Supported platforms
| Platform | URL |
|---|---|
| GitGuardian US (SaaS) | https://dashboard.gitguardian.com |
| GitGuardian EU (SaaS) | https://dashboard.eu1.gitguardian.com |
| GitGuardian Self-Hosted | Your instance URL (e.g. https://gitguardian.your-company.com) |
Prerequisites
- A GitGuardian workspace with access to the incidents you want to review.
- A Personal Access Token with the scopes for the data CloudThinker should reach.
- For honeytoken creation: a workspace Manager role.
A PAT inherits the scopes you grant it and the role of the workspace member who creates it. Mint it from a least-privileged member that still covers what CloudThinker needs.
Setup
Create a Personal Access Token
On the sidebar, click Settings, then go to API > Personal Access Tokens and click Create token:
- Name: cloudthinker
- Expiration: set a rotation window
- Scopes: select the scopes for the data CloudThinker should access (start with incidents)
Connection details
| Field | Description | Example |
|---|---|---|
| GITGUARDIAN_URL | GitGuardian dashboard or instance URL | https://dashboard.gitguardian.com |
| GITGUARDIAN_PERSONAL_ACCESS_TOKEN | GitGuardian Personal Access Token | - |
CloudThinker derives the API endpoint from the URL, so US, EU, and self-hosted forms all work without extra configuration.
Required permissions
GitGuardian access is scope-driven: each PAT scope unlocks the matching family of capabilities. If a capability is missing, the token usually lacks that scope rather than the connection being broken. Select the scopes for the data CloudThinker should reach. Start with incidents for incident triage and add others as needed.
| Scope | Enables |
|---|---|
| scanning | Run secret and security scans on content |
| incidents | Browse, inspect, and manage secret incidents |
| secrets | Access detected secrets and their occurrence details |
| sources | List and inspect monitored sources (repositories) |
| custom_tags | Read and manage custom tags |
| honeytokens | List and create honeytokens |
| members | View and manage workspace members |
| teams | View and manage teams |
| audit_logs | Read workspace audit logs |
| api_tokens | View and manage API tokens |
| ip_allowlist | View and manage the IP allowlist |
| health_checks | Validate connection and token health |
Agent capabilities
Once connected, agents have scope-gated access to your GitGuardian workspace.
| Capability | Description |
|---|---|
| Incident browsing | List and inspect secret incidents, including status and severity |
| Incident investigation | Review exposed credentials, sources, and occurrences for triage |
| Honeytokens | List honeytokens and, with Manager role, create new ones |
| Token inspection | Report the connected token's scopes and capabilities |
Verify the connection
Example prompts
Troubleshooting
Some GitGuardian tools are missing
The PAT lacks the matching scope. Re-mint or update the token with the needed GitGuardian scope, then reconnect.
401 Unauthorized from GitGuardian
403 Forbidden from GitGuardian
The token's scope or workspace role is insufficient. Grant the required scope or workspace role. Honeytoken writes require the Manager role.
Wrong region or instance
Incidents appear empty or the endpoint can't be reached. Confirm the GitGuardian URL matches your workspace region (US, EU) or self-hosted instance.
Security
- Least privilege: grant only the permissions the agents need for your use case; start read-only and widen later.
- Read-only by default: use read-only credentials unless you want agents to make changes through this connection.
- Rotate credentials: rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
- Revoke on offboarding: remove the credential at the provider when you delete a connection or a teammate leaves.
- Scope-driven access: grant only the scopes CloudThinker needs; prefer read-only access where a scope offers it.
- Manager role for writes: reserve Manager-role tokens for setups that must create honeytokens; keep honeytoken creation approval-gated.
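
A pre-flight check for the points above, as an added example that is not CloudThinker or GitGuardian code: it audits a token's metadata against the scopes a connection needs, the Manager-role rule, and a rotation window. The metadata field names (`scopes`, `role`, `expire_at`), the role values, the admin-scope grouping, and the 90-day default are assumptions of this example, and the sample token is constructed.

```python
from datetime import datetime, timedelta, timezone

# Scopes that administer the workspace itself; this grouping is the example's assumption.
ADMIN_SCOPES = {"members", "teams", "api_tokens", "ip_allowlist"}


def audit_token(meta, needed, creates_honeytokens=False, max_days=90, now=None):
    """Return findings for a PAT described by `meta` (hypothetical field names)."""
    now = now or datetime.now(timezone.utc)
    granted, needed = set(meta.get("scopes", [])), set(needed)
    findings = []

    # A missing scope shows up as missing tools, not as a broken connection.
    findings += [f"missing scope: {s}" for s in sorted(needed - granted)]
    # Anything beyond the needed set widens what a leaked token can reach.
    for s in sorted(granted - needed):
        kind = "unneeded admin scope" if s in ADMIN_SCOPES else "unneeded scope"
        findings.append(f"{kind}: {s}")

    # Honeytoken creation needs the Manager role; other setups should avoid it.
    is_manager = meta.get("role") == "manager"
    if creates_honeytokens and not is_manager:
        findings.append("honeytoken creation needs a Manager-role token")
    if is_manager and not creates_honeytokens:
        findings.append("Manager-role token used where no writes are needed")

    # Rotation window: the token must expire, and within max_days (assumed 90).
    expire_at = meta.get("expire_at")
    if expire_at is None:
        findings.append("no expiration set")
    else:
        expires = datetime.fromisoformat(expire_at)  # expects a timezone-aware value
        if expires <= now:
            findings.append("token already expired")
        elif expires - now > timedelta(days=max_days):
            findings.append(f"expiration beyond {max_days}-day rotation window")
    return findings


# Constructed sample metadata, not output from a real workspace.
SAMPLE = {
    "name": "cloudthinker",
    "role": "manager",
    "scopes": ["incidents", "secrets", "api_tokens", "members"],
    "expire_at": None,
}

if __name__ == "__main__":
    for finding in audit_token(SAMPLE, needed={"incidents", "sources"}):
        print(finding)
```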