projects and groups monitored in your [GitLab settings page](https://dashboard.gitguardian.com/settings/integrations/gitlab)
by clicking on **See my GitLab perimeter**:

#### Events subscription details[](#events-subscription-details "Direct link to Events subscription details")
Our system hook will subscribe to the following events:
* `Repository update events`
* `Push events`
* `Merge request events`
and SSL verification will be enabled.
Other events our system hooks will subscribe to but won't process:
* `Tag push events`
* `Issues events`
* `Confidential issues events`
* `Comments`
* `Confidential comments`
* `Job events`
* `Pipeline events`
* `Wiki page events`
* `Deployments events`
* `Releases events`
* `Member events`
* `Subgroup events`
* `Feature flag events`
#### Troubleshooting[](#troubleshooting "Direct link to Troubleshooting")
* GitGuardian automatically detects if the system hook is deleted from GitLab side or if the Personal access token becomes invalid (by expiring or being revoked). We will send an email to notify you. All of your existing data will remain accessible.
* If your GitLab instance is marked as “not monitored" but the personal access token associated is still active, you can reactivate it by clicking on the **synchronize** button. It will recreate a system hook programmatically.

* If the token is invalid you can set a new personal access token by editing it:

* If the admin token is revoked, GitGuardian will detect it and automatically deactivate your GitLab integration if no other active token is present. If another token suitable for monitoring exists, the GitLab integration will use that token. All your existing data will remain accessible.
caution
**IMPORTANT**: Do not change the URL or the Personal access token of the system hook from the GitLab admin interface or this will break the integration.
### Integrate your GitLab groups with group hooks[](#integrate-your-gitlab-groups-with-group-hooks "Direct link to Integrate your GitLab groups with group hooks")
**Group hooks** require the user to have **Owner permissions on the GitLab groups to be monitored**. Group hooks do not support the monitoring of GitLab users personal projects. The group hook integration works for both GitLab on-premise and Gitlab.com.
tip
We recommend that you leverage a bot user when integrating with GitGuardian.
#### Requirements[](#requirements-1 "Direct link to Requirements")
* Self-managed GitLab: Starter plan and higher tiers. v13.5+
* GitLab.com (SaaS): Premium plan According to [GitLab documentation](https://docs.gitlab.com/ee/api/groups.html#hooks)
, there is a limitation of 50 groups that you can integrate for GitLab.com.
#### Guidelines[](#guidelines-1 "Direct link to Guidelines")
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Configure** for GitLab.
3. Click on **Start** for the group hook option: "Monitor only certain GitLab groups"
4. Submit your GitLab instance url and the personal access token, and make sure to name this personal access token as you might use several of them in the future to integrate more GitLab groups.

caution
_GitLab instance URL_ must be prefixed with `https://`, instances without a secure connection won't be monitored.
5. You are then brought to the configuration page of your GitLab integration where you can see the list of all the GitLab groups and subgroups that your personal access token gives access to.
Click **Install** for the GitLab groups and subgroups you want GitGuardian to monitor.

6. You can see the projects and groups monitored in your [GitLab settings page](https://dashboard.gitguardian.com/settings/integrations/gitlab)

#### Installation remarks[](#installation-remarks "Direct link to Installation remarks")
* When you choose to install a GitLab group, all its sub-groups will also be installed automatically. In doing so, the "parent" group and "children" subgroups are linked together and if you only want to uninstall one subgroup, you will need to uninstall the "parent" group first.
* A GitLab group cannot belong to two personal access tokens. Therefore, when you want to install a "parent" group that has an already-installed subgroup you must first uninstall the "child" subgroup.
#### Events subscription details[](#events-subscription-details-1 "Direct link to Events subscription details")
Our group hooks will subscribe to the following events:
* `Repository update events`
* `Push events`
* `Merge request events`
and SSL verification will be enabled.
Other events our group hooks will subscribe to but won't process:
* `Tag push events`
* `Issues events`
* `Confidential issues events`
* `Comments`
* `Confidential comments`
* `Job events`
* `Pipeline events`
* `Wiki page events`
* `Deployments events`
* `Releases events`
* `Member events`
* `Subgroup events`
* `Feature flag events`
#### Troubleshooting[](#troubleshooting-1 "Direct link to Troubleshooting")
* You can **submit new personal access tokens if you want to monitor more GitLab groups**. Multiple tokens can be added for group hooks integration. If several tokens are associated with the same GitLab group, you have to choose which token will be monitoring it.

* If the token is revoked, the group will no longer be monitored (you can install it again with another token, but GitGuardian will not arbitrarily choose another token for you). In this scenario you'll receive an email informing of the unmonitored status of the integration.
Automatic historical scan[](#automatic-historical-scan "Direct link to Automatic historical scan")
----------------------------------------------------------------------------------------------------
By default, GitGuardian performs a historical scan for each newly created GitLab project added to your perimeter.
You can deactivate this behavior in your [GitLab settings](https://dashboard.gitguardian.com/settings/integrations/gitlab)
if you are a Manager of the workspace.

Automatic repository monitoring[](#automatic-repository-monitoring "Direct link to Automatic repository monitoring")
----------------------------------------------------------------------------------------------------------------------
By default, GitGuardian automatically monitors repositories added to your perimeter.
You can deactivate this behavior in your [GitLab settings](https://dashboard.gitguardian.com/settings/integrations/gitlab)
if you are a Manager of the workspace.
Customize your monitored perimeter[](#customize-your-monitored-perimeter "Direct link to Customize your monitored perimeter")
-------------------------------------------------------------------------------------------------------------------------------
Once you have set up your GitLab integration, you have the possibility to configure which projects to monitor in the [GitLab settings section](https://dashboard.gitguardian.com/settings/integrations/gitlab)
of your workspace.
If you deselect a project from your monitored perimeter:
* GitGuardian will no longer fetch the content of its commits, therefore you won't receive any alerts related to this project.
* The webhook installed on this project will still exist, therefore you can easily turn the monitoring back on at any moment.
#### Was this page helpful?
[](#)
[](#)
* [Setup](#setup)
* [Create a Personal Access Token](#create-a-personal-access-token)
* [Integrate your GitLab instance with system hooks](#integrate-your-gitlab-instance-with-system-hooks)
* [Integrate your GitLab groups with group hooks](#integrate-your-gitlab-groups-with-group-hooks)
* [Automatic historical scan](#automatic-historical-scan)
* [Automatic repository monitoring](#automatic-repository-monitoring)
* [Customize your monitored perimeter](#customize-your-monitored-perimeter)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Plan and usage | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Plan and usage
==============
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
You can find more information about your plan and usage in your workspace settings. Visit the [Plan & usage section](https://dashboard.gitguardian.com/settings/workspace/plan)
.
info
**What is a private collaborative repository?** A private collaborative repository is a private repository belonging to a VCS organization, representing a business entity, and to which multiple developers can be contributing.
**What is a contributing developer?** We define a contributing developer as a commit author email address. A contributing developer is a developer who made at least one commit to a private collaborative repository within the last 90 days.
Plan[](#plan "Direct link to Plan")
-------------------------------------
There are three types of plan:
* Free
* Business
* Enterprise
You can benefit from all Business plan features with a 30-day free trial of the plan.
| Plan / Contributing developers | Free | Trial | Business & Enterprise |
| --- | --- | --- | --- |
| **< 25 devs** | ✅ **All** repositories monitored
❌ No Business features | ✅ **All** repositories monitored
✅ Business features | ✅ **All** repositories monitored
✅ Business features |
| **\> 25 devs** | ❌ Private collaborative repositories **NOT** monitored
❌ No Business features | ✅ **All** repositories monitored
✅ Business features | ✅ **All** repositories monitored
✅ Business features |
If you want additional information about our different plans, please visit the [pricing page on our website](https://www.gitguardian.com/pricing?utm_source=documentation)
.
Usage[](#usage "Direct link to Usage")
----------------------------------------
### Free plan[](#free-plan "Direct link to Free plan")
You can monitor your private collaborative repositories within a **limit of 25 contributing developers**. Only workspace Managers and Owners can view the total number of contributing developers.
If you have more than 25 contributing developers, there are two possibilities:
* Your trial will start automatically if you reach the limit of 25 contributing developers (happens after adding new repositories to your perimeter for example).
* Your free trial has been redeemed and expired, meaning your private collaborative repositories are no longer monitored. We invite you to contact our sales team via [email](mailto:sales@gitguardian.com)
to upgrade your plan.
### Business & Enterprise plan[](#business--enterprise-plan "Direct link to Business & Enterprise plan")
You can monitor your private collaborative repositories, in respect with the number of contributing developer licenses you have acquired.
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [Plan](#plan)
* [Usage](#usage)
* [Free plan](#free-plan)
* [Business & Enterprise plan](#business--enterprise-plan)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# GitGuardian CLI (ggshield) | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
GitGuardian CLI (ggshield)
==========================

**ggshield** is an open-source command-line interface application (CLI) for secrets scanning in developer workflows.
`ggshield` can run:
* **in your local environment** to scan local files and repositories or as a pre-commit hook.
* **in a CI environment**,
* **in a pre-receive hook**, if you have a self-managed VCS instance
Resources[](#resources "Direct link to Resources")
----------------------------------------------------
* [**Quick-reference guide**](/ggshield-docs/getting-started)
* [**Integrations guide**](/ggshield-docs/integrations/overview)
* [**CLI command reference**](/ggshield-docs/reference/overview)
* [**GitHub repository**](https://github.com/GitGuardian/ggshield)
#### Was this page helpful?
[](#)
[](#)
* [Resources](#resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Python SDK | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Python SDK
==========

**py-gitguardian** is the official python client for GitGuardian's public API. It can be used to create ad-hoc integrations to scan various data sources, from your workstation's filesystem to your favorite ChatOps tools like Slack, MS Teams, or developer wikis and ticketing systems like Confluence and Jira by Atlassian.
Resources[](#resources "Direct link to Resources")
----------------------------------------------------
* [**GitHub repository**](https://github.com/GitGuardian/py-gitguardian)
#### Was this page helpful?
[](#)
[](#)
* [Resources](#resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Secure secrets management | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Secure secrets management
=========================
Managing secrets in the SDLC[](#managing-secrets-in-the-sdlc "Direct link to Managing secrets in the SDLC")
-------------------------------------------------------------------------------------------------------------
### There's no silver bullet[](#theres-no-silver-bullet "Direct link to There's no silver bullet")
Secrets are so widely used in DevOps environments that there simply can’t be a one-size-fits-all for managing them. We have development secrets used by developers, build secrets, application secrets, infrastructure secrets, etc.
Even for the most mature DevSecOps organizations or teams, secrets management is very difficult to master, because it is a matter of striking a right balance between security and accessibility. This second point is very important for one simple reason: in modern development teams, secrets are required by everyone. Making it hard to use secrets will inevitably lead to the bypassing of the protective layers in place, and lead to practices such as hardcoding them.
In practice, it is easy to see that there is a gap between theory and practice when it comes to handling and sharing credentials in a team, a department, or an organization. For example, the organization may pay for a cloud-based secrets manager, a vault, or maybe even for a dedicated team to administrate these tools, which makes it falsely think it has solved this problem. But under further scrutiny, it would realize that the long-lived credentials are also stored on the devs’ local machines for convenience.
### Find your way to secure secrets management[](#find-your-way-to-secure-secrets-management "Direct link to Find your way to secure secrets management")
There are various ways with which secrets can be managed in the software development lifecycle. You should explore the following options with infrastructure and engineering teams before deciding which one is the right approach for your organization:
* ~Hardcoded in source code and templates~ (please, don't.)
* Grouping secrets in common, unencrypted configuration files, such as `.env` (outside of the git repository)
* Encrypting secrets in a GitOps or sealed secrets approach, with decryption key stored in a vault
* Storing secrets in a vault and distributing them through a secrets management service
* Generating dynamic secrets, through a complex secrets management infrastructure
The problem of hardcoded secrets[](#the-problem-of-hardcoded-secrets "Direct link to The problem of hardcoded secrets")
-------------------------------------------------------------------------------------------------------------------------
### Are hardcoded secrets a vulnerability?[](#are-hardcoded-secrets-a-vulnerability "Direct link to Are hardcoded secrets a vulnerability?")
[OWASP](https://owasp.org)
, the Open Web Application Security Project foundation that works to improve the security of software, lists hardcoded secrets as one of its famous list of the [Top 10 Web Application Security Risks](https://owasp.org/Top10)
. The vulnerability ranked #2 in the latest edition published in 2021, under the [Cryptographic Failures (A02:2021)](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
entry.
MITRE, famous for its [ATT&CK](https://attack.mitre.org)
knowledge base of adversary tactics and techniques, also lists the use of hardcoded credentials in its [CWE Top 25 Most Dangerous Software Weaknesses](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)
. The vulnerability ranked #15 in the 2022 edition, under [CWE-798 – Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)
.
### What makes hardcoded secrets different?[](#what-makes-hardcoded-secrets-different "Direct link to What makes hardcoded secrets different?")
Hardcoded secrets is a unique vulnerability in source code when compared to other vulnerabilities found through static or dynamic analysis. Regardless of whether the code is compiled and in runtime or not, hardcoded secrets represent a risk in themselves. Attackers who gain initial access to a repository can traverse all its branches and commit history to look for valid secrets. It does not matter if a secret is found on the deployed main branch or a short-lived bugfix branch, as long as it is valid and gives access to a resource (e.g. a server, a database, a third-party API).
### Secrets sprawl is a pervasive problem[](#secrets-sprawl-is-a-pervasive-problem "Direct link to Secrets sprawl is a pervasive problem")
Developers write code with the best of intentions, but they still end up compromising credentials and sensitive data. With 6 million secrets exposed on public GitHub in 2021 and a lot more in the private repositories, our research in the [State of Secrets Sprawl 2022 report](https://www.gitguardian.com/state-of-secrets-sprawl-report-2022)
shows that this problem is much more common than developers and security engineers think.
The solution: automated detection and remediation[](#the-solution-automated-detection-and-remediation "Direct link to The solution: automated detection and remediation")
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Detecting secrets in source code is like finding needles in a haystack: there are a lot more sticks than there are needles, and you don’t know how many needles might be in the haystack. In the case of secrets, you don’t even know what all the needles look like!
A high-performing automated scanner will be able to achieve:
* A low number of false alerts raised. We call this **high precision**. Precision answers the question: "What is the percentage of the secrets that you detect that are actual secrets?". This question is legitimate, especially in a context where security teams have to deal with alert-fatigue.
* A low number of secrets missed. This is what we call **high recall**. Considering that a single undetected credential can have a big impact for an organization, some organizations prefer to triage more false alerts but make sure they don’t miss a secret.
Balancing the equation to ensure that the algorithm captures as many secrets as possible without flagging too many false results is an intricate and extremely difficult challenge GitGuardian takes care of for its users. GitGuardian builds and maintains a secrets detection engine with more than 350 specific types of secrets covered in addition to support for generic and custom patterns.
#### Was this page helpful?
[](#)
[](#)
* [Managing secrets in the SDLC](#managing-secrets-in-the-sdlc)
* [There's no silver bullet](#theres-no-silver-bullet)
* [Find your way to secure secrets management](#find-your-way-to-secure-secrets-management)
* [The problem of hardcoded secrets](#the-problem-of-hardcoded-secrets)
* [Are hardcoded secrets a vulnerability?](#are-hardcoded-secrets-a-vulnerability)
* [What makes hardcoded secrets different?](#what-makes-hardcoded-secrets-different)
* [Secrets sprawl is a pervasive problem](#secrets-sprawl-is-a-pervasive-problem)
* [The solution: automated detection and remediation](#the-solution-automated-detection-and-remediation)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Saved views | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Saved views
===========
Saved views allow users to save and share customized filter sets, making it easier to collaborate and maintain consistent views across teams.
Key benefits[](#key-benefits "Direct link to Key benefits")
-------------------------------------------------------------
* Shared views: Workspace managers can create shared views accessible to all team members, enabling smoother workflows and reducing the time spent configuring filters.
* Personalized experience: While the primary focus is on sharing, members can also create private views tailored to their individual needs. Each user can then customize their session by adding or hiding views according to their preferences.
* Dynamic filtering: The "Current user" filter enables views to dynamically adjust and display relevant data for each user, such as "My Incidents," providing a personalized and relevant experience even in shared views. 
How to create a new view[](#how-to-create-a-new-view "Direct link to How to create a new view")
-------------------------------------------------------------------------------------------------
1. Set your desired filters in an existing view.
2. Click "Save" > "Save as new view."
3. Enter a name for the view and save.
info
If you’re a workspace manager, choose whether it should be available to everyone or just to you. Members can only create private views.
 
GitGuardian views[](#gitguardian-views "Direct link to GitGuardian views")
----------------------------------------------------------------------------
In addition to user-created views, GitGuardian provides pre-configured views with recommended filter sets. These views help users quickly access common data configurations. While these views can be hidden, they cannot be edited or deleted. Learn more about:
* [Views for the incidents page](/secrets-detection/remediate/prioritize-incidents#1-prioritize-with-the-incidents-table)
* [Views for the perimeter page](/platform/monitor-perimeter/monitored-perimeter)
#### Was this page helpful?
[](#)
[](#)
* [Key benefits](#key-benefits)
* [How to create a new view](#how-to-create-a-new-view)
* [GitGuardian views](#gitguardian-views)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Honeytoken for self-hosted installations | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Honeytoken for self-hosted installations
========================================
Enabling Honeytoken on self-hosted environments[](#enabling-honeytoken-on-self-hosted-environments "Direct link to Enabling Honeytoken on self-hosted environments")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
info
The Honeytoken module is available to self-hosted installations as an add-on on top of the Secret Detection license.
To enable Honeytoken in your self-hosted GitGuardian instance, please contact [support@gitguardian.com](mailto:support@gitguardian.com)
.
Please note that this feature is not compatible with self-hosted installations in an airgapped environment as it requires access to AWS.
After your request, we'll enable the module, establish your dedicated AWS infrastructure for Honeytokens, and reach out to finalize the setup.
### Synchronize license[](#synchronize-license "Direct link to Synchronize license")
After receiving confirmation from your GitGuardian contact regarding the module activation for your instance(s), it is crucial to ensure that the GitGuardian application's [license is synchronized accordingly](/self-hosting/license-management)
.
Once this task is completed, the Honeytoken module will appear on your GitGuardian dashboard within a few minutes. However, note that you won't be able to create any honeytokens until you complete the next step.
### Set up the AWS integration[](#set-up-the-aws-integration "Direct link to Set up the AWS integration")
To configure the AWS integration required for the AWS honeytokens, your GitGuardian contact will share a download link for the json file (`aws_honeytoken_config.json`). Follow these steps to complete the configuration:
1. Access the Admin area of your GitGuardian dashboard (administrative rights are necessary).
2. Navigate to Settings > Honeytoken and upload the provided JSON file.
3. This action triggers the configuration process, which establishes users and keys within your dedicated AWS organization.
4. While the full setup may take some time, you can start using available honeytokens immediately.
5. Monitor the dashboard to observe the honeytoken count increasing as the setup progresses.
Navigate to the Admin area in your GitGuardian dashboard (admin rights required). Go to Settings > Honeytoken and upload the provided JSON file. This triggers the configuration process, setting up users and keys within your dedicated AWS organization.
Full setup may take some time, but you can begin using available honeytokens immediately. Monitor the dashboard to see your honeytoken count rise as the setup progresses.
Health checks[](#health-checks "Direct link to Health checks")
----------------------------------------------------------------
The Health Checks page in the Admin area contains a Honeytoken section, showing the AWS integration statuses.
### AWS integration health checks[](#aws-integration-health-checks "Direct link to AWS integration health checks")
There are two types of health checks:
* "Access to AWS resources":
* This health check verifies whether the instance can successfully create AWS users and keys intended for use as honeytokens.
* Additionally, it ensures that access to the S3 bucket containing logs is operational.
* If any issues arise during this check, it can be manually restarted by clicking the "Check again" button.
* “Reception of events”:
* This health check monitors the seamless functioning of the various methods we employ to collect honeytoken events.
* Unlike the previous check, this one is scheduled to run at regular intervals and cannot be manually restarted.

Network requirements[](#network-requirements "Direct link to Network requirements")
-------------------------------------------------------------------------------------
### Inbound rules[](#inbound-rules "Direct link to Inbound rules")
| Port | Source | Destination | Description |
| --- | --- | --- | --- |
| 443 | AWS\* | All K8S nodes | Non real-time events webhook |
| 443 | AWS\* | All K8S nodes | Real-time events webhook |
\* [AWS IP address ranges](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html)
### Outbound rules[](#outbound-rules "Direct link to Outbound rules")
Outbound requests include the creation of AWS tokens, and retrieving the logs with events. Every outbound communications between your GitGuardian instance and AWS are HTTPS protocol on port 443.
| Port | Source | Destination | Description |
| --- | --- | --- | --- |
| 443 | All K8S nodes | `sts.amazonaws.com` | Authentication AWS API |
| 443 | All K8S nodes | `sts.us-west-2.amazonaws.com` | Regional Authentication AWS API |
| 443 | All K8S nodes | `iam.amazonaws.com` | AWS Identity and Access Management API |
| 443 | All K8S nodes | `s3-accesspoint.us-west-2.amazonaws.com` | Regional S3 AWS API |
| 443 | All K8S nodes | `organizations.us-east-1.amazonaws.com` | Organizations AWS API |
#### Was this page helpful?
[](#)
[](#)
* [Enabling Honeytoken on self-hosted environments](#enabling-honeytoken-on-self-hosted-environments)
* [Synchronize license](#synchronize-license)
* [Set up the AWS integration](#set-up-the-aws-integration)
* [Health checks](#health-checks)
* [AWS integration health checks](#aws-integration-health-checks)
* [Network requirements](#network-requirements)
* [Inbound rules](#inbound-rules)
* [Outbound rules](#outbound-rules)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# API | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
API
===
GitGuardian Internal Monitoring has a public API for teams to:
* Programmatically manage their GitGuardian workspace and handle their incidents lifecycle
* Scan additional data sources for hardcoded secrets (e.g., Slack, MS Teams, Jira, Confluence by Atlassian)
Resources[](#resources "Direct link to Resources")
----------------------------------------------------
* [**API documentation**](/api-docs/introduction)
* [**API reference**](https://api.gitguardian.com/docs)
> Please note that if you are using a GitGuardian self-hosted instance, the base url of the API routes will be `https://dashboard.gitguardian.mycorp.local/exposed/` instead of `https://api.gitguardian.com/`.
> For example, the scan route will be: `https://dashboard.gitguardian.mycorp.local/exposed/v1/scan`
Examples are provided in all supported programming languages (e.g. Python and Go).
#### Was this page helpful?
[](#)
[](#)
* [Resources](#resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Deployment jobs | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Deployment jobs
===============
Business feature
Only workspaces under Business plan can access the Deployment jobs feature.
Introduction[](#introduction "Direct link to Introduction")
-------------------------------------------------------------
Deployment jobs are a key feature enabling the efficient dissemination of honeytokens across multiple code repositories. This process involves creating pull requests to insert a file containing a honeytoken into the targeted repositories.
During a deployment job, for each selected repository, GitGuardian will:
1. Create a unique honeytoken.
2. Place it within an appropriate file context.
3. Create a pull request to insert the honeytoken into the repository.
It's important to note that the decision to merge each honeytoken into the main branch rests with the user, who must perform this action directly in the VCS. GitGuardian's function is limited to opening the pull request. In any case, you should consider the honeytoken as deployed as soon as the pull request is created, since it is now visible in the git repository.
info
We use "Pull request" universally across all Version Control Systems (VCSs). For GitLab, this is equivalent to "Merge requests".
Prerequisites[](#prerequisites "Direct link to Prerequisites")
----------------------------------------------------------------
info
Currently, this feature supports GitLab and GitHub sources only. Azure DevOps and BitBucket are not supported at present.
To use deployment jobs, GitGuardian requires write access to the repositories being monitored.
* **For GitLab projects:** No extra setup is needed.
* **For GitHub and GitHub Enterprise repositories:** Additional steps are required to enable write permissions. See detailed instruction in the integration guides for [GitHub](/platform/monitor-perimeter/vcs-integrations/github)
or [GitHub Enterprise](/platform/monitor-perimeter/vcs-integrations/github-enterprise)
.
Creating a deployment Job[](#creating-a-deployment-job "Direct link to Creating a deployment Job")
----------------------------------------------------------------------------------------------------
Navigate to the “[Deployment jobs](https://dashboard.gitguardian.com/honeytokens/deployment-jobs)
” tab within the Honeytoken module and click Create deployment job.

