RepliCon Q1 2024 Interview with GitGuardian

Apr 29, 2024

Grant: Romain, thank you so much for joining us.

Romain: Thanks, Grant, for inviting me today. I'm a Senior Product Manager here at GitGuardian. GitGuardian is automated secret detection software, and we also do remediation. When I talk about secrets, think about an AWS key, an OpenAI key, generic passwords, any kind of secrets, which we use every day in our day-to-day life.

We are the number one security app on the GitHub marketplace. We are free for small teams. If you don't have any tools to prevent secret leaks, you can check us out on Google and find GitGuardian. As Product Manager at GitGuardian, my main focus is the self-hosted part, because our software runs as a SaaS. But we do offer a version of our software for on-prem customers, who are deploying our solution either in a really true on-prem environment or in the public cloud.

That's my focus area in the company. We have front-end, back-end, DevOps, QA engineers. It's a decent-sized team really focusing on that. We've been working with Replicated for a couple of years, and it's been a great partnership. I'm looking forward to sharing more with you today.

Grant: Great, very excited to have you here. Let's get started with how you use Replicated. You mentioned that self-hosted is an important part, but do you think that self-hosted is core to your business? Is this a strategic part of how you see your customer engagement and delivery?

Romain: It's interesting when you look at the number of customers we have today: we don't have a lot of self-hosted customers, but those are the ones representing a good chunk of our revenue.

A lot of the bigger customers, big enterprise accounts, don't want to go with a SaaS solution. They want to have more control over the software deployed. We detect secrets, and for some customers, this cannot be done on the SaaS side. It has to be done on-prem, sometimes air-gapped. Having that solution for those customers who don't want to use our SaaS version is very core to our business, essentially.

Grant: Great. You've been pretty hands on with Replicated, particularly around a lot of the new feature sets. Can you talk about which new features and core features you've been using recently?

Romain: Besides the core features, what we've been using the most is a custom telemetry feature.

Highly recommend you look into it. Before we used that feature, customers who are self-hosted were basically a black box. I didn't have much information about how they were using the product or any of the very specific product metrics that we care about.

This feature really helps us to get more insight into how our customers are using our software. 

Grant: What are a couple of examples of metrics that you're sending up for your team's consumption? 

Romain: For example, the user login helps us to know if our software is used. How many users log in every day or for the last 30 days? It helps us to measure engagement.

Grant: That's a really important part for any kind of software usage for sure.

Romain: In the SaaS version, we know exactly where people click, what it does, when, but for self-hosted, it's much harder. With this feature we are able to very meticulously choose specific key metrics and then report some usage on those. It helps the sales team, the support team, the product team, to really understand more how our customers are using our software for the on-prem solution.

Grant: Then you're using that data and you're exporting it. We provide some visualizations that, on every customer record, will show the latest values as well as a historical graph, but I think you're also using our pretty comprehensive data export to pipe this into your BI tools.

Is that right?

Romain: Correct. The portal is great for ad hoc use, if I want to check one customer because I'm troubleshooting or I want to focus on one, but what we've been doing at GitGuardian is trying to do more correlation between different databases.

We use Snowflake, so the goal is to use the API to pull the metric every day from Replicated, and then import that into Snowflake.

That allows us to easily build a dashboard and correlate with other databases, like Zendesk, for example, for tickets, and HubSpot for CRM. So we can easily build a custom dashboard for a customer and also aggregate metrics and see, for all of those customers which are in Europe, here is the data. It helps to make decisions on the day to day and manage your customers.

Grant: Right. You're getting that individual visibility into the customer and you can bring together some other data from other sources. Then you can also roll it up and see how many daily active users you have across all of your self-hosted customers and know those metrics and see if that's growing.

That's exactly how we imagined and built this feature. We hoped that teams would use it to really think about driving end customer success. Ultimately, what we want to do is enable the software vendors to make their customers more successful.

Knowing who's using what is a really key part of that.

Romain: It's interesting because my team implemented the feature, and then, obviously, we have different development teams focusing on different areas of the product.

Then one of the other teams was able to implement their own metrics. So other Product Managers at GitGuardian are now adding their own metrics for their own area of the software. We booted up the project and then we built some sort of tech doc that any developer at GitGuardian can follow to implement their metric. It is really cool, actually.

