Skip to main content

What is GuardRails

GuardRails orchestrates open-source, and commercial security tools by integrating them seamlessly into your existing development workflow. GuardRails curates each security rule of the security tools to keep the noise low and only report high-impact and relevant security issues.

Installing and configuring security tools, even for one repository, typically takes a lot of time and effort. GuardRails makes that process frictionless, quick and rewarding for developers.

GuardRails can be installed across all your repositories in minutes. Once enabled, GuardRails scans every new code change, identifies whether security vulnerabilities are being introduced and provides step-by-step instructions on how to fix them.

To see the list of security tools that are integrated into GuardRails, go to the Tools page.

GuardRails is effectively a full fletched DevSecOps pipeline, no assembly required, including batteries. It is built on the experience of industry veterans that have overseen and deployed dozens of DevSecOps programs around the globe.

With GuardRails, you can move fast and be safe.


GuardRails is providing a unique differentiation to other solutions in 4 key areas:

  • Version Control System Integration
  • Security Tool Orchestration
  • Security Rules Curation
  • False Positive Detection

Version Control System Integration

GuardRails is a platform with a unique architecture. We focus on providing a completely frictionless integration with all modern Version Control Systems. At the moment GitHub, GitLab and Bitbucket are supported, for both cloud and on-premise versions. This allows GuardRails to establish an end-to-end security verification pipeline that covers all repositories (present and future), without requiring any configuration or additional setup.

Security Tool Orchestration

Built on top of the tight Version Control System integration, GuardRails receives notifications of any new code change that is created. GuardRails then seamlessly identifies the programming languages and frameworks in a repository, selects the matching security engines, and runs it against the code. GuardRails is smart and detects similar results from different security tools and automatically de-duplicates them, so you don't have to. GuardRails also understands what latest code changes introduce vulnerabilities and, out of the box, only alerts on these new vulnerabilities.

Security Rules Curation

The traditional mindset of security tool vendors is that more vulnerabilities equal better, which resulted in a tremendous amount of security issues being flagged. This burden is then handed to the engineers or the security team, which causes a lot of noise and work. At GuardRails, we understand these problems, and based on our extensive first-hand experience, every single rule of every single tool is curated to decide whether it qualifies as a GuardRails issue, or not. This means much less noise for you and your teams so that you can focus on shipping new and exciting features.

False Positive Detection

Even with a carefully curated ruleset, tools are limited in their ability to identify false positives in the reported issues. GuardRails has built an expert system that detects false positives and is starting to use machine learning to continuously increase the accuracy of detecting real vulnerabilities that need to be addressed. This further ensures that engineers and security teams have more time to work on challenging and important activities, that can't be done by tools.

Business Outcomes

GuardRails is typically purchased to achieve the following business outcomes:

  • Reduced time to market: Continuous security scanning of software changes reduces cycle times and as such speeds up the shipping of software products and features.
  • Reduced engineering cost: Real-time feedback loop allows software engineers to fix critical security issues, when they are introduced, early in the Secure SDLC, without requiring external security support.
  • Reduced business risk: Enforcing consistent security scanning across the entire product portfolio results in more secure software.
  • Increased visibility: Extensive security scan data allow deep insights into risk across the entire product portfolio, which is accessible via Dashboards and APIs.
  • Improved skills: Security scan data combined with development data allows the identification of training opportunities within departments, teams and engineers.


A usual report based on what we found will look like this: Example Report

Note: By default, we only fail builds on newly introduced vulnerabilities. However, GuardRails can be configured in many different ways, based on your and your team's preference.

Security Testing Techniques

GuardRails orchestrates and unifies dozens of engines that, currently, perform one of 4 different security testing techniques.

