Secret synchronization
The `sync-secrets` command lets ggscout receive secrets from your GitGuardian platform and write them directly into your integrated secrets managers. This gives you a controlled way to provision secrets discovered elsewhere into your vault infrastructure, without anyone copying the secret value by hand.
How sync-secrets Works
- GitGuardian identifies unvaulted secrets in your monitored sources
- You mark secrets for vaulting through the GitGuardian platform
- ggscout receives the sync instructions from GitGuardian when it runs `sync-secrets`
- ggscout writes the secrets to your configured destination integrations
Example Workflow
- Secret Discovery: GitGuardian finds a leaked secret in your code. Thanks to the inventory provided by ggscout, you can see that this secret is not vaulted.
- Platform Review: the security team reviews the secret in the GitGuardian platform.
- Mark for Vaulting: the team marks the secret to be moved to HashiCorp Vault.
- Automatic Sync: the `ggscout sync-secrets` command receives the instruction on its next run.
- Vault Writing: the secret is securely written to the specified Vault path.
- Confirmation: the GitGuardian platform is notified of the successful vaulting.
Requirements
To use the `sync-secrets` command, you need:
- A GitGuardian API token with the `nhi:write-vault` scope. See GitGuardian Authentication for setup instructions.
- An integration configured in `read/write` or `write` mode. Only certain integrations support writing.
- Write permissions in the destination secrets manager for the identity ggscout authenticates with.
Command Usage
```bash
# Write secrets from GitGuardian directly into your destination integration
ggscout sync-secrets config.toml
```
The `sync-secrets` command is typically run on a schedule (every minute in production deployments). Because ggscout only receives sync instructions while the command is running, the schedule period bounds the delay between marking a secret for vaulting in the GitGuardian platform and its arrival in the vault.
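The once-a-minute schedule above is usually driven by cron, and a wrapper is worth having so that a slow or hung run cannot overlap the next tick and so that nothing sensitive lands in the log. The following POSIX sh script is an added example, not ggscout's own code or part of the GitGuardian documentation. It assumes ggscout is on PATH (or named by the hypothetical `GGSCOUT_BIN` variable), that the config path is passed as the first argument, and that the GitGuardian token reaches ggscout through its own configuration; the lock directory, timeout and log path are the wrapper's own conventions.

```shell
#!/bin/sh
# Added example, not ggscout's own code: cron wrapper for `ggscout sync-secrets`.
# Assumptions (not from the docs): GGSCOUT_BIN, GGSCOUT_LOCK_DIR and
# GGSCOUT_TIMEOUT are this wrapper's variables; the config is the first argument.

# acquire_lock DIR: atomic mkdir lock that records our PID. If the recorded
# owner of an existing lock is dead (a previous run was killed mid-sync),
# the stale lock is reclaimed instead of blocking every later run.
acquire_lock() {
    lock="$1"
    if mkdir "$lock" 2>/dev/null; then
        echo "$$" > "$lock/pid"
        return 0
    fi
    owner=$(cat "$lock/pid" 2>/dev/null)
    if [ -n "$owner" ] && ! kill -0 "$owner" 2>/dev/null; then
        echo "sync-secrets: reclaiming stale lock left by pid $owner" >&2
        rm -rf "$lock"
        mkdir "$lock" 2>/dev/null && echo "$$" > "$lock/pid" && return 0
    fi
    return 1
}

# run_sync CONFIG: one sync-secrets pass.
# Exit codes: 66 config unreadable, 75 (EX_TEMPFAIL) a run is already in
# progress, 124 killed by the timeout, otherwise ggscout's own exit status.
run_sync() {
    config="$1"
    bin="${GGSCOUT_BIN:-ggscout}"
    lock="${GGSCOUT_LOCK_DIR:-/tmp/ggscout-sync-secrets.lock}"
    limit="${GGSCOUT_TIMEOUT:-50}"   # seconds, kept under the 60 s cron period

    if [ ! -r "$config" ]; then
        echo "sync-secrets: config not readable: $config" >&2
        return 66
    fi
    if ! acquire_lock "$lock"; then
        echo "sync-secrets: previous run still in progress, skipping" >&2
        return 75
    fi

    # Bound the run so a hung integration cannot stack up minute after minute.
    if [ "$limit" -gt 0 ] 2>/dev/null && command -v timeout >/dev/null 2>&1; then
        timeout "$limit" "$bin" sync-secrets "$config"
    else
        "$bin" sync-secrets "$config"
    fi
    status=$?
    rm -rf "$lock"

    # Log only the time and exit status; never echo config contents or tokens.
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) sync-secrets exit=$status" >&2
    return "$status"
}

# cron_entry WRAPPER CONFIG: the crontab line for the every-minute schedule.
cron_entry() {
    echo "* * * * * $1 $2 >>/var/log/ggscout-sync.log 2>&1"
}

# When invoked as a script with the config path, run one pass.
if [ $# -eq 1 ]; then
    run_sync "$1"
    exit $?
fi
```

Install the wrapper once and add the line printed by `cron_entry` to the crontab of the account that runs ggscout; the 75 exit code is the conventional "try again later" signal, so a skipped tick is not an error and the next minute's run picks up the pending instructions.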
Integration Write Support
Not all integrations support writing secrets. The table below shows which integrations support the `sync-secrets` command:
Integration Type | Integration Name | Write Support | Notes |
---|---|---|---|
Secrets Managers | HashiCorp Vault (`hashicorpvault`) |