DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

DOWNLOAD

DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

DOWNLOAD
GitGuardian logo
Apiiro

Compare GitGuardian to  

Check out how the GitGuardian Platform compares to the secret scanning capabilities of Apiiro.

Quote icon

Before we had GitGuardian we were "blind." We had no detections, which was very bad. We were using another product on GitHub, similar to GitGuardian, but it was not really as good as GitGuardian. The graphical interface and the detail GitGuardian gives you are really amazing. And there are fewer false positives than any other platform. We are able to notify developers of issues on the spot and tell them, "You have exposed a secret." It is absolutely brilliant.

Abbas Haidar, Head of InfoSec at a tech services company with 51-200 employees.

Meet the contenders

GitGuardian logo

Meet GitGuardian

GitGuardian is the code security platform for the DevOps generation that offers automated Secrets Detection and Honeytoken capabilities, facilitating a Secure Software Development Lifecycle for Dev, Sec, and Ops teams.

Apiiro

Meet  

Apiiro is a cloud application security platform that empowers security and development teams with complete visibility and actionable context to proactively remediate critical risks in modern applications and software supply chains.

GitGuardian vs.  
The short version

GitGuardian is suitable for you if:

++ You want to experience the open and transparent GitGuardian platform that allows you to effortlessly test and use our product. Sign up for free to explore its capabilities firsthand without any obligation to talk to a salesperson.

++ You want to benefit from a reliable secrets detection engine supporting over %ndet% specific, generic, and custom patterns. With high accuracy and recall, our engine performs presence checks to verify if leaked secrets are still present or completely removed from the git history.

++ You want a proven enterprise-grade platform that offers scalable and robust secrets detection, remediation, and intrusion detection throughout your software supply chain. You want to enjoy continued support and the ability to customize the platform to meet your unique needs.

  is suitable for you if:

++ You're seeking a platform with a wide range of capabilities and prioritize breadth of features over depth.

-- Scanning other sources like Docker images, CI environment, and server logs for secrets is not a priority.

-- No strong need for remediation workflow automation, remediation guidelines, and support to bring dev and sec teams together.

GitGuardian vs.  
The long version

Core detection capabilities

Regular expressions to match known, distinct patterns

%ndet%+ types of specific and generic secrets supported with high accuracy level.

✅ Checks the validity of %nvck%+ types of exposed secrets.

❌ Information on no. of secret detectors is not publicly available.

✅ Validity checks.

Regular expressions result in fewer false alerts. Additionally, known patterns make it simpler to verify if the secret is true or false or whether this is a test or example key.

Learn more about how GitGuardian detects secrets.

High entropy checks to match credentials without distinct patterns and enter “paranoid” mode

++ Yes, based on the combination of entropy checks and contextual analysis of the presumed secret (pre/post-filters).

++ GitGuardian currently supports %ngdet%+ types of generic secrets.

❌ Not as good.

In order to capture a considerably wider variety of secret types, high entropy should be employed.

Learn more about how GitGuardian detects secrets.

Custom patterns

++ Yes, supported with the use of regular expressions (in SaaS/Self-hosted versions).

✅ Yes.

To find company-specific secrets that are not picked up by the default patterns, you should be able to define your own patterns.

Learn how to create custom detectors.

Detector activation/deactivation

++ Detectors can be individually activated/deactivated from the UI, in the workspace settings.

❌ Information is not publicly available.

We recommend keeping all detectors active to avoid missing any hardcoded secrets.

Learn how to configure GitGuardian’s detectors.

Sensitive file names

++ 22 file names raise policy break alerts.

✅ Yes.

There is a very lengthy list of extensions that potentially hold secrets due to the numerous programming languages, frameworks, and coding standards that are used globally.

Learn which file types contain sensitive information.

Sensitive file extensions

++ 14 extensions raise policy break alerts.

✅ Yes.

Secrets are frequently discovered in file extensions together with environment variables and configuration data. Learn more.

Filepath exclusions

++ Yes, excluding paths is possible through the UI. GitGuardian recommends a set of exclusions (e.g. test directories) and enables users to test filepaths against the active exclusion list.

