GitGuardian Scans Developer Laptops for 150 Secrets on Average, Targets AI Credential Bleed

hackernoon.com · @systems_wire · 3 hours ago · Cybersecurity · 2 comments

A new endpoint scanner finds 40% of secrets in AI tool directories; GitGuardian says the average developer machine holds 150 credentials, with private keys at 38%.

Tags: gitguardian, endpoint protection, developer security, secrets management, non-human identities, supply chain security

GitGuardian's beta program found an average of 150 secrets per developer laptop, with some machines carrying thousands. Private keys account for 38% of unique secrets; cloud, identity provider, and secret management credentials (AWS IAM, HashiCorp Vault, etc.) add another 22%. And 40% of all secrets sit in AI tool directories and logs, the footprint of coding agents and MCP servers that generate credentials and leave copies scattered across the machine.

That's the data behind GitGuardian's new Developer Endpoint Protection, announced today. The product is a scheduled scan that deploys through existing MDM tooling and completes in roughly a minute on most developer machines. It inventories every secret, maps it to the production systems it unlocks, and scores each by severity and access scope.

Why the Developer Endpoint Became the Credential Gap

Supply-chain campaigns over the last 12 months have made the pattern painfully clear: attackers land on a developer or privileged endpoint, harvest plaintext credentials, and pivot into production code, cloud control planes, and SaaS apps. The self-replicating Mini Shai-Hulud worm compromised more than 300 npm and PyPI packages. The Bitwarden CLI compromise, the Trivy-to-LiteLLM campaign, and the April 2026 Vercel exposure all followed the same script: credentials cached on developer or CI endpoints, harvested at scale.

"Attackers have figured out that secrets at rest on endpoints, especially for non-human identities and API keys, are just as valuable as stolen credentials in Active Directory," said Ken Buckler, Information Security Research Director at Enterprise Management Associates. EDR focuses on malicious processes; identity programs only see secrets after they're used. The endpoint is the gap, and GitGuardian is positioning its scanner as the first-class fix.

Three Moves, One Product

Incident responders converge on three moves, according to GitGuardian's research: treat every developer endpoint as a credential store, prioritize credentials by what they grant access to (not where they were found), and shorten the lifetime of anything that cannot be removed. Endpoint Protection tries to automate all three.

It redacts secrets from shell and command history, migrates active credentials into vaults and local secrets managers, and hooks into AI coding agents to stop them from spreading secrets across the machine. Honeytokens planted on the laptop fire the moment an infostealer lifts one and automatically validates it, producing real-time, attribution-rich alerts. High-risk findings push straight into SOC, SIEM, and SOAR tooling.
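The three moves above (inventory the endpoint as a credential store, rank each secret by what it unlocks and where it sits, then shrink the footprint of whatever has to stay) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not GitGuardian's scanner or any of its code: it walks a constructed fake home directory, matches a handful of simplified secret formats, scores each finding by category plus a location modifier (AI tool directories and shell history weigh more), and redacts hits from shell history in place. The detector regexes, the category weights, the list of AI tool directories and the planted sample secrets are all assumptions made for the example.

```python
"""Minimal endpoint secret inventory (added example, not GitGuardian's code).
Scan a home directory for secrets, score each by what it grants and where it
sits, and redact shell-history hits. Detectors and weights are assumptions."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Detector name -> (regex, category, base severity). Simplified illustrations of
# well-known formats, not production-grade detectors (assumed for this example).
DETECTORS = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "cloud", 8),
    "private_key_pem": (re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), "private_key", 9),
    "github_pat": (re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), "scm", 7),
    "vault_token": (re.compile(r"\b(hvs\.[A-Za-z0-9_-]{24,})\b"), "secret_manager", 8),
}
AI_TOOL_DIRS = {".cursor", ".claude", ".codex", ".continue"}  # assumed examples
SHELL_HISTORY = {".bash_history", ".zsh_history"}
REDACTED = "[REDACTED]"


@dataclass
class Finding:
    path: Path
    line_no: int
    detector: str
    category: str
    score: int      # base severity plus location modifier
    secret: str


def location_bonus(path: Path) -> int:
    """Where a secret sits changes its risk: AI tool directories get re-read and
    copied by agents (+2); shell history is plaintext and trivially harvested (+1)."""
    if any(part in AI_TOOL_DIRS for part in path.parts):
        return 2
    if path.name in SHELL_HISTORY:
        return 1
    return 0


def scan_file(path: Path) -> list[Finding]:
    findings: list[Finding] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, (rx, category, base) in DETECTORS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, line_no, name, category,
                                        base + location_bonus(path), m.group(1)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Inventory every secret under root, highest-risk first."""
    found: list[Finding] = []
    for p in root.rglob("*"):
        if p.is_file():
            found.extend(scan_file(p))
    return sorted(found, key=lambda f: f.score, reverse=True)


def by_category(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def redact_history(root: Path) -> int:
    """Rewrite shell history files in place, replacing each secret match.
    Returns the number of redacted matches."""
    count = 0
    for p in root.rglob("*"):
        if p.is_file() and p.name in SHELL_HISTORY:
            text = p.read_text(errors="replace")
            for rx, _, _ in DETECTORS.values():
                text, n = rx.subn(REDACTED, text)
                count += n
            p.write_text(text)
    return count


def build_sample_tree() -> Path:
    """Constructed fixture: a fake home directory with planted, non-functional secrets."""
    home = Path(tempfile.mkdtemp(prefix="fakehome_"))
    (home / ".bash_history").write_text(
        "ls -la\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\ngit status\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".cursor").mkdir()
    (home / ".cursor" / "mcp.json").write_text(
        '{"mcpServers": {"github": {"env": {"GITHUB_TOKEN": '
        '"ghp_0123456789abcdefghijklmnopqrstuvwxyz"}}, '
        '"vault": {"env": {"VAULT_TOKEN": "hvs.CAESIExampleExampleExampleExample"}}}}\n')
    return home


if __name__ == "__main__":
    home = build_sample_tree()
    for f in scan_tree(home):
        print(f"{f.score:2d} {f.category:15s} {f.detector:18s} {f.path.relative_to(home)}:{f.line_no}")
    print("by category:", by_category(scan_tree(home)))
    print("redacted from history:", redact_history(home))
```

Run as a script it lists four findings with the Vault token inside the `.cursor` directory ranked first, then strips the AWS key from `.bash_history`. The scoring is the point: a private key in `~/.ssh` and an AWS key in shell history land at the same rank, while the same AWS key copied into an agent's config would rank higher, which is what "prioritize by what it grants and where it sits, not merely where it was found" looks like in practice.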

CEO Eric Fourrier noted that the partition between code-resident and endpoint-resident credentials no longer exists for attackers, and it cannot exist for defenders. The product closes a hole that got wider the moment coding agents became standard on developer machines.

Organizations that can answer "what was on this machine on this date" recover faster from a supply-chain hit. GitGuardian is betting that a minute-long scan per laptop, paired with credential-first prioritization, is the fastest path to that answer.


Source: GitGuardian Announces Endpoint Protection