GitGuardian Scout (ggscout)
Collect and monitor vaulted secrets in your production environment and leverage vaulted insights to bootstrap incident remediation!
Overview
GitGuardian Scout (ggscout) is a command-line application that creates an inventory of secrets stored in your Secrets Managers and reconciles this inventory with secrets detected by GitGuardian across your infrastructure.
When a secret is leaked or exposed, the critical questions are: Is this secret in production? Where is it used? How urgent is the remediation? ggscout provides the answers by:
- Creating a complete inventory of your production secrets from HashiCorp Vault, AWS Secrets Manager, and other Secrets Managers
- Hashing secrets locally using the HMSL algorithm - secrets never leave your infrastructure in clear text
- Enriching incidents with metadata (vault paths, lease times, associated applications) to improve prioritization
- Identifying unvaulted secrets and optionally pushing them to your Secrets Manager to streamline remediation
Key Benefits
- Security-First Design: All secrets are hashed locally before transmission - no clear-text secrets ever leave your infrastructure
- Flexible Deployment: Run as a CLI for testing, via Docker for scheduled jobs, or on Kubernetes for production
- Comprehensive Integrations: Supports HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and more
- Auditable: Run in fetch-only mode to audit exactly what data is collected and sent to GitGuardian
Getting Started
New to ggscout? Start with "What is ggscout?" to understand the problem it solves and how it works. Then follow the "Deploy and configure ggscout" guide to get started with a quick local test or production deployment.