Prioritize incidents

Overview

With potentially hundreds or thousands of public secret incidents to review, effective prioritization is important for focusing your remediation efforts on the secrets that pose the greatest risk to your organization.

This guide explains the tools available to help you identify which incidents require immediate attention.

Severity and severity rules

Severity is the primary prioritization tool, designed to consolidate multiple risk factors into a single, actionable priority level.

The possible severity levels are: Critical, High, Medium, Low, Info, Unknown.

Since severity consolidates the key prioritization principles into a single metric, sorting by severity is often the most effective starting point for incident review.

Severity rules

Severity rules automatically evaluate incidents based on various factors (secret type, organizational relevance, validity, company indicators) and assign priority levels accordingly.

Your workspace comes with GitGuardian's default severity rules, which you can customize in Settings > Severity rules to match your organization's specific risk priorities.

When creating or editing a severity rule, you can specify whether it applies to public incidents, internal incidents (from Internal Monitoring), or both.

Info: Some rule criteria only apply to specific incident types. For example, company-related tags are unique to Public Monitoring, so rules using these criteria will automatically disable the "internal incidents" option.

An "Unknown" severity indicates that the incident hasn't matched any configured severity rule. These incidents may require manual review or additional rule configuration.

Manual severity override

You can manually edit any incident's severity to override the automatic assignment when you have additional context or disagree with the automated assessment.

Complementary prioritization tools

While severity provides an initial automated prioritization, the additional tools below help you fine-tune your approach and handle specific scenarios that benefit from more granular control.

Incidents table

The Public secret incidents table is where you'll apply these severity-based prioritization strategies, along with additional filtering and sorting capabilities. The table comes with several tools to help you get a clearer view of your incident list.

Filtering and sorting

Beyond severity, use additional filters for more targeted prioritization:

  • Organizational relevance: Attachment reasons, company-related tags, vault properties
  • Risk indicators: Secret validity, secret type
  • Contextual information: Other tags

Saved views

Create and save filter combinations for quick access to specific incident sets. GitGuardian provides default views to help you get started, but you can build custom saved views based on your most frequently used filtering strategies.

Custom tags

Create and assign your own custom tags to mark incidents for your specific workflows. These custom tags can then be used in filters and saved views to support your organization's unique prioritization needs.

Additional capabilities for Generic secrets

Generic incidents—high-entropy strings that couldn't be matched to a specific detector—can be challenging to assess at first glance. It's often difficult to determine how critical they might be.

To address this challenge, GitGuardian uses a specialized machine learning model that analyzes the context surrounding generic secrets. This analysis can often determine the category, family, and provider of the secret, providing valuable insights for prioritization.

These enhanced insights provide additional columns and filters specifically designed for prioritizing generic secret incidents more effectively.

Next steps

Use these tools to systematically identify your highest-priority incidents, then proceed to remediate confirmed threats.