
GitGuardian Bridge

GitGuardian Bridge extends GitGuardian SaaS with secure access to your private infrastructure through encrypted tunnels. This approach allows you to leverage the full benefits of GitGuardian's cloud platform while maintaining secure access to your internal resources.

Built with security at its core, GitGuardian Bridge uses outbound-only connections, mutual TLS authentication and end-to-end encryption, keeps its attack surface minimal with distroless container images, and provides complete audit logging for full compliance.

Info

GG Bridge is only available for:

  • Workspaces under Enterprise plan
  • US SaaS customers only

If you're interested in Europe SaaS support, please express your interest on our roadmap page.

What is GitGuardian Bridge?

GitGuardian Bridge creates an encrypted, outbound-only tunnel from your private network to GitGuardian SaaS, allowing you to:

  • Scan private repositories without exposing them to the internet
  • Monitor self-hosted services while maintaining network isolation
  • Meet compliance requirements by keeping sensitive infrastructure private
  • Support multiple networks with separate bridge configurations

Cost considerations

GitGuardian Bridge has the same egress cost implications as direct GitGuardian SaaS access. Consider data volume when scanning large datasets, and deploy your bridge close to data sources to minimize network transfer costs.

Supported integrations

GitGuardian Bridge works with:

| Service | Type |
|---|---|
| GitHub Enterprise Server | Version Control |
| GitLab Enterprise Edition | Version Control |
| Bitbucket Data Center | Version Control |
| Azure DevOps Server | Version Control |
| JFrog Artifactory | Container Registry |
| Azure Container Registry | Container Registry |
| Confluence Data Center | Documentation |
| Microsoft OneDrive | Documentation |
| Microsoft SharePoint Online | Documentation |
| Jira Data Center | Ticketing |
| ServiceNow (on-premise) | Ticketing |
| Bring Your Own Sources | Custom Sources |
| Custom webhooks | Notifications |
| Splunk Enterprise | Notifications |
| Custom validity endpoints | Secret Validation |

How to set up GitGuardian Bridge

Step 1: Request bridge access

Contact support@gitguardian.com to request bridge functionality for your account. Specify how many bridges you need (typically one per isolated network segment).

Step 2: Create your bridge

  1. Log in to the GitGuardian Dashboard and navigate to Settings > Security > GitGuardian Bridge

  2. Click "Create Bridge"

  3. Configure your bridge: Name your bridge (e.g., "Production Network", "Dev Environment"), optionally add a Custom CA if your internal services use custom certificates, and add domain names of internal services (you can also do this later). Then download the certificate bundle and copy the bridge URL.

    Custom CA Configuration

    The Custom CA field is required when your target services use certificates signed by a custom Certificate Authority (CA). You must provide the complete certificate chain in PEM format, including:

    • The Root CA certificate
    • All intermediate CA certificates (if any)

    To export the certificate chain from your service:

    openssl s_client -showcerts -connect your-internal-service.com:443 -servername your-internal-service.com </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > bundle.pem

    Example PEM format:

    -----BEGIN CERTIFICATE-----
    MIIDXTCCAkWgAwIBAgIJAKoK/OvD... (Root CA)
    ...certificate content...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDbTCCAlWgAwIBAgIJAKoK/OvD... (Intermediate CA)
    ...certificate content...
    -----END CERTIFICATE-----

    Without the proper Custom CA configuration, GitGuardian Bridge will not be able to establish secure connections to your internal services and will fail with SSL verification errors.
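
    To check an exported bundle against the requirement above before uploading it, the following added example (not part of GitGuardian's documentation or tooling; the function names are illustrative) classifies each certificate in bundle.pem as root, intermediate CA or leaf. A TLS server normally sends its own leaf certificate and may omit the root, so the exported file can need editing; the root test here is a subject-equals-issuer heuristic and verifies no signature.

```shell
# Added example: inspect bundle.pem before uploading it as the Custom CA.
# Function names are illustrative, not part of any GitGuardian tool.

# Print the number of certificates; fail if BEGIN/END markers are unbalanced.
pem_count() {
  awk '/-----BEGIN CERTIFICATE-----/ { if (inside) bad = 1; inside = 1; n++ }
       /-----END CERTIFICATE-----/   { if (!inside) bad = 1; inside = 0 }
       END { if (inside || bad) exit 1; print n + 0 }' "$1"
}

# Write each certificate of bundle $1 to its own file in directory $2.
pem_split() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { if (f != "") close(f); f = "" }' "$1"
}

# Classify a certificate file as root, ca (intermediate) or leaf.
# "root" is a heuristic: subject equals issuer; no signature is verified.
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo root
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo ca
  else echo leaf
  fi
}

# Succeeds only if the bundle has at least one root and no leaf certificate.
check_bundle() {
  total=$(pem_count "$1") || { echo "unbalanced PEM markers" >&2; return 2; }
  [ "$total" -gt 0 ] || { echo "no certificates found" >&2; return 2; }
  tmp=$(mktemp -d) || return 2
  pem_split "$1" "$tmp"
  roots=0; leaves=0
  for c in "$tmp"/cert-*.pem; do
    role=$(cert_role "$c")
    echo "$role: $(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)"
    case $role in
      root) roots=$((roots + 1)) ;;
      leaf) leaves=$((leaves + 1)) ;;
    esac
  done
  rm -rf "$tmp"
  [ "$roots" -ge 1 ] && [ "$leaves" -eq 0 ]
}

if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

    Run it as `sh check_bundle.sh bundle.pem` (the script file name is an assumption); a non-zero exit status means the bundle lacks a root or still contains the service's leaf certificate.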

Step 3: Configure bridge client

Deploy the bridge client in your private network using the certificate bundle and bridge URL from Step 2.

📋 Follow the detailed installation guide: github.com/GitGuardian/ggbridge

The repository provides complete instructions for:

  • Docker deployment
  • Kubernetes/Helm deployment
  • OpenShift configurations
  • Troubleshooting guides

Important

Make sure to whitelist the bridge URL in your network security settings to allow outbound connections from your private network to GitGuardian SaaS.

Step 4: Configure URL mapping (if not done during creation)

If you didn't add domain names during bridge creation, go to your bridge settings and add the domain names of internal services that should route through the bridge:

  • gitlab.internal.company.com
  • bitbucket.team.local
  • artifactory.dev.internal


GitGuardian will automatically route traffic to these URLs through your bridge.

Step 5: Configure your integrations

Set up your self-hosted services in GitGuardian Dashboard:

  1. Sources: Navigate to Settings > Integrations > Sources
  2. Destinations: Navigate to Settings > Integrations > Destinations
  3. Custom Hosts: Navigate to Settings > Secrets > Detectors

Example with GitHub Enterprise:

[Screenshot: Example Sources Integration Settings]

When you enter URLs that match your bridge configuration, GitGuardian automatically uses the bridge connection.

Verify everything works

  • Bridge Status: Check Settings > Security > GitGuardian Bridge for connection status
  • Integration Health: Monitor your source/destination health checks
  • Test Scans: Run a test scan on a private repository

For assistance, contact support.