Connect your GitGuardian workspace to enable CloudThinker agents to browse secret incidents, investigate exposed credentials, and monitor honeytokens across your repositories. GitGuardian authenticates with a Personal Access Token (PAT); CloudThinker derives the right endpoint from your dashboard URL, so the same setup works for US, EU, and self-hosted instances.

Supported platforms

Platform | URL
GitGuardian US (SaaS) | https://dashboard.gitguardian.com
GitGuardian EU (SaaS) | https://dashboard.eu1.gitguardian.com
GitGuardian Self-Hosted | Your instance URL (e.g. https://gitguardian.your-company.com)

Prerequisites

  • A GitGuardian workspace with access to the incidents you want to review.
  • A Personal Access Token with the scopes for the data CloudThinker should reach.
  • For honeytoken creation: a workspace Manager role.
A PAT inherits the scopes you grant it and the role of the workspace member who creates it. Mint it from a least-privileged member that still covers what CloudThinker needs.

Setup

1. Open GitGuardian

Sign in to your GitGuardian dashboard (US, EU, or your self-hosted URL).

2. Create a Personal Access Token

On the sidebar, click Settings, then go to API → Personal Access Tokens and click Create token:
  • Name: cloudthinker
  • Expiration: set a rotation window
  • Scopes: select the scopes for the data CloudThinker should access (start with incidents)
Copy the token immediately; it is shown only once.

3. Add the connection in CloudThinker

Navigate to Connections → GitGuardian and enter:
  • GitGuardian URL: your dashboard or instance URL
  • Personal Access Token: the token you just created
Click Connect. CloudThinker verifies the token and shows a Connected status.
Copy the Personal Access Token immediately after creation. GitGuardian shows it only once, and you'll need to mint a new one if it's lost.

Connection details

Field | Description | Example
GITGUARDIAN_URL | GitGuardian dashboard or instance URL | https://dashboard.gitguardian.com
GITGUARDIAN_PERSONAL_ACCESS_TOKEN | GitGuardian Personal Access Token | -
CloudThinker derives the API endpoint from the URL, so US, EU, and self-hosted forms all work without extra configuration.

Required permissions

GitGuardian access is scope-driven: each PAT scope unlocks the matching family of capabilities. If a capability is missing, the token usually lacks that scope rather than the connection being broken. Select the scopes for the data CloudThinker should reach. Start with incidents for incident triage and add others as needed.
Scope | Enables
scanning | Run secret and security scans on content
incidents | Browse, inspect, and manage secret incidents
secrets | Access detected secrets and their occurrence details
sources | List and inspect monitored sources (repositories)
custom_tags | Read and manage custom tags
honeytokens | List and create honeytokens
members | View and manage workspace members
teams | View and manage teams
audit_logs | Read workspace audit logs
api_tokens | View and manage API tokens
ip_allowlist | View and manage the IP allowlist
health_checks | Validate connection and token health
Grant only the scopes CloudThinker needs. Many scopes offer separate read and write access; pick read-only unless a write capability is required.
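
A pre-connection check of the token against this guidance, as an added example (not CloudThinker or GitGuardian code). It assumes the token's description is available as a record with `scopes` and `expire_at` fields and that scopes are written as `family:read` / `family:write`; the policy sets and the 90-day window are hypothetical.

```python
from datetime import datetime, timezone

# Assumed policy for a read-only incident-triage connection (hypothetical values).
REQUIRED_SCOPES = {"incidents:read"}
ALLOWED_SCOPES = REQUIRED_SCOPES | {"sources:read"}
MAX_LIFETIME_DAYS = 90  # assumed rotation window


def audit_token(meta, now=None):
    """Return least-privilege findings for one PAT metadata record."""
    now = now or datetime.now(timezone.utc)
    scopes = list(meta.get("scopes") or [])
    findings = []
    for scope in scopes:
        # Assumed scope format: "<family>:<read|write>"; bare names have no suffix.
        _, _, access = scope.partition(":")
        if access == "write":
            findings.append(f"write scope granted: {scope}")
        elif scope not in ALLOWED_SCOPES:
            findings.append(f"scope outside policy: {scope}")
    for scope in sorted(REQUIRED_SCOPES - set(scopes)):
        findings.append(f"missing required scope: {scope}")
    expire_at = meta.get("expire_at")
    if not expire_at:
        findings.append("no expiration set")
    else:
        expires = datetime.fromisoformat(expire_at.replace("Z", "+00:00"))
        if expires.tzinfo is None:  # treat naive timestamps as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append("token expired")
        elif (expires - now).days > MAX_LIFETIME_DAYS:
            days = (expires - now).days
            findings.append(f"expires in {days} days, beyond rotation window")
    return findings


# Constructed sample record, not real GitGuardian output.
SAMPLE_TOKEN = {
    "name": "cloudthinker",
    "scopes": ["incidents:read", "honeytokens:write", "members:read"],
    "expire_at": None,
}

if __name__ == "__main__":
    for finding in audit_token(SAMPLE_TOKEN):
        print("FINDING:", finding)
```

An empty result means the token matches the policy; any finding is a reason to re-mint the token with narrower scopes or an expiration before connecting it.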

Agent capabilities

Once connected, agents have scope-gated access to your GitGuardian workspace.
Capability | Description
Incident browsing | List and inspect secret incidents, including status and severity
Incident investigation | Review exposed credentials, sources, and occurrences for triage
Honeytokens | List honeytokens and, with Manager role, create new ones
Token inspection | Report the connected token's scopes and capabilities
Honeytoken creation changes workspace state. CloudThinker requires explicit approval and a Manager-role token before any write runs.

Verify the connection

@oliver verify the GitGuardian connection: confirm the token is valid and report which scopes it carries

Example prompts

@oliver list open GitGuardian secret incidents and #alert on anything touching production repos
@oliver investigate the most recent secret incident and summarize the exposed credential and its sources
@oliver report which scopes the connected GitGuardian token carries

Troubleshooting

The PAT lacks the matching scope. Re-mint or update the token with the needed GitGuardian scope, then reconnect.
The PAT is invalid, expired, or revoked. Create a new Personal Access Token and update the connection in CloudThinker.
The token's scope or workspace role is insufficient. Grant the required scope or workspace role. Honeytoken writes require the Manager role.
Incidents appear empty or the endpoint can't be reached. Confirm the GitGuardian URL matches your workspace region (US, EU) or self-hosted instance.

Security

  • Least privilege: grant only the permissions the agents need for your use case; start read-only and widen later.
  • Read-only by default: use read-only credentials unless you want agents to make changes through this connection.
  • Rotate credentials: rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
  • Revoke on offboarding: remove the credential at the provider when you delete a connection or a teammate leaves.
  • Scope-driven access: grant only the scopes CloudThinker needs; prefer read-only access where a scope offers it.
  • Manager role for writes: reserve Manager-role tokens for setups that must create honeytokens; keep honeytoken creation approval-gated.