Grant: That's great. One of the features we added, both to the standard telemetry, like Kubernetes version and upgrades, and for custom metric changes, is notifications.

Are you using any of the Slack or email notifications to know when those values are changing? 

Romain: We turned that feature on not too long ago, and I was a little scared that I would get spammed, but it turned out not really, because you guys implemented it so that you only communicate on a change.

Your daily metric, for example, number of users: 10.

If tomorrow it's 10, I just want to know when it goes up and down. That reduces spam, and I like the idea that, because we work in Slack, we have notifications, and once a day you can have a look and see, ‘Oh, this customer just upgraded yesterday.’

It helps to be proactive and understand more, and the sales team loves it.

Grant: That's exactly why we built it, to give you more insight. I think there's more work we can do to make sure it doesn't get noisy. To your point, spam and noise are always something that we're trying to make sure we're working through.

I'm glad you're getting value from it, but it is something that we still want to adjust to make sure it's even better.

Romain: I also had to enable it manually on each of our customers to turn that on. It would've been great to check one ‘Select All’ box, because I want it for all of them.

Grant: Right now, the notifications are instance specific.

One of the teams is looking at how we start to give more notifications around a customer record, even at an account level. I really believe that notifications have recently become important table stakes for good SaaS applications.

We're trying to think more about what we can do to help make that information available, put it at your fingertips, so you have that feed of ‘what's happening’. 

A smaller feature, but something that I know we were excited about launching, is licensing, license tags and instance tagging. 

Romain: That helps because we export that data into Snowflake to be able to identify which instance is which. We use tags; it's been great to have that for sure.

Grant: That's on the customer page, on the instances you can add. Instead of having a UID that's some six characters, we let you write a tag in there or rename the instance. It's all searchable by those UIDs, but now you have this more human-readable way.

Romain: It's super useful, specifically when you have customers who have staging and prod, which is maybe half of our customers. I used to wonder before, ‘Which one is which?’, so that's kind of a cool use case.

Grant: Exactly, we saw that a common pattern for us was staging and prod. We want to make that available so folks can change it. I think at some point we're also exploring being able to set that from the SDK, so that if there's something specific in the customer environment or about the installation, then you can set it there and you have the first version.

Which brings me to the SDK, which you're also using. You were early adopters of the SDK and our Helm install. Can you talk a little bit about why that is and how that's working for you?

Romain: Initially, when we worked with Replicated, there was only one way to deploy the software. We used KOTS, Kubernetes Off The Shelf, to install the software, and then more recently, we implemented a different way to deploy the software, via Helm. 

Helm is a popular tool for a more DevOps type of person. They don't like to do deployment or management through a UI. We've offered that all the way, which is really good because it makes it easier for people to deploy the software in an automated way. Part of that is because we still need license management and the custom metric feature I mentioned. For that reason, we are using the Replicated SDK pod, which runs as part of the Kubernetes deployment and helps us with those two things. We've also added the pod to our KOTS deployments, because all the license management and custom telemetry are going to be located on that Replicated SDK type of service.

Grant: We want the SDK to be able to live anywhere, and eventually in binary installs and in other places as well. The idea is that the SDK will be the foundation for a lot of the integration: whereas we used to have you talk to KOTS, now you'll talk to the SDK.

That way your application is more portable and you can use different installation methods and not rely on some of the KOTS experience. We saw, to your point, that more advanced end customers would have very specific and defined deployment pipelines that required Helm first.

As that became more of a requirement, we wanted to be able to provide the registry, credentials, licensing, entitlements, and the telemetry. There's more to come for us to do, and we actually integrate this as well with the compatibility matrix, by sending back some of that metadata about environments so that you can actually create customer-representative environments based on your installations.

I see us doing things to extend supportability, and help you build an admin console to show release history. Some of those things live in the SDK today, but we're trying to think about what we can do to power more successful and easy to use Helm installs while not getting in the way of Helm. 

The other thing that is interesting about this feature is that we understand that by doing a Helm install with Replicated we're not creating as much value, because we're not providing the UI for the installation. There are no built-in snapshots or any of the configuration that we do, and there's no underlying Kubernetes cluster that we're providing, because the customer is providing it.

These licenses are significantly less expensive per license. If you turn off KOTS install for licenses and you make them Helm charts, it goes to $50 a month instead of the $200 or $300 a month that most customers would be paying for most licenses.

