Services and listening port:
|nginx||web server||0.0.0.0:443 and 0.0.0.0:80|
|redis||cache and configuration||127.0.0.1:6379|
|postgresql||database and storage||127.0.0.1:5432|
We recommend to drop all incoming traffic except on port TCP 80, TCP 443 and TCP 8800.
TCP port 443 is used to access the dashboard, but also for webhooks of your VCS. Please make sure https traffic is allowed both ways between GitGuardian and your VCS.
The following is a list of features that will make outbound requests.
- Secret detector checkers
- GitLab source
- GitHub Enterprise source
- GitHub source
- Slack notifier
- Custom webhook notifier
- Email notifications (either SMTP or Sendgrid)
If you have a internal network behind a firewall, you can easily connect to an internal VCS (eg: self-hosted GitLab).
However, if you want to connect to github.com, therefore requiring internet access, you will need to open a wide incoming access to the HTTPS port of your GitGuardian instance.
It is possible to restrict trafic to github.com IP addresses, but this is not recommmended by GitHub. You can use a Web Application Firewall (WAF) or a proxy to monitor closely the incoming trafic on the GitGuardian instance.
In this scenario, the GitGuardian instance needs an open 443 egress port to get updates.
If in addition to an internal network, you have a DMZ and you want to integrate with github.com, you can put the GitGuardian instance in the DMZ. This makes it easier to access github.com but you will need to expose your internal VCS outside of your internal network, so that the GitGuardian instance can access it.
In this scenario, the GitGuardian need an open 443 egress port to get updates.
In this scenario, the GitGuardian instance is completely isolated from the Internet. It is offline and airgapped. This means no github.com monitoring is possible. But this also means, you don't need an open 443 egress port to get updates.
This Airgap functionnality is not available by default. Please contact your sales representative if you want to enable it.