❌ Information is not publicly available.

The ability to reduce the number of incidents and concentrate solely on those that matter most is critical to scaling your secrets detection and remediation program.

Scanning multiple sources

Code repositories

++ Secrets scanning is possible for local Git repositories or repositories managed through GitHub, GitHub Enterprise, GitLab, Azure DevOps, and Bitbucket Server/Data Center.

✅ Yes, they support major SCMs.

Your repositories contain secrets and sensitive data, such as user passwords or other security flaws, making it possible for anybody with access to the image to obtain that secret and perhaps exploit it to gain access to other systems.

Learn more on why secrets inside Git are a problem

Docker images

++ Yes, Docker images can be scanned with the GitGuardian CLI, ggshield, using a specific command. The Dockerfile, build arguments, and the image's layers' filesystem are scanned for secrets.

❌ Information is not publicly available.

Your Docker image can wind up containing a private SSH key, an AWS access token, or a password.

Learn more about the secrets we found on Docker Hub.

Logs

🟠 The GitGuardian REST API and CLI, ggshield, support scanning all types of text input for secrets. GitGuardian can provide wrappers (code snippets) to extract and load data from observability tools or CI/CD logs.

❌ Information is not publicly available.

Sensitive data may unintentionally leak from your server logs when services unintentionally output sensitive data.

Other sources

++ Yes, we are currently supporting the scan of Slack, Jira , Confluence and Microsoft Teams.

❌ Do not scan Slack, Jira, or s3 buckets Struggle in air-gapped environments when running POCs.

Sensitive data may unintentionally be leaked in other productivity tools used by developers.

Monitoring perimeter

GitHub Enterprise
Instance level

++ Yes

✅ Yes.

GitHub Enterprise
Organization level

++ Yes, native GitHub App at the organization level (one-click integration).

✅ Yes.

Repository level

++ Yes, upon integration of a GitHub Enterprise organization, admins can choose to - give access to select repositories - provide access to all repositories (present and future repositories).

✅ Yes.

GitHub
Organization or Repository level

++ Yes, native GitHub App available. Admins can:
- give access to select repositories
- give access to all repositories (present and future repositories).

✅ Yes.

GitLab
Instance level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope.

✅ Yes.

GitLab
Project or Repository level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to establish a webhook with the VCS for historical and real-time scanning.

✅ Yes.

Bitbucket Server/Data Center
Instance level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS for historical and real-time scanning.

✅ Yes.

Bitbucket Server/Data Center
Project level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS for historical and real-time scanning.

✅ Yes.

Azure DevOps (Repos)
Instance level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS.

✅ Yes.

Azure DevOps (Repos)
Project or Repository level

++ Yes, a native integration is available. GitGuardian needs a Personal Access Token with an Admin scope to set up a webhook with the VCS.

✅ Yes.

Secure the SDLC and more

Historical scans

++ Yes, full repository history scan can be launched on-demand. Scanning is performed across all branches and for the entire history up to the initial commit.

❌ Information is not publicly available.

Hardcoded secrets can hide deep in the commit history across various branches, not only the latest revision of the code.

Pre-commit

++ Yes, supported through the GitGuardian CLI, ggshield.

✅ Yes.

Pre-commit hooks put the onus on developers to keep their code free from secrets before contributing to the team’s codebase. The cost of remediation at this stage is low. Learn how to set up a pre-commit hook with GitGuardian.

Pre-push

++ Yes, supported through the GitGuardian CLI, ggshield.

✅ Yes.

Pre-push hooks put the onus on developers to keep their code free from secrets before contributing to the team’s codebase.

Pre-receive

++ Yes, supported through the GitGuardian CLI, ggshield.

In addition, a 'break-glass' option is provided to avoid blocking developer workflow in case test credentials or false positives are raised.

✅ Yes.

Pre-receive hooks are the most effective tool to prevent secrets from reaching your codebase.

Post-receive

✅ Yes, supported with the native VCS integrations (GitHub, GitLab, Bitbucket and Azure DevOps). Historical and continuous protection.

✅ Yes.