1. **Name**: Assign a descriptive name to your deployment job, indicating its scope or purpose.
2. **Context creation strategy**: Choose a strategy for the types of files to be used for honeytoken insertion. Details on the context creation strategies are available in a [dedicated section](#context-creation-strategy)
.
3. **Labels**: Assign labels to the honeytokens generated in this job, aiding in identification and filtering. For example, **`auto-deploy:true`** could denote honeytokens created from deployment jobs.
4. **Sources**: Select the repositories where you wish to deploy honeytokens.
info
Some sources might not be eligible for deployment jobs, including Azure DevOps, BitBucket, GitHub repositories without write permissions, sources outside the monitored perimeter, and public sources. Refer to the help section for troubleshooting.
Note: The number of sources selected cannot exceed the number of available honeytokens for creation.
Context creation strategy[](#context-creation-strategy "Direct link to Context creation strategy")
----------------------------------------------------------------------------------------------------
In the [Honeytoken settings](https://dashboard.gitguardian.com/settings/secrets/honeytoken)
, you can view and modify context creation strategies. These strategies determine the file types into which honeytokens may be inserted, classified as either "generic" or "dynamic":
info
“Generic” refer to file types that could realistically be found in any repository, irrespective of programming language, such as .env, .txt, .csv, .yaml, .json.
“Dynamic” refer to file types and content aligned with the main language of the target repository. Our dynamic contexts are generated by AI using the requested language. **Note that no code is ever sent to the model**.
When creating or editing a strategy, you must select a "context creation" option, as well as the generic context types that you want to allow:

Even when selecting the “Dynamic contexts” option, you still need to select at least one type of generic context: should the repository language not be existing or available, the system will fallback on a generic file.
Follow the progress of your Deployment job[](#follow-the-progress-of-your-deployment-job "Direct link to Follow the progress of your Deployment job")
-------------------------------------------------------------------------------------------------------------------------------------------------------
Once a deployment job is created, you can view the status of each individual deployment:

* **`Processing`**: The pull request is pending.
* **`Pull request created`**: GitGuardian has successfully created the honeytoken and the pull request.
* **`Merged`**: The proposed change has been approved and merged.
* **`Pull request closed`**: The proposed change has been declined, closing the pull request.
* **`Error`**: An issue occurred during deployment (details available in the side panel upon clicking the deployment).
For statuses other than “Processing” and “Error,” you'll find links to the honeytoken, the pull request, and the inserted file.
It's important to note that a honeytoken is considered deployed once the pull request is created, as it becomes visible in the repository, irrespective of whether it's merged. If a pull request is closed, the honeytoken remains unless the branch and pull request are explicitly deleted.
Characteristics of honeytokens created from deployment jobs[](#characteristics-of-honeytokens-created-from-deployment-jobs "Direct link to Characteristics of honeytokens created from deployment jobs")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Honeytokens created via deployment jobs have the following characteristics:
* **The name:** Corresponds to the source name, appended with a suffix based on the deployment job
* **Labels:** As specified during the deployment job creation.
* **Link:** When the source is detected and the information added to the honeytoken (shortly after the pull request is created), there is a link to redirect to the associated deployment.

#### Was this page helpful?
[](#)
[](#)
* [Introduction](#introduction)
* [Prerequisites](#prerequisites)
* [Creating a deployment Job](#creating-a-deployment-job)
* [Context creation strategy](#context-creation-strategy)
* [Follow the progress of your Deployment job](#follow-the-progress-of-your-deployment-job)
* [Characteristics of honeytokens created from deployment jobs](#characteristics-of-honeytokens-created-from-deployment-jobs)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Privacy mode | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Privacy mode
============
Protecting sensitive information from unauthorized access is crucial for maintaining data privacy.
The privacy mode enables you to control sensitive information's visibility, preventing unauthorized viewing and aligning with privacy-by-design principles.
### What sensitive information can be obfuscated?[](#what-sensitive-information-can-be-obfuscated "Direct link to What sensitive information can be obfuscated?")
To enable you to use GitGuardian in the best possible conditions, you can choose to show or hide sensitive information at any time from the application.
The obfuscated sensitive information are:
* The secrets themselves with [their multiple matches](/secrets-detection/secrets-detection-engine/quick_start#detecting-secrets-with-multiples-matches-and-multi-line-secrets)
.
* The honeytokens and the IP addresses that triggered the honeytokens.
### How to use the privacy mode?[](#how-to-use-the-privacy-mode "Direct link to How to use the privacy mode?")
* You can activate or deactivate this mode from the top navigation bar.
* When activated, all the workspace's secrets are obfuscated. It is not possible to deactivate the privacy mode for a single secret.
* This mode is a setting available to every user, regardless of their access level or workspace plan.

> Please note that its activation does not affect other users in the same workspace.
#### Was this page helpful?
[](#)
[](#)
* [What sensitive information can be obfuscated?](#what-sensitive-information-can-be-obfuscated)
* [How to use the privacy mode?](#how-to-use-the-privacy-mode)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# DSA Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
DSA Private Key
===============
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Documentation**: [RFC 6976](https://tools.ietf.org/html/rfc6979)
* **Summary**: The Digital Signature Algorithm (DSA) can be used to authenticate to services. It works with a public and private key set. The client uses the private key to authenticate to the service that has the public key. Only the private key is sensitive. The public key is not sensitive and can be distributed freely. See the [RFC 6976](https://tools.ietf.org/html/rfc6979)
for more information. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Private key dsa`[](#details-for-private-key-dsa "Direct link to details-for-private-key-dsa")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 2.03
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin dsa private key-----'
### Examples[](#examples "Direct link to Examples")
- text: > -----BEGIN DSA PRIVATE KEY----- MIIBvAIBAAKBgQDaqdgwD3YvYwgbWzs8RQQOm8RmPztSYMUrcM7KQtdJ111sTZ/x VAq84frCt/TEupAN5hUFkC+bpJ/diZixQgPvLKo6FVtBKy97HSpuZT8n2pUYZ9/4 sBTR5YQtP9qExXUYO/yR+fZ+RE9w0TbSAtHW2YZHKnoowJAHdoEGMbaChQIVAK/q iXNHCha4xHnIdD2jT0OUs03fAoGBAMnCeTgO09r2GquRAQmGFAT/6IGMhux7KOC8 QrW7jDaqAYLiuA45E3Ira584RF2rg0VhewxcdEMbqNzqCeSKk9OAmwXpJ1J8vCUR dRojGz0DYZHJbcspoGtZF1IF6Z3BoaggRcLX6/KYLbnzFZnBXV/+//gRTbm/V2ie BzCWE/qEAoGBANbrGxzVTTdTD8MaVtlOpjU3RqoGFHmFCd4lv0PIt2mjFsXO3Dt/ 6BMtJVREtb74WF0SUGmnpy6FTYoDb05j2LhH1IvCSkFT5hUK0WtAJ3NidJ6ARxxD z2QITWI1FTr1K9NbZdR6DoTxeKfV6wWbuLywlwoWYmLe6oAmq21Oft4XAhRcKcLk r2R/Rn1uchUL8ru0B2OVkg== -----END DSA PRIVATE KEY-----
### Details for `Base64 private key dsa`[](#details-for-base64-private-key-dsa "Direct link to details-for-base64-private-key-dsa")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 0.01
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibeu0egufjjvkfursblrvktls0tl - 0tls0tqkvhsu4grfnbifbssvzbveugs0vzls0tls - tls0tlujfr0loiertqsbquklwqvrfietfws0tls0t
### Examples[](#examples-1 "Direct link to Examples")
LS0tLS1CRUdJTiBEU0EgUFJJVkFURSBLRVktLS0tLSBNSUlCdkFJQkFBS0JnUURhcWRnd0QzWXZZd2diV3pzOFJRUU9tOFJtUHp0U1lNVXJjTTdLUXRkSjExMXNUWi94IFZBcTg0ZnJDdC9URXVwQU41aFVGa0MrYnBKL2RpWml4UWdQdkxLbzZGVnRCS3k5N0hTcHVaVDhuMnBVWVo5LzQgc0JUUjVZUXRQOXFFeFhVWU8veVIrZlorUkU5dzBUYlNBdEhXMllaSEtub293SkFIZG9FR01iYUNoUUlWQUsvcSBpWE5IQ2hhNHhIbklkRDJqVDBPVXMwM2ZBb0dCQU1uQ2VUZ08wOXIyR3F1UkFRbUdGQVQvNklHTWh1eDdLT0M4IFFyVzdqRGFxQVlMaXVBNDVFM0lyYTU4NFJGMnJnMFZoZXd4Y2RFTWJxTnpxQ2VTS2s5T0Ftd1hwSjFKOHZDVVIgZFJvakd6MERZWkhKYmNzcG9HdFpGMUlGNlozQm9hZ2dSY0xYNi9LWUxibnpGWm5CWFYvKy8vZ1JUYm0vVjJpZSBCekNXRS9xRUFvR0JBTmJyR3h6VlRUZFREOE1hVnRsT3BqVTNScW9HRkhtRkNkNGx2MFBJdDJtakZzWE8zRHQvIDZCTXRKVlJFdGI3NFdGMFNVR21ucHk2RlRZb0RiMDVqMkxoSDFJdkNTa0ZUNWhVSzBXdEFKM05pZEo2QVJ4eEQgejJRSVRXSTFGVHIxSzlOYlpkUjZEb1R4ZUtmVjZ3V2J1THl3bHdvV1ltTGU2b0FtcTIxT2Z0NFhBaFJjS2NMayByMlIvUm4xdWNoVUw4cnUwQjJPVmtnPT0gLS0tLS1FTkQgRFNBIFBSSVZBVEUgS0VZLS0tLS0K
Here's the decoded string:
-----BEGIN DSA PRIVATE KEY-----MIIBvAIBAAKBgQDaqdgwD3YvYwgbWzs8RQQOm8RmPztSYMUrcM7KQtdJ111sTZ/xVAq84frCt/TEupAN5hUFkC+bpJ/diZixQgPvLKo6FVtBKy97HSpuZT8n2pUYZ9/4sBTR5YQtP9qExXUYO/yR+fZ+RE9w0TbSAtHW2YZHKnoowJAHdoEGMbaChQIVAK/qiXNHCha4xHnIdD2jT0OUs03fAoGBAMnCeTgO09r2GquRAQmGFAT/6IGMhux7KOC8QrW7jDaqAYLiuA45E3Ira584RF2rg0VhewxcdEMbqNzqCeSKk9OAmwXpJ1J8vCURdRojGz0DYZHJbcspoGtZF1IF6Z3BoaggRcLX6/KYLbnzFZnBXV/+//gRTbm/V2ieBzCWE/qEAoGBANbrGxzVTTdTD8MaVtlOpjU3RqoGFHmFCd4lv0PIt2mjFsXO3Dt/6BMtJVREtb74WF0SUGmnpy6FTYoDb05j2LhH1IvCSkFT5hUK0WtAJ3NidJ6ARxxDz2QITWI1FTr1K9NbZdR6DoTxeKfV6wWbuLywlwoWYmLe6oAmq21Oft4XAhRcKcLkr2R/Rn1uchUL8ru0B2OVkg==-----END DSA PRIVATE KEY-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Private key dsa`](#details-for-private-key-dsa)
* [Examples](#examples)
* [Details for `Base64 private key dsa`](#details-for-base64-private-key-dsa)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Where should you scan for secrets in the SDLC? | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
Where should you scan for secrets in the SDLC?
==============================================
We recommend you add automated secrets scanning wherever you can, at every stage of the SDLC. Throwing as many nets as possible builds a layered defense and removes the dangers of having one single point of failure. We believe this should be the pursued strategy by every organization looking to reduce the risk of exposure of its secrets. Counter-intuitively, this layered approach adds little friction and can help you achieve wide-scale adoption from your developers.
We recommend starting with continuous monitoring for your VCS instances (server-side). Results at this level are more informative and non-blocking. As you get used to handling these results, you can incrementally increase the level of restriction, up to the point where it feels more accurate and in line with your organization. With GitGuardian, you will be able to gradually move secrets scanning upstream until you reach developer environments (client-side).
1. Start with continuous scanning for your remote repositories using the available native VCS integrations. It is an easy setup and guarantees your security team(s) total visibility over an evolving perimeter since repositories get created and deleted every day.
2. Add automated scanning jobs in CI environments to test supporting branches such as feature, release, and hotfix; before merging into the main one.
3. Configure developer workstations to scan local changes thanks to the pre-commit git hook and ggshield CLI. It prevents secrets from leaving developer workstations in the first place.
4. If you run your own self-hosted VCS instances, you can leverage a globally configured pre-receive git hook to block secrets from entering centralized repositories.
#### Was this page helpful?
[](#)
[](#)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Jira Data Center source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Jira Data Center source
=======================================
info
For now, only real-time scanning is supported to detect secrets in issues and comments. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Jira Data Center site installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Jira Data Center with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Jira Data Center via an **administrator Personal Access Token** that you can create from your Jira Data Center sites. Note that GitGuardian only has **read access** to your projects.
Setup your Jira Data Center integration[](#setup-your-jira-data-center-integration "Direct link to Setup your Jira Data Center integration")
----------------------------------------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Jira Data Center sites to monitor your projects.
1. Make sure you're logged as an administrator in the Jira Data Center site you want to install
2. Go to the **Profile** page 
3. Go to the **Personal Access Tokens** section and click **Create token** to create a new PAT 
4. Provide a **Token Name**, an optional **Expiry date** and click **Create**
5. Copy your new PAT and click **Close**
6. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
7. Click on the **Install** button next to **Jira Data Center** in the **Ticketing** section 
8. Click on the **Install** button of the [Jira Data Center integration](https://dashboard.gitguardian.com/settings/integrations/jira_data_center)
page
9. Paste your **Jira Data Center site URL**, your **Administrator Personal Access Token** and click **Add**
That's it! Your Jira Data Center site is installed and we are now monitoring all issues and comments of your projects for secrets.
info
Jira allows the creation of up to 10 PATs. GitGuardian automatically renews PATs before they expire. To do this, you must have at least 2 PAT slots free. Otherwise, an error message will warn you that the integration is no longer functional.
Uninstall your Jira Data Center site[](#uninstall-your-jira-data-center-site "Direct link to Uninstall your Jira Data Center site")
-------------------------------------------------------------------------------------------------------------------------------------
To uninstall a Jira Data Center site:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Jira Data Center** in the **Ticketing** section
3. Click on the bin icon next to the Jira Data Center site to be uninstalled
4. Confirm by clicking on the **Yes, uninstall** button in the confirmation modal 
That's it! Your Jira Data Center site is now uninstalled.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* **Historical Scan:** Historical scans are not yet supported (coming soon).
* **Source Listing:** Monitored Jira Data Center projects are not yet listed on the [Perimeter](https://dashboard.gitguardian.com/perimeter)
page (coming soon).
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. All projects are monitored by default.
* **Team Perimeter:** Customization of a team perimeter with Jira Data Center projects is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Jira Data Center.
* **Source Visibility:** The visibility of projects is not determined. All projects are considered `private` in both the UI and API.
* **Presence Check:** The presence check feature is not supported. All occurrences are considered `present` in both the UI and API.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Jira Data Center users that your projects are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Jira Data Center projects for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only projects relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the project’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Jira Data Center integration](#setup-your-jira-data-center-integration)
* [Uninstall your Jira Data Center site](#uninstall-your-jira-data-center-site)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Collaboration between Application Security and development teams | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Collaboration between Application Security and development teams
================================================================
What is the AppSec Shared Responsibility Model?[](#what-is-the-appsec-shared-responsibility-model "Direct link to What is the AppSec Shared Responsibility Model?")
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Shared responsibility essentially means that security should be owned by various teams acting in collaboration to implement its various layers all along the SDLC:
* Developers are provided with access to the right tools to set up their guardrails and remediate the security issues they’re the most familiar with, in context.
* Security engineers are responsible for defining and implementing security policies as well as their controls. Sharing responsibility means they can dedicate more time investigating complex or low-assurance findings.
* Platform/Ops can be tasked with ad-hoc responsibilities to make sure security CI/CD controls are correctly configured, or even to take ownership of certain types of vulnerabilities.
Why do we need it?[](#why-do-we-need-it "Direct link to Why do we need it?")
------------------------------------------------------------------------------
Security can no longer be an afterthought or solely addressed once applications start running in production environments.
The everything-as-code approach or the collapse of the Software Development Lifecycle (SDLC) into Source Control Management (source code, CI/CD configurations, policy-as-code, infrastructure-as-code, documentation-as-code) has spawned a whole new range of attack vectors. In turn, this has led to a shift in the priorities of attackers from applications in runtime to the tools that make up the development environments and CI/CD pipelines.
Organizations can only mitigate such threats by addressing security continuously throughout the SDLC, with the help of the developers designing and authoring the code going to production. Our observations show that, on average, organizations run application security programs with one to two security engineers for every 100 developers. In such a configuration, the vulnerabilities introduced in source code outmatch the capacity of security teams to handle them.
Only an **Application Security Shared Responsibility Model**, where developers contribute their fair share, can scale in this new environment.
How can GitGuardian help your organization achieve it?[](#how-can-gitguardian-help-your-organization-achieve-it "Direct link to How can GitGuardian help your organization achieve it?")
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### For AppSec teams[](#for-appsec-teams "Direct link to For AppSec teams")
GitGuardian aims to:
* Provide AppSec teams with visibility and control over the SCM, DevOps tools and all other components of the SDLC.
* Ease the burden of remediation by pulling developers who own the context closer to the process.
### For development teams[](#for-development-teams "Direct link to For development teams")
GitGuardian aims to:
* Guide developers throughout the remediation process (feedback collection, steps to follow, etc.) and empower them to resolve incidents by themselves when possible.
* Equip developers with supportive tooling (command-line interface, SDKs, REST API) to implement security guardrails in the environments they are most familiar with.
#### Was this page helpful?
[](#)
[](#)
* [What is the AppSec Shared Responsibility Model?](#what-is-the-appsec-shared-responsibility-model)
* [Why do we need it?](#why-do-we-need-it)
* [How can GitGuardian help your organization achieve it?](#how-can-gitguardian-help-your-organization-achieve-it)
* [For AppSec teams](#for-appsec-teams)
* [For development teams](#for-development-teams)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Azure DevOps Repos source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Azure DevOps Repos source
=========================================
GitGuardian can integrate with Azure Repos in two different ways: **at the instance level or at the organization/collection level**.
note
In Azure Repos the wordings `Organization` and `Collection` refer to the same concept depending on the version of your Azure DevOps. In GitGuardian's dashboard, we use the wording `Organization` as it is the most common, but don't be embarrassed if you have `Collection` in your Azure Repos instance.
This integration supports Azure Repos for any version of Azure DevOps supporting the Rest API ≥ 4.1. This includes both Azure DevOps Services and Azure Devops Server 2019 and 2020.
The Azure DevOps Repos integration can be done at Instance-level or at Organization-level. In either case, it requires **a personal access token** for GitGuardian to be able to access your Azure Repos organizations/collections for analysis.
You will need Owner or Manager rights in GitGuardian to set up an integration or customize your settings.
caution
To enable functional real-time scanning of your projects and repository, the personal access token owner must either be an `Organization admin` or a `Project administrator` for all projects within your organization. This can be accomplished by being added to the `Project Collection Administrators` group of the organization.
Setup[](#setup "Direct link to Setup")
----------------------------------------
### Create a Personal Access Token[](#create-a-personal-access-token "Direct link to Create a Personal Access Token")
tip
We highly recommend that you use a bot user in order to generate personal access tokens.
1. Go to your “User setting” section on Azure DevOps.
2. For Azure Repos Service, Dive into “Personal access tokens” section and create a new token. For Azure Repos Server, you first need to dive into "Security", and then select the Personal access tokens page on the left side bar.
3. Set a name (ex: “gitguardian”).
4. Select if you want to provide access for the current organization or for the entire instance.
5. IMPORTANT: You must check the `Read` scope for **Code** and **Graph** (click on the 'Show all scopes' link to display this scope).
The `Graph:Read` scope is used for billing purposes as it allows us to look at users, groups and their memberships.
6. We recommend you set the expiration date to 1 year, this is the maximum allowed.
caution
Azure DevOps has a limit of 1 year maximum for the validity of a token. It means you'll have to renew the token if you want to keep the integration up and running.
The personal token enables GitGuardian to access your repos through your Azure DevOps permissions.

Click on the 'Show all scopes' link to display the scope for Graph.


caution
This integration doesn't monitor disabled repositories. If you include disabled repositories in your perimeter, they won't be checked and they will appear with the status `Unknown`.

Please refer to the [Azure DevOps documentation](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate)
for more information about personal access tokens.
### Instance-level integration[](#instance-level-integration "Direct link to Instance-level integration")
This integration mode will automatically monitor **all projects and repositories on the instance**. When a new project or a new repository is created on any organization, it will be automatically included in the perimeter by GitGuardian.
#### Requirements[](#requirements "Direct link to Requirements")
* Azure DevOps Service or self-managed Azure DevOps Server: minimum assured compatible version 2019
* A personal access token with **Read scope for "Code" and "Graph"**.
#### Guidelines[](#guidelines "Direct link to Guidelines")
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Configure** for Azure Repos.
3. Click on **Start** for the instance-level option: "Monitor the entire Azure Repos instance"

4. Submit your Azure Repos instance url, and the personal access token created.

caution
Azure instance URL must be prefixed with `https://`, instances without a secure connection won't be monitored. The URL used should be of type scheme+basename (eg: `https://azuredevops.gitguardian.example`).
5. GitGuardian will start scanning your Azure Repos instance. You can view the projects and repositories monitored in your [Azure Repos settings page](https://dashboard.gitguardian.com/settings/integrations/azure_devops)
by clicking on **See my Azure Repos perimeter**.
#### Troubleshooting[](#troubleshooting "Direct link to Troubleshooting")
* You can **submit new personal access tokens if you want to monitor more Azure Repos instances**.
* GitGuardian automatically detects if the Personal access token becomes invalid (by expiring or being revoked) and will send an email to notify you. All of your existing data will remain accessible.
* In case you have a lot of repositories, they may take some time to show up on your perimeter.
### Organization-level integration[](#organization-level-integration "Direct link to Organization-level integration")
This integration will **only monitor organizations you select**. When a new project is added to a monitored organization, it will be automatically added to the perimeter. However, new organizations added to the Azure Repos instance will not be automatically included to the GitGuardian perimeter.
#### Requirements[](#requirements-1 "Direct link to Requirements")
* Azure Devops Service or self-managed Azure DevOps Server/Data Center: minimum assured compatible version 2019
* A personal access token with **Read scope for "Code".**
#### Guidelines[](#guidelines-1 "Direct link to Guidelines")
1. Navigate to Settings > Integrations > [Sources](https://dashboard.gitguardian.com/settings/integrations/sources)
.
2. Click on **Configure** for Azure Repos.
3. Click on **Start** for the instance level option: "Monitor certain Azure Repos organizations only"

4. Submit your Azure DevOps instance url and the personal access token created. If you're willing to install only one organization, submit also the name of this organization.

caution
Azure instance URL must be prefixed with `https://`, instances without a secure connection won't be monitored. The URL used should be of type scheme+basename (eg: `https://azuredevops.gitguardian.example`).
5. GitGuardian will display the organization available for monitoring.
Clicking `Install`, GitGuardian will access the organization and scan the content of the repositories.

