Investigate incidents
For every incident, GitGuardian will provide you with the following metadata about the secret and its occurrences:
- Type of secret (raised by the detector)
- Date (at which the occurrence of the secret was committed)
- Commit author email (involved developer)
- Repository name
- File name and extension
- Commit SHA-1 hash
- Git history presence (when possible)
- Validity (when possible - see dedicated section)
- Additional tags (e.g., Default branch, From historical scan, Publicly exposed, Publicly leaked, Vaulted, Regression, Test file, etc.)
Secret presence checks
With the presence check, it is possible to verify the presence (and thus reachability) of every occurrence of the secret in your repositories. For each incident, GitGuardian will display the dates at which each occurrence was first and last seen and if it is still present in the repository.
Once you have fully deleted the repository or rewritten the git history, return to your incident's page to obtain the secret's occurrence proof of deletion (see screenshot below). Once an occurrence is no longer visible in the git history, GitGuardian will stop checking for its presence.
GitGuardian will regularly check for the presence of occurrences, to the best of its ability and considering existing VCS API rate limits, to mirror the state of your git repository. You can also manually run the presence check should you need to force update the status of the occurrences of an incident.
The frequency of these automated checks depends on your plan and the status and age of secret incidents:
| Plan | Incident status | Incident age | Frequency |
|---|---|---|---|
| Business | Open | Less than a year old | Daily |
| Free | Open | Less than a year old | Weekly |
| Business | Open | More than a year old | Weekly |
| Free | Open | More than a year old | Monthly |
| Business | Ignored | Less than a year old | Half-yearly |
| Free | Ignored | Less than a year old | Never |
| Business | Ignored | More than a year old | Never |
| Free | Ignored | More than a year old | Never |
| Business | Resolved | Less than a year old | Monthly |
| Free | Resolved | Less than a year old | Half-yearly |
| Business | Resolved | More than a year old | Half-yearly |
| Free | Resolved | More than a year old | Never |
If you host GitGuardian on-premise, you can change these frequencies in your admin area.
⚠️ Presence checks and orphan commits
When you delete a repository, all its commits are permanently deleted. However, using
git push --forceto remove a specific commit in a repository does not permanently delete it. It becomes an orphan commit, still existing but no longer referenced by any branch. It's impossible to see orphan commits in a pull request or in an existing branch unless you have access to the unique id (sha) of the commit. GitGuardian considers a secret's occurrence in an orphan commit as present. VCSs provide garbage collection, completely emptying the bin of orphan commits. In the case of:
- GitHub, contacting the support to run the garbage collection is necessary
- GitLab, the frequency of garbage collection is decided by the VCS admin
When you decide to unmonitor a repository, GitGuardian consequently loses access to that repository, which in turn prompts the presence check to lose its ability to update values with regards to its corresponding occurrences. GitGuardian will display an icon to indicate that the repository is no longer monitored.
For incidents containing occurrences related to more than one repository, the presence check will continue to work for the rest of the occurrences linked to the monitored sources until the last monitored source gets removed from the perimeter.
Secret leak checks
With the leak check, it is possible to check whether your secret has been detected on a public place outside your perimeter (GitHub public repositories, issues, and gists your organization does not own). When this occurs, the situation is extremely serious, indicating that your secret is compromised and may be found by anyone on GitHub. Note that for security reasons, GitGuardian only manipulates a hashed version of your secrets.
Such secret incidents are identified with the Publicly leaked tag. You can filter these incidents using this tag in order to better prioritize your incidents.
The leak check feature is not supported for multi-match secrets.
Secrets detected as publicly leaked in more than 10 places are considered false positives (e.g. standard test credentials) and are not tagged as Publicly leaked.
GitGuardian regularly updates the leak status of your secret incidents and determines the places on public GitHub (repositories, issues and gists) where the secret has been detected. You can also run the leak check manually, should you need to force update the leak status of the secret incident.
The frequency of these automated checks depends on your plan, incident status and secret validity:
| Plan | Incident status | Secret validity | Incident age | Frequency |
|---|---|---|---|---|
| Business | Opened | Not invalid | Less than a year old | Daily |
| Business | Opened | Not invalid | More than a year old | Weekly |
| Business | Resolved | Not invalid | Any | Monthly |
| Business | Ignored | Not invalid | Any | Never |
| Business | Opened | Invalid | Any | Never |
| Business | Resolved | Invalid | Any | Never |
| Business | Ignored | Invalid | Any | Never |
From the sidebar, you can consult the list of places (up to 10) where your secret has been publicly leaked.
For each place, we provide:
- the type of place (GitHub repository, issue or gist)
- a link to the original source
This gives you more context to check the leak and better qualify your secret incident.
The leak check feature is exclusively available for workspaces under the Business plan, and is not available for GitGuardian self-hosted instances. If you are interested in public monitoring and would like to find out more, you can look at our GitGuardian Public Monitoring product to extend the secret detection to the entire GitHub public space.
You may encounter two fields, secret_hash and hmsl_hash, when working with secret incidents, for instance.
- The
secret_hashfield is an internal identifier for each detected secret. - The
hmsl_hashis associated with GitGuardian’s Has My Secret Leaked service. GitGuardian uses the HMSL hashing algorithm to compare your secret—securely and privately—with secrets previously found on public GitHub. This allows GitGuardian to check if your secret has appeared publicly, without exposing the actual secret value. The same hash algorithm is also used with ggscout to identify vaulted secrets.
