Incident lifecycle
Incident statuses
A public secret incident can be in one of two overall states:
- Open: including Triggered and Assigned statuses
- Closed: including Resolved and Ignored statuses
Triggered
A triggered incident is an incident detected and stored by GitGuardian but not yet investigated by a member of your workspace.
Assigned
An assigned incident is being investigated by a specific member of the workspace. It is not resolved or ignored yet.
Resolved
A resolved incident is an incident considered remediated. In the case of a public secret incident related to your company, you must typically ensure that the secret is revoked, and optionally that the evidence is removed from Public GitHub.
- If you consider a new occurrence of an incident that has already been resolved to be problematic, you will want the regression behavior enabled. When the regression behavior is turned On, GitGuardian will reopen this incident and alert you again if a new occurrence of this secret is detected in real time (regardless of whether it has been revoked or not).
- If the exposure of the secret is not important to you and only revocation matters, you can turn Off the regression behavior and GitGuardian will silently add the occurrence to the existing resolved incident without delivering any notifications.
The regression behavior can be configured in the General section of your settings.
Ignored
An ignored incident is one that a member of your team does not consider a real incident and that does not require remediation.
For public secrets incidents, a typical reason for ignoring a secret is that the secret is a personal credential from a developer, and not actually related to your company ("Credential is not related to the company"). However, several other ignore reasons are possible:
- this is a test credential
- this is a low risk secret
- this is not a secret (false positive)
- developer is not connected to the company
- credential is not related to the company
Ignoring an incident means that you don't want GitGuardian to consider it anymore. If a new occurrence appears for an ignored incident, GitGuardian will not reopen it or alert you.
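The handling of new occurrences described above for resolved and ignored incidents, as a small Python model added here (it is not GitGuardian code and does not use its API). The `name` and `revoked` fields, the function names, and the status a reopened incident returns to are assumptions for illustration; `silent_blind_spots` lists closed incidents whose re-exposure would raise no alert while revocation is unconfirmed.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

Status = Enum("Status", "TRIGGERED ASSIGNED RESOLVED IGNORED")
Outcome = Enum("Outcome", "REOPENED_AND_ALERTED ADDED_SILENTLY ADDED_TO_OPEN")

@dataclass
class Incident:
    name: str                      # hypothetical label for this example
    status: Status
    assignee: str | None = None
    revoked: bool = False          # hypothetical: has revocation been confirmed?
    occurrences: int = 1

def new_occurrence(inc: Incident, regression_on: bool) -> Outcome:
    """Apply the documented handling of a new real-time occurrence."""
    inc.occurrences += 1
    if inc.status is Status.IGNORED:
        return Outcome.ADDED_SILENTLY      # ignored: never reopened, never alerted
    if inc.status is Status.RESOLVED and not regression_on:
        return Outcome.ADDED_SILENTLY      # regression Off: stays resolved, no alert
    if inc.status is Status.RESOLVED:
        # Assumption: a reopened incident returns to Assigned if it still has
        # an assignee, otherwise to Triggered. The page only says "reopen".
        inc.status = Status.ASSIGNED if inc.assignee else Status.TRIGGERED
        return Outcome.REOPENED_AND_ALERTED
    return Outcome.ADDED_TO_OPEN           # alerting for open incidents is not described

def silent_blind_spots(incidents: list[Incident], regression_on: bool) -> list[str]:
    """Closed incidents whose secret is not confirmed revoked and whose
    re-exposure would produce no alert under the given Regression setting."""
    return [
        inc.name for inc in incidents
        if not inc.revoked and (
            inc.status is Status.IGNORED
            or (inc.status is Status.RESOLVED and not regression_on))
    ]

# Constructed sample incidents, not real data.
SAMPLE = [
    Incident("aws-key", Status.RESOLVED, assignee="alice", revoked=True),
    Incident("slack-token", Status.RESOLVED, revoked=False),
    Incident("test-cred", Status.IGNORED),
    Incident("db-password", Status.TRIGGERED),
]
```

Running `silent_blind_spots(SAMPLE, regression_on=False)` before turning the Regression setting Off shows which resolved incidents rely on revocation that was never confirmed.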
Lifecycle of an incident
1. Receiving incident alerts
GitGuardian can send an alert upon detection of a new incident. All members with access to Public Monitoring can be alerted by email, and/or on their alerting integrations, in order to tackle the new incident as quickly as possible.
Note that for incidents detected through historical scanning, we do not send an alert per incident but rather an email recap with all the incidents discovered on a given historical scan.
Members will also receive similar alerts upon regression of an already-resolved incident.
2. Assigning incidents
Investigation and remediation of an incident can take some time. Let your teammates know that you are currently working on a given incident by declaring the assignee, so that work is not duplicated within your team.
Prioritizing and knowing which incident is more severe than another can be very challenging, especially when you are dealing with a large number of incidents. Have a look at our Prioritize guide to read our good practices for identifying the incidents you need to tackle first.
3. Collaborate and remediate
Once you decide which incident you want to work on, a new phase of collaboration and remediation starts. GitGuardian helps you by providing as much contextual information as possible, along with features that help you get in touch with the appropriate stakeholders and check that the incident has been properly remediated. Read more about this topic in our Remediating incidents section.
Ultimately, you can resolve or ignore the incident. You will always have the possibility to reopen it manually. In the specific case of resolved incidents for which new occurrences are detected again, you can choose whether GitGuardian automatically reopens the incident and alerts you by selecting your preferred Regression setting.
All user activity and team notes attached to a given incident can be found in the Activity section of the incident page.