Once a secret enters Git, it’s expensive to remediate. But the real problem runs deeper than cost.
Grégory Maitrallain, Solution Architect at Orange Business, discovered this reality during their implementation: “Once a secret is pushed to GitLab or GitHub, you cannot remove it. You can modify it or remove it from a Git repository. However, the references will remain in the database, and you can always consult them afterwards.”
Database references persist indefinitely: anyone with historical access can retrieve past commits. This means that every remediation effort, no matter how thorough, is permanent damage control, not a true fix.
The scale of the challenge becomes clear when you look at the numbers. For a 3,000-developer organization:
- Industry average: 2-3 accidental exposures per developer annually
- Potential exposure: 6,000-9,000 secrets per year without proper controls
And code repositories are only 70% of the problem. The remaining 30% of secrets hide in Teams messages, Confluence documentation, Jira tickets, container registries, and application logs: places where traditional security scanning rarely reaches.
The CISO reality: Every “remediation” is actually a form of permanent damage control. Prevention is the only complete solution that addresses the root cause rather than managing endless consequences.
NIS2 + developer experience demand a new approach
Two powerful forces are colliding in 2026, reshaping how enterprises think about secrets security.
Force 1: Regulatory inevitability
The NIS2 Directive brings clear requirements: Secrets must be managed and encrypted by 2028. Essential service providers face significant penalties for non-compliance. But forward-thinking enterprises like Orange Business aren’t waiting for deadlines to loom. They’re building robust security architectures now, ensuring they’re ready well ahead of regulatory requirements.
Force 2: The developer experience veto
Like many organizations, Orange Business started with open-source tools, expecting developers to integrate security into their workflows. The results revealed a harsh truth about security at scale.
When they scanned Project Alpha, a large production codebase, GitLeaks detected 17,000 secrets. The development team’s response was immediate and unequivocal: “We’re not doing this.”
This was rational self-preservation. With an unknown false positive rate and no prioritization framework, 17,000 alerts translated to weeks of unusable triage work with no clear path forward.
As Grégory explains: “If a developer gets an alert when they commit or push, and 80% of the time it’s a false positive, it immediately becomes something they’ll ignore. It becomes a nuisance and noise. And that’s unacceptable.”
Several factors consistently kill security tools at enterprise scale:
- High false positive rates create alert fatigue and erode trust
- Manual configuration requirements lead to inconsistent adoption across teams
- Lack of prioritization means everything appears “critical,” so nothing is
- Poor developer experience drives workarounds and eventual rejection
The 2026 requirement: Solutions must deliver both regulatory compliance and developer acceptance. Compromise on either dimension, and the entire program fails.
80% leak reduction via pre-receive hooks: proven results
Orange Business ran what amounted to the ultimate controlled experiment: Same codebase. Two different tools. Radically different outcomes.
GitLeaks: 17,000 secrets detected
GitGuardian: 1 secret detected (and it was valid)
While manually reviewing all 17,000 findings wasn’t feasible, validation on comparable smaller repositories confirmed that GitGuardian maintained detection accuracy with minimal false negatives. The difference was the elimination of noise, not missed secrets. The challenge wasn’t that open-source tools were finding too much. It was the signal-to-noise ratio that made the results unusable.
GitGuardian’s performance metrics tell the story:
- False positive rate: Under 5%—the critical threshold for developer trust
- Detection coverage: 500+ secret types across multiple categories
- Result: Eliminated noise while maintaining comprehensive detection
The prevention layer that changed everything
Based on these results, Orange Business implemented mandatory GitLab pre-receive hooks, a technical solution with profound behavioral implications:
- Blocks commits containing secrets at push time, before they enter the repository
- Two-month phased rollout rather than big-bang deployment, allowing teams to adapt
- Bypass option for legitimate cases (like test values), with all bypasses creating incidents on the security dashboard for visibility
- Clear, actionable remediation guidance delivered in real-time when secrets are detected
The measurable result: 80% reduction in new secret leaks since activation.
But the more interesting result was behavioral. As Grégory observed: “Projects that had detection and potentially pushed secrets before, and had detection after, corrected their code. If they hadn’t done it, we would have had the same stats before and after pre-receive.”
Developers weren’t being forced to comply. They were choosing to fix issues proactively. When presented with accurate, actionable information at the right moment, they took ownership.
“This isn’t a desire to do sloppy work. It’s really that either they didn’t realize it, or it was something that appeared in their code and left on its own. So they correct it. And that’s quite positive.”
The fundamental lesson: Accurate, timely feedback enables developers to do the right thing without heavy-handed enforcement.
3-layer defense + <5% false positives = developer adoption
Orange Business built a security architecture that developers actually accept rather than circumvent. The key was understanding that security and developer experience aren’t opposing forces. They’re mutually reinforcing when properly designed.
Layer 1: Developer’s workstation (optional)
The first layer scans code pre-commit on the developer’s local machine, catching secrets before they even reach version control. This is true shift-left security: intervention at the earliest possible point.
What’s notable is that this layer is optional, not mandated. Despite limited formal communication about the feature, projects across Orange Business are self-implementing it. The lesson here is powerful: Build tools developers want to use, not just tools they’re required to use.
Layer 2: Pre-receive hook (mandatory)
The second layer provides enforcement at Git push, blocking commits that contain secrets before they enter the repository. Orange Business implemented this through a two-month phased rollout with continuous feedback collection, avoiding the disruption and resistance that often accompany big-bang security deployments.
The design includes a bypass option to maintain developer velocity when dealing with legitimate cases like test values or false positives. Critically, every bypass still creates an incident on the dashboard, ensuring security maintains visibility without blocking work.
The result speaks for itself: 80% reduction in new leaks since activation.
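The enforcement-plus-audited-bypass policy that the prevention layer section and Layer 2 both describe, sketched here as an added example rather than code from the article or from GitGuardian’s product. Git hands a pre-receive hook one `oldrev newrev refname` line per updated ref on stdin and exposes `git push -o` options as `GIT_PUSH_OPTION_*`; the detector patterns, the `secrets.bypass` push option name and the incident log path are assumptions.

```python
# Constructed pre-receive hook (not the vendor's): block pushes that add secrets, allow an audited bypass.
import json, os, re, subprocess, sys

DETECTORS = {  # constructed detectors; a production scanner ships hundreds of validated ones
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
BYPASS_OPTION = "secrets.bypass"  # hypothetical push option: git push -o secrets.bypass=<reason>
INCIDENT_LOG = "/var/log/secrets-hook/incidents.jsonl"  # assumed stand-in for the security dashboard feed
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree id

def scan_added_lines(diff_text):
    """Return (detector, line) for every secret on a '+' line of a unified diff."""
    hits = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            hits += [(name, line[1:].strip()) for name, rx in DETECTORS.items() if rx.search(line)]
    return hits
def bypass_reason(env):
    """Reason from the bypass push option (git exports GIT_PUSH_OPTION_* to pre-receive), else None."""
    for i in range(int(env.get("GIT_PUSH_OPTION_COUNT", "0"))):
        opt = env.get(f"GIT_PUSH_OPTION_{i}", "")
        if opt.startswith(BYPASS_OPTION + "="):
            return opt.split("=", 1)[1]
    return None
def decide(hits, reason, ref, commit):
    """Policy: clean -> allow; secrets + bypass -> allow but raise an incident; else block."""
    if not hits:
        return "allow", None
    if reason:
        return "allow", {"status": "bypassed", "reason": reason, "ref": ref, "commit": commit, "findings": hits}
    return "block", None
def main():
    reason, blocked = bypass_reason(os.environ), False
    for update in sys.stdin:  # git feeds one "oldrev newrev refname" line per updated ref
        oldrev, newrev, refname = update.split()
        if newrev == "0" * 40:  # branch deletion adds nothing to scan
            continue
        base = EMPTY_TREE if oldrev == "0" * 40 else oldrev  # new branch: diff against the empty tree
        diff = subprocess.run(["git", "diff", base, newrev], capture_output=True, text=True, check=True).stdout
        verdict, incident = decide(scan_added_lines(diff), reason, refname, newrev)
        if incident:  # bypass used: still visible to security, as the article's design requires
            with open(INCIDENT_LOG, "a") as log:
                log.write(json.dumps(incident) + "\n")
        if verdict == "block":  # GitLab relays stderr lines prefixed GL-HOOK-ERR: to the pusher
            blocked = True
            print(f"GL-HOOK-ERR: secret on {refname}: rotate it and rewrite the commit, or push with "
                  f"-o {BYPASS_OPTION}=<reason> for test values (an incident will be raised)", file=sys.stderr)
    sys.exit(1 if blocked else 0)
if __name__ == "__main__": main()
```

Installed as a GitLab server-side `pre-receive` hook, a non-zero exit rejects the whole push; the bypass path lets test values through but leaves a record the security team can review.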
Layer 3: Post-commit scanning (continuous)
The third layer provides continuous monitoring, catching secrets that slip through via bypasses or edge cases. It also enables complete lifecycle management from initial detection through final remediation and audit trail completion.
As Grégory notes with approval: “It detects what it says and says what it does. That’s a good thing.” In an environment where security tools often overpromise and underdeliver, reliability matters.
The critical success factor: <5% false positives
The entire architecture hinges on one critical metric: maintaining false positive rates below 5%.
Above this threshold: Developer trust erodes rapidly. Alerts get dismissed or ignored. Boxes get checked on compliance forms while actual risk remains unmanaged.
Below this threshold: Developers trust the alerts they receive. Proactive fixes increase organically. Security becomes embedded in culture rather than imposed through process.
This threshold represents the difference between success and failure at enterprise scale. It’s not a nice-to-have quality metric. It’s the foundation that makes everything else possible.
Enterprise features that enable scale
Beyond detection accuracy, several enterprise capabilities proved essential:
- Centralized visibility gives leadership and compliance teams the oversight they need
- Distributed remediation allows developers to fix their own issues, enabling the program to scale to thousands of developers
- Automated prioritization based on validity checking and severity scoring focuses attention on genuine risks
- Complete lifecycle tracking from initial detection through remediation and audit creates the trail compliance requires
Telcos lead → enterprises follow
Telecommunications companies are emerging as pioneers in prevention-first secrets security, and the reasons reveal much about where enterprise security is heading.
Telcos face challenges that push traditional security approaches to breaking point: massive scale with thousands of developers, complex regulatory requirements including NIS2 and sector-specific mandates, critical infrastructure status that attracts sophisticated threat actors, and zero tolerance for service disruptions.
When organizations operating at this scale and complexity solve secrets security, they create blueprints that other enterprises will follow. Orange Business joins Bouygues Telecom, Deutsche Telekom, and several other major telecommunications providers who have implemented prevention-first approaches.
By the end of 2026, enterprises will increasingly split into two distinct categories:
Prevention-First Organizations maintain false positive rates below 5%, achieve 70-90% leak reduction, build genuine developer-security partnerships, and maintain proactive compliance postures that turn regulatory requirements into competitive advantages.
Remediation-Dependent Organizations struggle with alert fatigue from tool sprawl, face persistent exposure as secrets continue leaking, experience ongoing developer-security conflict, scramble reactively to meet compliance deadlines, and find themselves explaining incidents rather than preventing them.
The gap between these categories will widen throughout 2026 as prevention-first organizations compound their advantages while remediation-dependent organizations fight the same battles repeatedly.
The CISO mandate
As regulatory deadlines accelerate and secrets sprawl multiplies, the organizations that succeed will make security invisible to developers doing the right thing, and impossible for those who aren’t.
The telecommunications sector has shown what’s possible. Orange Business’s journey demonstrates that the technology and approaches exist today.
Now the question facing CISOs in 2026 is: Are you ready to lead this transition?
Ready to build prevention-first secrets security at enterprise scale? Contact GitGuardian to discuss your roadmap.