6. You can view the projects and repositories monitored in your [Azure Repos settings page](https://dashboard.gitguardian.com/settings/integrations/azurerepos)
by clicking on **See my Azure Repos perimeter**:
#### Troubleshooting[](#troubleshooting-1 "Direct link to Troubleshooting")
* You can **submit new personal access tokens if you want to monitor more Azure Repos instances or organizations**.
* GitGuardian automatically detects if the Personal access token becomes invalid (by expiring or being revoked) and will send an email to notify you. All of your existing data will remain accessible.
* In case you have a lot of repositories, they may take a short time to show up on your perimeter
* If the Azure DevOps user associated with the personal access token used for integration lacks sufficient permissions for real-time project monitoring, a visual icon will be displayed next to the project. This icon indicates that the project is still part of your scope and can be scanned manually, but it cannot be monitored in real time.

### Rotate/Replace a Personal Access Token[](#rotatereplace-a-personal-access-token "Direct link to Rotate/Replace a Personal Access Token")
In Azure Repos, the maximum lifetime of a Personal Access Token is 365 days, and there is no option to extend this duration. Additionally, updating the scopes of a Personal Access Token requires creating a new one; it cannot be modified directly. Consequently, it is necessary to replace your Personal Access Token at least once a year to continue scanning your repositories with GitGuardian.
To minimize disruption, we recommend:
1. Generate a new Personal Access Token in Azure DevOps before the expiration of the current one.
2. Add this newly created Personal Access Token to the list of tokens in GitGuardian.
3. Only after completing steps 1 and 2, remove the old Personal Access Token.
This ensures a seamless transition, allowing the new Personal Access Token to take over in case the current token expires or is deleted, thereby maintaining the functionality of your integration.
caution
For Organization-level installations, the new Personal Access Token should have the same permissions. Failure to do so may result in incomplete access to certain Organizations. GitGuardian will continue monitoring accessible ones and uninstall Organization(s) that are no longer reachable.
Automatic historical scan[](#automatic-historical-scan "Direct link to Automatic historical scan")
----------------------------------------------------------------------------------------------------
By default, GitGuardian performs a historical scan for each newly created Azure Repos repository added to your perimeter.
You can deactivate this behavior in your [Azure Repos settings](https://dashboard.gitguardian.com/settings/integrations/azure_devops/instance)
if you are a Manager of the workspace.

Automatic repository monitoring[](#automatic-repository-monitoring "Direct link to Automatic repository monitoring")
----------------------------------------------------------------------------------------------------------------------
By default, GitGuardian automatically monitors repositories added to your perimeter.
You can deactivate this behavior in your [Azure Repos settings](https://dashboard.gitguardian.com/settings/integrations/azure_devops/instance)
if you are a Manager of the workspace.
Customize your monitored perimeter[](#customize-your-monitored-perimeter "Direct link to Customize your monitored perimeter")
-------------------------------------------------------------------------------------------------------------------------------
Once you have set up your Azure Repos integration, you have the possibility to configure which projects and repositories to monitor in the [Azure Repos settings section](https://dashboard.gitguardian.com/settings/integrations/azurerepos)
of your workspace.

