Remediation scenarios and workflows
This guide covers different remediation scenarios you'll encounter and provides practical workflows for each. Choose the approach that matches your specific situation and organizational constraints.
Understanding incident types
Not all incidents are created equal. The remediation approach depends heavily on when and how the secret was detected:
Real-time incidents
Real-time incidents are detected as they happen - when developers commit secrets to repositories you're actively monitoring.
Characteristics:
- Recent exposure (minutes to hours old)
- Developer context is fresh and available
- Higher probability of being valid and actively used
- Opportunity for immediate intervention
Key considerations:
- Developer is likely still working on the code
- Secret may be needed for current development work
- Faster remediation possible with developer involvement
- Prevention opportunity through education
Historical incidents
Historical incidents are discovered during scans of existing repositories - secrets that have been present for days, months, or years.
Characteristics:
- Older exposure (potentially years old)
- Developer context may be lost
- Unknown validity and current usage
- May require investigation to understand impact
Key considerations:
- Original developer may no longer be available
- Secret usage patterns may have changed
- Potential for widespread distribution
- Requires systematic prioritization approach
Remediation scenarios
Depending on the incident nature and the context surfaced, you might fall in one of these different scenarios:
Scenario 1: Emergency response (public exposure)
Use for: Secrets detected in public repositories with immediate security impact.
Approach:
- Rapid assessment - Confirm ownership and access level
- Immediate revocation - Disable secret immediately
- Impact containment - Update critical systems
- Post-incident analysis - Understand how exposure occurred
Timeline: 5-15 minutes
Success factors: Clear escalation paths, revocation procedures
Scenario 2: Real-time incident with active developer
Use for: Newly detected secrets where the developer is available and context is fresh.
Approach:
- Immediate engagement - Contact developer while context is fresh
- Quick assessment - Understand intended use and scope
- Guided remediation - Walk through proper secret management
- Prevention - Education to prevent future occurrences
Timeline: 15-30 minutes
Success factors: Developer availability, clear communication, established processes
Scenario 3: Historical incident requiring investigation
Use for: Older secrets with unknown context, validity, or current usage.
Approach:
- Systematic prioritization - Focus on high-impact secrets first
- Context reconstruction - Investigate purpose and current usage
- Stakeholder identification - Find current owners/users
- Phased remediation - Address in priority order
Timeline: Hours to days per incident
Success factors: Good investigation tools, clear prioritization criteria
Scenario 4: Bulk remediation (post-historical scan)
Use for: Large volumes of historical incidents requiring systematic approach.
Approach:
- Automated triage - Use filters and automation to categorize
- Batch processing - Group similar incidents for efficiency
- Team coordination - Distribute work across teams
- Progress tracking - Monitor completion rates and blockers
Timeline: Weeks to months
Success factors: Automation tools, team coordination, management support
Workflow selection guide
| Situation | Primary Scenario | Secondary Considerations |
|---|---|---|
| New commit detected with secret | Real-time with active developer | Check if public repository |
| Historical scan reveals 500+ incidents | Bulk remediation | Prioritize by criticality first |
| Secret found in public GitHub | Emergency response | May also need bulk approach if widespread |
| Valid secret, unknown usage | Historical investigation | Consider developer engagement if possible |
| Test/dummy secret | Quick resolution | May use bulk processing |
Platform features supporting scenarios
Our platform comes with several integrated features which can help you in addressing these different scenarios:
Emergency response
- Integrated revocation - Disable secrets directly from GitGuardian
- Public leak detection - Identify external exposure
- Priority alerts - Escalate critical incidents immediately
Real-time workflow
- Instant notifications - Alert relevant stakeholders immediately
- Developer sharing - Provide direct access to incident details
- Feedback collection - Gather developer input on false positives
- Auto-healing - Allow developers to resolve incidents independently
Historical workflow
- Bulk operations - Process multiple incidents efficiently
- Advanced filtering - Find high-priority incidents quickly
- Presence checking - Verify if secrets still exist in repositories
- Validity checking - Test if secrets are still active
Next steps
Choose the detailed workflow that matches your situation:
- Real-time incidents - Handle new detections with developer engagement
- Historical incidents - Systematic approach for existing secrets
- Platform features - Deep dive into GitGuardian capabilities
- Investigation guide - Thorough analysis techniques
