Fastly Next-Gen WAF is GitGuardian’s top secret-keeping tool

When it comes to battle-tested code security scanning and secret detection, GitGuardian tackles the challenge with the prowess of Julius Caesar and the analytical skills of Sherlock Holmes. Their real-time scanning, detection, and remediation capabilities empower Dev, Sec, and Ops teams to keep sensitive information such as API keys, passwords, certificates, and encryption keys out of their source code ultimately saving time, money, and administrative hassle.

Having scanned over 3 billion commits pushed to public GitHub repositories since 2017, GitGuardian has witnessed significant growth. However, the expanding user base exposed the limitations of their unwieldy WAF solution. The legacy WAF's high rate of false positives was not only breaking the app but also posed a threat to the user experience. The team knew it was time to find a good replacement fast.

Unacceptable exceptions

GitGuardian chose its previous cloud-based WAF for easy integration into its SaaS platform. However, it would inadvertently block in-app messages containing code from devs and engineers, as well as automated webhooks coming from customer systems. Mitigating this issue was a real drag – it meant introducing exceptions for about 100 rules, covering roughly 10% of total endpoints. When the team decided to move their apps to Kubernetes in 2022, migrating the existing WAF would have entailed significant engineering work, especially for a solution that was evidently unreliable. With the time ripe for a new, functional WAF, GitGuardian outlined specific criteria for their desired solution:

• WAF must proficiently detect and block attacks, be self-hosted, and have high availability.


• WAF rules should be written in an Infrastructure as Code (IAC) language so it’s easy for developers to suggest changes and security teams to audit them.


• WAF logs must be exportable to Elastic and correlate to other logs using the request ID generated by the WAF.


• WAF should be Kubernetes hosted, system and rule updates should be automated, and should be very easy to deploy, not taking more than four (4) business days for the initial setup.

Last but not least, the WAF provider should be trustworthy, a paramount criterion when security and secrets are your bread and butter.

Fastly Next-Gen WAF surpassed the competition in meeting these (and other) criteria. The question remained: would it perform as impressively in practice as it appeared on paper?

Trusted and reliable

With Fastly Next-Gen WAF in place, no exceptions are necessary. This stands as the main takeaway for GitGuardian: SmartParse intelligence understands that the regular code snippets submitted for scanning are just that – not attack payloads. On the flip side, the solution also means the team has an iron curtain against genuine attacks. GitGuardian has created customized dashboards that instantly send alerts when there’s an attack spike. Knowing threats are swiftly detected and blocked provides the peace of mind essential for a small team to focus on their tasks, secure in the knowledge that they are backed by robust security visibility and monitoring.

Most crucially, the biggest benefit Fastly’s Next-Gen WAF provides GitGuardian is reliability as it deploys seamlessly across GitGuardian’s four different environments (sandbox, staging, pre-production, and production). Instead of manually managing new rules across all four, the team can leverage infrastructure-as-code automation to sequentially deploy changes. This ensures the workflows are reliably tested before any changes are rolled out to production.

Red-hot logging and support

As one of the first customers to deploy in an Istio-enabled Kubernetes environment, GitGuardian worked closely with Fastly’s Senior Solutions Architect, Alexander Orlov, to develop a bespoke solution. Essentially, the challenge arose from the fact that following standardized documentation wasn't sufficient for a non-standard deployment. Istio has its own networking and decision-making protocols, sometimes directing requests to different containers. While this had no impact on client functionality, and the WAF was still blocking requests, it posed a challenge for logging.

After working alongside Fastly to iron out the unique deployment, GitGuardian now successfully runs Fastly on Kubernetes, with logs sent to ElasticSearch, and metrics sent to Prometheus and displayed in Grafana. “Fastly’s sales engineering team was brilliant,” says GitGuardian’s Kayssar Daher, “Kudos to Alexander for showing Next-Gen WAF’s strengths and helping us debug our setup.”

Indeed, after developing the bespoke solution to navigate initial challenges, Kayssar now specifically praises the logging capabilities:

“I’m very happy with the logging we ended up having with Next-Gen WAF,” he explains. “With our current deployment, it looks like any other application we’ve got. As a result, we’ve already got the logging pipelines to take the WAF logs from wherever they are to the data lake. So I don’t have to spend time setting up the logging pipelines. The Fastly logs are very complete and precise. I refer to them often.”

GitGuardian also invested time in refining the WAF log ingestion pipeline, ensuring they can be queried quickly, easily, and frequently. Their expertise lies in enhancing security and building trust. So GitGuardian's choice of Fastly to fine-tune its security setup is a testament to the technical flexibility and expert support that can yield remarkable results. As GitGuardian continues its mission of safeguarding secrets in stealth mode, we're (quietly) thrilled to collaborate undercover together.