If you deselect a repository from your monitored perimeter, GitGuardian will not receive any commit for your futur scans.
#### Was this page helpful?
[](#)
[](#)
* [Setup](#setup)
* [Create a Personal Access Token](#create-a-personal-access-token)
* [Instance-level integration](#instance-level-integration)
* [Organization-level integration](#organization-level-integration)
* [Rotate/Replace a Personal Access Token](#rotatereplace-a-personal-access-token)
* [Automatic historical scan](#automatic-historical-scan)
* [Automatic repository monitoring](#automatic-repository-monitoring)
* [Customize your monitored perimeter](#customize-your-monitored-perimeter)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Microsoft Teams source (private beta) | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Microsoft Teams source (private beta)
=====================================================
info
For now, only real-time scanning is supported. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Microsoft Teams tenant installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Microsoft Teams with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Microsoft Teams via an **Entra app** that you can install on your Microsoft Teams tenants. Note that the GitGuardian Entra app only has **read access** to your channels.
Setup your Microsoft Teams integration[](#setup-your-microsoft-teams-integration "Direct link to Setup your Microsoft Teams integration")
-------------------------------------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Microsoft Teams tenants to monitor your standard, private and shared channels.
1. Make sure you're logged as administrator in the Microsoft Teams tenant you want to install
2. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
3. Click on the **Install** button next to **Microsoft Teams** in the **Messaging** section 
4. Click on the **Install** button of the [Microsoft Teams integration](https://dashboard.gitguardian.com/settings/integrations/microsoft_teams)
page
5. Select your Microsoft Teams administrator account
6. Click on the **Accept** button to accept the permissions requested by GitGuardian 
That's it! Our GitGuardian Entra app is now automatically installed on your Microsoft Teams tenant. It will now start monitoring all posts shared on your standard, private and shared channels for secrets.
Uninstall your Microsoft Teams tenant[](#uninstall-your-microsoft-teams-tenant "Direct link to Uninstall your Microsoft Teams tenant")
----------------------------------------------------------------------------------------------------------------------------------------
To uninstall a Microsoft Teams tenant:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Microsoft Teams** in the **Messaging** section
3. Click on the bin icon next to the Microsoft Teams tenant to be uninstalled
4. Confirm by clicking on the **Yes, uninstall** button in the confirmation modal 
That's it! Your Microsoft Teams tenant is now uninstalled and the associated secret incidents remain visible in the incident dashboard.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
The Microsoft Teams integration is currently available in **private beta** and has a number of limitations:
* **Integration:** Once integration has been completed, real-time secret detection is not immediately activated on all channels. The channel integration process continues in the background and may take some time, depending on the size of your Microsoft Teams. Integration progress is visible from the [Microsoft Teams integration](https://dashboard.gitguardian.com/settings/integrations/microsoft_teams)
page. 
* **Monitored channels:** The number of channels that can be included in the monitored perimeter depends on the number of subscriptions authorized by your Azure tenant. In any case, there is a hard limit of 10,000 channels that can be monitored. This limit may be lower, depending on the number of subscriptions already consumed by third-party applications. If your Microsoft Teams has too many channels, your monitoring will be partial. We prioritize the integration of **standard** channels, followed by **private** channels, then **shared** channels. 
* **Historical Scan:** Historical scans are not yet supported (coming soon).
* **Source Listing:** Monitored Microsoft Teams channels are not yet listed on the [Perimeter](https://dashboard.gitguardian.com/perimeter)
page (coming soon).
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. All channels are monitored by default.
* **Team Perimeter:** Customization of a team perimeter with Microsoft Teams channels is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Microsoft Teams.
* **Source Visibility:** The visibility of channels is partially determined. Private channels are considered `private`, while public and shared channels are considered `public` in both the UI and API.
* **Presence Check:** The presence check feature is not supported. All occurrences are considered `present` in both the UI and API.
* **Group Chats:** Group chats are not scanned.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Microsoft Teams users that your channels are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Microsoft Teams channels for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only channels relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the channel’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Microsoft Teams integration](#setup-your-microsoft-teams-integration)
* [Uninstall your Microsoft Teams tenant](#uninstall-your-microsoft-teams-tenant)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Integrate a new Confluence Data Center source | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Integrate a new Confluence Data Center source
=============================================
info
For now, only real-time scanning is supported to detect secrets in pages, blogs and comments. All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:
* [Generic High Entropy Secret](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
* [Generic Password](/secrets-detection/secrets-detection-engine/detectors/generics/generic_password)
Setting up and configuring this integration is limited to users with an **Owner** or **Manager** access level. Confluence Data Center site installation is only open to workspaces under the **Business** plan, but uninstallation is open to all. Alternatively, you can install and test secret detection in Confluence Data Center with a 30-day trial. Any secret incidents created during this period will remain accessible in your incident dashboard after the trial period.
GitGuardian integrates natively with Confluence Data Center via an **administrator Personal Access Token** that you can create from your Confluence Data Center sites. Note that GitGuardian only has **read access** to your spaces.
Setup your Confluence Data Center integration[](#setup-your-confluence-data-center-integration "Direct link to Setup your Confluence Data Center integration")
----------------------------------------------------------------------------------------------------------------------------------------------------------------
You can install GitGuardian on multiple Confluence Data Center sites to monitor your spaces.
1. Make sure you're logged as an administrator in the Confluence Data Center site you want to install
2. Go to the **Settings** page 
3. Go to the **Personal Access Tokens** section and click **Create token** to create a new PAT 
4. Provide a **Token Name**, an optional **Expiry date** and click **Create**
5. Copy your new PAT and click **Close**
6. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
7. Click on the **Install** button next to **Confluence Data Center** in the **Documentation** section 
8. Click on the **Install** button of the [Confluence Data Center integration](https://dashboard.gitguardian.com/settings/integrations/confluence_data_center)
page
9. Paste your **Confluence Data Center site URL**, your **administrator Personal Access Token** and click **Add**
That's it! Your Confluence Data Center site is installed and we are now monitoring all pages, blogs and comments of your spaces for secrets.
info
Confluence allows the creation of up to 10 PATs. GitGuardian automatically renews PATs before they expire. To do this, you must have at least 2 PAT slots free. Otherwise, an error message will warn you that the integration is no longer functional.
Uninstall your Confluence Data Center site[](#uninstall-your-confluence-data-center-site "Direct link to Uninstall your Confluence Data Center site")
-------------------------------------------------------------------------------------------------------------------------------------------------------
To uninstall a Confluence Data Center site:
1. In the GitGuardian platform, navigate to the [Sources integration](https://dashboard.gitguardian.com/settings/integrations/sources)
page
2. Click on the **Edit** button next to **Confluence Data Center** in the **Documentation** section
3. Click on the bin icon next to the Confluence Data Center site to be uninstalled
4. Confirm by clicking on the **Yes, uninstall** button in the confirmation modal 
That's it! Your Confluence Data Center site is now uninstalled.
Limitations[](#limitations "Direct link to Limitations")
----------------------------------------------------------
* **Historical Scan:** Historical scans are not yet supported (coming soon).
* **Source Listing:** Monitored Confluence Cloud spaces are not yet listed on the [Perimeter](https://dashboard.gitguardian.com/perimeter)
page (coming soon).
* **Monitored Perimeter:** Customization of the monitored perimeter is not supported. All spaces are monitored by default.
* **Team Perimeter:** Customization of a team perimeter with Confluence Cloud spaces is not supported. Users must be part of the **All-incidents** team to view and access secret incidents related to Confluence Cloud.
* **Source Visibility:** The visibility of spaces is not determined. All spaces are considered `private` in both the UI and API.
* **Presence Check:** The presence check feature is not supported. All occurrences are considered `present` in both the UI and API.
* **Occurrence metadata:** Author's email is not determined.
* **File Attachments:** File attachments are not scanned.
* **Occurrence Previews:** Previews of occurrences are not supported.
Privacy[](#privacy "Direct link to Privacy")
----------------------------------------------
Country-specific laws and regulations may require you to inform your Confluence Data Center users that your spaces are being scanned for secrets. Here is a suggestion for a message you may want to use:
> As part of our internal information security process, the company scans the Confluence Data Center spaces for potential secrets leaks using [GitGuardian](https://www.gitguardian.com/monitor-internal-repositories-for-secrets)
> . All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. _Please note that only spaces relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the space’s purpose._
#### Was this page helpful?
[](#)
[](#)
* [Setup your Confluence Data Center integration](#setup-your-confluence-data-center-integration)
* [Uninstall your Confluence Data Center site](#uninstall-your-confluence-data-center-site)
* [Limitations](#limitations)
* [Privacy](#privacy)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# PGP Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
PGP Private Key
===============
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: Pretty Good Privacy (PGP) provides cryptographic privacy and authentication for data communication. To provide this it uses a private and public key set. The public key is used to encrypt documents or verify a signature. The private key is used to decrypt and sign a document. The public key can be distributed freely whereas the private key must remain private. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
To revoke the secret, a new key set needs to be generated and the new public key needs to be distributed. Note however that everything that was encrypted with the previous public key will still be readable by someone that has the previous private key.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
There is no standard way of checking for suspicious activity.
### Details for `Base64 private key pgp`[](#details-for-base64-private-key-pgp "Direct link to details-for-base64-private-key-pgp")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 0.14
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibqr1agufjjvkfursblrvkgqkxpq0stls0tl - 0tls0tqkvhsu4guedqifbssvzbveugs0vziejmt0nlls0tls - tls0tlujfr0loifbhucbquklwqvrfietfwsbcte9dsy0tls0t
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLSBWZXJzaW9uOiBCQ1BHIEMjIHYxLjYuMS4wCmxRT3NCRnZwWWFrQkNBQ2liWkxMbXpUWkQ1REZ5ZG8ySlFnek5kRFdiZ0JvY1VNaVhKSldFMkJxK1gxTzk3T3ogSWlEblhWT0pmNzIzTXExOWk0ckx6ZytFbzdHREQ5alo1Z0syeHZmRU5EYkcxSVVyNEtLWStDQ0pVNXNWRzVucyBvOVhlZHZrQnNaalFwOWVPZmpFMjFXcTZGWTZZb012SlkvNlh4MHdmdHMvdXBiUDdhOWhuRjdKV0gzdDR1SVhzIEVpeFV2dTRJODVzU0E4Vk1tdjNXVHJReGVpeXJYUEVEdFR2OHlYRkM0NzljNGNySlU1UnE1WnNDMVV4bFlQTGMgdUtObEpHRVZ1TVgvd3JDYy9YZFBxMDlGeWNQdnFzOUZhTzdUTkhUTUJMR0ttL0Fmc1lTdm9jOGNNaFBpYXYvUyBhbHA3VUVHbzhKQnhnanZBU0YzSkR3NENWRE1UMXNWbktRakRBQkVCQUFIL0F3TUM5ZVlKREFWV1l2WmdibFc1IEFlUjVpQWwram9YK3ZsdEMyeFVjZjQzLzRlWm9QeGpzK1VsR0RUUEYvOXArYm8ySk1aODM4eDdRMXVyNlhOamogUUpoRWNGMEt6KzY0ZWVFbCswVVhyQ1pQc2ZEZmx3aTJPK3d3K3dQeE5yN3ZmWVJoVThGYTVPT2xlU21yelRCSyBicFFyNGtsMW4vQzF5aW1LWTNKYWpvWXJiY2hKOXljMUI2RzNLbUxqTEdKbitQeUJHaVM0OUJPd1I3L2NNTkcwIEszOE82NmExQ0hUcE5DOE9aWDlqaUFnek5PYVBNQkVwUmFhSTJjZmMvSFVVM0wyYkdvV3A3VlZFZVFVTHdGaGEgenF6UVI1NjlwRnkwdHQ4MlMxNU5tellNUC9xSlJvWklaQjIwcEMyVzc0YzROd0xxWDdCUnJuSFlIanJTWUxOLyBnMTBiN3BpaGkyZUpnbzNzd1RWY3o1Nll1OW5wMnExbkhwbVA5SFYxTFBHMkl6MFA2aC82ZWNTbGR0eGxXYVJhIFMzMXNjdHV4ZHZzd29heXdHeXB4cTFlYjlIV1RmMW5DbVB3ZVh0c0VibkpOaTl4TThhK2lVQ1RjelpMVHJmd0wgUXpJZDNuRms5R05md3V0SkZxTllCNXhFc0RweUZZZW9na21JREF4Yk5Cb2ZRZXNyUVREMDVGTGpvSklUUy95VyA2KzhsYnBET2FmYlMrNWJ1OVQyY3FoQytoR1o2YTZyWDRodFRVb05jNkxzZEt6MktzNkExelZ5TzZ0TGVHYSt4IEJYNGZzcUg0cVhlb3dCNWZWSmlKSU4vY2ZEWmlHUEFQcVhNSTBYazgxOXo1S0J4ZVN1OUZ6ZndYL2o0bURTNTQgWHlhR0VBaldGZys4c1hSbVc4ZmFySG9KeTE1UVlGM1QrRXBKcXpnWDkydnc4WENOZmZyUlhnQ2RsVHJGSzg5QiBYY2REdFRvR1Uxa1ZlQmptQ24veHhJZmR6aDJ5RXNUYVNjVXNxS05UdW1kT1lYV0NEYVI4elQvQlhtbVB1N1JSIHB3UERsZDR5YlNSeUhaZHM5bmJuQ2hDbDQ3V3lXSVpJaVlJL1dmU282UEQ2WGp2NU9ON0FhaUM5WnpYT3dzR2IgQXd1UlBadlo2SDRPQU1hVU42WmNTdUhZVEIxbTU2clhPL2tBb0FNcTRiUU5kRzkwYjBCdFlXbHNMbU52YllrQiBIQVFRQVFJQUJnVUNXK2xocVFBS0NSQUZqQWJ4dHhyZ0gyR1JDQUNHdHhkWGN6TktndGZXTm5JR1oybFJicFlLIGN2S0F5bCtqcTQ1WjYvUGFtalBvMUp2K21LUTMzUTgrYkMyM1B1OWdYKzh2VEtxVVFwSnh4dUhRN0ZTeWlndEsgTDBPREFDdDFmcWxJNFA1R1dIMDF5NE5DMVAxVndmdnIvQzNIa3RPRnh1cUtnbXEySm9RVGRqb0dCWkdwT0hLWSBXQVJiZzY2N01mY2RBL3RRd2QrWHBFRExlS0MxNkZReDlkL0IxclRHOUtiY1ZCb1lQUU0wenBPajk5MHJMYk80IEt0ZFM3d0FxcWNzQkN5K3dTYUV5VlFKZkc2T0pIY2pCODluci9Pd0xuTDJmVEJnVkJQUFdtZ3lUSzNYUXM3QWQgSWUwQlBHbUI2SCtrV1htbG1QbTlGNzFDbXoyaVR2cnZJNU8vL20wRnZzb1NYall2UzJPWEVCK1dpMFljID1Sa0tUIC0tLS0tRU5EIFBHUCBQUklWQVRFIEtFWSBCTE9DSy0tLS0tCg==
Here's the decoded string:
-----BEGIN PGP PRIVATE KEY BLOCK----- Version: BCPG C# v1.6.1.0lQOsBFvpYakBCACibZLLmzTZD5DFydo2JQgzNdDWbgBocUMiXJJWE2Bq+X1O97OzIiDnXVOJf723Mq19i4rLzg+Eo7GDD9jZ5gK2xvfENDbG1IUr4KKY+CCJU5sVG5nso9XedvkBsZjQp9eOfjE21Wq6FY6YoMvJY/6Xx0wfts/upbP7a9hnF7JWH3t4uIXsEixUvu4I85sSA8VMmv3WTrQxeiyrXPEDtTv8yXFC479c4crJU5Rq5ZsC1UxlYPLcuKNlJGEVuMX/wrCc/XdPq09FycPvqs9FaO7TNHTMBLGKm/AfsYSvoc8cMhPiav/Salp7UEGo8JBxgjvASF3JDw4CVDMT1sVnKQjDABEBAAH/AwMC9eYJDAVWYvZgblW5AeR5iAl+joX+vltC2xUcf43/4eZoPxjs+UlGDTPF/9p+bo2JMZ838x7Q1ur6XNjjQJhEcF0Kz+64eeEl+0UXrCZPsfDflwi2O+ww+wPxNr7vfYRhU8Fa5OOleSmrzTBKbpQr4kl1n/C1yimKY3JajoYrbchJ9yc1B6G3KmLjLGJn+PyBGiS49BOwR7/cMNG0K38O66a1CHTpNC8OZX9jiAgzNOaPMBEpRaaI2cfc/HUU3L2bGoWp7VVEeQULwFhazqzQR569pFy0tt82S15NmzYMP/qJRoZIZB20pC2W74c4NwLqX7BRrnHYHjrSYLN/g10b7pihi2eJgo3swTVcz56Yu9np2q1nHpmP9HV1LPG2Iz0P6h/6ecSldtxlWaRaS31sctuxdvswoaywGypxq1eb9HWTf1nCmPweXtsEbnJNi9xM8a+iUCTczZLTrfwLQzId3nFk9GNfwutJFqNYB5xEsDpyFYeogkmIDAxbNBofQesrQTD05FLjoJITS/yW6+8lbpDOafbS+5bu9T2cqhC+hGZ6a6rX4htTUoNc6LsdKz2Ks6A1zVyO6tLeGa+xBX4fsqH4qXeowB5fVJiJIN/cfDZiGPAPqXMI0Xk819z5KBxeSu9FzfwX/j4mDS54XyaGEAjWFg+8sXRmW8farHoJy15QYF3T+EpJqzgX92vw8XCNffrRXgCdlTrFK89BXcdDtToGU1kVeBjmCn/xxIfdzh2yEsTaScUsqKNTumdOYXWCDaR8zT/BXmmPu7RRpwPDld4ybSRyHZds9nbnChCl47WyWIZIiYI/WfSo6PD6Xjv5ON7AaiC9ZzXOwsGbAwuRPZvZ6H4OAMaUN6ZcSuHYTB1m56rXO/kAoAMq4bQNdG90b0BtYWlsLmNvbYkBHAQQAQIABgUCW+lhqQAKCRAFjAbxtxrgH2GRCACGtxdXczNKgtfWNnIGZ2lRbpYKcvKAyl+jq45Z6/PamjPo1Jv+mKQ33Q8+bC23Pu9gX+8vTKqUQpJxxuHQ7FSyigtKL0ODACt1fqlI4P5GWH01y4NC1P1Vwfvr/C3HktOFxuqKgmq2JoQTdjoGBZGpOHKYWARbg667MfcdA/tQwd+XpEDLeKC16FQx9d/B1rTG9KbcVBoYPQM0zpOj990rLbO4KtdS7wAqqcsBCy+wSaEyVQJfG6OJHcjB89nr/OwLnL2fTBgVBPPWmgyTK3XQs7AdIe0BPGmB6H+kWXmlmPm9F71Cmz2iTvrvI5O//m0FvsoSXjYvS2OXEB+Wi0Yc=RkKT-----END PGP PRIVATE KEY BLOCK-----
### Details for `Private key pgp`[](#details-for-private-key-pgp "Direct link to details-for-private-key-pgp")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 4.32
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin pgp private key block-----'
### Examples[](#examples-1 "Direct link to Examples")
- text: > -----BEGIN PGP PRIVATE KEY BLOCK----- Version: BCPG C# v1.6.1.0 lQOsBFvpYakBCACibZLLmzTZD5DFydo2JQgzNdDWbgBocUMiXJJWE2Bq+X1O97Oz IiDnXVOJf723Mq19i4rLzg+Eo7GDD9jZ5gK2xvfENDbG1IUr4KKY+CCJU5sVG5ns o9XedvkBsZjQp9eOfjE21Wq6FY6YoMvJY/6Xx0wfts/upbP7a9hnF7JWH3t4uIXs EixUvu4I85sSA8VMmv3WTrQxeiyrXPEDtTv8yXFC479c4crJU5Rq5ZsC1UxlYPLc uKNlJGEVuMX/wrCc/XdPq09FycPvqs9FaO7TNHTMBLGKm/AfsYSvoc8cMhPiav/S alp7UEGo8JBxgjvASF3JDw4CVDMT1sVnKQjDABEBAAH/AwMC9eYJDAVWYvZgblW5 AeR5iAl+joX+vltC2xUcf43/4eZoPxjs+UlGDTPF/9p+bo2JMZ838x7Q1ur6XNjj QJhEcF0Kz+64eeEl+0UXrCZPsfDflwi2O+ww+wPxNr7vfYRhU8Fa5OOleSmrzTBK bpQr4kl1n/C1yimKY3JajoYrbchJ9yc1B6G3KmLjLGJn+PyBGiS49BOwR7/cMNG0 K38O66a1CHTpNC8OZX9jiAgzNOaPMBEpRaaI2cfc/HUU3L2bGoWp7VVEeQULwFha zqzQR569pFy0tt82S15NmzYMP/qJRoZIZB20pC2W74c4NwLqX7BRrnHYHjrSYLN/ g10b7pihi2eJgo3swTVcz56Yu9np2q1nHpmP9HV1LPG2Iz0P6h/6ecSldtxlWaRa S31sctuxdvswoaywGypxq1eb9HWTf1nCmPweXtsEbnJNi9xM8a+iUCTczZLTrfwL QzId3nFk9GNfwutJFqNYB5xEsDpyFYeogkmIDAxbNBofQesrQTD05FLjoJITS/yW 6+8lbpDOafbS+5bu9T2cqhC+hGZ6a6rX4htTUoNc6LsdKz2Ks6A1zVyO6tLeGa+x BX4fsqH4qXeowB5fVJiJIN/cfDZiGPAPqXMI0Xk819z5KBxeSu9FzfwX/j4mDS54 XyaGEAjWFg+8sXRmW8farHoJy15QYF3T+EpJqzgX92vw8XCNffrRXgCdlTrFK89B XcdDtToGU1kVeBjmCn/xxIfdzh2yEsTaScUsqKNTumdOYXWCDaR8zT/BXmmPu7RR pwPDld4ybSRyHZds9nbnChCl47WyWIZIiYI/WfSo6PD6Xjv5ON7AaiC9ZzXOwsGb AwuRPZvZ6H4OAMaUN6ZcSuHYTB1m56rXO/kAoAMq4bQNdG90b0BtYWlsLmNvbYkB HAQQAQIABgUCW+lhqQAKCRAFjAbxtxrgH2GRCACGtxdXczNKgtfWNnIGZ2lRbpYK cvKAyl+jq45Z6/PamjPo1Jv+mKQ33Q8+bC23Pu9gX+8vTKqUQpJxxuHQ7FSyigtK L0ODACt1fqlI4P5GWH01y4NC1P1Vwfvr/C3HktOFxuqKgmq2JoQTdjoGBZGpOHKY WARbg667MfcdA/tQwd+XpEDLeKC16FQx9d/B1rTG9KbcVBoYPQM0zpOj990rLbO4 KtdS7wAqqcsBCy+wSaEyVQJfG6OJHcjB89nr/OwLnL2fTBgVBPPWmgyTK3XQs7Ad Ie0BPGmB6H+kWXmlmPm9F71Cmz2iTvrvI5O//m0FvsoSXjYvS2OXEB+Wi0Yc =RkKT -----END PGP PRIVATE KEY BLOCK-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key pgp`](#details-for-base64-private-key-pgp)
* [Examples](#examples)
* [Details for `Private key pgp`](#details-for-private-key-pgp)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Elliptic Curve Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Elliptic Curve Private Key
==========================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: The elliptic-curve cryptography (ECC) algorithm can be used to authenticate to services. It works with a public and private key set. The client uses the private key to authenticate to the service that has the public key. Only the private key is sensitive. The public key is not sensitive and can be distributed freely. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Base64 private key elliptic`[](#details-for-base64-private-key-elliptic "Direct link to details-for-base64-private-key-elliptic")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 4.66
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibfqybquklwqvrfietfws0tls0t - 0tls0tqkvhsu4grumgufjjvkfursblrvktls0tl - tls0tlujfr0loievdifbssvzbveugs0vzls0tls
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tIFByb2MtVHlwZTogNCxFTkNSWVBURUQgREVLLUluZm86IEFFUy0xMjgtQ0JDLEZDQjY2NjY1NDcyMjZCOTA4NDFFMDkzMzVDOTdBMUEyCld1a3BBM0xTSTZzV2pKcUNPVG5hbHlTOURrZ3dLWWNVcWxZdllwVnNQUk54SUtvZVFHNm9URXVod01icnJ6djYgVEZHbzdZSkE1SkcrMHJaOUcxd3VTT3lNZERCdW1TbkY2bzhpd1pmQnZYSlJzRDNtdytBR1p4OGxBbnd0bHluRSBqY0ZPQWtUa3o0TktpTmd5ZGlDekNNUXg4dmRsNVBWSVFCWWllZ0NHVDBvPSAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCg==
Here's the decoded string:
-----BEGIN EC PRIVATE KEY-----Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,FCB6666547226B90841E09335C97A1A2WukpA3LSI6sWjJqCOTnalyS9DkgwKYcUqlYvYpVsPRNxIKoeQG6oTEuhwMbrrzv6TFGo7YJA5JG+0rZ9G1wuSOyMdDBumSnF6o8iwZfBvXJRsD3mw+AGZx8lAnwtlynEjcFOAkTkz4NKiNgydiCzCMQx8vdl5PVIQBYiegCGT0o=-----END EC PRIVATE KEY-----
### Details for `Private key elliptic`[](#details-for-private-key-elliptic "Direct link to details-for-private-key-elliptic")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 24.46
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin ec private key-----'
### Examples[](#examples-1 "Direct link to Examples")
- text: > -----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,FCB6666547226B90841E09335C97A1A2 WukpA3LSI6sWjJqCOTnalyS9DkgwKYcUqlYvYpVsPRNxIKoeQG6oTEuhwMbrrzv6 TFGo7YJA5JG+0rZ9G1wuSOyMdDBumSnF6o8iwZfBvXJRsD3mw+AGZx8lAnwtlynE jcFOAkTkz4NKiNgydiCzCMQx8vdl5PVIQBYiegCGT0o= -----END EC PRIVATE KEY-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key elliptic`](#details-for-base64-private-key-elliptic)
* [Examples](#examples)
* [Details for `Private key elliptic`](#details-for-private-key-elliptic)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# RSA Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
RSA Private Key
===============
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: The RSA algorithm can be used to authenticate to services. It works with a public and private key set. The client uses the private key to authenticate to the service that has the public key. Only the private key is sensitive. The public key is not sensitive and can be distributed freely. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Base64 private key rsa`[](#details-for-base64-private-key-rsa "Direct link to details-for-base64-private-key-rsa")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 18.4
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibsu0egufjjvkfursblrvktls0tl - 0tls0tqkvhsu4gulnbifbssvzbveugs0vzls0tls - tls0tlujfr0loifjtqsbquklwqvrfietfws0tls0t
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLSBNSUlFcFFJQkFBS0NBUUVBMHBqMzJMYXBEeHN2c09kZ1ZXemtaTWRwL2s3UitLSmh1WExVeEZUdVJRRmxCRGNjIG1JUGJrS3pjSlpPOHBUWGxScnFhNFRpT0xtZFNNMUFBVzRjSVg2eE5Zak82VjZYeDd3c1hudGcyWWxZbE41OWUgbGJhajA4Vlk1OVhSd1RETnFCbklOVVZHZEpLeTJxeGUvTlVmMCt2dHA5RmJtczRhS1l5b1A2RzZ6VlV0VmpMaSB2WnpHOCszekVKbEhKelR1NVRUdXJxWUx4UFNJSkNTeENGV3VxY21pTzd3RnIvSWR0emJ5Z21JM0Q0ZGxDUDUxIGF6WjRQblhZVlhCYjZUZUIwRllFQzdrQWxTTUZiS1ZSa3VSQXlyTFFieEpXSk5RT01GUk80WFJ5YUNFYlpLdE8gNWlnNnp0OEFuOG5jZmNOTGdZQXN2TE9ncEJ5cStrVS9OeTk4Q3dJREFRQUJBb0lCQVFERFFva3FLZEg5NjVzQSBUc2NHN1h1bDVTN2xWM2RmTEUrbmZreS83Rzh2RStmeFRKZjY0T2JHOFQ3OHFFb1VkREFzci8vQ0tvbkpoSXEyIGdNcVVFbE0xUWJCT0NPQVJQQTloTDh1cXY1Vk0vOHBxRkIzQ2VpRFR6UHB0bWRadFpTNkpXYjVEaGdPWk9oc1MgblJkRkhPWHh1NklTSXc3b0xZZ2NWZ241Vlo2NW1Uek42eUI3cEtzWWtibTBOY0pjbUxuZnVHYnBRRVAzV21DOSBYNHdPN2dhbEtkSFh1U3hSZGNKeENhZzJrMFc3UzRVQWJwMXRQbVJBZURkT1hxYkdMN2h1MTRyVVpZdGtpdVJQIDU0NkdEdk92K21lSHBESnZlMWhaMjBDSDJrUlZxNERDNjRwclBOZlJKMWV4U2Q5NHZsaG9rV0w2U3pUWEl0d20gTDhUVW5IZUJBb0dCQVBUaTZXcWJWY0w5VXkycUpBOGZKZzdvTjR5US9nb09oK21sVzNGc2RpZzBWc1FqeFdXSSBmdGIvdER2NlV5SHc1ME1zNjZnVCtoNGRXZXBGVkZEUGIzOEhBaG9VL1J2bU5DSFdkMzNObWhkMXFmMmpPUWlSIFE5cTJxSjBnRmdLRmxyYkpOVE9rYUZuaTJVZEo3eVNTOTM3QzJyZE9tNUdUT2FDT0RsNk00VWpSQW9HQkFOd24gc0ZkVC9IZVkybHg4NCtqTXhyelZPZU5VcGVseWU5RytWWWs1cG9JTUJTWFg0UW0wVjRFaG1CT0E0ZEVHd2ZoUiB5Vy9wMVRHMHV6dk91MmlnVVZ4MlljYXhVWk1MQlNueSsrYXdVY25BYklvTjE3NXZxUzB6aEdLZktnc0sxYWszIC84UDMyek1tMXZTejNaUi8rdHpnY2F5V21PRThPMUNmdytaa3MyNGJBb0dCQUlla2pLQVZUSXJHSU9XaFlYblMgeWhUbHdhY2x4T0V6TFV0WTRXN1JJaDJnNkJLYXNjTk11TjFFSThRNUl3VWcyQ2hZWUd2b0xObXpibE9hZFZxUiBtL09qb1NGclVNdThWbElMNW9JVGVXL1hLQUtxLzNOa2EwNWhjTUlmdkxGRzU3VjFlL2VQOEpFaFd6TG1uQVVKIE52ZkszTFUrWUdOaFJrRk5qbDRHOE42UkFvR0JBSk1tQS91YXF6alU5YjZ6eXpHakRZTFJraXVjUEhqWWlHSWMgc2RkU3JUUm5ERm5LL1NNYll4RndmdEVxWjhUcW0yTjZad1ZpYVprYmo3bmQ1KzE2bW1jT3lUT2crVUVyTUh4bCBhSEU4a0s0azYyY3E4WFRiOVZ1OC8xTmJ4eUl5VDdVWE5PQ3JIZHdHcmM1SkdtVlRWVDJrMXRYZ29yYUpKNnd2IDNTUjFVbWpaQW9HQVJWMjZ3NlZNUUtWMFk0bnRuU0lvR1lXTzkvMTVnU2UySDNEZStJUHM0THlPUDcxNElzaSsgMkpjTzRRUHZnUmZkNUk1Rlk2RlRpN1QwR3oyL0RYSGdndjlEWE05UTJ5WE1oViszdGtUdU5GZUR3Qnc3cVJHeSBtQ3dPY0F3SEo2R3RDTnZCRGxwb3Q2U2F1SEVLS3B6UW9idHE3Z2lJRVUzYVNZUjJ1bk5nNHdBPSAtLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ
Here's the decoded string:
-----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEA0pj32LapDxsvsOdgVWzkZMdp/k7R+KJhuXLUxFTuRQFlBDccmIPbkKzcJZO8pTXlRrqa4TiOLmdSM1AAW4cIX6xNYjO6V6Xx7wsXntg2YlYlN59elbaj08VY59XRwTDNqBnINUVGdJKy2qxe/NUf0+vtp9Fbms4aKYyoP6G6zVUtVjLivZzG8+3zEJlHJzTu5TTurqYLxPSIJCSxCFWuqcmiO7wFr/IdtzbygmI3D4dlCP51azZ4PnXYVXBb6TeB0FYEC7kAlSMFbKVRkuRAyrLQbxJWJNQOMFRO4XRyaCEbZKtO5ig6zt8An8ncfcNLgYAsvLOgpByq+kU/Ny98CwIDAQABAoIBAQDDQokqKdH965sATscG7Xul5S7lV3dfLE+nfky/7G8vE+fxTJf64ObG8T78qEoUdDAsr//CKonJhIq2gMqUElM1QbBOCOARPA9hL8uqv5VM/8pqFB3CeiDTzPptmdZtZS6JWb5DhgOZOhsSnRdFHOXxu6ISIw7oLYgcVgn5VZ65mTzN6yB7pKsYkbm0NcJcmLnfuGbpQEP3WmC9X4wO7galKdHXuSxRdcJxCag2k0W7S4UAbp1tPmRAeDdOXqbGL7hu14rUZYtkiuRP546GDvOv+meHpDJve1hZ20CH2kRVq4DC64prPNfRJ1exSd94vlhokWL6SzTXItwmL8TUnHeBAoGBAPTi6WqbVcL9Uy2qJA8fJg7oN4yQ/goOh+mlW3Fsdig0VsQjxWWIftb/tDv6UyHw50Ms66gT+h4dWepFVFDPb38HAhoU/RvmNCHWd33Nmhd1qf2jOQiRQ9q2qJ0gFgKFlrbJNTOkaFni2UdJ7ySS937C2rdOm5GTOaCODl6M4UjRAoGBANwnsFdT/HeY2lx84+jMxrzVOeNUpelye9G+VYk5poIMBSXX4Qm0V4EhmBOA4dEGwfhRyW/p1TG0uzvOu2igUVx2YcaxUZMLBSny++awUcnAbIoN175vqS0zhGKfKgsK1ak3/8P32zMm1vSz3ZR/+tzgcayWmOE8O1Cfw+Zks24bAoGBAIekjKAVTIrGIOWhYXnSyhTlwaclxOEzLUtY4W7RIh2g6BKascNMuN1EI8Q5IwUg2ChYYGvoLNmzblOadVqRm/OjoSFrUMu8VlIL5oITeW/XKAKq/3Nka05hcMIfvLFG57V1e/eP8JEhWzLmnAUJNvfK3LU+YGNhRkFNjl4G8N6RAoGBAJMmA/uaqzjU9b6zyzGjDYLRkiucPHjYiGIcsddSrTRnDFnK/SMbYxFwftEqZ8Tqm2N6ZwViaZkbj7nd5+16mmcOyTOg+UErMHxlaHE8kK4k62cq8XTb9Vu8/1NbxyIyT7UXNOCrHdwGrc5JGmVTVT2k1tXgoraJJ6wv3SR1UmjZAoGARV26w6VMQKV0Y4ntnSIoGYWO9/15gSe2H3De+IPs4LyOP714Isi+2JcO4QPvgRfd5I5FY6FTi7T0Gz2/DXHggv9DXM9Q2yXMhV+3tkTuNFeDwBw7qRGymCwOcAwHJ6GtCNvBDlpot6SauHEKKpzQobtq7giIEU3aSYR2unNg4wA=-----END RSA PRIVATE KEY-----
### Details for `Private key rsa`[](#details-for-private-key-rsa "Direct link to details-for-private-key-rsa")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 614.31
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin rsa private key-----'
### Examples[](#examples-1 "Direct link to Examples")
[ { 'text': '-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA0pj32LapDxsvsOdgVWzkZMdp/k7R+KJhuXLUxFTuRQFlBDcc mIPbkKzcJZO8pTXlRrqa4TiOLmdSM1AAW4cIX6xNYjO6V6Xx7wsXntg2YlYlN59e lbaj08VY59XRwTDNqBnINUVGdJKy2qxe/NUf0+vtp9Fbms4aKYyoP6G6zVUtVjLi vZzG8+3zEJlHJzTu5TTurqYLxPSIJCSxCFWuqcmiO7wFr/IdtzbygmI3D4dlCP51 azZ4PnXYVXBb6TeB0FYEC7kAlSMFbKVRkuRAyrLQbxJWJNQOMFRO4XRyaCEbZKtO 5ig6zt8An8ncfcNLgYAsvLOgpByq+kU/Ny98CwIDAQABAoIBAQDDQokqKdH965sA TscG7Xul5S7lV3dfLE+nfky/7G8vE+fxTJf64ObG8T78qEoUdDAsr//CKonJhIq2 gMqUElM1QbBOCOARPA9hL8uqv5VM/8pqFB3CeiDTzPptmdZtZS6JWb5DhgOZOhsS nRdFHOXxu6ISIw7oLYgcVgn5VZ65mTzN6yB7pKsYkbm0NcJcmLnfuGbpQEP3WmC9 X4wO7galKdHXuSxRdcJxCag2k0W7S4UAbp1tPmRAeDdOXqbGL7hu14rUZYtkiuRP 546GDvOv+meHpDJve1hZ20CH2kRVq4DC64prPNfRJ1exSd94vlhokWL6SzTXItwm L8TUnHeBAoGBAPTi6WqbVcL9Uy2qJA8fJg7oN4yQ/goOh+mlW3Fsdig0VsQjxWWI ftb/tDv6UyHw50Ms66gT+h4dWepFVFDPb38HAhoU/RvmNCHWd33Nmhd1qf2jOQiR Q9q2qJ0gFgKFlrbJNTOkaFni2UdJ7ySS937C2rdOm5GTOaCODl6M4UjRAoGBANwn sFdT/HeY2lx84+jMxrzVOeNUpelye9G+VYk5poIMBSXX4Qm0V4EhmBOA4dEGwfhR yW/p1TG0uzvOu2igUVx2YcaxUZMLBSny++awUcnAbIoN175vqS0zhGKfKgsK1ak3 /8P32zMm1vSz3ZR/+tzgcayWmOE8O1Cfw+Zks24bAoGBAIekjKAVTIrGIOWhYXnS yhTlwaclxOEzLUtY4W7RIh2g6BKascNMuN1EI8Q5IwUg2ChYYGvoLNmzblOadVqR m/OjoSFrUMu8VlIL5oITeW/XKAKq/3Nka05hcMIfvLFG57V1e/eP8JEhWzLmnAUJ NvfK3LU+YGNhRkFNjl4G8N6RAoGBAJMmA/uaqzjU9b6zyzGjDYLRkiucPHjYiGIc sddSrTRnDFnK/SMbYxFwftEqZ8Tqm2N6ZwViaZkbj7nd5+16mmcOyTOg+UErMHxl aHE8kK4k62cq8XTb9Vu8/1NbxyIyT7UXNOCrHdwGrc5JGmVTVT2k1tXgoraJJ6wv 3SR1UmjZAoGARV26w6VMQKV0Y4ntnSIoGYWO9/15gSe2H3De+IPs4LyOP714Isi+ 2JcO4QPvgRfd5I5FY6FTi7T0Gz2/DXHggv9DXM9Q2yXMhV+3tkTuNFeDwBw7qRGy mCwOcAwHJ6GtCNvBDlpot6SauHEKKpzQobtq7giIEU3aSYR2unNg4wA= -----END RSA PRIVATE KEY-----\n', },]
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key rsa`](#details-for-base64-private-key-rsa)
* [Examples](#examples)
* [Details for `Private key rsa`](#details-for-private-key-rsa)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Overview | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Overview
========
GitGuardian specializes in detecting secrets within source code, yet we also plan to expand to monitoring other sources such as messaging systems, project management boards, wikis, etc.
### CI/CD integrations: secrets detection in your CI/CD workflow.[](#cicd-integrations-secrets-detection-in-your-cicd-workflow "Direct link to CI/CD integrations: secrets detection in your CI/CD workflow.")
GitGuardian integrates with the most common CI tools via our CLI application: [`ggshield`](/ggshield-docs/getting-started)
.
GitGuardian currently supports:
* [Azure pipelines](/ggshield-docs/integrations/cicd-integrations/azure-pipelines)
* [Bitbucket pipelines](/ggshield-docs/integrations/cicd-integrations/bitbucket-pipelines)
* [Circle CI](/ggshield-docs/integrations/cicd-integrations/circle-ci)
* [Drone CI](/ggshield-docs/integrations/cicd-integrations/drone-ci)
* [GitHub Actions](/ggshield-docs/integrations/cicd-integrations/github-actions)
* [GitLab pipelines](/ggshield-docs/integrations/cicd-integrations/gitlab-pipelines)
* [Jenkins CI](/ggshield-docs/integrations/cicd-integrations/jenkins-ci)
* [Travis CI](/ggshield-docs/integrations/cicd-integrations/travis-ci)
### Git hooks: prevent secrets from reaching your VCS.[](#git-hooks-prevent-secrets-from-reaching-your-vcs "Direct link to Git hooks: prevent secrets from reaching your VCS.")
GitGuardian's CLI application, [ggshield](/ggshield-docs/getting-started)
enables you to integrate secrets detection in git workflow and shift left your security.
GitGuardian currently supports the following hooks:
* [pre-commit](/ggshield-docs/integrations/git-hooks/pre-commit)
* [pre-push](/ggshield-docs/integrations/git-hooks/pre-push)
* [pre-receive](/ggshield-docs/integrations/git-hooks/pre-receive)
### Docker[](#docker "Direct link to Docker")
GitGuardian's CLI application, [ggshield](/ggshield-docs/getting-started)
enables you to [scan Docker images](/ggshield-docs/integrations/docker/docker_image)
.
### Monitoring other sources[](#monitoring-other-sources "Direct link to Monitoring other sources")
GitGuardian intends to progressively support more data sources for secrets scanning in the future. Since version 1.14.1, ggshield supports a new docset input format. Refer to the [corresponding documentation](/ggshield-docs/integrations/other-data-sources/)
for more details.
If GitGuardian does not yet support one of the sources you would like to monitor, you can build your own integration by leveraging our [public API for secrets detection](/api-docs/introduction)
.
### Troubleshooting connectivity problems[](#troubleshooting-connectivity-problems "Direct link to Troubleshooting connectivity problems")
In case you experience connectivity problems with your GitGuardian instance, please refer to this [section of GitGuardian internal monitoring documentation](/platform/monitor-perimeter/monitored-perimeter#troubleshooting-connectivity-problems)
.
#### Was this page helpful?
[](#)
[](#)
* [CI/CD integrations: secrets detection in your CI/CD workflow.](#cicd-integrations-secrets-detection-in-your-cicd-workflow)
* [Git hooks: prevent secrets from reaching your VCS.](#git-hooks-prevent-secrets-from-reaching-your-vcs)
* [Docker](#docker)
* [Monitoring other sources](#monitoring-other-sources)
* [Troubleshooting connectivity problems](#troubleshooting-connectivity-problems)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configuration | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Configuration
=============
Dependencies between the dashboard and ggshield[](#dependencies-between-the-dashboard-and-ggshield "Direct link to Dependencies between the dashboard and ggshield")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
The following paragraph describes how the GitGuardian REST API and ggshield (CLI) work in relation to the dashboard and how you can customize the dashboard experience to best fit your approach to secrets scanning in developer workflows.
Here is the complete list of settings and interactions between the dashboard and the API or CLI:
* **Ignored secret incidents**
Secrets for which the related incident has been ignored on your GitGuardian dashboard will no longer be raised by ggshield.
* **Resolved secret incidents**
If the [Regression setting is OFF](https://dashboard.gitguardian.com/settings/workspace/general)
, secrets for which the related incident has been resolved on your GitGuardian dashboard will no longer be raised by ggshield. However, if the Regression setting is turned ON, ggshield will raise them.
* **Disabled/enabled detectors**
Secrets associated with detectors you have disabled on your GitGuardian dashboard will not be raised by ggshield.
* **Activated/de-activated validity checks for secret**
ggshield follows the [validity check setting](/secrets-detection/remediate/investigate-incidents#enabling-and-disabling-validity-checks)
of your GitGuardian dashboard. If this setting is turned OFF, ggshield will no longer perform validity checks, and neither will your dashboard.
* **Filepath exclusions**
Secrets found in a [filepath excluded on your GitGuardian dashboard](/secrets-detection/detect/customize-detection#filepath-exclusions)
will not be raised by ggshield.
**For each secret found with ggshield, we indicate whether it is known by your GitGuardian dashboard**. If a secret incident already exists on your GitGuardian dashboard, ggshield will also print the URL of the associated secret incident to your console.
This information can be leveraged by using the [`--ignore-known-secrets` option](/ggshield-docs/reference/secret/scan/overview)
, which makes ggshield ignore secrets that are already known to your dashboard.
General Configuration[](#general-configuration "Direct link to General Configuration")
----------------------------------------------------------------------------------------
When it comes to configuration, you can fine-tune ggshield's behavior using three sources of parameters. From higher priority to lower priority:
* CLI options
* Environment variables
* Configuration files This means that CLI options override environment variables, which override settings set in configuration files.
### CLI options[](#cli-options "Direct link to CLI options")
A few configuration parameters are available as CLI options. We recommend using `--help` with the command you intend to use to get more insights on what behaviors can be configured this way.
### Environment Variables[](#environment-variables "Direct link to Environment Variables")
Some of ggshield's behaviors can be tuned via environment variables. When starting up, ggshield will attempt to load environment variables from different environment files in the following order:
* the file pointed by the `GITGUARDIAN_DOTENV_PATH` environment variable.
* A `.env` file at the current working directory.
* A `.env` file at the root of the current git directory.
Only one of the env files will be loaded out of the three.
#### List of supported environment variables[](#list-of-supported-environment-variables "Direct link to List of supported environment variables")
* `GITGUARDIAN_API_KEY`: API Key for the GitGuardian API. Use this if you don't want to use the `ggshield auth` commands.
* `GITGUARDIAN_INSTANCE`: Custom URL of the GitGuardian dashboard. The API URL will be inferred from it.
* `GITGUARDIAN_DONT_LOAD_ENV`: If set to any value then environment variables won't be loaded from a file.
* `GITGUARDIAN_DOTENV_PATH`: If set to a path, ggshield will attempt to load the environment from the specified file.
* `GITGUARDIAN_TIMEOUT`: If set to a float, `ggshield secret scan pre-receive` will timeout after the specified value. Set to 0 to disable the timeout.
* `GITGUARDIAN_MAX_COMMITS_FOR_HOOK`: If set to an int, `ggshield secret scan pre-receive` and `ggshield secret scan pre-push` will not scan more than the specified value of commits in a single scan.
* `GITGUARDIAN_CRASH_LOG`: If set to True, ggshield will display a full traceback when crashing.
* `GITGUARDIAN_LOG_FILE`: If set to a file, ggshield will send log output to it. You can also set it to `-` to send output to stderr. Equivalent to the [`--log-file` option](/ggshield-docs/reference/overview#options)
.
### Configuration files[](#configuration-files "Direct link to Configuration files")
Configuration files selection in `ggshield` follows a global to local hierarchy.
`ggshield` will first search for a **global** configuration file in the user's home directory:
* `~/.gitguardian.yaml` on Linux or MacOS
* `%USERPROFILE%\.gitguardian.yaml` on Windows
`ggshield` will then search for a **local** configuration file in the current working directory (i.e.: `./.gitguardian.yaml`).
Alternatively, the `--config-path` or `-c` option can be used to specify a custom configuration file:
ggshield --config-path ~/Desktop/custom_config.yaml secret scan path -r .
In this case, neither local nor global configuration files will be evaluated.
A sample configuration file can be found hereunder:
# Required, otherwise ggshield considers the file to use the deprecated v1 formatversion: 2# Set to true if the desired exit code for the CLI is always 0, otherwise the# exit code will be 1 if incidents are found.exit_zero: false # default: falseverbose: false # default: falseinstance: https://dashboard.gitguardian.com # default: https://dashboard.gitguardian.com# Maximum commits to scan in a hook.max_commits_for_hook: 50 # default: 50# Accept self-signed certificates for the API.allow_self_signed: false # default: falsesecret: # Exclude files and paths by globbing ignored_paths: - '**/README.md' - 'doc/*' - 'LICENSE' # Ignore security incidents with the SHA256 of the occurrence obtained at output or the secret itself ignored_matches: - name: match: 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1 - name: credentials match: MY_TEST_CREDENTIAL show_secrets: false # default: false ignore_known_secrets: false # default: false # Detectors to ignore. ignored_detectors: # default: [] - Generic Password
Size limits and API call volume consideratons[](#size-limits-and-api-call-volume-consideratons "Direct link to Size limits and API call volume consideratons")
----------------------------------------------------------------------------------------------------------------------------------------------------------------
`ggshield` relies on the GitGuardian API to perform secret scanning. The maximum size for a document that can be scanned is 1MB. Any files larger than 1MB will be ignored. Using the `--verbose` option will show information about any files skipped when performing a secret scan.
The GitGuardian API limits batches of files per call to a maximum of 20 documents. If a repository or folder contains more than 20 documents, `ggshield` will bundle files into groups of 20 or fewer to be scanned per API call. Scanning repositories containing more than 20 documents will result in multiple API calls.
You can explore this topic further in the [GitGuardian API reference documentation](https://api.gitguardian.com/docs#tag/Scan-Methods)
.
Specificities for on-premise configuration[](#specificities-for-on-premise-configuration "Direct link to Specificities for on-premise configuration")
-------------------------------------------------------------------------------------------------------------------------------------------------------
`ggshield` can also be configured to run on your on-premise GitGuardian instance.
First, you need to point ggshield to your instance, by either defining the `instance` key in your `.gitguardian.yaml` configuration file or by defining the `GITGUARDIAN_INSTANCE` environment variable.
Then, you need to authenticate against your instance using the `ggshield auth login --instance https://mygitguardianinstance.mycorp.local` command using the `--instance` option, or by obtaining an API key from your dashboard administrator and storing it in the `GITGUARDIAN_API_KEY` environment variable.
#### Was this page helpful?
[](#)
[](#)
* [Dependencies between the dashboard and ggshield](#dependencies-between-the-dashboard-and-ggshield)
* [General Configuration](#general-configuration)
* [CLI options](#cli-options)
* [Environment Variables](#environment-variables)
* [Configuration files](#configuration-files)
* [Size limits and API call volume consideratons](#size-limits-and-api-call-volume-consideratons)
* [Specificities for on-premise configuration](#specificities-for-on-premise-configuration)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Remediate incidents | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Remediate incidents
===================
Guidelines (& misconceptions)[](#guidelines--misconceptions "Direct link to Guidelines (& misconceptions)")
-------------------------------------------------------------------------------------------------------------
It is crucial development teams fully understand the problem of secrets-in-code, beyond the simple act of exposing a secret in plain text and committing it to the shared codebase.
Developers need to acknowledge the threats and consequences of secrets sprawl, and picture how collaborating with security teams can strengthen the overall security posture – without compromising speed and productivity.
Collaborating with developers[](#collaborating-with-developers "Direct link to Collaborating with developers")
----------------------------------------------------------------------------------------------------------------
Involving developers is crucial for the remediation. Developers also have knowledge about the secret itself, since they are the ones who used it. They also understand the system's architecture and the services that may depend on the secret. They can provide insight into affected services and the best way to mitigate issues. This knowledge is essential in creating an effective and efficient remediation plan.
GitGuardian's goal is to enable easy collaboration with your developers by providing flexible ways to share your incidents.
### Share the incident[](#share-the-incident "Direct link to Share the incident")
You can collaborate by sharing the incident in two ways:
* Internally, with users registered on the dashboard, via the "Grant access" action. This option is only available for Business workspaces.
* Externally, with non-registered users, via the "Public sharing" action.

