What is ggscout?
GitGuardian Scout is an application that allows you to collect the secrets of your Non-Human Identities (NHIs) and their metadata from your Secret Managers.
Once the data is available in your GitGuardian dashboard, the reconciliation with your Secret Incidents will help you address three main use cases:
- Extend the detection coverage: by enumerating new secrets from the vault, you will be able to assess whether they were compromised in your perimeter.
- Help in the prioritization process: by leveraging vaulted secrets metadata, you will get more context such as the path, lease time, etc., and you will ultimately prioritize incident remediation more effectively.
- Bootstrap incident remediation: by identifying unvaulted secrets, you will have the ability to insert them in the vault and streamline the remediation with your developers.
Secret values will never leave your environment in the clear!
Secret values are hashed using the HMSL hashing algorithm before they are sent to your GitGuardian workspace. Other non-sensitive metadata like the secret names, paths in the vault, creation date, lease time, etc. are also collected to help you in the remediation process.
Safely collect secrets to ease incident remediation
Once you have deployed and configured the Scout in your environment, it runs as follows:
- It collects the secrets and associated metadata from the Secret Managers you configured.
- It hashes the secrets using the HMSL hashing algorithm.
- It sends the collected data to GitGuardian and reconciles it with existing secrets incidents.
That’s it, you can start leveraging these capabilities from your GitGuardian Platform!
Safely store unvaulted secrets
With ggscout, you will be able to identify unvaulted secrets from your incidents list.
What’s more, you will also be able to push these secrets to your Secret Managers and bootstrap the remediation of these incidents!
Here is the standard scenario:
- Once a secret incident is prioritized, you can insert the secret within your Secret Manager
- Your developers fix their code by properly invoking the secret from the right path provided in the Secret Incident detail
- Once the code fixing is done, revoke the right secret from the vault using the hyperlink provided in the Secret Incident detail
ggscout supports this entire process using the following simple flow:
- ggscout retrieves the secret incident that has not yet been vaulted.
- ggscout writes the secret to the specified location.
You can choose not to grant write access.
You can also restrict the locations where the scout can write secrets (e.g., a temporary path specific to ggscout).
Keep full authority on ggscout execution
No sensitive information ever leaves your infrastructure.
Having an external program like ggscout allows you to:
- Have your team control its execution and access (e.g. granting partial access, or running one instance with read access and another with write access)
- Have your team monitor what data is being processed
ggscout is auditable.
- You can run the fetch-only mode and write a JSON report to your disk so that you can audit the data collected by ggscout and ensure no secret values in the clear are collected. The data available in the report is exactly the data sent to GitGuardian in the default mode.
- You can request access to the source code.
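One way to turn that audit into a repeatable check, as an added example that is not ggscout's own code: walk a fetch-only report and confirm that none of the plaintext values you hold appear in it (plain or base64-encoded) and that every hash field looks like a hex digest. The report field names (`secrets`, `name`, `path`, `hash`) and the minimum digest length are assumptions for this example; the page does not document the real report layout or the HMSL digest format.

```python
import base64
import json
import re
from typing import Any, Iterator

# Constructed sample report. The field names are an assumption made for this
# example; the page does not document the real ggscout report layout.
SAMPLE_REPORT = json.dumps({
    "source": "vault-prod",
    "secrets": [
        {"name": "db/password", "path": "secret/app/db", "hash": "a3" * 32,
         "created_at": "2024-01-01T00:00:00Z"},
        {"name": "api/token", "path": "secret/app/api", "hash": "5f" * 32},
    ],
})

# Plaintext values the operator already holds (constructed here); in practice
# they would be read from the vault the report was generated against.
KNOWN_PLAINTEXT = ["hunter2-db-password", "tok_live_EXAMPLE"]

# Assumed shape of an acceptable hash field: lowercase hex, at least 32 chars.
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$")


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string value anywhere in a nested JSON structure."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)
    elif isinstance(node, str):
        yield node


def encodings(secret: str) -> set[str]:
    """Plain, standard base64 and unpadded URL-safe base64 forms of a secret."""
    raw = secret.encode()
    return {secret,
            base64.b64encode(raw).decode(),
            base64.urlsafe_b64encode(raw).decode().rstrip("=")}


def audit_report(report_json: str, known_plaintext: list[str]) -> list[str]:
    """Return findings (one string each); an empty list means the report passed."""
    report = json.loads(report_json)
    strings = list(iter_strings(report))
    findings = []
    for index, secret in enumerate(known_plaintext):
        # Report the position only, so the finding itself never echoes the secret.
        if any(form in s for form in encodings(secret) for s in strings):
            findings.append(f"known plaintext #{index} present in report")
    for entry in report.get("secrets", []):
        if not HEX_DIGEST.match(entry.get("hash", "")):
            findings.append(f"{entry.get('name')}: hash field is not a hex digest")
    return findings
```

Run it against the report ggscout wrote and treat any non-empty result as a reason not to switch the instance out of fetch-only mode.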