It reduces the cost because I think it's important for that cost to be associated with the value. We want you to be able to say, ‘Hey, it's not as much value here, so we should pay a bit less and hopefully deploy more and be able to spread this out everywhere.’ 

Romain: That's what happened with us. Since we have that available, right now we have half of our customers deploying our solution with Helm. People appreciate that; they deploy production application software on-premise, and they've been very happy with the experience so far, very happy.

We've had tons of good feedback from those customers, so that's great.

Grant: As Replicated evolves we want to embrace Helm more. We're getting more involved in the Helm community and making Helm a first class way to distribute applications.

For customers that don't know much about Kubernetes, the kURL installation, soon to be the Embedded Cluster solution, will really simplify that and provide a great solution for folks that don't know much about Kubernetes.

Romain: Even more than just for people who don't know about Kubernetes, we've been using Embedded Cluster for POCs, Proofs of Concept, because a quick VM with your software can show the value and win that engagement. Rather than talking to the database guys and the Kubernetes guy, ‘Why not just deploy one VM?’ It could just go faster for a POC development engagement. That's another good reason to use Embedded Cluster.

Grant: Great point. It can speed up a POC and reduce the number of people that have to be involved. Most people can get access to that pretty quickly and then do an easy install.

We're describing a lot of it, but from your perspective, what's the value that Replicated provides to your company and to your role?

Romain: It really helps us to focus on developing our solution, our core business. The delivery aspect is not what we do.

Replicated helps us a lot in different aspects. Delivery: we use support bundles every day when we have issues, so our customers easily generate a support bundle, send it over to us and we look at the logs. That's one of the main challenges when you do self-hosted: how do you troubleshoot?

That's super helpful. The analytics are super valuable, it's been a good partnership, and we're excited to use more and more of your product.

Grant: I appreciate that. We hope to build more and more to solve further problems for you. 

You've been a really strong partner in terms of early design partner feedback. We're very lucky as a company to have ISVs as our customers. Generally, our customers know how to build great software and they can build anything; they just can't build everything. We're lucky to have customers like GitGuardian, like you, Romain, who can give us really great feedback and help us further advance our product and solve problems for you.

I encourage anyone watching to be a design partner on features that we're developing. Let us know your pain points and really lean into engaging with the team. We do prioritize customers and we do prioritize that feedback. We work as an Inspired methodology company.

This is the idea from Silicon Valley Product Group, but we really value customer feedback, and how customers value things feeds directly into everything that we build and how we prioritize our time.

What are you most excited about right now? What are you seeing that's coming along that you're stoked about?  

Romain: We are doing a lot at GitGuardian. There's a lot of new features coming on. We are going to add the capability to scan for secrets in Slack, and we're going to do more, like JIRA and Confluence. We are starting to look in other places, and that's really exciting because it brings different challenges to resolve and offers broader capabilities in our solution. That's really cool.

The first release for scanning on self-hosted: it's been available in the SaaS for a few months already, but the self-hosted version has always had a little lag between what we're shipping and what's ready in the SaaS.

Grant: You get a little experience with the SaaS first. I love that, that's great. 

Romain: Replicated helps us to soak a feature for X number of weeks until we stamp it ready to ship on customer premises. It's more validated, quality is better.

We are looking into selling more to government entities like DOD or other U.S. government types of customers. Those are definitely going to go self-hosted. The partnership we have with Replicated is going to help us a lot because we also use air gap functionality.

We don't have to deal with the whole air gap type of delivery problem you can face. We're going to have more of those types of customers; that brings interesting challenges.

Grant: With more controls and more compliance, we really make sure that we're partnering there. We've heard this from a lot of customers. We've dramatically reduced our CVE count down to 0 by using the Wolfi-based images, which has been great.

That was a challenge that we had, because a lot of CVEs float around out in the world, and mediums and lows are hard to fix. The Wolfi stuff really squashes a lot of that. Additionally, we're looking at different STIGs and NIST and all these other requirements that customers end up having, and trying to make sure that we're at least partnering to provide what we can do, what can't be done, and how to think about those things.

Romain, anything else you want to add before we move on?

Romain: I'd like to thank the team. You guys have helped us a lot the last few years. Thank you and the Replicated team for all the support and the great work you guys are doing for us. 

Grant: Thank you very much. We really appreciate your partnership as well. Thanks so much.