GitGuardian


Category: SCA
License: Freemium
Suphi Cankurt
AppSec Enthusiast
Updated February 9, 2026
Key Takeaways
  • GitGuardian is the #1 security app on GitHub Marketplace, detecting 550+ secret types including API keys, certificates, and tokens.
  • ggshield CLI provides pre-commit hooks and CI/CD integration for blocking secrets before they reach version control.
  • Non-Human Identity (NHI) governance tracks machine credentials across the organization, and honeytokens detect intrusion attempts.
  • Scans beyond code repositories into Slack, Jira, and Confluence, with a free plan available for individual developers.

GitGuardian is the #1 security app on the GitHub Marketplace. It monitors source code repositories for exposed secrets in real time, detecting API keys, hardcoded passwords, certificates, and other credentials that developers accidentally commit to version control. Secret exposure is a leading supply chain attack vector: a leaked cloud key or CI token gives an attacker the same access the pipeline has, and GitGuardian treats it as a first-class problem.

GitGuardian dashboard showing detected secrets with incident status, severity, and remediation tracking

The platform covers 550+ secret types and scans across GitHub, GitLab, Bitbucket, and collaboration tools like Slack, Jira, and Confluence. GitGuardian also validates whether detected secrets are still active, so teams can prioritize live credentials over expired ones.

What is GitGuardian?

GitGuardian catches secrets before they become incidents. When a developer commits an AWS key, database password, or API token to a repository, GitGuardian detects it within seconds and triggers an alert. The platform also scans git history, catching secrets that were committed and later deleted but remain in the repository’s commit log.

Beyond detection, GitGuardian now offers Non-Human Identity (NHI) governance and honeytoken intrusion detection. The ggshield CLI tool runs as a pre-commit hook to block secrets before they ever reach the remote repository.

550+ Secret Types
Detects API keys, database credentials, private keys, OAuth tokens, certificates, and custom patterns using regex and validation checks. Validates whether secrets are still active.
Pre-Commit Protection
The ggshield CLI runs as a pre-commit hook or CI/CD gate. Blocks secrets before they reach the remote repository, preventing incidents rather than just detecting them.
NHI Governance
Tracks machine identities (service accounts, API keys, tokens) across your organization. Maps which secrets are used where, by whom, and flags over-privileged or stale credentials.

Key features

Secret categories

Category          Examples
Cloud providers   AWS, Azure, GCP keys and credentials
Version control   GitHub, GitLab, Bitbucket tokens
Databases         PostgreSQL, MySQL, MongoDB, Redis URIs
Payment           Stripe, PayPal, Square API keys
Communication     Slack, Twilio, SendGrid tokens
Infrastructure    Docker, Kubernetes, Terraform secrets
Authentication    JWT secrets, OAuth tokens, SAML keys
Certificates      Private keys, TLS certificates, SSH keys
Custom            Organization-defined patterns via regex

Secrets detection engine

GitGuardian uses pattern matching combined with validation to detect 550+ secret types. Each finding is checked against the issuing service when possible to confirm the secret is still valid. This reduces false positives and helps teams focus on credentials that are actually exploitable.

ggshield CLI

The open-source CLI tool plugs into pre-commit hooks, GitHub Actions, GitLab CI, Bitbucket Pipelines, and other CI systems. In CI it scans the commits of each push or merge request and fails the job if secrets are found; when branch protection requires that job, the merge is blocked. As a pre-commit hook it scans the staged diff and refuses the commit, which is the only point at which the secret never leaves the developer's machine.

# Install ggshield
pip install ggshield

# Authenticate once; stores an API key locally (CI jobs set GITGUARDIAN_API_KEY instead)
ggshield auth login

# Set up the pre-commit hook for the current repository
ggshield install --mode local

# Scan a repository, including its full commit history
ggshield secret scan repo .

# Scan in CI; the CI system is detected from its environment variables
ggshield secret scan ci

Honeytoken detection

GitGuardian can generate honeytokens (fake credentials) that you plant in repositories, cloud environments, or internal systems. When someone uses a honeytoken, GitGuardian alerts you immediately, providing early warning of unauthorized access or a breach.
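The trip-wire side of a honeytoken, as an added example written for this page rather than GitGuardian's own code. It assumes the decoys are AWS-style access keys and that usage shows up as CloudTrail-style records (an assumption about how the page's "fake credentials" are modeled); the decoy registry and the three log records are constructed here. The point it makes is that a decoy has no permissions, so a call that ends in AccessDenied is as much of a hit as one that succeeds.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Honeytoken:
    access_key_id: str
    planted_in: str   # where the decoy was left, so the alert names the asset that was reached

@dataclass(frozen=True)
class Alert:
    access_key_id: str
    planted_in: str
    event_name: str
    source_ip: str
    user_agent: str
    error_code: str   # "AccessDenied" still counts: the decoy has no rights, any use is hostile

# Registry of decoys (constructed; a real deployment gets this from the honeytoken service).
HONEYTOKENS: Dict[str, Honeytoken] = {
    h.access_key_id: h for h in (
        Honeytoken("AKIAHONEYTOKEN000001", "repo:acme/payments .env"),
        Honeytoken("AKIAHONEYTOKEN000002", "confluence:Ops runbook"),
    )
}

def detect_honeytoken_use(cloudtrail_json: str, honeytokens: Dict[str, Honeytoken]) -> List[Alert]:
    """One alert per API call made with a decoy key, whether or not the call succeeded."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in honeytokens:
            continue
        alerts.append(Alert(key_id, honeytokens[key_id].planted_in, rec["eventName"],
                            rec.get("sourceIPAddress", "?"), rec.get("userAgent", "?"),
                            rec.get("errorCode", "")))
    return alerts

def summarize(alerts: List[Alert]) -> Dict[str, dict]:
    """Collapse a burst of calls into one incident per decoy: where it was planted, who used it."""
    incidents = defaultdict(lambda: {"planted_in": "", "calls": 0, "source_ips": set(), "actions": set()})
    for a in alerts:
        inc = incidents[a.access_key_id]
        inc["planted_in"] = a.planted_in
        inc["calls"] += 1
        inc["source_ips"].add(a.source_ip)
        inc["actions"].add(a.event_name)
    return dict(incidents)

# Constructed records: one legitimate key, then a decoy used twice from a documentation-range IP.
# sts:GetCallerIdentity succeeds for any valid key regardless of policy, which is why it is the
# first thing an attacker tries with a found credential; the S3 call is denied but still logged.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAREALDEVKEY000001"},
     "sourceIPAddress": "10.0.0.5", "userAgent": "aws-cli/2.15"},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAHONEYTOKEN000001"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.15"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAHONEYTOKEN000001"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "Boto3/1.34", "errorCode": "AccessDenied"},
]})

if __name__ == "__main__":
    for key, inc in summarize(detect_honeytoken_use(SAMPLE_CLOUDTRAIL, HONEYTOKENS)).items():
        print(key, inc)
```

Because the decoy was tied to a location when it was planted, the incident record says not just that someone is probing the account but which repository, page or host they read it from.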

Historical scanning

Scanning is not limited to new commits. GitGuardian checks the full git history of a repository, finding secrets that were committed months or years ago. Even if the secret was "deleted" in a later commit, it remains in git history, and anyone who can clone the repository can recover it with git log -p. Removing the line, or even rewriting history, does not revoke the credential: a secret that has ever been pushed should be rotated, and the cleanup is secondary.
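An added example, written for this page and not GitGuardian's or ggshield's code, that makes the points of the detection-engine and historical-scanning sections concrete and shows what the pre-commit gate does. A toy scanner walks a git log -p dump: two simplified detector patterns stand in for the real catalogue (an assumption, not GitGuardian's detectors), a Shannon-entropy check keeps a low-entropy "password = hunter2..." assignment from becoming a false positive (the 3.5 bits/char threshold is chosen for this example), every secret ever added is reported even when a later commit removed it, and an optional caller-supplied validate() callback stands in for the check against the issuing service. The sample history, the staged diff and both keys are constructed.

```python
import math
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Two detectors standing in for the 550+ types the page mentions (assumption: these
# simplified patterns were written for this example; they are not GitGuardian's).
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}
# Generic "secret = value" matches are noisy, so one only survives if the value is
# high-entropy (assumption: 3.5 bits/char, a threshold chosen for this example).
GENERIC_PATTERN = re.compile(
    r"(?i)(?:secret|password|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})")
ENTROPY_THRESHOLD = 3.5

def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score about 4 to 5, repeated words under 3."""
    n = len(value)
    return -sum(p * math.log2(p) for p in (value.count(c) / n for c in set(value))) if n else 0.0

@dataclass(frozen=True)
class Finding:
    detector: str
    introduced_in: str     # commit in which the secret first appeared
    path: str
    secret: str
    still_present: bool    # False if a later commit removed it; it is still in history
    valid: Optional[bool]  # from the caller-supplied validate(); None when nothing checked it

def detect_in_line(content: str) -> List[Tuple[str, str]]:
    """Run every detector over one line; a specific detector wins over the generic one."""
    hits = [(name, m.group(1)) for name, pat in SPECIFIC_PATTERNS.items()
            for m in pat.finditer(content)]
    seen = {secret for _, secret in hits}
    for m in GENERIC_PATTERN.finditer(content):
        value = m.group(1)
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("generic_high_entropy", value))
    return hits

def scan_history(log_p: str,
                 validate: Optional[Callable[[str, str], Optional[bool]]] = None) -> List[Finding]:
    """Scan a `git log -p` dump; every secret ever added is reported, even if later removed."""
    if re.search(r"(?m)^commit ", log_p):
        blocks = [b.splitlines() for b in re.split(r"(?m)^commit ", log_p) if b.strip()]
        commits = [(lines[0].split()[0], lines[1:]) for lines in blocks]
    else:  # a bare diff (what a pre-commit hook sees via `git diff --cached`) is one unit
        commits = [("staged", log_p.splitlines())]
    state: Dict[Tuple[str, str], dict] = {}
    # git log prints newest first; walk oldest first so the last add/remove event wins.
    for sha, lines in reversed(commits):
        path = "<unknown>"
        for raw in lines:
            if raw.startswith("+++ "):
                path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
                continue
            if raw.startswith(("--- ", "@@", "diff ")) or not raw or raw[0] not in "+-":
                continue  # file or hunk header, context line, or commit metadata
            for detector, secret in detect_in_line(raw[1:]):
                entry = state.setdefault((detector, secret), {"introduced_in": sha, "path": path})
                entry["last_action"] = "add" if raw[0] == "+" else "remove"
    findings = []
    for (detector, secret), entry in state.items():
        valid = validate(detector, secret) if validate else None
        findings.append(Finding(detector, entry["introduced_in"], entry["path"], secret,
                                entry["last_action"] == "add", valid))
    return findings

def precommit_gate(staged_diff: str) -> int:
    """What the pre-commit hook does: exit 1 when the staged diff adds any secret."""
    return 1 if any(f.still_present for f in scan_history(staged_diff)) else 0

# Constructed history, newest first as git prints it. Both keys are fake: commit 1a1a adds
# an AWS key and a GitHub token, commit 2b2b removes the AWS key from the working tree.
SAMPLE_GIT_LOG = """\
commit 2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
commit 1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2hunter2"
--- /dev/null
+++ b/ci.env
@@ -0,0 +1 @@
+GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
"""
# Constructed staged diff, as the pre-commit hook would see it.
STAGED_DIFF = '+++ b/app.py\n+API_TOKEN = "xK9v2Lm4Qw8Rt6Yz1Np3Hs5Jd7Fg0Bc"\n'
if __name__ == "__main__":
    print(*scan_history(SAMPLE_GIT_LOG), "pre-commit exit code:", precommit_gate(STAGED_DIFF), sep="\n")
```

Run as a script it reports the AWS key with still_present False (removed in 2b2b, recoverable from 1a1a), the GitHub token with still_present True, nothing for the low-entropy password, and exit code 1 for the staged diff. Passing a validator such as lambda d, s: False if s.startswith("AKIA") else None marks the AWS key as revoked while leaving the token's validity unknown, which is the triage split the page describes.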

Collaboration tool scanning

Beyond code repositories, GitGuardian scans Slack messages, Jira tickets, and Confluence pages for exposed credentials. Developers often paste secrets into chat or documentation without thinking about the security implications.

Setup

1. Install the GitHub App – Add GitGuardian from the GitHub Marketplace and select which repositories to monitor. Free for individual developers.
2. Configure ggshield – Install the CLI with pip install ggshield, authenticate with ggshield auth login, and run ggshield install --mode local to set up the pre-commit hook.
3. Review findings – Check the GitGuardian dashboard for detected secrets. Each finding shows the secret type, file location, whether it is still valid, and remediation steps. Rotate any secret that was pushed before removing it from the code.
4. Set up CI scanning – Add ggshield to your CI pipeline so every commit is scanned automatically.

CI/CD integration

GitHub Actions

name: GitGuardian Secrets Scan
on: [push, pull_request]

jobs:
  scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit in the push or PR is scanned
      - name: GitGuardian scan
        uses: GitGuardian/ggshield-action@v1
        env:
          # Commit range for push events, so only the new commits are scanned
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # Keep the API key in a repository or organization secret, never in the workflow file
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

GitLab CI

ggshield-scan:
  image: gitguardian/ggshield:latest
  script:
    - ggshield secret scan ci
  variables:
    GIT_DEPTH: 0   # full clone so the whole push or merge request is scanned
    # Define GITGUARDIAN_API_KEY as a masked, protected CI/CD variable in project settings
    GITGUARDIAN_API_KEY: $GITGUARDIAN_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

When to use GitGuardian

GitGuardian is the go-to choice for secrets detection. If you have developers committing code to repositories, you almost certainly have leaked secrets somewhere in your git history.

Strengths:

  • 550+ secret types with active validation
  • Pre-commit blocking via ggshield prevents incidents
  • Historical scanning catches old secrets still in git history
  • Slack, Jira, Confluence scanning beyond code
  • Free tier for individual developers

Limitations:

  • Primarily focused on secrets detection, not general SCA
  • NHI governance and advanced features require paid plans
  • Enterprise features (SSO, custom detectors) are commercial only

Best for
Any team with code repositories. Secrets detection is a baseline security control that catches real, exploitable credentials rather than theoretical vulnerabilities.

How it compares:

vs.                      Key difference
TruffleHog               TruffleHog is free and open source but requires more setup. GitGuardian's managed platform adds a dashboard, incident tracking, active secret validation, and collaboration tool scanning on top of detection.
GitHub Secret Scanning   GitHub's built-in scanning covers fewer secret types and only works on GitHub. GitGuardian covers 550+ types across multiple platforms.

Further reading: Supply Chain Attacks Guide | Software Supply Chain Security

Frequently Asked Questions

What does GitGuardian do?
GitGuardian scans code repositories and git history for hardcoded secrets like API keys, database credentials, private keys, and tokens. It covers over 550 secret types using pattern matching and validation checks, including secrets that were committed and later deleted.
Is GitGuardian free for individual developers?
Yes, GitGuardian offers a free plan for individual developers that covers personal and public repositories. The paid plans are aimed at teams and enterprises, adding features like dashboards, incident management, and policy controls across an organization’s full codebase.
How does GitGuardian compare to TruffleHog?
TruffleHog is a free open-source tool that scans git repos for secrets using regex and entropy analysis, while GitGuardian is a managed platform with a broader detection engine and a dashboard for tracking incidents. TruffleHog gives you more control and costs nothing; GitGuardian is easier to roll out across a large team, reports whether each detected secret is still active, and extends scanning to Slack, Jira and Confluence.
Can GitGuardian run in CI/CD pipelines?
Yes. GitGuardian provides a CLI tool called ggshield that plugs into GitHub Actions, GitLab CI, Bitbucket Pipelines, and other CI systems. It scans the commits of each push or merge request and fails the job if secrets are found, so with branch protection requiring that job the merge is blocked. Note that a CI job runs after the push, so it gates merging and deployment rather than the push itself; to stop a secret before it is committed at all, use the ggshield pre-commit hook.