CI environment

++ Yes, the GitGuardian CLI, ggshield, runs natively with 8 different providers in total: GitHub Actions, GitLab CI/CD, Bitbucket pipelines, Azure pipelines, Jenkins CI, CircleCI, Drone CI, and Travis CI.

❌ Information is not publicly available.

It is important to raise awareness around the problem of hardcoded secrets and align Dev, Sec, and Ops with Automated Security Testing (AST) in pipelines.

Learn how to use GitGuardian's secrets detection in your CI workflows.

Pull requests (check runs)
& commit status checks

++ In GitHub, secrets scanning check runs can be triggered on pull requests on repositories monitored by GitGuardian. The behavior can be configured to block merging PRs containing secrets.

✅ Yes.

Pull request or merge request scanning brings secrets detection to environments developers are familiar with, such as the GitHub or GitLab UI.

Enriched UI and centralization of incidents

Rich UI with all data needed for investigation and remediation

++ Unified view of incidents across all monitored sources found via the native VCS integrations.

✅ Yes.

It facilitates the collection of relevant data for big-picture analysis.

Security team view
(global view)

++ Rich UI/centralized dashboard for Security and Incident Response teams.

✅ Yes.

To accurately assess the code security posture of an enterprise, security professionals require visibility across complex, sprawling environments.

Developer/Engineering view (local view)

++ Developers can get access to incidents via the GitGuardian UI, with a scoped view on incidents shared with them.

++ An external page can be generated for the developers to view individual incident details, fill out a feedback form and possibly remediate the incident on their own with our advice.

✅ Yes.

Developers can view and handle their incidents most effectively with the help of intuitive dashboards.

Incident Lifecycle Management

Incident data

✅ In addition to data such as the commit sha, date, author, secrets type, location (repository, file name, line) and validity, GitGuardian provides contextual tags such as "from a historical scan", "sensitive file", "test file", "exposed publicly", "leaked publicly", "regression", "default branch", etc. 

+- Yes, but it is language dependent.

Incident data helps you in prioritizing and investigating incidents better by giving additional context.

Automated Severity Scoring

++ GitGuardian scores the severity of incidents: "Low", "Medium", "High" or "Critical" following default rules or user-defined rules.

✅ Yes.

Severity scoring will assist in identifying and prioritizing issues for quicker resolution.

Validity and presence checks

++ For certain secrets, GitGuardian can perform non-intrusive checks to verify their validity. When revoked, secrets will be marked as no longer valid, effectively providing proof of remediation.

++ GitGuardian can also verify the presence of the secrets in the commits and provide proof of deletion after all evidence of the secret is removed.

✅ Yes, they have validity checks.

❌ Information on presence checks is not publicly available.

Users should be able to check the validity of each incident and determine whether the leaked secret is still present or has been entirely erased from the commit history. Learn how to verify if an exposed secret was removed from the commit history.

Occurrence grouping

++ GitGuardian groups all occurrences of the same secret leak across files, repositories, and organizations.

❌ Information is not publicly available.

You can lessen alert fatigue. There is no need to triage/resolve each and every occurrence separately.

Incidents status management

++ Incident handling with "Triggered", "Assigned", "Resolved" and "Ignored" statuses. Two outcomes are possible: incidents can be resolved or ignored.

✅ Yes.

This will assist organizations in swiftly identifying incidents and mitigating their negative impact.

Incident assignment

++ Incidents can be assigned to a team member (a security engineer or a developer) to handle the incident.

✅ Yes.

Defining incident assignees makes sure that the incident gets a timely and appropriate response.

Remediation guidelines

++ Default remediation guidelines and recommendations are displayed in the UI. The guidelines can also be customized.

✅ Yes

You have some remediation guidelines by default. But as each organization has its own context and remediation policies, you will have the ability to customize the remediation guidelines.

Learn how to create custom remediation guidelines.

Automation and playbooks

++ Incident remediation playbooks like sharing incidents with involved developers, collecting feedback, and closing incidents when they are re-checked as invalid can be automated.

✅ Yes.

The time savings, particularly at the enterprise scale, can be significant. Playbooks keep your teams productive and focused!

