What does “automatic updates” actually mean?

Drop Guard works in alignment with your Git-based workflow, which means that no updates or modifications will be ever pushed directly to your server without control about what happens. Drop Guard performs actions against the local copy of the Git repository and only affects the branches, (or spins up new branches) as per project configuration. You can, for example, configure Drop Guard to apply highly critical or critical security updates automatically right after they’re released, but again - all the updates will be pushed to the appropriate branches and it’s your call on how and when to deploy them. Integrated with your CI system, Drop Guard can let you test the updates on a separate instance, run automated tests via ssh commands and/or let you test manually and deploy to live after your approval.

What’s the difference between Drop Guard and other Drupal update security tools?

Drop Guard combines two categories of the Saas market which are still offered separately:

  1. Monitoring of updates Unlike Update Manager and similar online services, Drop Guard does not only detects the available updates but allows to group them into categories by their importance (so-called “update types”). It allows fine-grained control of an individual set process pipeline when the update of a certain type was detected.

For example, you may want to notify your developer in case the normal update for a module was released, but in the case of a highly critical update the lead developer gets the “urgent type” email and a @channel message in Slack could be created.

  1. Actually Applying and Deploying Updates as well Drop Guard is not just about monitoring; it’s about taking action in a controlled environment. The platform enables your team to set up your individual update workflow and integrates with your tools as well.

Drop Guard combines the best of two worlds, and how it is used is your choice!

Can I use my favorite CI or testing tool with Drop Guard?

Writing tests in Behat or PhpUnit, running them with TravisCI and deploying with Jenkins, at the same time calling your coffee machine via the API to prep the perfect espresso when the build passes? We’ve got you covered!

Drop Guard’s architecture was initially designed to be extensible by any number of external tools a developer might use in their workflow, no matter how complex it is. When certain events occur, you can send the HTTP request to the CI server, or execute SSH commands on your server - the possibilities are limitless.

When certain events occur, you can send the HTTP request to the CI server, or execute SSH commands on your server - the possibilities are limitless.

Just an example - let Drop Guard create a feature branch for a module update, spin up a feature branch instance out of that branch, run your automated tests via ssh commands, and notify your QA team.

When the QA team is satisfied with the results and sets the update task on “test passed”, let Drop Guard merge a feature branch back, run tests again, and trigger a deployment to the dev server.

After you set up a project like in this example above, this pipeline will be processed for an update type automatically, until you want to change the behavior.

Is there an on-premise version of Drop Guard available?

If you are running behind a private VPN, firewall or on the local network, please contact us via info@drop-guard.net for our solution for you!

Is Drop Guard intended to replace my current workflows?

Absolutely not. Instead of trying to replace the existing workflows and habits, Drop Guard integrates into your processes with minimal changes required from your side. Once configured properly, Drop Guard runs silently in the background, notifying you and your tools when certain events are worth paying attention to. We can tell that you don’t like to miss this team member again.

My website is heavily patched, will Drop Guard work for me?

Sure! When Drop Guard detects a code modification in one of the modules or Drupal core, it makes a patch out of it, does the update job, and tries to reapply the previously generated patch on top. With this mechanism, no code modifications will get lost after updates have been processed.

In the case of success, the update is considered as “passed” and you will get a nice overview of what was patched and a full autogenerated patch output. In case the patch fails to apply, the update process stops, and you get a notification about the error.

Pro tip: This way Drop Guard can be used to detect malicious code inserts, debugging code left by a careless developer, or accidental code modifications. If you face any issues with a (heavily) patched website, you can always reach out for our support via support@drop-guard.net or join our Slack channel.

Do you provide any testing capabilities?

Drop Guard doesn’t do any testing by itself - it’s up to you which testing system or approach you’d like to use.

Can Drop Guard be used as a deployment tool?

By default, Drop Guard is not implied to be a deployment tool. There are plenty of alternatives to choose from, both paid and free, complex and simple.

One solution is to use the integration with Pantheon or Acquia to benefit from their services. After you added the specific integration with one of these hosting platforms, the deployment process can be started via the Drop Guard events page for each project.

However, you can configure Drop Guard to run the deployment scripts on your live server, or even login via SSH and execute any number of commands locally needed to deploy the code.

Why should I install the Drop Guard module on my website?

The Drop Guard module isn’t a requirement anymore. It helps us with fetching the information on enabled modules and themes and their versions. If you use composer and don’t need to monitor the actual modules on your live site, you can use Drop Guard easily without installing its module. Your module information will be checked directly within your composer.lock file.

How secure is Drop Guard itself?

Drop Guard is as secure as your server and Drupal installation are. It acts on the copy of the Git repository without requiring server access. The client module transfers data on enabled projects over an encrypted connection, and we use 4096 bits keys to connect to your Git repository. Our infrastructure is secured by an owned up-to-date dedicated hardware firewall.

How much time is needed to integrate Drop Guard into my current workflow?

Depending on your experience and knowledge, it can be as low as 30 minutes of your time to learn the basic concepts and run your first project with Drop Guard. You can easily clone a project’s settings if you like to, so the setup time decreases to 5 minutes. For more complex workflows, a bit of clicking around and experiments are required, so the time may increase. Always remember, though - the time spent on learning and configuring Drop Guard will allow you to save countless hours in the future.

