Integrate Gerrit
Monitor Gerrit repositories for exposed secrets in source files, configuration files, and commit histories.
Why monitor Gerrit?
Gerrit is widely used for enterprise code review workflows, often hosting sensitive internal repositories. When developers commit credentials or API tokens, those secrets become part of the permanent git history and can be exposed to anyone with repository access, putting internal systems and infrastructure at risk.
Capabilities
| Feature | Support | Details |
|---|---|---|
| Historical Scanning | ✅ (Supported) | Complete repository history analysis |
| Real-time Detection | ⚠️ (Requires plugin) | Instant detection via the Gerrit webhook plugin |
| Monitored Perimeter | ✅ (Supported) | Granular monitoring of your repositories |
| Team Perimeter | ✅ (Supported) | Team-based access control |
| Presence Check | ✅ (Supported) | Verify if secrets are still accessible |
| File Attachments | ❌ (Not Supported) | Not applicable for code repositories |
What we scan:
- Source code files, configuration files, and raw text files
- All repository branches and commit history
Without the Gerrit webhook plugin, only historical scanning is available. Real-time detection of new commits requires the plugin to be installed on your Gerrit instance. See Real-time scanning for details.
Setup
Prerequisites:
- Owner or Manager account on your GitGuardian Dashboard
- A Gerrit HTTP username and HTTP password (not your SSH or Git credentials - generate these in your Gerrit account settings under HTTP Credentials)
- Gerrit admin access to the instance you want to monitor
- Network connectivity between GitGuardian and your self-hosted services. Check out GitGuardian Bridge to enable secure connections between GitGuardian SaaS and your self-hosted services in private networks.
Connect your Gerrit instance
1. Navigate to Settings > Integrations > Sources.
2. Click Configure for Gerrit.
3. Submit your Gerrit instance URL, HTTP username, and HTTP password.
   Caution: The Gerrit instance URL must be prefixed with `https://`. Instances without a secure connection won't be monitored.
4. GitGuardian will instantly start scanning your Gerrit instance. You can see the repositories monitored in your Gerrit settings page by clicking on See my Gerrit perimeter.
We recommend using a dedicated bot user to generate the HTTP credentials. This avoids disruption if an individual user's account is removed.
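Before entering the instance in the dashboard, it helps to confirm the two things the steps above depend on: that the URL is `https://` and that the HTTP username / HTTP password pair (not an SSH key or Git password) actually authenticates. The following pre-flight check is an added example, not GitGuardian's or Gerrit's own code. It relies on the public Gerrit REST API (authenticated endpoints live under `/a/`, every JSON body starts with the `)]}'` anti-XSSI prefix); the hostname `gerrit.example.com`, the `gitguardian-bot` account and the sample responses are constructed placeholders.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Gerrit prepends this to every JSON response body to defeat cross-site script
# inclusion; it must be stripped before json.loads() (public Gerrit REST API behaviour).
XSSI_PREFIX = ")]}'"


def validate_instance_url(url: str) -> str:
    """Enforce the https:// requirement from the setup steps; return the URL without a trailing slash."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Gerrit instance URL must start with https://, got {url!r}")
    return url.rstrip("/")


def strip_xssi_prefix(body: str) -> str:
    """Remove Gerrit's )]}' anti-XSSI prefix and the newline that follows it."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return body.lstrip()


def basic_auth_header(username: str, http_password: str) -> str:
    """HTTP Basic header built from a Gerrit HTTP username / HTTP password pair."""
    token = base64.b64encode(f"{username}:{http_password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _http_get(url: str, auth_header: str) -> str:
    """Real transport: one authenticated GET, returning the raw response body."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def check_gerrit_source(url: str, username: str, http_password: str, get=_http_get) -> dict:
    """Validate the URL, authenticate, and list the projects the credentials can see.

    A 401 from /a/accounts/self almost always means an SSH key or Git password was
    supplied instead of the HTTP password generated under HTTP Credentials in Gerrit.
    """
    base = validate_instance_url(url)
    auth = basic_auth_header(username, http_password)
    try:
        account = json.loads(strip_xssi_prefix(get(f"{base}/a/accounts/self", auth)))
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise PermissionError(
                "Gerrit rejected the credentials: use the HTTP password from the "
                "HTTP Credentials page, not SSH or Git credentials"
            ) from exc
        raise
    # /a/projects/ returns {project_name: ProjectInfo}; these names are the
    # repositories that will show up in the GitGuardian perimeter.
    projects = json.loads(strip_xssi_prefix(get(f"{base}/a/projects/", auth)))
    return {"account": account.get("username"), "projects": sorted(projects)}


# --- Constructed sample responses so the check can be exercised offline ---------
SAMPLE_RESPONSES = {
    "/a/accounts/self": ")]}'\n{\"_account_id\": 1000042, \"username\": \"gitguardian-bot\"}",
    "/a/projects/": ")]}'\n{\"payments/api\": {\"id\": \"payments%2Fapi\"}, "
                    "\"infra/terraform\": {\"id\": \"infra%2Fterraform\"}}",
}


def sample_get(url: str, auth_header: str) -> str:
    """Fake transport that serves the constructed responses above."""
    for path, body in SAMPLE_RESPONSES.items():
        if url.endswith(path):
            return body
    raise KeyError(url)


def rejecting_get(url: str, auth_header: str) -> str:
    """Fake transport that behaves like Gerrit when the HTTP password is wrong."""
    raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)


def demo() -> dict:
    """Run the check against the constructed instance (hostname, bot user and password are placeholders)."""
    return check_gerrit_source("https://gerrit.example.com/", "gitguardian-bot",
                               "constructed-http-password", get=sample_get)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        print(check_gerrit_source(sys.argv[1], sys.argv[2], sys.argv[3]))  # live check
    else:
        print(demo())
```

Run it with `python check.py https://gerrit.example.com gitguardian-bot <http-password>` to test a real instance; with no arguments it runs against the constructed responses. Listing `/a/projects/` with the same credentials is a quick way to see which repositories the bot user can actually read, which is exactly the set GitGuardian will be able to include in the perimeter.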
Optional: read replica
If your Gerrit instance has a read replica configured, you can provide its URL during setup. GitGuardian will use the replica for cloning repositories to reduce load on your primary Gerrit server. All API calls always use the primary instance URL.
Historical scanning
By default, GitGuardian performs a historical scan of the full commit history for each repository added to your perimeter.
Scanning of Gerrit changes (patchsets) is not enabled by default. If you need GitGuardian to include Gerrit change patchsets in the historical scan, contact GitGuardian support to activate this option for your workspace.
GitGuardian uses the Gitiles plugin to link detected secrets back to the relevant commit diff in your Gerrit instance. Most public and self-hosted Gerrit instances have this plugin available by default.
Real-time scanning
Real-time scanning detects new secrets as soon as commits are pushed to Gerrit. This requires the Gerrit webhook plugin to be installed on your Gerrit instance.
Without the webhook plugin: Only historical scanning is available. New commits pushed to Gerrit will not be scanned in real time.
With the webhook plugin: GitGuardian receives push events immediately and scans new commits as they arrive.
To enable the webhook plugin, refer to the Gerrit webhook plugin documentation and configure it to send events to your GitGuardian webhook URL shown in the integration settings.
Understanding scanning capabilities
Historical scanning
Uncover your secret debt: When you first integrate this source, GitGuardian performs a comprehensive scan of your entire repository history, based on your configured perimeter. This reveals secrets that may have been exposed weeks, months, or even years ago — helping you address your existing security debt.
Real-time scanning
Catch new exposures instantly: Once the webhook plugin is installed, GitGuardian continuously monitors your repositories through event-based detection. New commits containing secrets are detected immediately, allowing you to respond quickly to new exposures.
Customize your monitored perimeter
Once you have set up your Gerrit integration, you can configure which repositories to monitor in the Gerrit settings section of your workspace.
If you deselect a repository from your monitored perimeter:
- GitGuardian will no longer scan new commits for that repository.
- You won't receive any alerts related to this repository.
- You can re-enable monitoring at any time by selecting it again.