More details are available in our dedicated [Collaboration and sharing section](/platform/collaboration-and-sharing/incident-permissions-and-sharing)
.
### Collect the feedback[](#collect-the-feedback "Direct link to Collect the feedback")
The feedback form enables you to collect standardized feedback about an incident. To fill out the form, registered users require the "Can edit" incident permission. They can also edit or delete their own feedback.

Whenever feedback is submitted for an incident, whether by a registered user or a non-registered user, an email notification is sent:
* to the incident assignee, if applicable.
* to all users with access to the incident, if there is no assignee.
Every action taken by the developer will be logged in the incident details timeline.
> The feedback form is not customizable yet.
Remediation workflow[](#remediation-workflow "Direct link to Remediation workflow")
-------------------------------------------------------------------------------------
### Default remediation workflow[](#default-remediation-workflow "Direct link to Default remediation workflow")
Remediating an incident can be complex. That is why a remediation workflow is displayed by default on an incident's details page.

This workflow is intended to guide anyone involved in the remediation of a hardcoded secret incident. It describes the steps that must be followed to mitigate the risks of exposure.
### Custom remediation workflow[](#custom-remediation-workflow "Direct link to Custom remediation workflow")
GitGuardian provides a remediation workflow by default. As each organization has its own context and remediation policies, you have the ability to customize the remediation workflow.
#### Managing the remediation workflow[](#managing-the-remediation-workflow "Direct link to Managing the remediation workflow")
As a workspace Manager, you can manage the remediation workflow in the [Secrets detection section of your settings](https://dashboard.gitguardian.com/settings/secrets/general)
.
From here, you can create, edit or delete a custom remediation workflow. You may also have the ability to switch between the default GitGuardian remediation workflow and your custom remediation workflow.
Alternatively, you can access this section directly by clicking the `Edit workflow` button on any remediation workflow in an incident's details page.
#### Creating a new custom remediation workflow[](#creating-a-new-custom-remediation-workflow "Direct link to Creating a new custom remediation workflow")
By default, there is no custom remediation workflow on your workspace. You can create one by clicking the `Create custom workflow` button.

You will be asked to create each step of your remediation workflow:

##### Remediation workflow steps[](#remediation-workflow-steps "Direct link to Remediation workflow steps")
Each step is composed of:
* **A title** _(mandatory)_
* **A description** _(optional, Markdown syntax is not yet supported)_
* **A link** _(optional, this link is a good way to provide direct access to an external resource specific to your company)_

Once the fields are filled in, simply click on the `Add step` button to validate the creation of your step. Repeat the process to add any other steps. Note that you can create a maximum of 20 steps for a custom remediation workflow.
#### Activating a remediation workflow[](#activating-a-remediation-workflow "Direct link to Activating a remediation workflow")
Once a custom remediation workflow has been created, you are free to select between the default GitGuardian remediation workflow and your own custom remediation workflow.

Once activated, the selected remediation workflow will be immediately displayed on all your incident's details pages. It will also affect any shared incident pages.
#### Editing a custom remediation workflow[](#editing-a-custom-remediation-workflow "Direct link to Editing a custom remediation workflow")
Once created, a custom remediation workflow can be edited by:
* **Adding** a new step with the `Next Step` button
* **Editing** a step with the pen button close to it
* **Deleting** a step with the thrash button close to it
* **Reordering** steps by dragging & dropping them

Any modification will be taken into account in real-time.
#### Deleting your custom remediation workflow[](#deleting-your-custom-remediation-workflow "Direct link to Deleting your custom remediation workflow")
You can delete your custom remediation workflow with the red `Delete workflow` button. By doing this, the default GitGuardian remediation workflow will be activated automatically. This will also allow you to create a new custom remediation workflow.
### Custom messages when using GitGuardian CLI (ggshield)[](#custom-messages-when-using-gitguardian-cli-ggshield "Direct link to Custom messages when using GitGuardian CLI (ggshield)")
When GitGuardian CLI detects secrets in developers' code, whether in pre-commit or other stages, it is highly beneficial to provide them with clear instructions on using secrets in their code according to company standards (Vaults, Environment variables, ..).
Security teams have the ability to customize these messages, which will be disseminated through the CLI at different stages of the Software Development Life Cycle such as pre-commit, pre-push, and pre-receive.
[Learn more here](/ggshield-docs/reference/secret/custom-remediation-messages)
#### Was this page helpful?
[](#)
[](#)
* [Guidelines (& misconceptions)](#guidelines--misconceptions)
* [Collaborating with developers](#collaborating-with-developers)
* [Share the incident](#share-the-incident)
* [Collect the feedback](#collect-the-feedback)
* [Remediation workflow](#remediation-workflow)
* [Default remediation workflow](#default-remediation-workflow)
* [Custom remediation workflow](#custom-remediation-workflow)
* [Custom messages when using GitGuardian CLI (ggshield)](#custom-messages-when-using-gitguardian-cli-ggshield)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Getting started | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Getting started
===============

`ggshield` is a CLI application that runs in your local environment or in a CI environment to help you detect more than 400+ types of secrets.
> ggshield is open source on GitHub and accessible [here](https://github.com/GitGuardian/ggshield)
> .
`ggshield` can run:
* **in your local environment** to scan local files and repositories or as a pre-commit hook.
* **in a CI environment**,
* **in a pre-receive hook**, if you have a self-managed VCS instance
**Note :** `ggshield` uses our [public API](https://api.gitguardian.com/doc)
through [py-gitguardian](/platform/gitguardian-suite/python-sdk)
to scan files. Only metadata such as call time, request size and scan mode is stored when launching a scan with ggshield, therefore secrets incidents will not be displayed on your dashboard and **your files and secrets won't be stored**.
Step 1: Install ggshield[](#step-1-install-ggshield "Direct link to Step 1: Install ggshield")
------------------------------------------------------------------------------------------------
### Requirements[](#requirements "Direct link to Requirements")
`ggshield` works on macOS, Linux and Windows.
It requires **Python 3.8 and newer** (except for standalone packages) and git.
Some commands require additional programs:
* docker: to scan docker images.
* pip: to scan pypi packages.
### macOS[](#macos "Direct link to macOS")
#### Homebrew[](#homebrew "Direct link to Homebrew")
You can install `ggshield` using Homebrew:
$ brew install gitguardian/tap/ggshield
Upgrading is handled by Homebrew.
#### Standalone .pkg package[](#standalone-pkg-package "Direct link to Standalone .pkg package")
Alternatively, you can download and install a standalone .pkg package from [`ggshield` release page](https://github.com/GitGuardian/ggshield/releases)
.
This package _does not_ require installing Python, but you have to manually download new versions.
### Linux[](#linux "Direct link to Linux")
#### Deb and RPM packages[](#deb-and-rpm-packages "Direct link to Deb and RPM packages")
Deb and RPM packages are available on [Cloudsmith](https://cloudsmith.io/~gitguardian/repos/ggshield/packages/)
.
Setup instructions:
* [Deb packages](https://cloudsmith.io/~gitguardian/repos/ggshield/setup/#formats-deb)
* [RPM packages](https://cloudsmith.io/~gitguardian/repos/ggshield/setup/#formats-rpm)
Upgrading is handled by the package manager.
### Windows[](#windows "Direct link to Windows")
#### Standalone .zip archive[](#standalone-zip-archive "Direct link to Standalone .zip archive")
We provide a standalone .zip archive on [`ggshield` release page](https://github.com/GitGuardian/ggshield/releases)
.
Unpack the archive on your disk, then add the directory containing the `ggshield.exe` file to `%PATH%`.
This archive _does not_ require installing Python, but you have to manually download new versions.
### All operating systems[](#all-operating-systems "Direct link to All operating systems")
`ggshield` can be installed on all supported operating systems via its [PyPI package](https://pypi.org/project/ggshield)
.
#### Using pipx[](#using-pipx "Direct link to Using pipx")
The recommended way to install `ggshield` from PyPI is to use [pipx](https://pipx.pypa.io)
, which will install it in an isolated environment:
$ pipx install ggshield
To upgrade your installation, run:
$ pipx upgrade ggshield
#### Using pip[](#using-pip "Direct link to Using pip")
You can also install `ggshield` from PyPI using pip, but this is not recommended because the installation is not isolated, so other applications or packages installed this way may affect your `ggshield` installation. This method will also not work if your Python installation is declared as externally managed (for example when using the system Python on operating systems like Debian 12):
$ pip install --user ggshield
To upgrade your installation, run:
$ pip install --user --upgrade ggshield
Step 2: Authenticate with your GitGuardian workspace[](#step-2-authenticate-with-your-gitguardian-workspace "Direct link to Step 2: Authenticate with your GitGuardian workspace")
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
`ggshield` requires an API key to authenticate the CLI with your GitGuardian workspace. There are 2 different types of API keys:
* **Service Accounts:** a special type of token intended to represent a non-human user that needs to authenticate and be authorized for scenarios such as secrets scanning in CI pipelines or batch processing open incidents.
* **Personal Access Tokens:** a token intended for the use of the GitGuardian API and command-line application ggshield by individual developers on their local workstations (e.g. pre-commit or pre-push git hooks).
### Option 1: Automatically[](#option-1-automatically "Direct link to Option 1: Automatically")
If you want to set up **ggshield for use on your local workstation (e.g. to scan repos or in a pre-commit or pre-push git hook)**, we recommend running the following command:
ggshield auth login
This will open a new window in your web browser. Simply follow the steps to login to your workspace (or create a new account) and GitGuardian will automatically provision a personal access token and store it in your configuration.
You can find more details in the [login command reference section](/ggshield-docs/reference/auth/login)
.
### Option 2: Manually[](#option-2-manually "Direct link to Option 2: Manually")
You can also provision your API key manually. This is useful when you want to set up **ggshield in your CI environment** for example.
#### Create your API key[](#create-your-api-key "Direct link to Create your API key")
To create your API key manually, please follow the steps described in the [API authentication section](/api-docs/authentication)
. Once you have your API key ready, follow the rest of the guide on this page.
#### Source your API key in your environment[](#source-your-api-key-in-your-environment "Direct link to Source your API key in your environment")
Alternatively, you can create your personal access token manually and store it in the `GITGUARDIAN_API_KEY` environment variable to complete the setup.
If you're using an on-premise version of GitGuardian, you also need to set the `GITGUARDIAN_INSTANCE` environment variable with your on-premise instance URL (eg: `https://dashboard.gitguardian.mycorp.local`).
Step 3: Scan your first content with ggshield[](#step-3-scan-your-first-content-with-ggshield "Direct link to Step 3: Scan your first content with ggshield")
---------------------------------------------------------------------------------------------------------------------------------------------------------------
You can scan one of your repositories for secrets with the following command:
ggshield secret scan repo /path/to/your/repo
You can also run `ggshield -h` to get help on the CLI.
Go further with ggshield[](#go-further-with-ggshield "Direct link to Go further with ggshield")
-------------------------------------------------------------------------------------------------
> If you are looking to configure a CI/CD integration, take a look at our [CI/CD Integrations page](/ggshield-docs/integrations/overview#cicd-integrations-secrets-detection-in-your-cicd-workflow)
> .
> If you are looking to use GitGuardian at the git hooks level (pre-commit, pre-receive), take a look at our [Git hooks documentation page](/ggshield-docs/integrations/overview#git-hooks-prevent-secrets-from-reaching-your-vcs)
> .
#### Was this page helpful?
[](#)
[](#)
* [Step 1: Install ggshield](#step-1-install-ggshield)
* [Requirements](#requirements)
* [macOS](#macos)
* [Linux](#linux)
* [Windows](#windows)
* [All operating systems](#all-operating-systems)
* [Step 2: Authenticate with your GitGuardian workspace](#step-2-authenticate-with-your-gitguardian-workspace)
* [Option 1: Automatically](#option-1-automatically)
* [Option 2: Manually](#option-2-manually)
* [Step 3: Scan your first content with ggshield](#step-3-scan-your-first-content-with-ggshield)
* [Go further with ggshield](#go-further-with-ggshield)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Configure SCIM | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Configure SCIM
==============
System for Cross-domain Identity Management (SCIM) enables user lifecycle management, allowing you to synchronize and manage users directly from your Identity Provider (IdP). SCIM can automatically activate, deactivate, and delete users in GitGuardian based on changes in your IdP.
info
Only user deprovisioning is available. User and team provisioning will be supported in the near future.
Prerequisites[](#prerequisites "Direct link to Prerequisites")
----------------------------------------------------------------
* SCIM requires [Single Sign-On (SSO)](/platform/enterprise-administration/saml-sso-configuration)
to be configured first.
* SCIM is only supported for Okta and Microsoft Entra ID at the moment.
SCIM Features[](#scim-features "Direct link to SCIM Features")
----------------------------------------------------------------
GitGuardian supports:
* **User Activation**: Automatically reactivate users to your workspace when they are authorized in your IdP.
* **User Deactivation**: Automatically deactivate users in GitGuardian when they are removed or deactivated in your IdP.
* **User Deletion**: Automatically delete users in GitGuardian when they are deleted from your IdP.
Enable SCIM in GitGuardian[](#enable-scim-in-gitguardian "Direct link to Enable SCIM in GitGuardian")
-------------------------------------------------------------------------------------------------------
1. Navigate to **Settings > [Authentication](https://dashboard.gitguardian.com/settings/workspace/auth)
** in your GitGuardian workspace.
2. Under **SCIM**, toggle the option to enable SCIM integration. 
3. Follow instructions of the **Set up SCIM with Your IdP** section.
Once SCIM is enabled, your users can be synchronized with your IdP, and user deprovisioning can occur automatically.
Unlinked Members
You may see a message indicating that some users are **not linked to your IdP**. These users won't be managed by SCIM.
* **Review the Members List**: Check the unlinked users.
* **Deactivate if Necessary**: Manually deactivate any users who shouldn't have access.
This typically happens for users added before SCIM was enabled or not assigned in your IdP. SCIM only manages linked users.
Set up SCIM in your IdP[](#set-up-scim-in-your-idp "Direct link to Set up SCIM in your IdP")
----------------------------------------------------------------------------------------------
To configure SCIM, you will need to provide the SCIM endpoint and configure the corresponding SCIM settings in your IdP. Here's a high-level overview for common IdPs:
Follow the specific steps for your IdP to enable SCIM integration. Most IdPs provide an option to configure SCIM via their API or dashboard settings. You will need to provide:
* **GitGuardian SCIM Endpoint**: `https://api.gitguardian.com/v1/scim/v2` (or `https://gitguardian.mycorp.local/exposed/v1/scim/v2` for self-hosted)
* **API Token**: Use a GitGuardian [service account](https://dashboard.gitguardian.com/api/service-accounts)
token with `members:write` and `teams:write` permissions.
Each IdP’s SCIM configuration page will have specific instructions. Refer to the documentation for your IdP for details on how to enter the SCIM endpoint and configure API credentials.
Google & Keycloak Users
Google only supports automatic provisioning for specific apps, so SCIM cannot be used for provisioning with Google at this time. However, we are planning to support SCIM for Google and publish our app in the future.
The [scim-for-keycloak plugin](https://scim-for-keycloak.de/)
has a bug that causes confusion with the `externalId` value, which is used for making SCIM requests to GitGuardian, so it won't work with our SCIM integration. For more details, see the issue [here](https://github.com/Captain-P-Goldfish/scim-for-keycloak/issues/126)
.
Set up procedures[](#set-up-procedures "Direct link to Set up procedures")
----------------------------------------------------------------------------
### Okta[](#okta "Direct link to Okta")
Important Note
If users are assigned to the Okta app before SCIM is enabled, they won’t be deactivated in GitGuardian when later unassigned. To ensure proper deactivation:
1. Duplicate the original Okta group (same members).
2. Assign the duplicate group to the app.
3. Unassign the original group from the app.
1. In **Okta**, navigate to the **General** settings of your GitGuardian app and check the box for **Enable SCIM provisioning**. 
2. In the **Provisioning** settings of your Okta app, configure the following:
* Set the **SCIM Connector Base URL** to:
`https://api.gitguardian.com/v1/scim/v2` (or `https://gitguardian.mycorp.local/exposed/v1/scim/v2` for self-hosted).
* Use **email** as the unique identifier field for users.
* Enable the **Push Profile Updates** setting.
* Select **HTTP Header** for authentication mode and add the **service account token** in the **Authorization HTTP header**. 
3. Finally, check the **Deactivate Users** option under the **Provisioning to app** settings to ensure users are deactivated properly in GitGuardian when unassigned in Okta. 
### Microsoft Entra ID[](#microsoft-entra-id "Direct link to Microsoft Entra ID")
important note
When a user is unassigned from the GitGuardian app in Entra ID, no deactivation request is sent. To deactivate, the user must be disabled in Entra ID.
1. In **Microsoft Entra ID** (formerly Azure Active Directory), navigate to the **Enterprise Applications** section.
2. Select your GitGuardian app, then go to **Provisioning** and set the **Provisioning Mode** to **Automatic**.
3. Provide the SCIM **API Token** and **GitGuardian SCIM Endpoint**:
`https://api.gitguardian.com/v1/scim/v2` (or `https://gitguardian.mycorp.local/exposed/v1/scim/v2` for self-hosted).
4. In the **Attribute Mappings** section, configure the following mappings to match GitGuardian's SCIM requirements:
* Target Object Actions: Set actions to `Update` and `Delete` for the target object.
* Attribute Mappings:
* `userName`: Map this to `userPrincipalName`
* `active`: Map this to `Switch([IsSoftDeleted], , "False", "True", "True", "False")`
* `name.givenName`: Map this to `givenName`
* `name.familyName`: Map this to `surname`
* `externalId`: Map this to `userPrincipalName`
5. Save the mapping and sync the users.
FAQ[](#faq "Direct link to FAQ")
----------------------------------
**What actions does SCIM support in GitGuardian?**
SCIM in GitGuardian supports:
* **User Activation**: Automatically reactivate users to your workspace.
* **User Deactivation**: Automatically deactivate users when removed from the IdP.
* **User Deletion**: Automatically delete users when deleted from the IdP.
**Can I use SCIM for provisioning teams?**
Currently, SCIM supports user activation, deactivation, and deletion. Team provisioning will be available in a future release.
**How do I link GitGuardian to my IdP for SCIM?**
You will need to configure SCIM in your IdP by entering the provided SCIM endpoint and API token. Each IdP has its own process for linking SCIM integrations. Follow the relevant setup instructions for your IdP.
**Does GitGuardian support Just-In-Time (JIT) provisioning with SCIM?**
SCIM currently supports user deprovisioning (deactivation and deletion) but does not handle provisioning. JIT provisioning via SSO is used for user provisioning at the moment, while SCIM gives you more control over the user lifecycle for deactivation and deletion.
#### Was this page helpful?
[](#)
[](#)
* [Prerequisites](#prerequisites)
* [SCIM Features](#scim-features)
* [Enable SCIM in GitGuardian](#enable-scim-in-gitguardian)
* [Set up SCIM in your IdP](#set-up-scim-in-your-idp)
* [Set up procedures](#set-up-procedures)
* [Okta](#okta)
* [Microsoft Entra ID](#microsoft-entra-id)
* [FAQ](#faq)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Microsoft Teams | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Microsoft Teams
===============
This notifier sends a message to a Microsoft Teams channel in case an incident is detected.
To set up your Microsoft Teams integration, provide a Microsoft Teams channel ID in the Teams settings section.
### How to integrate[](#how-to-integrate "Direct link to How to integrate")
1. Go to the [Microsoft Teams app store](https://teams.microsoft.com/l/app/61d2bd20-544a-4dff-854d-9b2f6e1c774d?source=app-details-dialog)
and add the **GitGuardian app**. 
2. Select the channel where you want to send alerts.