Besides, we are always happy to assist you in setting up your first projects in a hands-off session with Drop Guard expert. Just leave a note at support@drop-guard.net.

What Drupal versions does Drop Guard support?

Drop Guard provides full support for Drupal 7 and Drupal 8. Earlier versions can not be used with Drop Guard, as they are not officially supported anymore.

Can Drop Guard break my site? And if yes, who will be responsible for it?

Drop Guards acts on the copy of the Git repository and doesn’t require access to the live server, so there is no chance it will break the website.

However, due to the Drop Guard’s flexible configuration possibilities, it is very much possible to configure it to execute harmful commands.

Drop Guard is not a magic bullet and an answer to all possible problems. In the end, it’s a tool to assist a team in its update process routine. All the actions and commands entered into the project configuration are the responsibility of the person who configures a project.

We always recommend to test SSH commands and deployment hooks before saving the configuration and work with development and feature branches avoiding pushing things directly to the production branches.

Do you provide a trial period or a free website to try Drop Guard?

First of all, Drop Guard can be used for monitoring of any number of websites completely free of charge. Just connect Drop Guard to your Git repository and the website and enjoy the robust notification system, 3rd party tools integration and other integration capabilities. You can even create tasks in your project management system when the new update arrives.

However, if you decide to let Drop Guard taking care of the updates for you, you can try it for 14 days for free. If you need more time - just let us know and we will find a solution.

Does Drop Guard support Composer-managed websites?

At the moment Drop Guard supports Composer-managed websites. An official Drupal.org repository and the Drupal Composer Packagist are supported. Instead of updating the actual Drupal codebase in your Git repository, Drop Guard makes changes to the composer.lock file, filling it with proper modules and core versions as per Update behavior configuration, then runs "composer update" command and pushes the changed files to your Git repository. It is a responsibility of a user to configure the appropriate Drop Guard actions for running deployment commands in the local shell or use a CI. Currently, we don’t support projects based on makefile builds. Contact us if you need this feature!

Does Drop Guard support dev versions of modules?


Does Drop Guard update Drupal core?

Absolutely. Drop Guard takes care of the Drupal core and contributed modules updates.

Is database access required to connect Drop Guard to my site?

No. Drop Guard never asks you to provide the database access details, because the only thing it deals with is the codebase managed by Git.

How can I exclude single modules from an update process?

Depending on your site configuration, you can exclude a module from an update process in two ways:

  1. You will find an “exclude from updates” button on the “Modules and tasks” page within your project overview.
  2. For Composer-based projects, all restrictions could be specified in composer.json file (to avoid updates, you need to specify the specific version of any module there) and enable the “respect version constraints” mode on the “Site config” tab of the configuration screen within your project. In this case, tasks will still be created within an update process, but no module will be updated.

Is the patching process the same for a Composer managed D8 site as with a non-Composer managed D7 site?

No. When you are using Composer (it doesn't matter if in D7 or D8), the patching process differentiates from the case when modules are placed in the repository directly. Within a Composer managed process, you can use the internal patching mechanism from Composer. Drop Guard doesn’t apply any custom patch solutions in this case. If you use the package “cweagans/composer-patches” in your composer dependencies, Drop Guard will be able to apply all specified patches.

How much time does Drop Guard need to display the available update?

It can take up to 10 minutes until Drop Guard displays you the release update within all of your projects.

Why are some updates displayed without a security type and need to be set manually by the Drop Guard team?

When Drop Guard detects any new release information for a module update, it first checks one parameter: is it a security-related update or not? After that, Drop Guard tries to get the information about the specific update type for all undefined security releases on Drupal.org. If Drop Guard can't detect it automatically because the information was not provided correctly on drupal.org, our Drop Guard team solves this manually. New tasks will be created only after this was defined.

There was a Security update release but Drop Guard didn't create an update task. What might have happened?

a) Drop Guard didn’t detect the latest release yet. It can take up to several minutes for it. b) Drop Guard didn’t detect the specific update type for the latest release. In this case, our team will set the update type manually and you can create new tasks for the released update. c) Drop Guard didn’t create an update task for this module in your project yet. d.) Some of your configurations withhold Drop Guard to create tasks properly. You can always ask our support team for help via support@drop-guard.net or join our Slack channel.

How can I manage my Multi Site with Drop Guard?

If you’re running a multisite installation you can still benefit from Drop Guard.

There are several possible setups in this case:

Create a separate Drop Guard project for each website in your multisite environment, enable Drop Guard module for each and provide a unique access key. You will be billed for each website separately, but you will get the best picture of the status of modules across your subsites and full control. This way you will be sure Drop Guard cares about the whole codebase without exceptions.


Drop Guard is not a magic bullet and an answer to all possible problems. In the end, it's a service tool that assists a team in its update process routine. All the actions and commands entered into the project configuration are the responsibility of the person who configures a project. We’re always available to support you to profit from all benefits of Drop Guard - contact us via support@drop-guard.net or join our Slack channel.

Your questions weren't mentioned above? Leave a comment or contact us - we're looking forward to your suggestions!