IT Brief Canada - Technology news for CIOs & IT decision-makers
GitGuardian launches endpoint protection for laptops

Fri, 19th Jun 2026
Sofiah Nichole Salivio, News Editor

GitGuardian has launched Developer Endpoint Protection, a product aimed at credentials stored on developer and privileged workstations.

The launch comes as software supply-chain attacks and SaaS breaches increasingly centre on developer machines that hold valid credentials in plaintext, shell history and local caches.

The new tool extends GitGuardian's existing secrets detection, honeytoken and non-human identity coverage to laptops and other privileged endpoints. It is designed to find credentials on a machine, identify where else the same credential appears and map each one to the production systems it can unlock.

The move reflects a shift in attack methods described by security researchers and incident responders. Rather than relying on zero-day exploits, attackers are increasingly moving through developer endpoints and CI environments to collect API keys, private keys and other tokens that can be used immediately.

GitGuardian pointed to a series of recent incidents, including Mini Shai-Hulud, the Bitwarden CLI compromise, the Trivy-to-LiteLLM campaign and the Vercel exposure. In each case, the common factor was the theft of credentials cached on developer or CI systems.

Changing threat

Another growing risk is the rise of coding agents and Model Context Protocol servers on employee machines. GitGuardian said these tools can generate credentials that remain after a session ends, leaving copies in log files, shell history and IDE caches, while many organisations lack a clear inventory of what has been created or stored.

Ken Buckler, Information Security Research Director at Enterprise Management Associates, said the gap sits between endpoint and identity tools. "Attackers have figured out that secrets at rest on endpoints, especially for non-human identities (NHIs) and API keys, are just as valuable as stolen credentials in Active Directory," Buckler said.

"EDR focuses on malicious processes; identity programs only see secrets after they're used, so the endpoint becomes the gap. The organizations winning this fight are the ones treating endpoint secrets discovery as a first-class security problem, not bolting it onto EDR as an afterthought," he added.

GitGuardian said incident responders are converging on three priorities: treating every developer and privileged endpoint as a credential store, prioritising credentials by the access they grant rather than where they were found, and reducing the lifetime of credentials that cannot be removed.

The company argues this approach can also help in post-incident analysis, because teams need to answer a specific question after a compromise: what was on a given machine at a given time?

Early findings

Data from an early field test illustrates the scale of the issue on a single device. GitGuardian said one laptop at a Tier-1 European telecom contained about 2,000 secrets, 10 of which were classed as critical and seven of which were still valid against production systems.

Eric Fourrier, Chief Executive Officer and Co-Founder of GitGuardian, outlined broader figures from the beta programme. "Over the past few months, barely a week has gone by without a major breach involving credentials stolen from a laptop," Fourrier said. "Our beta program data shows an average of 150 secrets on developer laptops, with some even ranging into the thousands. Among these secrets, private keys account for 38% of unique secrets, while cloud, identity provider, and secret management credentials like AWS IAM and HashiCorp Vault add another 22%. And the most interesting point is that 40% of secrets are found in AI directories/logs, demonstrating the impact of AI adoption. The partition between code-resident and endpoint-resident credentials no longer exists for attackers, and it cannot exist for defenders."

According to GitGuardian, the product runs as a scheduled scan deployed through existing mobile device management tools and usually completes in about a minute on most developer machines. It can redact secrets from shell and command history, move active credentials into vaults and local secrets managers, and use agent hooks intended to stop coding agents from copying secrets across the device.

The software can also score findings by severity and access scope before sending high-risk results into security operations tools, including SIEM and SOAR platforms. GitGuardian added that honeytokens can trigger alerts when an infostealer takes a credential and attempts to use it.

GitGuardian, which focuses on exposed credentials and non-human identities across code, cloud and developer environments, said more than 500,000 developers use its tools. It named customers including Snowflake, Orange, ING, Mirantis, Maven Wave, Euronext and Bouygues Telecom.

Its central claim is that developer laptops now need to be managed as credential stores rather than simply as endpoints, and the field-test figure of roughly 2,000 secrets on one machine underscores how much access a single compromised laptop can expose.