A welcome message is sent to your channel:

3. Copy the link to the channel:
* Right-click the channel name.

* Select **Get link to channel**.

4. Add the integration to your team in the [Microsoft Teams integration section](https://dashboard.gitguardian.com/settings/integrations/alert_ms_teams)
of your dashboard settings. 
5. Paste the copied link.

6. Your integration is now successfully configured. 
#### Was this page helpful?
[](#)
[](#)
* [How to integrate](#how-to-integrate)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Encrypted Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Encrypted Private Key
=====================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: This detector find encrypted private keys. Encrypted private keys are keys that have been encrypted (usually with a passphrase). These keys can be RSA, DSA, Elliptic, or any private key. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Base64 private key encrypted`[](#details-for-base64-private-key-encrypted "Direct link to details-for-base64-private-key-encrypted")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 0.12
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibftknswvburuqgufjjvkfursblrvktls0tl - 0tls0tqkvhsu4gru5dullqveveifbssvzbveugs0vzls0tls - tls0tlujfr0loievoq1jzufrfrcbquklwqvrfietfws0tls0t
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLSBNSUlCclRCWEJna3Foa2lHOXcwQkJRMHdTakFwQmdrcWhraUc5dzBCQlF3d0hBUUlWZEh5dmVwVnlYTUNBZ2dBIE1Bd0dDQ3FHU0liM0RRSUpCUUF3SFFZSllJWklBV1VEQkFFcUJCQUFLeHQrSFViTFhIdVNIN3RZeHRnSEJJSUIgVUQ0bmNPRktqcmJvS3grODk3UVRFd0g3VTVRWEFjZU1RU0E2T1NwUDRSTXFXemQrRFN1UTJBaFc5bnkrSnVoWiBjdWF5UXZYa0lPeWsvTFVDeTFpbG0zZmhiTjIrZ0tpSDhnaEpzWnplQU5uV0J1WDhkNmU2YUVNTFBudjEwMURtIE16U3ovS0lWK1N3N2x0VUROR282QWRtd29vNEZGZlM4RXRUc0hlMk5rcWdsaUVKaWdXdU9PZlp2bGU0NUJSNlcgTFdBU1hwdFZDMytkSStjc0tQbERRaTV4Z2p2NjVNcEV6amM5bW1rY1Z4UnhxNWxEblphejFvM3ErTUpqWWxGVSBPTnpxR1FDMzdUSjArZ2pGSzJFVEJvVi9HNmMyaVVYZU5aQjhEYWJUOVBCS1g2VGJ0YW9ZZkNuSi93a0s5Tk9UIDF2a0pzSzFDeE9BVWhaQ0gyVTRPaGNwVnNLb1JGT2RJQmwrTmJkQlI2azBnSzZGMEd3YnBBNlZwZmd1YjVoeTIga1BwK2trckMraDhFY3RBbHArK3ZJb0ovRjZUQW5uMEc2NWMzQVZZRWs4NFJVVERnakRvY2k2dTc0S2JwUS9tZCB2UT09IC0tLS0tRU5EIEVOQ1JZUFRFRCBQUklWQVRFIEtFWS0tLS0tCg==
Here's the decoded string:
-----BEGIN ENCRYPTED PRIVATE KEY-----MIIBrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIVdHyvepVyXMCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAAKxt+HUbLXHuSH7tYxtgHBIIBUD4ncOFKjrboKx+897QTEwH7U5QXAceMQSA6OSpP4RMqWzd+DSuQ2AhW9ny+JuhZcuayQvXkIOyk/LUCy1ilm3fhbN2+gKiH8ghJsZzeANnWBuX8d6e6aEMLPnv101DmMzSz/KIV+Sw7ltUDNGo6Admwoo4FFfS8EtTsHe2NkqgliEJigWuOOfZvle45BR6WLWASXptVC3+dI+csKPlDQi5xgjv65MpEzjc9mmkcVxRxq5lDnZaz1o3q+MJjYlFUONzqGQC37TJ0+gjFK2ETBoV/G6c2iUXeNZB8DabT9PBKX6TbtaoYfCnJ/wkK9NOT1vkJsK1CxOAUhZCH2U4OhcpVsKoRFOdIBl+NbdBR6k0gK6F0GwbpA6Vpfgub5hy2kPp+kkrC+h8EctAlp++vIoJ/F6TAnn0G65c3AVYEk84RUTDgjDoci6u74KbpQ/mdvQ==-----END ENCRYPTED PRIVATE KEY-----
### Details for `Private key encrypted`[](#details-for-private-key-encrypted "Direct link to details-for-private-key-encrypted")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 24.19
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin encrypted private key-----'
### Examples[](#examples-1 "Direct link to Examples")
- text: >-----BEGIN ENCRYPTED PRIVATE KEY-----MIIBrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIVdHyvepVyXMCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAAKxt+HUbLXHuSH7tYxtgHBIIBUD4ncOFKjrboKx+897QTEwH7U5QXAceMQSA6OSpP4RMqWzd+DSuQ2AhW9ny+JuhZcuayQvXkIOyk/LUCy1ilm3fhbN2+gKiH8ghJsZzeANnWBuX8d6e6aEMLPnv101DmMzSz/KIV+Sw7ltUDNGo6Admwoo4FFfS8EtTsHe2NkqgliEJigWuOOfZvle45BR6WLWASXptVC3+dI+csKPlDQi5xgjv65MpEzjc9mmkcVxRxq5lDnZaz1o3q+MJjYlFUONzqGQC37TJ0+gjFK2ETBoV/G6c2iUXeNZB8DabT9PBKX6TbtaoYfCnJ/wkK9NOT1vkJsK1CxOAUhZCH2U4OhcpVsKoRFOdIBl+NbdBR6k0gK6F0GwbpA6Vpfgub5hy2kPp+kkrC+h8EctAlp++vIoJ/F6TAnn0G65c3AVYEk84RUTDgjDoci6u74KbpQ/mdvQ==-----END ENCRYPTED PRIVATE KEY-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key encrypted`](#details-for-base64-private-key-encrypted)
* [Examples](#examples)
* [Details for `Private key encrypted`](#details-for-private-key-encrypted)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# OpenSSH Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
OpenSSH Private Key
===================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Summary**: The OpenSSH private key format can contain different types of private key such as RSA and DSA keys and therefore can work just like them. More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
Revoking the key depends on the service being used.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
Checking for suspicious activity depends on the service being used.
### Details for `Base64 private key openssh`[](#details-for-base64-private-key-openssh "Direct link to details-for-base64-private-key-openssh")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 0.52
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - ls0tls1crudjtibpuevou1niifbssvzbveugs0vzls0tls - 0tls0tqkvhsu4gt1bftlntscbquklwqvrfietfws0tls0t - tls0tlujfr0loie9qru5tu0ggufjjvkfursblrvktls0tl
### Examples[](#examples "Direct link to Examples")
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0gYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVyBReU5UVXhPUUFBQUNDNUtmcjhweG4wMUlnNVlicnZqS0s0a0M5SlVnTmJxT0N0TVkxT2RseHFkd0FBQUtoR2MvRUxSblB4IEN3QUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQzVLZnI4cHhuMDFJZzVZYnJ2aktLNGtDOUpVZ05icU9DdE1ZMU9kbHhxZHcgQUFBRUQwaVRDT3B0ZzJNenpKMnJnb3Y4NE5qcHBrZW5URTJZbXdRbFVRQ2cvdk43a3ArdnluR2ZUVWlEbGh1dStNb3JpUSBMMGxTQTF1bzRLMHhqVTUyWEdwM0FBQUFIM1JvYVdKaGRXeDBRSFJvYVdKaGRXeDBMVWx1YzNCcGNtOXVMVGMxTnpBQkFnIE1FQlFZPSAtLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
Here's the decoded string:
-----BEGIN OPENSSH PRIVATE KEY-----b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAAACC5Kfr8pxn01Ig5YbrvjKK4kC9JUgNbqOCtMY1OdlxqdwAAAKhGc/ELRnPxCwAAAAtzc2gtZWQyNTUxOQAAACC5Kfr8pxn01Ig5YbrvjKK4kC9JUgNbqOCtMY1OdlxqdwAAAED0iTCOptg2MzzJ2rgov84NjppkenTE2YmwQlUQCg/vN7kp+vynGfTUiDlhuu+MoriQL0lSA1uo4K0xjU52XGp3AAAAH3RoaWJhdWx0QHRoaWJhdWx0LUluc3Bpcm9uLTc1NzABAgMEBQY=-----END OPENSSH PRIVATE KEY----
### Details for `Private key openssh`[](#details-for-private-key-openssh "Direct link to details-for-private-key-openssh")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 58.95
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - '-----begin openssh private key-----'
### Examples[](#examples-1 "Direct link to Examples")
- text: > -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACC5Kfr8pxn01Ig5YbrvjKK4kC9JUgNbqOCtMY1OdlxqdwAAAKhGc/ELRnPx CwAAAAtzc2gtZWQyNTUxOQAAACC5Kfr8pxn01Ig5YbrvjKK4kC9JUgNbqOCtMY1Odlxqdw AAAED0iTCOptg2MzzJ2rgov84NjppkenTE2YmwQlUQCg/vN7kp+vynGfTUiDlhuu+MoriQ L0lSA1uo4K0xjU52XGp3AAAAH3RoaWJhdWx0QHRoaWJhdWx0LUluc3Bpcm9uLTc1NzABAg MEBQY= -----END OPENSSH PRIVATE KEY-----
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Base64 private key openssh`](#details-for-base64-private-key-openssh)
* [Examples](#examples)
* [Details for `Private key openssh`](#details-for-private-key-openssh)
* [Examples](#examples-1)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Putty Private Key | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Putty Private Key
=================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Documentation**: [https://documentation.help/PuTTY/pubkey-puttygen.html](https://documentation.help/PuTTY/pubkey-puttygen.html)
* **Summary**: PuTTY is a free Windows Telnet and SSH client. It provides a quick and simple way to connect to remote hosts. By default, PuTTY does not support the native format for SSH private keys (.pem files), but it provides a tool called `PuTTYgen` to convert the keys in the desired format (`.ppk` files). This detector aims at catching those files.More details about cryptographic keys can be found in this [FAQ](/secrets-detection/secrets-detection-engine/frequently_asked_questions#are-cryptographic-keys-sensitive-objects)
.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
### Details for `Putty private key`[](#details-for-putty-private-key "Direct link to details-for-putty-private-key")
* **Family:** PrivateKey
* **Category:** Private key
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 2.2
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - 'private-lines\:'
### Examples[](#examples "Direct link to Examples")
- text: "Public-Lines: 2\nAAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGy1qMgVWUX\nWuwutzBih9BLjlgkHkIRzzGiVMALRg7hwlXUWmhhI46KzdS9yWu1jZ7hxH6EaDOO\nPrivate-Lines: 2\nF228r/oPiCTtvKkXn9X2ZbsRsDaZSqon/apnpteXJRLqn+CocudYFp8eXOEp/Yj\n7N3k99xbStzH//ejc6EELug8uD7R0dCq3bUe7G7Lf1=\nPrivate-MAC: c9df7f8d46e853c618cdb1f2c246b70d2aea7c73" apikey: "F228r/oPiCTtvKkXn9X2ZbsRsDaZSqon/apnpteXJRLqn+CocudYFp8eXOEp/Yj\n7N3k99xbStzH//ejc6EELug8uD7R0dCq3bUe7G7Lf1="- text: "Public-Lines: 2\nAAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGy1qMgVWUX\nWuwutzBih9BLjlgkHkIRzzGiVMALRg7hwlXUWmhhI46KzdS9yWu1jZ7hxH6EaDOO\nPrivate-Lines: 2\nF228r/oPiCTtvKkXn9X2ZbsRsDaZSqon/apnpteXJRLqn+CocudYFp8eXOEp/Yj\n7N3k99xbStzH//ejc6EELug8uD7R0dCq3bUe7G7Lf1=\nPrivate-MAC: c9df7f8d46e853c618cdb1f2c246b70d2aea7c73" apikey: "F228r/oPiCTtvKkXn9X2ZbsRsDaZSqon/apnpteXJRLqn+CocudYFp8eXOEp/Yj\n7N3k99xbStzH//ejc6EELug8uD7R0dCq3bUe7G7Lf1="
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Putty private key`](#details-for-putty-private-key)
* [Examples](#examples)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Overview | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Overview
========
The GitGuardian CLI, ggshield, provides security guardrails at every stage of your Software Development Lifecycle (SDLC).
Find and fix more than 350+ types of hardcoded secrets and 70+ Infrastructure-as-Code security misconfigurations.
ggshield [COMMAND] [SUBCOMMAND] [OPTIONS]
Core commands[](#core-commands "Direct link to Core commands")
----------------------------------------------------------------
* [ggshield auth](/ggshield-docs/reference/auth/login)
* [ggshield secret scan](/ggshield-docs/reference/secret/scan/overview)
* [ggshield honeytoken create](/ggshield-docs/reference/honeytoken/create)
Additional commands[](#additional-commands "Direct link to Additional commands")
----------------------------------------------------------------------------------
* [ggshield secret ignore](/ggshield-docs/reference/secret/ignore)
* [ggshield api-status](/ggshield-docs/reference/api-status)
* [ggshield install](/ggshield-docs/reference/install)
* [ggshield quota](/ggshield-docs/reference/quota)
Options[](#options "Direct link to Options")
----------------------------------------------
* `-h`, `--help`: Show this message and exit.
* `--allow-self-signed`: Ignore SSL verification.
* `-c`, `--config-path `: set a custom config file. Ignores local and global config files.
* `-v`, `--verbose`: Verbose display mode.
* `--version`: Show the version.
* `--check-for-updates` / `--no-check-for-updates`: After executing commands, check or not if a new version of ggshield is available.
* `--log-file `: Send log output to FILE. Use `-` to redirect to stderr instead.
* `--debug`: Show debug information.
JSON outputs[](#json-outputs "Direct link to JSON outputs")
-------------------------------------------------------------
Many ggshield commands come with a `--json` option to output a JSON document. The format of these JSON outputs are documented as JSON schemas in the [doc/schemas folder of ggshield repository](https://github.com/GitGuardian/ggshield/tree/main/doc/schemas)
.
Exit codes[](#exit-codes "Direct link to Exit codes")
-------------------------------------------------------
Depending on the outcome of the command, ggshield exit code will be one of these:
| Code | Meaning |
| --- | --- |
| 0 | No problem found. If the command was a scan, it ran successfully and did not find any issue to report. |
| 1 | The command ran successfully, but it found issues to report. For example, a `secret scan` command found leaked secrets. |
| 2 | Usage error: the command did not receive the parameters it expected. |
| 3 | Authentication error: the command tried to log on a server, but the server rejected it. |
| 128 | Unexpected error. |
#### Was this page helpful?
[](#)
[](#)
* [Core commands](#core-commands)
* [Additional commands](#additional-commands)
* [Options](#options)
* [JSON outputs](#json-outputs)
* [Exit codes](#exit-codes)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Prioritize incidents | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Prioritize incidents
====================
One of the key challenges of a secrets detection and remediation program is **prioritizing incidents and identifying where you should focus remediation efforts.**
GitGuardian focuses on the precision of its secrets detection engine (to raise the highest percentage of true positives). You can refer to our [dedicated documentation for the GitGuardian secrets detection engine](/secrets-detection/home)
for further information. That being said, the severity of a secret incident is still a notion that is hard to grasp from an external standpoint. That is why GitGuardian tries to give as much factual information as possible in order to help you categorize the severity of the secret incident.
1\. Prioritize with the incidents table[](#1-prioritize-with-the-incidents-table "Direct link to 1. Prioritize with the incidents table")
-------------------------------------------------------------------------------------------------------------------------------------------
You can find a table of all your incidents in the Incident section. Our aim is to help you navigate this table in the most efficient way possible.
### Using saved views[](#using-saved-views "Direct link to Using saved views")
Prioritizing incidents efficiently is crucial for effective remediation. The [Saved views](/platform/collaboration-and-sharing/saved-views)
feature allows you to quickly access and manage your preferred filter sets, focusing on the most important incidents without repeatedly adjusting filters.
Some view are pre-set by GitGuardian, providing a starting point for effective incident management:
* **Open**: View all incidents that are currently open and require attention.
* **Critical**: Focus on open incidents that have severity set as critical, to ensure they are prioritized.
* **My open incidents**: Display incidents assigned to the current user, allowing for personalized incident management.
* **Closed but valid**: Review incidents that have been resolved or ignored while the secret is still marked as valid.
Users can also create their own custom views to fit their specific remediation processes.
### Most recent incidents[](#most-recent-incidents "Direct link to Most recent incidents")
By default, the table of incidents is sorted by "most recent" incidents. As a matter of fact, **secrets that were detected most recently have the highest probability of being valid and thus harmful**. The date of an incident is the date of its first occurrence.
It is especially important to note here that **GitGuardian creates secrets incidents during historical scans**. The date of those incidents is the date of the commit where the secret exposure happened, not the date of the historical scan. Such incidents will be marked with the "From historical scan" tag.
Therefore, you can end up with very old incidents as you run GitGuardian on your git history. That is why, we allow you to modify the time frame of the listed incidents and set it to **All time**. By default, this time frame is set to Last Month.
### Secret preview[](#secret-preview "Direct link to Secret preview")
You can **quickly preview the actual secret from the incidents table** with a simple hover. If you would like to further investigate, you can click on the secret incident and visit its dedicated page.
Be cautious: **sometimes the broader context of a secret can be much more harmful than the secret itself**. We always recommend going beyond the secret preview and conducting an in-depth investigation before making a decision on a particular incident.

### Secret validity[](#secret-validity "Direct link to Secret validity")
The table of incidents indicates for each incident if the exposed secret is still valid or not. You can also filter your incidents to view valid secrets only. This can help you prioritize your incidents and focus on secrets that can still be exploited. We recommend you take care of exposed and valid credentials as soon as possible, since they represent a higher risk of exploitation.

For more details on this feature, please refer to the dedicated section on [validity checkers](/secrets-detection/remediate/investigate-incidents#secret-validity-checks)
.
### Occurrences count and presence in git history[](#occurrences-count-and-presence-in-git-history "Direct link to Occurrences count and presence in git history")
The table of incidents also indicates the number of occurrences for each incident. **The severity of an incident should not be determined simply by its number of occurrences**. This informs you about the potential sprawl of the secret but keep in mind that a secret that is present in more than one place is often not an harmful secret.
The total count is split between the occurrences of the incident present in your git repository and the ones that have been rendered non-existent (following the deletion of a repository or rewriting of the git history).

Removing any trace of the secret in your git repositories may be one of your requirements for full incident remediation. If that is the case, it is possible to filter your incidents to only view the ones for which at least one occurrence is still present or in other words, the ones for which remediation is incomplete.

### Tags[](#tags "Direct link to Tags")
For each incident, we try to give you as much contextual information as possible. **Tags are meant to help you quickly evaluate each incident**. In the incidents table, you will see all the tags associated with occurrences of an incident. The different tags are:
* **Default branch**: at least one occurrence of the incident is found in the default branch of a repository.
* **Publicly exposed**: one of the occurrences of the incident was detected on a public repository on GitHub.com.
* **Publicly leaked**: The secret has been detected in a public place outside your perimeter _(GitHub public repositories, GitHub issues, GitHub gists your organization does not own)_.
* **From historical scan**: one of the occurrences of the incident was detected thanks to a historical scan, as opposed to being detected in real-time.
* **Regression**: the incident was once resolved but GitGuardian detected a new occurrence.
* **Sensitive file**: one of the occurrences of the incident happened on a potential sensitive file.
* **Tagged as false positive in check runs**: one of the occurrences of the incident has been tagged as a false positive in GitHub by one of your developers.
* **Test file**: one of the occurrences of the incident happened on a potential test file.
info
About the **Default branch** tag. After this feature is activated on your workspace, the tag will be automatically applied to future incidents. For incidents raised by GitGuardian before July 2023, or repositories where the default branch has been modified at the VCS level, a full scan of your repositories needs to be re-run.
Please visit the [perimeter](https://dashboard.gitguardian.com/perimeter)
page to run a historical scan.

### Severity[](#severity "Direct link to Severity")
#### Manual severity assignment[](#manual-severity-assignment "Direct link to Manual severity assignment")
To help you prioritize incidents during triage, you can set a severity for each incident. You can define the severity of an incident either in its dedicated remediation page, or directly from the table of incidents.
The different severity levels are:
* **Critical**: concerns a critical service. **Must be tackled as quickly as possible.**
* **High**: concerns an important service with a potentially broad impact.
* **Medium**: concerns an important service with a potentially limited impact.
* **Low**: concerns a minor service with a potentially broad impact.
* **Info**: concerns a minor service with a potentially limited impact.
* **Unknown**: default level applied by GitGuardian to new incidents.

#### Automated severity scoring[](#automated-severity-scoring "Direct link to Automated severity scoring")
info
Only Managers and Owner can activate this feature.
Manual severity assignment requires a case-by-case examination of your open incidents and can be time-consuming for your teams. GitGuardian's severity scoring feature automates this approach, where and when applicable, to the incidents in your workspace so that you can save time on their triaging and prioritization.
tip
Automated severity scoring comes in handy after running a historical scan on your perimeter that surfaces hundreds or thousands of incidents. It can help you focus your remediation efforts on the most critical incidents first!
To activate the automated severity scoring feature, go to the [Severity rules pages in the Secrets section of your GitGuardian workspace settings](https://dashboard.gitguardian.com/settings/secrets/severity-rules)
.
You can see the coverage of the automated severity scoring engine. GitGuardian computes this by dividing the total number of incidents for which it has automatically assigned a severity by the total number of open incidents in your workspace.

GitGuardian determines the severity of each incident by following a predefined ruleset that can be customized. The rules are evaluated sequentially for each incident from the first to the last. The severity assigned will be that of the first rule whose conditions are met. In case of multiple occurrences for an incident, the rules engine will evaluate all of them and assign the highest severity among them. You can inspect this ruleset in the [Severity rules page of the Secrets section of your settings](https://dashboard.gitguardian.com/settings/secrets/severity-rules)
.

