GitGuardian’s tool helps companies discover developer leaks on GitHub

GitGuardian released a tool to help companies discover how many secrets their developers have leaked on public GitHub, both company-related and personal.

Even if your organization doesn’t engage in open source, your developers or subcontractors may inadvertently leak sensitive information on their personal GitHub repositories. Think corporate secrets or source code – a significant risk alert!

Enter your domain name and receive valuable metrics, like the number of secrets publicly leaked on GitHub and the number of valid secrets.

Data included in the audit

Commits scanned: All activity on GitHub is linked to a commit email. GitGuardian can tie such commit emails to GitHub accounts, and hence monitor that accountʼs activity.

Active developers in your perimeter: Developers who mentioned your company name on their GitHub profile, or use their company email address when pushing code publicly on GitHub.

Secrets leaked publicly on GitHub: Secrets are digital authentication credentials granting access to systems or data. These are most commonly API keys or usernames and passwords.

Valid secrets publicly available on GitHub: Secrets that can still be exploited by persons with malicious intent.

Secrets breakdown by category: Percentage of secrets leaks for each category (eg. Private key, Version control platform, Cloud provider, Messaging system, Data storage, etc.).

Direct mentions of your company in commits: Commits that mention your company domain in the committed code.

Developers involved in at least one secret leak: Developers from your perimeter who have leaked at least one secret.

Secrets contained in a sensitive file: Secrets that were published inside a file that is sensitive in itself, such as a configuration file.

Public events: A Public Event occurs when a private repository is made public. Such an event is sensitive as it discloses the entire history of a repository, where sensitive data could be found.

Secrets erased from GitHub: Secrets that can no longer be found on GitHub, but have been leaked and can be found in GitHub archives.

GitGuardian’s secrets detection engine has been running in production since 2017, analyzing billions of commits coming from GitHub. The algorithms and detectors constantly train against a dataset of 4 billions commits. The latest State of Secrets Sprawl 2024 reveals 12.8 million new secrets occurrences were exposed on GitHub in 2023. GitGuardian can tell you how many leaks are tied to your company by first identifying your developers active on GitHub.

Even if your organization doesn’t engage in open source, your developers or subcontractors may inadvertently leak sensitive information on their personal GitHub repositories. This includes corporate secrets or source code, posing a significant risk.

The audit generates a score ranging from A to E. This score factors in the volume of hardcoded secrets detected, the number of leakers (developers who have leaked at least one secret), and the number of developers within your scope over the past three years. Companies are grouped by their number of developers, allowing for a fair comparison.