  • Source Code Analysis
  • Vulnerable Dependency Analysis
  • Secret Detection
  • Cloud Security Analysis

Source Code Analysis

Our static application security testing (SAST) code analysis engines can detect a range of security issues:

  • GR0001: Insecure Use of SQL Queries
  • GR0002: Insecure Use of Dangerous Function
  • GR0003: Insecure Use of Regular Expressions
  • GR0005: Insecure Authentication
  • GR0006: Insecure Access Control
  • GR0007: Insecure Configuration
  • GR0008: Insecure File Management
  • GR0009: Insecure Use of Crypto
  • GR0010: Insecure Use of Language/Framework API
  • GR0011: Insecure Processing of Data
  • GR0012: Insecure Network Communication
  • GR0014: Privacy Concerns
  • GR0015: Information Disclosure

Dependency Analysis

Dependency Analysis, also known as software composition analysis (SCA), relies on public available vulnerability data to provide feedback on the status of your current dependency tree. By default, reports are only created for high-severity issues that have a real impact on your application.

This category is identified by this rule:

  • GR0013: Using Vulnerable Libraries

Secret Detection

Our secret detection engines, leverage sensitive information scanners (SIS) that can identify several types of hard-coded secrets in your code:

  • Private Keys
  • High Entropy Strings
  • Basic Authentication Strings
  • API Keys (Stripe, AWS, GCP, etc.)

This category is identified by this rule:

  • GR0004: Hard-Coded Secrets

Cloud Security Analysis

Cloud Security Analysis in the GuardRails platform scans compatible Infrastructure as Code (IaC) for vulnerabilities. We support Kubernetes, Terraform, Cloud Formation, Ansible, and many more. This category includes several categories.

OWASP Mapping

Each OWASP category contains a lot of dedicated CWEs. The high-level mapping between GuardRails categories and OWASP categories is shown in the table below.

OWASP CategoryGuardRails Category
A1:2021-Broken Access ControlGR0006: Insecure Access Control
A2:2021-Sensitive Data ExposureGR0012: Insecure Network Communication
A3:2021-InjectionGR0001: Insecure Use of SQL Queries
A4:2021-Insecure DesignGR0008: Insecure File Management
A5:2021-Security MisconfigurationGR0007: Insecure Configuration
A6:2021-Using Components with Known VulnerabilitiesGR0013: Using Vulnerable Libraries
A7:2021-Broken AuthenticationGR0005: Insecure Authentication
A8:2021-Software and Data Integrity FailuresGR0011: Insecure Processing of Data
A9:2021-Insufficient Logging & MonitoringN/A
A10:2021-Server-Side Request Forgery (SSRF)GR0011: Insecure Processing of Data

GuardRails covers more than OWASP's Top 10 categories, for example:

  • GR0002: Insecure Use of Dangerous Function
  • GR0003: Insecure Use of Regular Expressions
  • GR0004: Hard-Coded Secrets
  • GR0009: Insecure Use of Crypto
  • GR0010: Insecure Use of Language/Framework API
  • GR0014: Privacy Concerns
  • GR0015: Information Disclosure

Language Support

GuardRails Software Composition (SCA)

  • C
  • C++
  • Objective-C
  • Dart
  • Debian dpkg
  • .Net
  • Go
  • Haskell
  • Java
  • Javascript
  • PHP
  • Python
  • RedHat RPM
  • Ruby
  • Rust
  • Swift

GuardRails Code Vulnerability Scanning (SAST)

  • Android
  • Apex
  • C
  • C++
  • Elixir
  • .Net
  • Go
  • iOS
  • Java
  • Javascript
  • Typescript
  • PHP
  • Python
  • Ruby
  • Rust
  • Solidity

GuardRails IaC

Supported Cloud providers are AWS, GCP, and Azure. The following IaC technologies are supported:

  • HashiCorp Terraform
  • AWS CloudFormation
  • Kubernetes
  • Ansible
  • Azure Resource Manager
  • Google Deployment Manager
  • Docker

GuardRails Secrets

  • Detection rules for ~100 Secrets

If you are looking for a language that we do not support at the moment, please drop us a line at [email protected].