Getting started

Request your 14-day trial now!

SCA is a new service offered by GitGuardian platform.

Request now your 14-days trial from the GitGuardian Platform. You can also request a live demo!

THE SERVICE IS RESTRICTED TO MANAGER ROLES

SCA service is only available for the Manager role on the GitGuardian platform. This will evolve shortly to grant access to other roles including Developer and match your company organization.

We suggest incorporating automated SCA scanning into every Software Development Lifecycle (SDLC) phase. This approach will help reduce the risk of software supply chain exposure by creating a layered defense. This method requires minimal effort and can facilitate widespread adoption from developers.

1. Start monitoring your remote perimeters using native VCS integrations and evaluating your project's exposure to dependency vulnerabilities. It is an easy setup and guarantees a real-time and continuous overview of your incidents and dependencies. It will also cover you upon new vulnerability disclosure, even when your sources remain unchanged.
2. Resolve your incidents to protect the code you release.
   1. Review and prioritize the list of triggered incidents from the 'Incidents' view with your teams.
   2. Follow GitGuardian's remediation recommendations available from the incident information to fix triggered issues.
3. Monitor your dependencies and comply with legal regulations and obligations by: by:
   1. Reviewing third-party licenses to protect you from Intellectual Property issues.
   2. Generating your application's Software Bill Of Materials (SBOMs) when necessary.
4. Track your performance to follow up on your remediation objective and lower your exposure faster.
5. Gradually move SCA scanning to the developers' environment and your CI Pipeline (client-side) to prevent new vulnerable dependencies from reaching your VCS.
   1. Add automatic scanning jobs in CI environments to test supporting branches such as feature, release, and hotfix before merging them into the main one. At first, we recommend scanning for newly introduced dependencies without blocking your CI pipeline to lower the number of alerts and give you flexibility until you later reinforce that policy. Have a look at ggshield SCA CI integration for more information.
   2. Configure developer workstations to scan local changes thanks to the pre-commit or pre-push git hook and ggshield CLI. It prevents any new vulnerable dependencies from entering the remote repositories. Getting started with ggshield.

Was this page helpful?