GitGuardian, which today announced raising a $44 million series B funding round, plans to build upon its popular solution for detecting sensitive data in code by expanding to offer a broader code security platform, CEO and cofounder Jérémy Thomas told VentureBeat.

GitGuardian’s secrets detection solution already ranks as the top-downloaded security application on GitHub with 132,000 installs. Looking ahead, Thomas said the company aims to become a top player in the broader application security and DevSecOps space.

GitGuardian is “now in pole position to compete against other leaders in other code security verticals, and build a holistic platform to enforce code security at scale,” he said in an email.

Focus on developer security

According to a recent report from Venafi, nearly all senior IT executives — 97% — agree that software build processes are not secure enough. Meanwhile, concerns about software supply chain insecurity are widespread in the wake of attacks such as the SolarWinds breach.

And yet, increasing pressures on developers appear to be worsening the issues. A recent survey by Invicti Security found that 70% of development teams always or frequently skip security steps due to time pressures when completing projects.

In response, many companies are now in the process of moving toward DevSecOps — an approach that aligns development, security, and operations with the goal of securing applications from the get-go during development.

GitGuardian has made its name operating in just one vertical of the code security market: secrets detection. The company’s app scans selected code repositories for sensitive data such as API keys or passwords, and then sends an alert if one of these secrets is discovered.

Detecting sensitive data

This is needed because developers, perennially facing deadline pressures, have been known to take shortcuts while managing secrets — leading to sensitive data being accidentally committed as part of a code revision. GitGuardian previously reported that it had discovered more than 2 million secrets in public GitHub repositories in 2020, a 20% increase over the previous year. Just last week, Amazon Web Services announced a new secrets detector feature in its Amazon CodeGuru Reviewer tool.

GitGuardian scans billions of commits a year and solves the complex challenges that are linked with the processing of massive amounts of data in real time, Thomas said. The company’s algorithms are a mix of entropy scanning and sophisticated pattern matching techniques, and also involve leveraging the context of the presumed credentials, he said.
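As an added illustration (not GitGuardian's code or its actual algorithm), the sketch below combines the three signals named above on the added lines of a diff: a format-specific pattern, an entropy check, and the context of the variable name. The regexes, keyword list, and 3.5-bit threshold are assumptions, and the sample diff is constructed.

```python
import math
import re

# Pattern detector: AWS access key IDs are "AKIA" plus 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Generic detector: name = value, where the value is a long token-like string.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_]\w*)\s*[:=]\s*["']?(?P<value>[A-Za-z0-9+/_\-]{16,})"""
)
# Context: trust the entropy signal only when the name suggests a credential (assumed list).
CONTEXT_WORDS = ("key", "secret", "token", "password", "passwd", "pwd")

# Constructed sample diff; the AWS value is the placeholder used in AWS documentation.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_token = "q8Zr2LmX0vTn4KbY7sHd9PwEc1Jf"
+password_hint = "aaaaaaaaaaaaaaaaaaaaaaaa"
+build_id = "q8Zr2LmX0vTn4KbY7sHd9PwEc1Jf"
-OLD_SECRET = "x"
"""

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(diff_text, min_entropy=3.5):  # threshold is an assumed value
    """Return (line number, detector name, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines the commit adds; skip the file header
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append((lineno, "aws_access_key_id", m.group(1)))
            continue  # a specific detector matched; skip the generic one
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name").lower(), m.group("value")
            # Require both signals: credential-like name AND random-looking value.
            if any(w in name for w in CONTEXT_WORDS) and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "generic_high_entropy", value))
    return findings
```

The low-entropy `password_hint` and the high-entropy but innocuously named `build_id` are both ignored, which shows why entropy or naming alone produces either false positives or misses.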

The technology comprises more than 300 detectors and is capable of detecting secrets in public or private repositories, and in containers, according to GitGuardian. It can also be deployed as software-as-a-service or in an on-premises environment.

With its incident lifecycle management capabilities, ability to handle advanced remediation workflows, and deployment flexibility, GitGuardian is “the only option suitable for the large enterprise segment,” Thomas said.

Beyond secrets

Now, with the help of the new funding round, Paris-based GitGuardian plans to extend its technology to scan for a wider variety of vulnerabilities in code, in order to become a provider of “comprehensive” code security, according to Thomas.

For example, in the future, GitGuardian’s solution will likely be able to scan for infrastructure as code (IaC) security misconfigurations and perform static application security testing (SAST), he said. The goal will be “to compete with legacy code security platforms that aren’t built for the DevOps generation from the ground up,” Thomas said.

Key differentiators that GitGuardian will bring to bear include its “massive” dataset and large developer community, which will enable rapid testing, he said.

“Broadening the detection scope will increase numbers of high assurance and high-value findings, making GitGuardian even more relevant for enterprises, individual developers, and small development teams,” Thomas said.

Growth so far

With the new investment, GitGuardian has raised $56 million since its founding in 2017 by Thomas and Eric Fourrier. The two had previously founded data science consulting firm Quantiops together.

The company’s series B funding round was led by Eurazeo and included investments from Sapphire Ventures, Balderton, BPI, and Fly Ventures.

Plans for 2022 include opening GitGuardian’s first U.S. office during the first quarter, to which Thomas plans to relocate, and hiring 100 staff members in the U.S. and Europe. GitGuardian currently employs 60.

GitGuardian expects to quadruple its recurring revenue in 2021, and then quadruple again in 2022. By the end of this year, the company expects to close its first seven-digit deal, according to Thomas.

New customers added in 2021 include Automox, Instacart, Maven Wave, Seequent, Iress, Stedi, Now: Pensions, and Cloudbakers.

Code security has proven to be a highly popular area for venture funding this year, including in recent months—which have seen major investments in code security startups including Snyk ($530 million), Contrast Security ($150 million), and Cycode ($56 million).
