GitGuardian

Computer and Network Security

Paris, Île-de-France 18,894 followers

The end-to-end platform for Secrets Security.

About us

***** We're hiring: building an outstanding tech team in Paris right now! Apply here: https://careers.gitguardian.com/ *****

GitGuardian is the end-to-end NHI security leader. GitGuardian helps you take control of your NHI security by discovering all your secrets, prioritizing and remediating leaks at scale, ultimately protecting your non-human identities, and reducing breach exposure. Widely adopted by developer communities, GitGuardian is used by over 600 thousand developers and leading companies, including Snowflake, Orange, Iress, Mirantis, Maven Wave, ING, BASF, and Bouygues Telecom. GitGuardian is the number 1 security app on the GitHub Marketplace. Try it for free today: https://dashboard.gitguardian.com/

Website
https://www.gitguardian.com
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
Paris, Île-de-France
Type
Privately Held
Founded
2017
Specialties
Data Loss Prevention, Cybersecurity, Supply chain security, Application Security, Code Security, Application Security Testing, Cybersecurity, and DevSecOps

Updates

  • AI agents commit secrets. Then they commit a fix. The original commit stays forever. This is not a new mistake. It is a new actor making the same one at scale.
    Security researchers at CYPFER ran a GitHub search for phrases like "remove credentials from documentation." The result: roughly 124,000 commits where the secret sat one commit back, fully intact. Timing signatures and structured commit messages pointed to AI agents handling both the leak and the cleanup.
    The core issue is architectural. Models learn from training data that treats Git as a linear series of changes. New commits do not erase prior history. A commit message advertising the removal just tells attackers exactly where to look.
    What actual remediation requires:
    - Rotate or revoke the credential first, before touching history
    - Use git-filter-repo to scrub every affected commit across branches
    - Scan full history with ggshield, not just HEAD
    GitGuardian Agent Skills give Cursor, Claude Code, and Codex a tested operating plan for this. Scan first. Remediate from findings. Git remembers everything. https://lnkd.in/eTTuw6qi
    What gaps are you seeing in how agents handle secrets today? #SecretsManagement #AppSec #DevSecOps #NHI
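As an added illustration of the "one commit back" problem and of why the post insists on scanning full history rather than HEAD (example code written for this page, not GitGuardian's or ggshield's), this Python script builds a throwaway repo, commits a constructed fake token, "removes" it in a follow-up commit, and compares what a HEAD-only scan sees with what a walk over every commit on every branch sees. The token shape, the regex and the commit messages are assumptions of the demo; rewriting history with git-filter-repo and rotating the credential are left to the steps above.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed, non-functional token used only as scan input for this example (GitHub PAT shape).
FAKE_SECRET = "ghp_" + "EXAMPLE".ljust(36, "0")
PATTERN = re.compile(r"ghp_[A-Za-z0-9]{36}")

def _git(repo: Path, *args: str) -> str:
    return subprocess.run(["git", "-C", str(repo), *args], check=True,
                          capture_output=True, text=True).stdout

def make_leaky_repo() -> Path:
    """Throwaway repo: one commit leaks a secret, the next 'removes' it from the file."""
    repo = Path(tempfile.mkdtemp())
    _git(repo, "init", "-q")
    _git(repo, "config", "user.email", "dev@example.test")
    _git(repo, "config", "user.name", "dev")
    doc = repo / "README.md"
    doc.write_text(f"token: {FAKE_SECRET}\n")
    _git(repo, "add", "README.md")
    _git(repo, "commit", "-q", "-m", "add setup docs")
    doc.write_text("token: <redacted>\n")
    _git(repo, "add", "README.md")
    _git(repo, "commit", "-q", "-m", "remove credentials from documentation")
    return repo

def head_hits(repo: Path) -> int:
    """What a HEAD-only scan sees: matches in the checked-out files."""
    files = (p for p in repo.rglob("*") if p.is_file() and ".git" not in p.parts)
    return sum(len(PATTERN.findall(p.read_text(errors="ignore"))) for p in files)

def history_hits(repo: Path) -> list:
    """Walk every commit on every branch; report each diff line that adds or removes a match."""
    hits, sha, subject = [], "", ""
    for line in _git(repo, "log", "--all", "-p", "--format=COMMIT %h %s").splitlines():
        if line.startswith("COMMIT "):
            _, sha, subject = line.split(" ", 2)
        elif line[:1] in ("+", "-") and line[:3] not in ("+++", "---") and PATTERN.search(line):
            hits.append((sha, subject, "added" if line[0] == "+" else "removed"))
    return hits  # newest commit first, so the commit that introduced the secret is the last entry

if __name__ == "__main__":
    r = make_leaky_repo()
    print("HEAD matches:", head_hits(r))
    for sha, subject, how in history_hits(r):
        print(f"{sha} {how:7} {subject}")
```

The HEAD scan reports zero matches while the history walk reports the secret twice: removed by the commit whose message advertises the cleanup, and added by the commit just before it.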

  • Most security teams can't see their whole attack surface, and you can't clean up what you can't see. Writing in The Cybersecurity Pulse (TCP) this week, Dr. Yonesy Núñez, a six-time CISO, makes the case that the boring work, the hygiene most teams defer, is now the moat, and that seeing all of your exposed surface is what decides whether your security holds. Credentials are a good place to watch that break down. A scanner flags the secret committed to a repo. The live key sitting in a .env file, a cloud credential store, or an AI tool config on a developer's laptop or a CI runner goes unnoticed, because traditional scanning stops at the repo and the pipeline. That's exactly what an infostealer or a poisoned package is designed to harvest. Most teams have no inventory of any of it, and you can't revoke a credential you never knew existed. #Cybersecurity #SecretsSecurity #AppSec

  • Most people think of a developer laptop as the place where code gets written. Attackers think of it differently. It's where source control, cloud accounts, package registries, build scripts, and AI coding agents all converge, and where the credentials that connect all of those systems quietly accumulate.
    Secrets that sit on developer machines and what those secrets unlock - that's the problem. An AWS key on a laptop is production access. An npm token is the ability to publish packages to thousands of downstream users. A GitHub token is repository write access, Actions trigger rights, and a trusted identity in every workflow it touches.
    AI coding agents make this worse. They read files, run commands, summarize outputs, and call external services with access to the same credential store the developer uses. A single prompt can pull a token into model context. A single tool call can print an API key into a log. The exposure surface now includes everything the developers' agents can reach.
    → We wrote about what this means for security controls, and where the guardrails need to go now. https://lnkd.in/ezVXkZBQ

  • At Identiverse 2026, 3,800+ identity professionals asked the same question across every session. Not which protocol. Not which vendor. "Who is accountable when an agent causes harm?" The answer, at most organizations, was silence.
    The stakes are concrete:
    - One customer environment had 70,000 NHIs. Most had no named owner.
    - Agents bootstrapped with API keys carry full blast radius into every sub-agent they spawn.
    - A red team at a financial institution impersonated any employee via a chatbot. The fix required taking the system offline.
    Four controls came up in every session:
    - A named human owner per agent, reachable when something breaks
    - Short-lived, scope-bound tokens issued at runtime, not API keys copied into ENV files
    - Delegation chains that preserve intent from the first trigger to the final action
    - Full inventory before any other control is applied
    Governance cannot protect what it cannot see. https://lnkd.in/e4ruXKGz
    What control is your team prioritizing first for AI agents in production? #NHI #SecretsManagement #DevSecOps #AppSec #CyberSecurity

  • Guillaume Valadon, our cybersecurity researcher, scanned public sources for leaked PyPI tokens. What he found was worse than expected. https://lnkd.in/eyeYHzMR
    Out of 3,714 valid pypi.org tokens analyzed, 62 were still live. Those 62 keys had access to 125 real packages with 25,000 monthly downloads.
    - Most live tokens leaked on GitHub in 2024, where automatic scanning should have caught and revoked them
    - PyPI tokens are macaroons: you can decode one without the signing secret and read its project scope before ever testing if it works
    - After responsible disclosure, PyPI revoked all 62 tokens and shipped new admin tooling to simplify future reports
    A valid #PyPI token is a direct path to a supply chain compromise. Scoped tokens, clean .gitignore files, and pre-push secret scanning close most of the gap.
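To show what "read its project scope before ever testing if it works" looks like in practice, here is an added Python example (not GitGuardian's code) that parses a pypi- token as a libmacaroons v2 binary macaroon and pulls the project list out of a JSON caveat, so a triage pipeline can classify a finding without contacting PyPI. The binary layout, the caveat JSON shape and the sample token the block builds are assumptions of this example; no signing secret is used and nothing is verified.

```python
import base64
import json

LOCATION, IDENTIFIER, SIGNATURE, EOS = 1, 2, 6, 0  # libmacaroons v2 field tags (assumed layout)

def _read_field(buf: bytes, pos: int):
    """Return (tag, payload, next_pos); EOS is a lone tag byte, other fields carry a varint length."""
    tag, pos, length, shift = buf[pos], pos + 1, 0, 0
    while tag != EOS:  # varint length prefix, base-128 little-endian
        b, pos = buf[pos], pos + 1
        length |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return tag, buf[pos:pos + length], pos + length

def decode_pypi_token(token: str) -> dict:
    """Parse the macaroon inside a pypi- token without verifying it (no signing secret needed)."""
    s = token.removeprefix("pypi-")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if raw[0] != 2:
        raise ValueError("not a v2 binary macaroon")
    sections, current, sig, pos = [], {}, None, 1
    while pos < len(raw):
        tag, data, pos = _read_field(raw, pos)
        if tag == SIGNATURE:
            sig = data.hex()
        elif tag == EOS:  # closes the header, then each caveat, then the caveat list
            sections.append(current)
            current = {}
        else:
            current[tag] = data.decode("utf-8", "replace")
    return {"location": sections[0].get(LOCATION), "id": sections[0].get(IDENTIFIER),
            "caveats": [c[IDENTIFIER] for c in sections[1:] if IDENTIFIER in c], "signature": sig}

def project_scope(decoded: dict):
    """Projects named in a JSON {"permissions": {"projects": [...]}} caveat (assumed layout), else None."""
    for text in decoded["caveats"]:
        perms = json.loads(text).get("permissions", {}) if text.startswith("{") else {}
        if "projects" in perms:
            return list(perms["projects"])
    return None

def build_sample_token(projects: list) -> str:
    # Constructed sample: fake id, all-zero signature, one-byte lengths (all payloads < 128 bytes)
    f = lambda tag, data: bytes([tag, len(data)]) + data
    caveat = json.dumps({"version": 1, "permissions": {"projects": projects}}).encode()
    body = (b"\x02" + f(LOCATION, b"pypi.org") + f(IDENTIFIER, b"sample-id-0001") + b"\x00"
            + f(IDENTIFIER, caveat) + b"\x00\x00" + f(SIGNATURE, bytes(32)))
    return "pypi-" + base64.urlsafe_b64encode(body).decode().rstrip("=")
```

A decoded token that names a project you publish is a high-priority rotation even before anyone checks whether it is live; a scope you do not recognise is still a leak, just someone else's.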

  • Tomorrow: Dwayne McDaniel takes the stage at the Cloud Security Alliance Agentic AI Security Summit. Every coding agent you run spins up new credentials. Every orchestration harness chains permissions across systems. Most security teams have no map of the access model that creates. His session shows how non-human identity becomes the trust fabric that governs it.
    🎤 Session: From Pets to Cattle to Agents: Evolving Identity and Security for Workloads
    📅 Wednesday, June 24, 12:55 PM EDT
    💻 Free and virtual
    Register here for free: https://ow.ly/XQfc50ZfnWn
    #NonHumanIdentity #AgenticAI #SecretsSecurity

  • Your CI/CD scans pass clean. Your repo shows no secrets. Your production app is still leaking credentials. BSides San Antonio 2026 made this gap impossible to ignore. Secrets detection has to follow credentials beyond the commit. Into the build, the artifact, the runtime bundle. That is where attackers are already looking.
    Three signals we brought back from the event:
    - A service principal token gives an attacker the application's full authority, not just a user session
    - Over-permissioned managed identities in Logic Apps and Function Apps are a lateral movement path waiting to be used
    - Compliance controls die where evidence thins out: exceptions, ignored service accounts, unreviewed SIEM alerts
    The through-line across every session: attackers operate where trust has already been granted. Defenders have to follow that trust path through every layer. https://lnkd.in/e-f2hxF2
    Where does your secrets detection coverage stop today? Source, pipeline, artifact, or runtime? #SecretsManagement #AppSec #NHI #DevSecOps #CloudSecurity

  • The average developer laptop holds 150 secrets. Some machines reach into the thousands. That number matters because every credential sitting in a shell history, .env file, or AI agent config is a breach waiting to happen. Traditional scanning stops at the repo. Infostealers don't.
    We built Developer Endpoint Protection into ggshield to close that gap:
    - Scans 500,000 files in under one minute, fully local, no credentials ever sent in clear text
    - Around 40% of high and critical secrets surface in AI tool directories and log files, locations no repo scanner sees
    - Honeytokens placed on machines fire the moment an infostealer validates a credential, giving you real-time attribution before damage is done
    Endpoint findings feed directly into GitGuardian's NHI and Secrets Security platform. One inventory. Endpoint to repository to identity.
    What's your current visibility into credentials sitting on developer machines? https://lnkd.in/e_kSW2-h #SecretsManagement #NHI #DevSecOps #AppSec #CyberSecurity

Funding

GitGuardian 4 total rounds

Last Round

Series B

US$ 44.0M