Each rule of the ruleset is composed of the following:
* A **name** identifying the rule
* A **description** of the rule
* A **severity** to be assigned automatically in case of a match
* A **set of conditions** defining the rule
* The **total number of incidents** for which the rule has set the severity
As a Manager or Owner or the workspace, you can customize this ruleset by clicking on the **Edit ruleset** button. This allows you to maximize the coverage of automatically scored incidents by defining a ruleset related to your own context.

info
The default ruleset designed by GitGuardian can benefit from regular updates. Once customized, the ruleset will not benefit from these updates as you become the manager of these rules.
Once entered the edit mode of the ruleset, you can:
* **Add a new rule** by clicking on the `New rule` button _(up to 20 rules)_
* **Edit a rule** by clicking on the pen icon of the rule
* **Delete a rule** by clicking on the bin icon of the rule _(You can't empty your entire ruleset)_
* **Reorder rules** by dragging them in relation to each other

Creating or editing a rule allows you to define the:
* **Name** identifying the rule
* **Description** of the rule _(optional)_
* **Set of conditions** defining the rule _(up to 20 conditions)_
* **Severity** to be assigned automatically in case of a match

Once you have customized your ruleset, don't forget to save it by clicking on the `Save changes` button. This will result in a new scoring of your open incidents based on your fresh new ruleset. The scoring time depends on the number of your secret incidents and occurrences.
If you wish, you can always reset to the default ruleset defined by GitGuardian by selecting the `Reset to default` option in the `...` menu. This will allow you to benefit from GitGuardian's ruleset updates again. You can also manually recompute your severity scoring by selecting the `Recompute severity scoring` option.

In the incidents table view, hovering over the severity badge of an incident will display a tooltip indicating whether it was set manually or automatically. In the latter case, the rule that matched will also be indicated. You can always override the automated severity set by GitGuardian by selecting a severity of your choice.

On the details page of a critical or high incident, you will find a banner indicating the automated severity score and its corresponding rule.

In case GitGuardian cannot determine the severity of the incident, it will also inform you in the same banner, and you can assign one directly from there – using the dropdown menu.
2\. Explore with the incident page[](#2-explore-with-the-incident-page "Direct link to 2. Explore with the incident page")
----------------------------------------------------------------------------------------------------------------------------
Each incident has a dedicated page in which you can find additional information to help you investigate.
caution
This specific feature is unfortunately not available for self-hosted installations at the moment.
### Impacted perimeter[](#impacted-perimeter "Direct link to Impacted perimeter")
The Impacted Perimeter feature addresses the critical need for comprehensive secret management in modern software development. It provides a quick overview and detailed breakdown of secret occurrences across your codebase and other data sources, enabling teams to rapidly assess vulnerabilities and prioritize remediation efforts. By tracking the status of secrets from detection through remediation, this feature enhances security awareness, streamlines the fix process, and supports compliance efforts.
The **Impacted perimeter** is divided in two sections to get either a quick or detailed view of the impact of the incident on your perimeter.
**Secret presence** helps you get a glimpse of the incident status across your perimeter by showing the following metrics:
* **requiring code fix** which counts the number of _files containing at least one mention of the secret in the last commit of the default branch_
* the number of occurrences present **overall** or in **other data sources**
* [secret leak checks](/secrets-detection/remediate/investigate-incidents#secret-leak-checks)
indicates if occurrences have been publicly leaked
The **Vulnerable sources** part lists in details the occurrences of the secret for each impacted source, either requiring code fix or not.
N.B. non-monitored and deleted sources are also included.

#### Occurrences requiring code fix[](#occurrences-requiring-code-fix "Direct link to Occurrences requiring code fix")
Occurrences requiring code fix matter particularly as they are _present in the current state of the code when browsing the VCS or when cloning the repository_. It is the current state of the repository that is monitored here. It is possible to change the default branch monitored by updating the default branch directly in the VCS.
Therefore, vulnerable files are listed on top in the **files requiring code fix** section, with a link to the file in the VCS.
As it is important to fix them as a priority, the **files pending merge** section keeps track of the code fixing. To do so we monitor the pull requests of the source and check if they are about to remediate an incident (i.e. remove at least one mention of the secret), and if so list them and the associated files.
Once merged, the pull request is listed next to the files fixed in the **files fixed** section.
The pull request names can be clicked to view them in more details on the VCS website.
Feature limitations:
* _The number of files in the PR is limited to 200 for GitHub_ to avoid making too many API calls; above that limit the feature won't work properly.
* Currently, the feature _only works for GitHub and GitLab_.
#### All occurrences[](#all-occurrences "Direct link to All occurrences")
The table of occurrences provides you with the following detailed information:
* when the occurrence happened
* who is the developer responsible for the leak (git name, git email)
* where the occurrence took place (commit, file)
* when the occurrence was last seen by GitGuardian and if it still visible in your git history
* the tags associated with the occurrence
For the needs of conducting further investigation, each occurrence has its own menu, with a link to the actual place of the secret occurrence on the VCS, if still present.

#### Patch[](#patch "Direct link to Patch")
For each occurrence of a given secret incident, you have access to **the patch of the commit where the secret has been detected**. The patch is composed of:
* the lines of code added by the commit
* the lines of code deleted by the commit
* the contextual lines surrounding the added or deleted lines. These lines are also monitored by GitGuardian since they are part of the commit.
A secret can consist of several components. For example, an AWS secret is the combination of `client_id` and `client_secret`. You can easily navigate and understand these multiple secret components with the patch in your GitGuardian workspace.

N.B. In the screenshot the secret is obfuscated because the [privacy mode](/platform/security-data-privacy/privacy-mode)
is enabled
From our experience, **lots of valuable information can be found around the patch of a secret** (other secrets, sensitive data, ...).
#### Was this page helpful?
[](#)
[](#)
* [1\. Prioritize with the incidents table](#1-prioritize-with-the-incidents-table)
* [Using saved views](#using-saved-views)
* [Most recent incidents](#most-recent-incidents)
* [Secret preview](#secret-preview)
* [Secret validity](#secret-validity)
* [Occurrences count and presence in git history](#occurrences-count-and-presence-in-git-history)
* [Tags](#tags)
* [Severity](#severity)
* [2\. Explore with the incident page](#2-explore-with-the-incident-page)
* [Impacted perimeter](#impacted-perimeter)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Azure pipelines | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Azure pipelines
===============
Prelude[](#prelude "Direct link to Prelude")
----------------------------------------------
GitGuardian CI/CD integration with Azure Pipelines is performed through our CLI application: [`ggshield`](/ggshield-docs/getting-started)
.
`ggshield` is a wrapper around the GitGuardian API for secrets detection, an API key is required for authentication.
> ⚠ Azure Pipelines does not support commit ranges outside of GitHub Pull Requests, therefore on push events in a regular branch only your latest commit will be scanned. This limitation doesn't apply to GitHub Pull Requests where all the commits in the pull request will be scanned.
Preview[](#preview "Direct link to Preview")
----------------------------------------------

Installation[](#installation "Direct link to Installation")
-------------------------------------------------------------
> [Service accounts](/api-docs/service-accounts)
> are recommended to run this integration.
>
> Please note that service accounts are only available for workspaces under our Business plan, and their administration is restricted to Managers. If your workspace is under the Free plan, you can still use a [personal access token](/api-docs/personal-access-tokens)
> to run this integration.
1. Create a service account from the [API section](https://dashboard.gitguardian.com/workspace/api/service-accounts)
of your GitGuardian workspace (or a [personal access token](https://dashboard.gitguardian.com/api/personal-access-tokens)
if you are on the Free plan).
2. Add this API key to the `gitguardianApiKey` secret variable in your pipeline settings.
* [How to define secret variables in Azure Pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#secret-variables)
3. Add a new job using ggshield to your Azure pipeline
jobs: - job: GitGuardianShield pool: vmImage: 'ubuntu-latest' container: gitguardian/ggshield:latest steps: - script: ggshield secret scan ci env: GITGUARDIAN_API_KEY: $(gitguardianApiKey)
#### Was this page helpful?
[](#)
[](#)
* [Prelude](#prelude)
* [Preview](#preview)
* [Installation](#installation)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Base64 Generic high entropy secret | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Base64 Generic high entropy secret
==================================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
The `base64 generic high entropy detector` aims at catching **any high entropy strings being assigned to a sensitive variable in base64-encoded text**. It is applying similar validation steps and specifications as the [`generic high entropy detector`](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret)
but adapts them to be applied in base64-encoded text.
### Specifications[](#specifications "Direct link to Specifications")
#### About Base64-encoded text[](#about-base64-encoded-text "Direct link to About Base64-encoded text")
[Base64 is a binary-to-text encoding scheme](https://en.wikipedia.org/wiki/Base64)
. It is mainly used to send binary data across channels that only reliably support text content. Base64 is also applied on text, for example in [JSON Web Token](https://en.wikipedia.org/wiki/JSON_Web_Token)
or to obfuscate it.
Base64 is not an encryption algorithm, encoding and decoding do not rely on a secret key but Base64 is commonly used to encode to text the results of encryption algorithms. This detector will only look for generic secrets inside Base64 encoded-text representing unicode text.
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
This detector catches generic secrets, hence GitGuardian cannot infer the concerned service. To properly revoke the secret :
1. Understand what service is impacted. Decoding the whole Base64 text may be required.
2. Refer to the corresponding documentation to know how to revoke and rotate the secret.
### Examples[](#examples "Direct link to Examples")
**Examples that WILL be caught**
# base64(api_key = rca.pibsaorcibu234lbu43)- text: | YXBpX2tleSA9IHJjYS5waWJzYW9yY2lidTIzNGxidTQz apikey: HJjYS5waWJzYW9yY2lidTIzNGxidTQz# base64({"api-key": "asnbtueaorueobu435nstau"})- text: | eyJhcGkta2V5IjogImFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1In0K apikey: mFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1# base64(token: asnbtueaorueobu435nstau)- text: | dG9rZW46IGFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1Cg== apikey: GFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1# base64(authorization = asnbtueaorueobu435nstau)- text: | YXV0aG9yaXphdGlvbiA9IGFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1 apikey: GFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1
**Examples that WILL NOT be caught**
* The high entropy string is too short :
# base64(api_key = hj65_klhz/trlu)- text: | YXBpX2tleSA9IGhqNjVfa2xoei90cmx1
* The entropy of the string is not high enough
# base64(secret = xob1xob1xob1xob1xob1xob1xob1)- text: | c2VjcmV0ID0geG9iMXhvYjF4b2IxeG9iMXhvYjF4b2IxeG9iMQ==
* The assigned variable is not considered sensitive
# base64(object_id = hj65_klhz/trlupok76)- text: | b2JqZWN0X2lkID0gaGo2NV9rbGh6L3RybHVwb2s3Ng==
For more examples, see [the examples of the `generic high entropy detector`](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret#examples)
encoded in Base64 \[.\
\
### Details for `Base64 Generic high entropy secret`[](#details-for-base64-generic-high-entropy-secret "Direct link to details-for-base64-generic-high-entropy-secret")\
\
* **High Recall:** False\
\
* **Validity Check:** False\
\
* **Minimum Number of Matches:** 1\
\
* **Occurrences found for one million commits:** 70\
\
* **Prefixed:** False\
\
* **PreValidators**: \
Here is a list of the validation steps the document must pass before being analyzed.\
\
\
- type: FilenameBanlistPreValidator banlist_extensions: [] banlist_filenames: - hash - list/k.txt$ - list/plex.txt$ - \.csproj$ - tg/mtproto\.json check_binaries: false- type: ContentWhitelistPreValidator patterns: - '[a-z0-9+/]{28,10000}={0,2}'- type: Base64ContentWhitelistPreValidator keywords: - secret - token - apikey - api-key - api_key - api.key - credential - auth\
\
* **PostValidators**: \
Identical to post-validators of the [`generic high entropy detector`](/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret#banlist)\
but applied on the decoded text.\
\
#### Was this page helpful?\
\
[](#)\
[](#)\
\
* [Description](#description)\
* [General](#general)\
\
* [Specifications](#specifications)\
\
* [Revoke the secret](#revoke-the-secret)\
\
* [Examples](#examples)\
\
* [Details for `Base64 Generic high entropy secret`](#details-for-base64-generic-high-entropy-secret)\
\
\
[](https://www.gitguardian.com/)\
\
[](https://www.gitguardian.com/legal/public-security-policy)\
[](https://www.gitguardian.com/legal/public-security-policy)\
\
[](https://twitter.com/gitguardian?lang=en)\
[](https://www.linkedin.com/company/gitguardian/)\
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)\
[](https://github.com/GitGuardian)\
[](https://www.facebook.com/GitGuardian/)\
\
Something we didn’t cover?\
--------------------------\
\
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)\
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)\
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)\
[\
\
API status\
==========](https://status.gitguardian.com/)\
\
Subscribe to our newsletter\
---------------------------\
\
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)\
\
Thank you! Your submission has been received!\
\
Oops! Something went wrong while submitting the form.
---
# Docker images | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Docker images
=============
Prelude[](#prelude "Direct link to Prelude")
----------------------------------------------
`ggshield` docker scanning tool (`ggshield secret scan docker`) is used to scan local docker images for secrets present in the image's creation process (`dockerfile` and build arguments) and in the image's layers' filesystem.
`ggshield` is a wrapper around GitGuardian API for secrets detection that requires an API key to work.
If the image is not available locally on the user's machine, GitGuardian CLI will attempt to pull the image using `docker pull `.
Preview[](#preview "Direct link to Preview")
----------------------------------------------

Usage[](#usage "Direct link to Usage")
----------------------------------------
* `Docker`: scan a Docker image after exporting its filesystem and manifest with the `docker save` command.
Usage: ggshield secret scan docker [OPTIONS] IMAGE_NAME ggshield will try to pull the image if it's not available locallyOptions: -h, --help Show this message and exit.
Example: `ggshield secret scan docker gitguardian/ggshield`
Example integration (GitHub Actions)[](#example-integration-github-actions "Direct link to Example integration (GitHub Actions)")
-----------------------------------------------------------------------------------------------------------------------------------
In this example integration we build and push the ggshield image on GitHub Actions and then scan this image.
name: cion: push: branches: - 'master'jobs: docker: runs-on: ubuntu-latest services: registry: image: registry:2 ports: - 5000:5000 container: gitguardian/ggshield:latest steps: - name: Checkout uses: actions/checkout@v2 - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: driver-opts: network=host - name: Build and push to local registry uses: docker/build-push-action@v2 with: context: . push: true tags: localhost:5000/gitguardian/ggshield:latest - name: Scan image run: | ggshield secret scan docker localhost:5000/gitguardian/ggshield:latest
#### Was this page helpful?
[](#)
[](#)
* [Prelude](#prelude)
* [Preview](#preview)
* [Usage](#usage)
* [Example integration (GitHub Actions)](#example-integration-github-actions)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Pre-commit | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Pre-commit
==========
Prelude[](#prelude "Direct link to Prelude")
----------------------------------------------
A pre-commit hook is a client-side git hook that runs right before the commit is created. Please refer to [our learning center](https://www.gitguardian.com/glossary/git-hooks)
for more information.
GitGuardian pre-commit hook is performed through our CLI application: [`ggshield`](/ggshield-docs/getting-started)
. `ggshield` is a wrapper around GitGuardian API for secrets detection that requires an API key to work.
Preview[](#preview "Direct link to Preview")
----------------------------------------------

info
Customize the remediation message and add your own to offer developers precise guidance for resolving their code issues and continuing their work.
**[Read more here - GitGuardian CLI custom remediation message](/ggshield-docs/reference/secret/custom-remediation-messages)
**
Installation[](#installation "Direct link to Installation")
-------------------------------------------------------------
### The pre-commit framework[](#the-pre-commit-framework "Direct link to The pre-commit framework")
In order to use `ggshield` with the [pre-commit](https://pre-commit.com/)
framework, you need to perform the following steps.
1. Make sure you have pre-commit installed:
$ pip install pre-commit
2. Create a `.pre-commit-config.yaml` file in your repository's root path with the following content:
repos: - repo: https://github.com/gitguardian/ggshield rev: v1.35.0 hooks: - id: ggshield language_version: python3 stages: [pre-commit]
3. Then install the hook with the command:
$ pre-commit installpre-commit installed at .git/hooks/pre-commit
Now you're good to go!
> Note: If you want to skip all the pre-commit checks, you can add the `-n` parameter as follows:
$ git commit -m "commit message" -n
> Alternatively if you only want to skip ggshield, you can use SKIP=ggshield before the command:
$ SKIP=ggshield git commit -m "commit message"
### Global pre-commit hook[](#global-pre-commit-hook "Direct link to Global pre-commit hook")
To install pre-commit globally (for all current and future repos):
1. Sign in to your GitGuardian workspace and create a Personal Access Token from your [personal settings](https://dashboard.gitguardian.com/api/personal-access-tokens)
.
2. Add this Personal Access Token (API key) to the `GITGUARDIAN_API_KEY` environment variable of your development environment.
3. Execute the following command:
$ ggshield install --mode global
It will:
* verify if a global hook folder is defined in the global git configuration.
* create the `~/.git/hooks` folder (if needed).
* create a `pre-commit` file which will be executed before every commit.
* give executable access to this file.
### Local pre-commit hook[](#local-pre-commit-hook "Direct link to Local pre-commit hook")
You can install the hook locally on desired repositories:
1. Sign in to your GitGuardian workspace and create a Personal Access Token from your [personal settings](https://dashboard.gitguardian.com/api/personal-access-tokens)
.
2. Add this Personal Access Token (API key) to the `GITGUARDIAN_API_KEY` environment variable in your repository.
3. Go in the repository and execute the following command:
$ ggshield install --mode local
Notes:
* If a pre-commit executable file already exists, it will not be overridden. You can force overriding with the `--force` option:
$ ggshield install --mode local --force
* If you already have a pre-commit executable file and you want to use ggshield, all you need to do is to add this line in the file:
$ ggshield secret scan pre-commit
* If you want to try pre-commit scanning through the docker image:
$ docker run -e GITGUARDIAN_API_KEY -v $(pwd):/data --rm gitguardian/ggshield ggshield secret scan pre-commit
#### Was this page helpful?
[](#)
[](#)
* [Prelude](#prelude)
* [Preview](#preview)
* [Installation](#installation)
* [The pre-commit framework](#the-pre-commit-framework)
* [Global pre-commit hook](#global-pre-commit-hook)
* [Local pre-commit hook](#local-pre-commit-hook)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Jira Data Center | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Jira Data Center
================
GitGuardian provides an integration with Jira Data Center to empower users to synchronize their GitGuardian incidents with Jira Data Center issues. This integration aims to streamline incident remediation processes and strengthen alignment with your Software Development Lifecycle (SDLC).
Benefits[](#benefits "Direct link to Benefits")
-------------------------------------------------
This feature streamlines the process of creating issues from GitGuardian incidents:
* Supports both manual and automatic issue creation upon incident detection.
* Enables issue creation directly in the Jira project linked to the GitGuardian Team.
* Provides customizable templates that utilize Jira custom fields and GitGuardian variables for tailored issue descriptions.
* Includes an auto-resolve feature that automatically closes GitGuardian incidents when the corresponding Jira issues are resolved.
Installation[](#installation "Direct link to Installation")
-------------------------------------------------------------
1. Make sure you're logged as an administrator in the Jira Data Center site you want to install
2. Go to the **Profile** page 
3. Go to the **Personal Access Tokens** section and click **Create token** to create a new PAT 
4. Provide a **Token Name**, an optional **Expiry date** and click **Create**
5. Copy your new PAT and click **Close**
6. The integration is available in the settings under [Integrations > Destinations](https://dashboard.gitguardian.com/settings/integrations/destinations)
. It's located in the Issue Tracking section at the bottom of the page. Be careful not to confuse it with the Jira Data Center integration for secret scanning. 
7. Paste your **Jira Data Center site URL**, your **Administrator Personal Access Token** and click **Add**
info
Jira allows the creation of up to 10 PATs. GitGuardian automatically renews PATs before they expire. To do this, you must have at least 2 PAT slots free. Otherwise, an error message will warn you that the integration is no longer functional.
### Project selection[](#project-selection "Direct link to Project selection")
Select Jira projects for synchronization.

* Choose only projects necessary for GitGuardian.
* Avoid creating overly long project lists to simplify selection during manual issue creation.
* Prevent issues in unrelated projects by refining project choices.
### Creating templates and configuring Jira for teams[](#creating-templates-and-configuring-jira-for-teams "Direct link to Creating templates and configuring Jira for teams")
The integration allows you to create templates for automatic issue creation, tailored to your workspace plan:
* **Free Plan Users:** One template applicable to all incidents.
* **Business Plan Users:** Create multiple templates, each assigned to specific teams.
Templates automatically apply to new incidents. A team-specific template is used only for incidents linked to that team. To apply a template across all incidents, associate it with the "All-incidents team."
#### Template functionality[](#template-functionality "Direct link to Template functionality")
The templates are automatically generated based on the Jira template defined for the selected issue type.
* **Required Fields:** Clearly marked as mandatory in the GitGuardian template.
* **Optional Fields:** Can be added as needed.
* **Dynamic UI:** Automatically adjusts based on the type of each field.
#### Supported Jira custom fields[](#supported-jira-custom-fields "Direct link to Supported Jira custom fields")
The integration supports the following Jira custom fields:
* **Selection Fields:** Single/multiple choice, Radio Buttons, Checkboxes
* **Date & Labels:** Date Picker, Labels
* **Text Fields:** Single-line, Multi-line
* **Special Fields:** URL Field, Priority
For unsupported fields, contact our **[support team](mailto:support@gitguardian.com)
**.
#### Steps to create a template[](#steps-to-create-a-template "Direct link to Steps to create a template")
1. Begin by adding an integration to the desired team.

2. Choose the Jira project and the corresponding issue type for the template.

3. Adjust fields as needed and save the template by clicking **Add Integration**.

4. View the configured template under the selected team, including its association with the chosen Jira project.

Additional features[](#additional-features "Direct link to Additional features")
----------------------------------------------------------------------------------
### Issue update[](#issue-update "Direct link to Issue update")
By default, updates from GitGuardian incidents (e.g., status changes, comments, severity changes) are added as comments in Jira issues. This feature can be disabled.
### Auto-resolve[](#auto-resolve "Direct link to Auto-resolve")
When enabled, specify the Jira status that triggers automatic closure of associated incidents. The incident will be marked as resolved when the Jira issue reaches the defined status.

Note: Reopening Jira issues will not reopen incidents.
Manual issue creation[](#manual-issue-creation "Direct link to Manual issue creation")
----------------------------------------------------------------------------------------
It is possible to manually create Jira tickets for incidents that were created **before the Jira/GitGuardian integration was configured** to automatically create tickets for new incidents. Users can do this from either the **incident page** or the **incident list page**, provided that a template is assigned to the user’s team.

The Jira issue will be accessible from the incident page.
caution
Bulk issue creation is not supported.
Uninstallation[](#uninstallation "Direct link to Uninstallation")
-------------------------------------------------------------------
1. Navigate to Settings > Integrations > Destinations > [Jira Data Center](https://dashboard.gitguardian.com/settings/integrations/jira_data_center_notifier)
.
2. Click **Delete** in the site configuration panel.

