Skip to main content

Security recommendations and information

TLS certificate#

Because the application will display sensitive information (secrets, your source code, etc), only HTTPS access is allowed.

We recommend that you use a valid certificate (in relation with the FQDN chosen, ex: dashboard.gitguardian.mycorp.local).

A TLS certificate is required to start the installation.

By default, we use a strong cipher suite with only TLS 1.2 and TLS 1.3. Modern browsers will not have any issues with this. In case of an issue, please, contact our support.

Here the default protocols and ciphers enabled:

  • Protocols: TLS 1.2 / TLS 1.3
  • Ciphers:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384

Drawback with self signed certificate#

If you use a self signed certificate with the application, you need to take care of SSL validation with GitLab or GitHub web hooks. By default SSL verification is enabled and you need to disable it to get GitLab or GitHub integrations to work.

Security recommendations#

Because the database will contain sensible information (your source code, leaks, etc), we highly recommend that you encrypt the file system.

Also, restrict access to the host used to run the application to people who really need access (ex: people who manage the host and the application deployment).

Signup restrictions#

By default, a user needs to sign up via SSO or via an invitation link in order to join the GitGuardian workspace.

If signup restrictions are disabled, anyone with access to the instance network will be able to join your workspace and see your potential secrets.

If you were to choose to disable this setting, make sure your GitGuardian instance is only available from a restricted network and not from the Internet.