Availability: Invicti AppSec Enterprise package (on-premise, on-demand)

GitGuardian SAST

Invicti AppSec supports GitGuardian as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the GitGuardian integration.

GitGuardian is a secrets detection platform that scans source code repositories for hardcoded secrets, API keys, passwords, certificates, and other sensitive data.

Prerequisites

Before starting the integration, ensure you have the following information from your GitGuardian account:

| Field | Description | Required |
|---|---|---|
| Token | Personal access token (PAT) generated from your GitGuardian account | Yes |
Info: The GitGuardian API URL is automatically set to https://api.gitguardian.com/v1 and does not need to be configured.

Get a Token (on GitGuardian Side)

  1. Log in to GitGuardian at https://dashboard.gitguardian.com.
  2. Click your avatar (lower left-hand corner) and select API > Personal access tokens.
  3. Click Create a token.
  4. Enter a name, select the appropriate scopes (e.g., scan), and set an expiration.
  5. Click Create and copy the token immediately (it won't be shown again).

Step 1: Navigate to Integrations

From the left sidebar menu, click on Integrations.

Step 2: Select the SAST Tab

On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).


Step 3: Find and Activate GitGuardian

Scroll through the list of SAST scanners to find GitGuardian.

  • If GitGuardian is not activated, you will see an "Activate" button. Click it to enable the integration.
  • If GitGuardian is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
Info: The scan method badge on the GitGuardian card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).

Step 4: Configure Connection Settings

Click on the gear icon on the GitGuardian card to open the configuration panel. Fill in the required fields:

  1. Instance: Select or create an instance name from the dropdown. Use "Default" if you have a single GitGuardian account.
  2. Token: Paste the personal access token you generated from GitGuardian.


Step 5: Test the Connection

Click the Test Connection button at the bottom of the configuration panel to verify that the provided credentials are correct.

  • If the connection is successful, the integration is ready to use.
  • If the connection fails, verify your Token value and ensure it has the required scopes.
  • For existing integrations, you can use the Retest Connection button at the top of the panel.

Step 6: Advanced Settings (Optional)

Click on Advanced Settings to expand additional options:

| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this GitGuardian instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional GitGuardian instances | Off |

After modifying advanced settings, click Save Advanced Settings to apply changes.

Summary

| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SAST tab under Scanners |
| 3 | Find GitGuardian and click Activate (if not already active) |
| 4 | Click the gear icon and fill in Token |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |

How to Create a Scan

After activating and configuring GitGuardian, you can create scans from your project's scanner settings.

  1. Go to your Project page.
  2. Click the Settings tab.
  3. Select Scanners from the left sidebar.

Add GitGuardian Scanner

  1. In the scanner type dropdown, select SAST.
  2. In the scanner dropdown, search for and select GitGuardian.
  3. Click the Add button to open the scan configuration drawer.


Scan Configuration Fields

| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan (optional) | No |
| Branch | Specify the branch to scan | No |
| Meta Data | Additional metadata for the scan (optional) | No |
| Scan Tag | Tag to identify the scan (optional) | No |
| Fork Default Branch | Enable to fork the default branch before scanning | No |

Scheduler

  • Now: Run the scan immediately after saving.
  • Custom Date: Schedule the scan for a specific date and time.

Webhook (Optional)

Enable the webhook to trigger scans from actions taken in your application lifecycle management tool:

  1. Check the Trigger scans via actions checkbox.
  2. Select the Platform (e.g., GitHub, GitLab, Bitbucket).
  3. Click Generate to create a Secret Key for webhook authentication.

KDT Command

You can also trigger GitGuardian scans from your CI/CD pipeline using KDT:

```
kdt scan -p <project_name> -t gitguardian -b <branch_name>
```

Click Save to create the scan configuration.
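As an added CI helper (not part of the Invicti or Kondukto documentation), the following shell script wraps the KDT command above: it resolves the branch from common CI variables, rejects project or branch names that could be parsed as extra options or shell metacharacters, and never handles the GitGuardian token itself, which stays in the integration configured in Step 4. It assumes `kdt` is on PATH and already authenticated, and that `GITHUB_REF_NAME` or `CI_COMMIT_REF_NAME` is set as in GitHub Actions and GitLab CI.

```shell
#!/bin/sh
# Added example, not from the Invicti/Kondukto docs. Wraps the documented
# "kdt scan -p <project> -t gitguardian -b <branch>" command for a CI/CD job.
# Assumptions: `kdt` is on PATH and already authenticated; GITHUB_REF_NAME
# (GitHub Actions) or CI_COMMIT_REF_NAME (GitLab CI) names the branch.

# Reject names that are empty, start with "-" (would be read as an option),
# or contain anything outside a conservative character set.
is_safe_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Branch to scan: explicit argument, then CI variables, then the local checkout.
resolve_branch() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "${GITHUB_REF_NAME:-}" ]; then printf '%s\n' "$GITHUB_REF_NAME"
    elif [ -n "${CI_COMMIT_REF_NAME:-}" ]; then printf '%s\n' "$CI_COMMIT_REF_NAME"
    else git rev-parse --abbrev-ref HEAD 2>/dev/null
    fi
}

# Compose exactly the command shown in the docs and print it (for inspection
# or logging). Returns non-zero, without printing, on unsafe input.
build_kdt_cmd() {
    project="$1"; branch="$2"
    is_safe_name "$project" || { echo "unsafe project name" >&2; return 1; }
    is_safe_name "$branch"  || { echo "unsafe branch name" >&2; return 1; }
    printf 'kdt scan -p %s -t gitguardian -b %s\n' "$project" "$branch"
}

# Trigger the scan. DRY_RUN=1 only prints the command, e.g. for pull requests.
run_gitguardian_scan() {
    project="$1"
    branch="$(resolve_branch "${2:-}")"
    cmd="$(build_kdt_cmd "$project" "$branch")" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmd"
    else
        kdt scan -p "$project" -t gitguardian -b "$branch"
    fi
}
```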

Troubleshooting

Connection Fails

  • Invalid Token: Verify the personal access token is correct and has not been revoked. Generate a new token from the GitGuardian dashboard.
  • Token Scope: Ensure the token has the scan scope enabled.
  • Network Issues: Ensure the Invicti AppSec instance can reach https://api.gitguardian.com.

Scan Issues

  • No Results: Ensure the repository has been scanned by GitGuardian and findings are available.
  • Secret Types: GitGuardian detects specific types of secrets. Review the GitGuardian documentation for the list of supported secret detectors.

Best Practices

  • Use Dedicated Tokens: Create a separate personal access token for the Invicti AppSec integration.
  • Rotate Tokens Regularly: Regenerate tokens periodically and set appropriate expiration dates.
  • Select Appropriate Scopes: Grant only the necessary scopes (e.g., scan) to the token.
  • Monitor Incidents: Regularly review GitGuardian incidents on the GitGuardian dashboard for context.

Limitations

  • Secrets Detection Only: GitGuardian focuses on secrets detection (API keys, passwords, certificates) rather than general code vulnerabilities.
  • Cloud API: The integration communicates with GitGuardian's cloud API (api.gitguardian.com).
  • API Rate Limits: GitGuardian API may enforce rate limits depending on your subscription plan.