3. Confirm removal in GitGuardian.
Troubleshooting[](#troubleshooting "Direct link to Troubleshooting")
----------------------------------------------------------------------
If issue creation fails, verify:
* Jira integration user permissions.
* Existence of project/issue types in templates.
* Mandatory fields added to Jira projects after template creation.
* Fields in templates that were deleted from Jira.
For assistance, contact **[support](mailto:support@gitguardian.com)
**.
#### Was this page helpful?
[](#)
[](#)
* [Benefits](#benefits)
* [Installation](#installation)
* [Project selection](#project-selection)
* [Creating templates and configuring Jira for teams](#creating-templates-and-configuring-jira-for-teams)
* [Additional features](#additional-features)
* [Issue update](#issue-update)
* [Auto-resolve](#auto-resolve)
* [Manual issue creation](#manual-issue-creation)
* [Uninstallation](#uninstallation)
* [Troubleshooting](#troubleshooting)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Detect secrets in GitHub PRs | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Detect secrets in GitHub PRs
============================
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
[GitHub Check Runs](https://docs.github.com/en/rest/checks/runs)
will be triggered on GitHub pull requests on repositories monitored by GitGuardian. Secret scans in the context of GitHub Check Runs will run server-side on the VCS, at the post-receive stage.
GitGuardian secret scans run **on each individual commit that makes up the pull request, and not only the final state of the code** in the pull request. This deep scanning helps uncover cases where one commit A adds a secret and one commit B removes the same secret within the same pull request.
This allows the individual developer to get notified when an incident is detected by GitGuardian, **directly in the GitHub interface**. This is particularly useful when a developer opens a pull request to merge an individual branch into a collaborative one. The Check Run will alert the developer before the commits are merged, **limiting the incident to their branch and giving them the opportunity of easier remediation**. The result is secrets-free collaborative branches such as the ones used for QA, staging, and production environments.
How it looks[](#how-it-looks "Direct link to How it looks")
-------------------------------------------------------------
In the GitHub UI, a GitGuardian check run presents **a table with all findings and their relevant details**:
* the **id** of the corresponding secret incident on GitGuardian
* the **status** of the corresponding secret incident on GitGuardian
Keep in mind that if secret incidents are closed on the GitGuardian dashboard, they will no longer be raised by GitHub checkruns.
* the secret type
* the commit sha
* the filename
* and also links to the GitGuardian dashboard if the user wishes to view the incident there and act on it (change status, leave notes, resolve, etc.).


Secrets incidents detected during check runs and raised in the GitGuardian dashboard also link back to the original GitHub pull request.

> Please note that only GitHub pull requests created after February 10th, 2022 will be visible.
Manage your GitHub check runs[](#manage-your-github-check-runs "Direct link to Manage your GitHub check runs")
----------------------------------------------------------------------------------------------------------------
### Activate or deactivate the GitGuardian check runs[](#activate-or-deactivate-the-gitguardian-check-runs "Direct link to Activate or deactivate the GitGuardian check runs")
As a workspace Manager, you can decide to turn the GitHub Check Runs On or Off for the monitored repositories directly in your [GitHub settings page](https://dashboard.gitguardian.com/settings/integrations/github)
or [GitHub Enterprise settings page](https://dashboard.gitguardian.com/settings/integrations/github_enterprise_server)
.

> Note: If you have integrated both GitHub.com and GitHub Enterprise, you will have two different check runs settings.
### Choose the conclusion of check runs when secrets are detected[](#choose-the-conclusion-of-check-runs-when-secrets-are-detected "Direct link to Choose the conclusion of check runs when secrets are detected")
You also have the option to determine the conclusion of the GitHub check runs when secrets are detected. You can choose between two options:
* either `Failed`
This conclusion will **prevent your developers from merging the pull request** if you have protected branches in place, ensuring that your secrets do not make it to production.
To prevent full blockages, GitGuardian provides skip action buttons for developers to bypass blocking check runs. More details can be found below.
* or `Neutral`
This conclusion **does not block pull requests**.
Developers will be notified of secret presence, especially if you enable GitGuardian to post a comment to enhance visibility of detected secrets in the pull request. Refer to the section below for more information.

### Enable or disable skip actions[](#enable-or-disable-skip-actions "Direct link to Enable or disable skip actions")
When the conclusion of the checkruns if secrets are detected is "Failed", pull requests are unable to be merged. However, since the detection of secrets is probabilistic, **GitGuardian offers skip action buttons to prevent complete hindrance to developers**.
These skip actions mirror the ignore reasons available on the dashboard, with the understanding that skipping a checkrun containing a secret is akin to ignoring the associated incident. The available skip actions include:
* `Skip: false positive`
* `Skip: test credential`
* `Skip: low risk`

When a skip action is taken, the corresponding secret incident is tagged to inform dashboard users that a developer intentionally skipped the checkrun after encountering the secret alert. The tags for skipped incidents include:
* `Skipped in check run as false positive`
* `Skipped in check run as test credential`
* `Skipped in check run as low risk`

As a workspace manager, you have the option to disable the ability to skip check runs entirely in [your settings](https://dashboard.gitguardian.com/settings/integrations/github)
.

### Post a comment in the pull request timeline[](#post-a-comment-in-the-pull-request-timeline "Direct link to Post a comment in the pull request timeline")
To extend the visibility of checkrun results and ensure your developers do not miss it, GitGuardian posts a comment when a secret is detected.

Such behavior can be enabled or disabled in [your settings](https://dashboard.gitguardian.com/settings/integrations/github)
by workspace Managers:

### Customize remediation guidelines[](#customize-remediation-guidelines "Direct link to Customize remediation guidelines")
As a workspace Manager, you can customize the remediation guidelines. These guidelines will be displayed in the GitHub interface both in the check run body and in the comment posted on the pull request timeline.

Dependencies[](#dependencies "Direct link to Dependencies")
-------------------------------------------------------------
### GitHub branch protection rule "Require status checks to pass before merging"[](#github-branch-protection-rule-require-status-checks-to-pass-before-merging "Direct link to GitHub branch protection rule "Require status checks to pass before merging"")
When you set up the **Require status checks to pass before merging** branch protection rule on GitHub and require GitGuardian security checks to pass, there are important things you should know:

* Your **repository must be actively monitored by GitGuardian**.
If it is not, GitHub will be waiting for a check run from GitGuardian that will never be provided, causing a perpetual pending check run.

* If the check run conclusion is `Failed`, GitHub will display a specific warning.
The `Neutral` conclusion is considered the same as a successful check run.

### Working with forked repositories[](#working-with-forked-repositories "Direct link to Working with forked repositories")
In a fork process, there are two repositories:
1. **Forked repository**: Your personal copy of the upstream repo, marked as `fork = true` on GitHub.
2. **Upstream repository**: The original repository.
#### Forked repositories[](#forked-repositories "Direct link to Forked repositories")
By default, GitGuardian does **not** generate check runs on monitored forked repositories to prevent rate limiting errors.
This issue arises because many forked repositories automatically generate numerous pull requests to stay up-to-date with their upstream repositories, which often have high activity levels. These automated pull requests are resource-intensive and can lead to rate limiting errors during GitGuardian check runs.
However, managers of workspaces under the Business plan have the option to [enable GitGuardian check runs on their monitored forked repositories](https://dashboard.gitguardian.com/settings/integrations/github)
.

#### Upstream repositories[](#upstream-repositories "Direct link to Upstream repositories")
Check runs are created on monitored upstream repositories.
However, when a pull request originating from a forked repository contains secrets, GitGuardian cannot propose the usual "Skip" actions buttons. In this scenario, GitGuardian provides a simple `Skip` button to avoid blocking the developer.

Going further: customizing check runs on a per-repository basis[](#going-further-customizing-check-runs-on-a-per-repository-basis "Direct link to Going further: customizing check runs on a per-repository basis")
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GitGuardian offers you the ability to customize the behavior of GitGuardian check runs at the repository level by utilizing GitHub's native features to override the configuration set on the GitGuardian dashboard.
### Using GitHub custom properties[](#using-github-custom-properties "Direct link to Using GitHub custom properties")
[GitHub custom properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)
allow you to customize check runs both at the organisation level and the repository level:
* whether the checkrun is present or not
* specifying the conclusion as either `Failed` or `Neutral` when secrets are detected.
* whether the [skip actions](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#enable-or-disable-skip-actions)
are available or not.

> It is crucial to use the exact names of the custom properties given below to ensure the feature functions properly.
#### Overriding check runs presence[](#overriding-check-runs-presence "Direct link to Overriding check runs presence")
| GitGuardian global configuration | Custom property `gitguardian-check-runs-enabled` | | |
| --- | --- | --- | --- |
| | `true` | `false` | `null` |
| Check runs are activated ✅ | check runs will be present ✅ | check runs won’t be present 🚫 | check runs will be present ✅ |
| Check runs are deactivated 🚫 | check runs will be present ✅ | check runs won’t be present 🚫 | check runs won’t be present 🚫 |
#### Overriding check runs conclusion[](#overriding-check-runs-conclusion "Direct link to Overriding check runs conclusion")
| GitGuardian global configuration | Custom property `gitguardian-check-runs-secrets-conclusion` | | |
| --- | --- | --- | --- |
| | `neutral` | `failed` | `null` or other |
| Check runs conclusion if secrets is Neutral ⬛ | check runs conclusion if secrets will be Neutral ⬛ | check runs conclusion if secrets will be Failed ❌ (blocking the PR) | check runs conclusion if secrets will be Neutral ⬛ |
| Check runs conclusion if secrets is Failure ❌ | check runs conclusion if secrets will be Neutral ⬛ | check runs conclusion if secret will be Failed ❌ (blocking the PR) | check runs conclusion if secret will be Failed ❌ (blocking the PR) |
#### Overriding check runs skip actions presence when the conclusion is Failed[](#overriding-check-runs-skip-actions-presence-when-the-conclusion-is-failed "Direct link to Overriding check runs skip actions presence when the conclusion is Failed")
| GitGuardian global configuration | Custom property `gitguardian-check-runs-actions-enabled` | | |
| --- | --- | --- | --- |
| | `true` | `false` | `null` |
| Skip action buttons are enabled ✅ | skip action buttons will be present ✅ | skip action buttons won’t be present 🚫 | skip action buttons will be present ✅ |
| Skip action buttons are disabled 🚫 | skip action buttons will be present ✅ | skip action buttons won’t be present 🚫 | skip action buttons won’t be present 🚫 |
### Using GitHub labels for GitHub Enterprise Server < 3.13[](#using-github-labels-for-github-enterprise-server--313 "Direct link to Using GitHub labels for GitHub Enterprise Server < 3.13")
info
[Custom properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)
are available starting from GitHub Enterprise Server version 3.13.
If you are using a GitHub Enterprise Server version earlier than 3.13, you will need to use [GitHub labels](https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels)
to customize your check runs.
Please get in touch with your account manager to have this feature activated.
On GitHub Enterprise Server < 3.13, [GitHub labels](https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels)
allow you to customize check runs at the repository level:
* whether the check run is present or not.
* specifying the conclusion as either `Failed` or `Neutral` when secrets are detected.
* whether the [skip actions](/secrets-detection/secrets-detection-in-sdlc/detect-secrets-in-real-time-in-github#enable-or-disable-skip-actions)
are available or not.

> You are free to customize the label's description and color, but it is essential that the label name remains exact.
#### Overriding check runs presence[](#overriding-check-runs-presence-1 "Direct link to Overriding check runs presence")
| GitGuardian global configuration | GitHub Enterprise repository labels | | | |
| --- | --- | --- | --- | --- |
| | `gitguardian:check-runs-enabled` | `gitguardian:check-runs-disabled` | No labels | Both labels present |
| Check runs are activated ✅ | check runs will be present ✅ | check runs won’t be present 🚫 | check runs will be present ✅ | check runs will be present ✅ |
| Check runs are deactivated 🚫 | check runs will be present ✅ | check runs won’t be present 🚫 | check runs won’t be present 🚫 | check runs will be present ✅ |
#### Overriding check runs conclusion[](#overriding-check-runs-conclusion-1 "Direct link to Overriding check runs conclusion")
| GitGuardian global configuration | GitHub Enterprise repository labels | | | |
| --- | --- | --- | --- | --- |
| | `gitguardian:check-runs-secrets-conclusion-neutral` | `gitguardian:check-runs-secrets-conclusion-failed` | No labels | Both labels present |
| Check runs conclusion if secrets is Neutral ⬛ | check runs conclusion if secrets will be Neutral ⬛ | check runs conclusion if secrets will be Failed ❌ (blocking the PR) | check runs conclusion if secrets will be Neutral ⬛ | check runs conclusion if secrets will be Neutral ⬛ |
| Check runs conclusion if secrets is Failure ❌ | check runs conclusion if secrets will be Neutral ⬛ | check runs conclusion if secret will be Failed ❌ (blocking the PR) | check runs conclusion if secret will be Failed ❌ (blocking the PR) | check runs conclusion if secrets will be Neutral ⬛ |
#### Overriding check runs skip actions presence when the conclusion is Failed[](#overriding-check-runs-skip-actions-presence-when-the-conclusion-is-failed-1 "Direct link to Overriding check runs skip actions presence when the conclusion is Failed")
| GitGuardian global configuration | GitHub Enterprise repository labels | | | |
| --- | --- | --- | --- | --- |
| | `gitguardian:check-runs-actions-enabled` | `gitguardian:check-runs-actions-disabled` | No labels | Both labels present |
| Skip action buttons are enabled ✅ | skip action buttons will be present ✅ | skip action buttons won’t be present 🚫 | skip action buttons will be present ✅ | skip action buttons will be present ✅ |
| Skip action buttons are disabled 🚫 | skip action buttons will be present ✅ | skip action buttons won’t be present 🚫 | skip action buttons won’t be present 🚫 | skip action buttons will be present ✅ |
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [How it looks](#how-it-looks)
* [Manage your GitHub check runs](#manage-your-github-check-runs)
* [Activate or deactivate the GitGuardian check runs](#activate-or-deactivate-the-gitguardian-check-runs)
* [Choose the conclusion of check runs when secrets are detected](#choose-the-conclusion-of-check-runs-when-secrets-are-detected)
* [Enable or disable skip actions](#enable-or-disable-skip-actions)
* [Post a comment in the pull request timeline](#post-a-comment-in-the-pull-request-timeline)
* [Customize remediation guidelines](#customize-remediation-guidelines)
* [Dependencies](#dependencies)
* [GitHub branch protection rule "Require status checks to pass before merging"](#github-branch-protection-rule-require-status-checks-to-pass-before-merging)
* [Working with forked repositories](#working-with-forked-repositories)
* [Going further: customizing check runs on a per-repository basis](#going-further-customizing-check-runs-on-a-per-repository-basis)
* [Using GitHub custom properties](#using-github-custom-properties)
* [Using GitHub labels for GitHub Enterprise Server < 3.13](#using-github-labels-for-github-enterprise-server--313)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Detect secrets on developer workstations | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Detect secrets on developer workstations
========================================
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
Secrets detection can be integrated very early on in the development process. GitGuardian empowers developers, with [ggshield (our command-line interface application)](/ggshield-docs/home)
to scan their commits for hardcoded secrets before pushing them.
The cost of fixing hardcoded secrets is much lower at this stage than once they have reached the central/shared repository, hence the importance of shifting security left and providing developers with early and frequent feedback.
ggshield can be integrated into git hooks to automatically scan code before committing staged changes (pre-commit hook) or before pushing code to the shared repository (pre-push hook).
What are git hooks?
Like many Version Control Systems, git has a way to fire off custom scripts when certain actions are triggered. There are two groups of these hooks: client-side and server-side. Client-side hooks are triggered by operations such as committing and merging, while server-side hooks run on network operations such as receiving pushed commits. The custom scripts running in git hooks can be used for a variety of purposes like linting, testing, and running security scans on your code.
Getting started with ggshield[](#getting-started-with-ggshield "Direct link to Getting started with ggshield")
----------------------------------------------------------------------------------------------------------------
1. Set up [ggshield on your workstation](/ggshield-docs/getting-started)
2. Configure the git hooks with ggshield:
* [pre-commit hook](/ggshield-docs/integrations/git-hooks/pre-commit)
* [pre-push hook](/ggshield-docs/integrations/git-hooks/pre-push)
Additional resources[](#additional-resources "Direct link to Additional resources")
-------------------------------------------------------------------------------------
* [How To Use ggshield To Avoid Hardcoded Secrets \[cheat sheet included\]](https://blog.gitguardian.com/how-to-use-ggshield-to-avoid-hardcoded-secrets-cheat-sheet-included/)
* [Using ggshield Throughout The Software Development Lifecycle - A Developer's View of GitGuardian \[video\]](https://www.youtube.com/watch?v=diuBTBjx7Qc)
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [Getting started with ggshield](#getting-started-with-ggshield)
* [Additional resources](#additional-resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# Detect secrets in CI pipelines | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
Detect secrets in CI pipelines
==============================
Overview[](#overview "Direct link to Overview")
-------------------------------------------------
For vulnerabilities that are only exploitable during runtime like buffer overflows, SQL injections, or cross-site scripting, application security testing in the CI pipelines often translates into considerably shorter fix times. In the case of hardcoded credentials, the situation is different. No gains are to be expected in terms of remediation when comparing incidents that surface here against those that are found through the VCS integration (as a matter of fact, incidents detected during CI scans are also raised in the GitGuardian dashboard, since the remote branches live in the centralized repository).
You should regard secrets that enter centralized remote repositories as compromised, no matter how they found their way inside. The remediation process needs to get triggered in full in such a case; you should revoke and rotate the credentials before re-running security checks again.
### Advantages[](#advantages "Direct link to Advantages")
Automating security testing in the CI pipelines is a great strategy to quickly raise the awareness of both developer and DevOps engineering teams around the problem of hardcoded secrets.
### Integrate ggshield in CI workflows[](#integrate-ggshield-in-ci-workflows "Direct link to Integrate ggshield in CI workflows")
1. [Create a service account](/api-docs/service-accounts)
for the GitGuardian API
2. Set up CI/CD Integrations with ggshield
1. [Jenkins CI](/ggshield-docs/integrations/cicd-integrations/jenkins-ci)
2. [GitHub Actions](/ggshield-docs/integrations/cicd-integrations/github-actions)
3. [GitLab CI/CD](/ggshield-docs/integrations/cicd-integrations/gitlab-pipelines)
4. [Azure pipelines](/ggshield-docs/integrations/cicd-integrations/azure-pipelines)
5. [Bitbucket pipelines](/ggshield-docs/integrations/cicd-integrations/bitbucket-pipelines)
6. [Circle CI](/ggshield-docs/integrations/cicd-integrations/circle-ci)
7. [Drone CI](/ggshield-docs/integrations/cicd-integrations/drone-ci)
8. [Travis CI](/ggshield-docs/integrations/cicd-integrations/travis-ci)
9. [Scan Docker images](/ggshield-docs/integrations/docker/docker_image)
after the build job
#### Was this page helpful?
[](#)
[](#)
* [Overview](#overview)
* [Advantages](#advantages)
* [Integrate ggshield in CI workflows](#integrate-ggshield-in-ci-workflows)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# IP allowlist for workspace access | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
IP allowlist for workspace access
=================================
The IP Allowlist enables customers to restrict access to their workspace, including both the dashboard and the public API, to trusted IP addresses or IP ranges. This feature is designed to enhance security by ensuring that only approved IPs can interact with your GitGuardian resources.
Business accounts only
This feature is reserved to workspaces with Business access (Business or Business trial plans). After the end of a Business trial, any IP restriction will be lifted.
Not available on self-hosted environments
This feature is not supported on self-hosted environments, as there are alternative methods to restrict access in those scenarios.
Configuring the IP allowlist[](#configuring-the-ip-allowlist "Direct link to Configuring the IP allowlist")
-------------------------------------------------------------------------------------------------------------
Configuring and enabling the allowlist can be done only by workspace managers.
1. Navigate to Settings > Authentication > IP allowlist
2. Add IP addresses or ranges: in the IP Allowlist management section, enter the IP addresses or IP ranges (in CIDR notation) that you wish to allow, and enter a description. Note that only IPv4 addresses are supported.
3. Enable IP Allowlist: once the necessary IP addresses or ranges are added, toggle the IP restriction option to enable it.
Workspace managers can subsequently edit or delete IP addresses or IP ranges through the same settings section.

Blocked Resources[](#blocked-resources "Direct link to Blocked Resources")
----------------------------------------------------------------------------
Once the IP Allowlist is enabled, the restriction applies to all resources within your GitGuardian workspace:
* **UI:** Users without an allowed IP address will be blocked from accessing the dashboard.
* **API and ggshield:** The API, and as a consequence the ggshield cli that relies on it, will be subject to the same IP restrictions.
caution
If you are using ggshield in CI/CD pipelines or in pre-receive hooks, you must ensure that the IPs from your version control system (VCS) or CI/CD runners are added to the allowlist to avoid any disruptions.
#### Was this page helpful?
[](#)
[](#)
* [Configuring the IP allowlist](#configuring-the-ip-allowlist)
* [Blocked Resources](#blocked-resources)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---
# GitLab OAuth Application Token | GitGuardian documentation
[Skip to main content](#__docusaurus_skipToContent_fallback)
On this page
GitLab OAuth Application Token
==============================
Description[](#description "Direct link to Description")
----------------------------------------------------------
### General[](#general "Direct link to General")
* **Documentation**: [https://docs.gitlab.com/ee/integration/oauth\_provider.html](https://docs.gitlab.com/ee/integration/oauth_provider.html)
* **Summary**: GitLab can be used as an OAuth 2 authentication identity provider by adding the following types of OAuth 2 applications to an instance: user owned application, group owned application, or instance-wide application.
* **IPs allowlist**: This feature isn't specified.
* **Scopes**: Different permission levels are associated by default with each type of application and can be further specified (see full [documentation](https://docs.gitlab.com/ee/user/permissions.html)
).
### Revoke the secret[](#revoke-the-secret "Direct link to Revoke the secret")
A token can be revoked using [`revoke` endpoint](https://docs.gitlab.com/ee/api/oauth2.html#revoke-a-token)
.
### Check for suspicious activity[](#check-for-suspicious-activity "Direct link to Check for suspicious activity")
This feature isn't specified.
### Details for `Gitlab oauth application token`[](#details-for-gitlab-oauth-application-token "Direct link to details-for-gitlab-oauth-application-token")
* **Family:** Api
* **Category:** Version control platform
* **Company:** GitLab
* **High recall:** True
* **Validity check available:** False
* **Minimum number of matches:** 1
* **Occurrences found for one million commits:** 1.821
* **Prefixed:** True
* **PreValidators**:
- type: ContentWhitelistPreValidator patterns: - gloas-
### Examples[](#examples "Direct link to Examples")
- text: | +GITLAB_CLIENT_SECRET=gloas-74923caa0ca5708d7b3761335c6043cb5343ae1ee2a9da3dba9539183710cf20 apikey: gloas-74923caa0ca5708d7b3761335c6043cb5343ae1ee2a9da3dba9539183710cf20- text: | +GITLAB_APP_SECRET=gloas-9fbfc0e6d3c6425128a94df258b27a5e39f3bd4b33d108d8a017bf9a3c7774d2 apikey: gloas-9fbfc0e6d3c6425128a94df258b27a5e39f3bd4b33d108d8a017bf9a3c7774d2- text: | +spring.security.oauth2.client.registration.gitlab.client-secret=gloas-36c3c720c9025afca1dc3e6423ec9fd09a0de3d206bb80385764a29c111229a4 apikey: gloas-36c3c720c9025afca1dc3e6423ec9fd09a0de3d206bb80385764a29c111229a4
#### Was this page helpful?
[](#)
[](#)
* [Description](#description)
* [General](#general)
* [Revoke the secret](#revoke-the-secret)
* [Check for suspicious activity](#check-for-suspicious-activity)
* [Details for `Gitlab oauth application token`](#details-for-gitlab-oauth-application-token)
* [Examples](#examples)
[](https://www.gitguardian.com/)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://www.gitguardian.com/legal/public-security-policy)
[](https://twitter.com/gitguardian?lang=en)
[](https://www.linkedin.com/company/gitguardian/)
[](https://www.youtube.com/channel/UCHGxYyzf4eXzpMz5kyqVZSQ)
[](https://github.com/GitGuardian)
[](https://www.facebook.com/GitGuardian/)
Something we didn’t cover?
--------------------------
[\
\
See our Roadmap\
===============](https://roadmap.gitguardian.com/)
[\
\
Subscribe on GitHub\
===================](https://github.com/GitGuardian)
[\
\
Submit a request\
================](https://roadmap.gitguardian.com/tabs/10-ongoing/submit-idea)
[\
\
API status\
==========](https://status.gitguardian.com/)
Subscribe to our newsletter
---------------------------
By submitting this form, I agree to GitGuardian’s [Privacy Policy](https://www.gitguardian.com/legal/privacy-policy)
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
---