Validate and roll out
Validate through a pilot phase on 10-20 machines
Before broad rollout, deploy to 10–20 closely monitored machines and confirm all of the following:
- ggshield installs successfully.
- ggshield --version works.
- ggshield plugin list shows machine_scan for the scan user.
- The scheduled job runs without user interaction.
- ggshield machine inventory exits successfully.
- Scan duration is acceptable.
- Users do not report noticeable performance issues.
- The SAT does not appear in logs, command lines, or output.
Only continue to percentage-based rollout after this first group is healthy.
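The CLI items in the checklist above can be scripted and run on each pilot machine. The following is an added example, not GitGuardian's own tooling: GGSHIELD, MAX_SECONDS, and the token-file and log-file arguments are assumptions, and the SAT check covers captured command output and the log files you pass in, not process command lines.

```shell
#!/usr/bin/env bash
# Added example: per-machine pilot check. Run it as the scan user.
# Hypothetical knobs (not from the GitGuardian docs): GGSHIELD, MAX_SECONDS,
# and the token-file / log-file arguments.
# Usage: pilot_check <file-holding-the-SAT> <job-log> [<job-log> ...]
GGSHIELD="${GGSHIELD:-ggshield}"
MAX_SECONDS="${MAX_SECONDS:-600}"   # constructed budget for "acceptable" duration

# Exit 0 if the token in file $1 occurs in any later file, 1 if not, 2 on error.
# grep reads the token with -f, so it never lands in a process command line.
sat_leaked() {
  local sat_file="$1"
  shift
  [ -s "$sat_file" ] || return 2
  # A blank pattern line would match every line, so refuse it.
  if grep -q '^$' "$sat_file"; then return 2; fi
  grep -qF -f "$sat_file" -- "$@" 2>/dev/null
}

pilot_check() {
  local sat_file="$1" out plugins start elapsed leak=0 rc=0
  shift                                   # remaining args: job log files
  out="$(mktemp)" || return 1             # private temp file, removed below
  "$GGSHIELD" --version >>"$out" 2>&1 || { echo "FAIL: ggshield --version"; rc=1; }
  plugins="$("$GGSHIELD" plugin list 2>&1)" || rc=1
  printf '%s\n' "$plugins" >>"$out"
  case "$plugins" in
    *machine_scan*) ;;
    *) echo "FAIL: machine_scan not in plugin list"; rc=1 ;;
  esac
  start="$(date +%s)"
  # stdin is /dev/null: a prompt gets EOF instead of waiting on a user.
  "$GGSHIELD" machine inventory >>"$out" 2>&1 </dev/null \
    || { echo "FAIL: ggshield machine inventory"; rc=1; }
  elapsed=$(( $(date +%s) - start ))
  [ "$elapsed" -le "$MAX_SECONDS" ] || { echo "FAIL: scan took ${elapsed}s"; rc=1; }
  sat_leaked "$sat_file" "$out" "$@" || leak=$?
  case "$leak" in
    0) echo "FAIL: SAT found in output or logs"; rc=1 ;;
    1) ;;                                 # no match: the healthy case
    *) echo "FAIL: leak check could not run"; rc=1 ;;
  esac
  rm -f "$out"
  return "$rc"
}
```

A nonzero return from pilot_check marks the machine as unhealthy for the pilot gate; the leak check fails closed when a log file is missing or unreadable.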
Confirm visibility in the Endpoints dashboard
In your GitGuardian dashboard, open Endpoints and verify the pilot machines appear as expected:
- The machines table lists each pilot endpoint with a latest endpoint scan time (not Never scanned).
- Fleet KPIs reflect the pilot group (for example, Recently scanned or Active counts increase after scans run).
- Opening a machine shows Local scanning with severity counts and a ggshield scanner version on the latest scan.
- The Overview tab Discovered secrets table loads for machines where the scan found credentials (an empty table is acceptable on a clean test machine).
- Optional: if AI Agents is enabled on your workspace, the tab loads without error for a scanned machine.
For CLI and MDM checks above, see Deploy ggshield at scale with a service account token. For capability context, see Core concepts.
Roll out at scale
Here is the suggested rollout path:
10-20 monitored machines → 1% → 10% → 25% → 50% → 100%
                         |    |     |     |     |
                         +----+-----+-----+-----+-- pause / rollback gates
We recommend the following approaches for a successful scaled rollout:
- Split waves by region, timezone, business unit, OS, or device type.
- Spread first scans across hours or days, not minutes.
- Use package caching or internal distribution for very large fleets.
- Monitor errors and endpoint impact before each increase.
- Keep rollback simple: disable the scheduled scan first, then remove components if required.