Learn more about how to prioritize, investigate and remediate hardcoded secrets incidents at scale.

Incident timeline

++ A detailed timeline is provided with an extensive activity log of all performed events (status changes, feedback notes, access sharing, and much more).

✅ Yes, they have a knowledge graph.

Timelines help security teams keep track of all of the actions performed on the incident.

Collaboration with developers

++ Developers can get access to incidents via:
• GitGuardian workspace, scoped view on incidents shared with them;
• A link to an external page can be generated for the developers to view individual incident details, fill a feedback form and possibly remediate the incident on their own.

✅ Yes.

Because developers are key to taming secrets sprawl, AppSec teams must provide them with instant access to and ownership of their hardcoded secrets incidents.

Learn how to bring Dev, Sec, and Ops together for tackling secret sprawl.

Whitelisting options

++ Yes. When ignoring incidents, it is possible to flag findings as false positives, low-risk credentials, or test credentials.

❌ Information is not publicly available.

Pull request or merge request scanning brings secrets detection to environments developers are familiar with, such as the GitHub or GitLab UI.

Regression behavior

++ New occurrences of a resolved incident can be configured to re-open the incident and trigger new alerts or deliver silent notifications.

❌ Information is not publicly available.

If new secrets were added or rotated secrets broke existing app functionality, you need to reopen the incident.

Alerting

Real-time alerting

++ Yes

✅ Yes.

Serious incidents are immediately identified. Alerts may be directed to the right developers more rapidly for remediation.

Email alerts

++ Yes, to prevent alert fatigue, only one email is sent for multiple occurrences of the same incident.

✅ Yes.

The problem of secret leaks has developers at the forefront. It is crucial to notify the developer in charge of the incident via their commit email.

Learn what's included in GitGuardian email alerts.

Integration with most common SIEMs like Splunk or ITSMs

++ Yes

✅ Yes.

Teams, processes, and tools should be integrated to increase efficiency and effectiveness for all users by ensuring that alerts are received at the appropriate time and location and that no alert is missed.

Integration with ticketing systems like Jira or messaging apps like Slack

++ Yes

✅ Yes.

By integrating your code security platform and ticketing/messaging tool, you can address critical incidents and expedite remediation.

Event-driven generic webhooks

++ Yes

Stay in the know with event-driven alerts when new incidents are raised or when actions are performed on open incidents.

Reporting & Analytics

Analytics

++ Yes, enriched analytics to assess security posture over time and remediation performance.

✅ Yes.

Analytics help you assess security posture over time, and remediation performance.

Data exports

++ All data is exportable in .csv (including historical incidents) or in JSON format using the REST API.

✅ Yes.

Your Dev can review the incident data and filter it further based on their needs.

Enterprise support

Deployment

++ SaaS & On-premises (self-hosted)

✅ Both.

SaaS is less expensive and easier to scale, while on-premises offers more visibility.

See how an enterprise customer deployed a secrets detection program.

SSO

++ Yes, fully compatible with any SAML 2.0 provider.

✅ Yes.

Because users only log in once per day and utilize a single set of credentials, it decreases the number of attack surfaces.

See the setup procedures for different IdPs.

Roles Based Access Control (RBAC) & Team management

++ Yes, the available roles "Workspace Owner", "Manager" (admin), "Member" and "Restricted" are designed for fine-grained access control down to the occurrence level. Teams management available.

✅ Yes.

It's a wonderful approach to bring in every developer, scale up incident remediation, and deal with orphan incidents.

Learn how RBAC can help fix hardcoded credentials faster.

Audit logs

++ Detailed activity logs of all actions triggered on the dashboard or through the REST API.

✅ Yes.

Audit logs include precise historical data that can be used to retrace an incident's timeline.

See how to access Gitguardian audit logs.

REST API

++ GitGuardian’s public REST API can be used to realize all sorts of actions on your workspace and incidents (retrieve, assign, update status, and share secrets incidents, and more).

✅ Yes.

This API provides you with access to all of the incident data, including tasks.

Enterprise support & onboarding

++ A dedicated team of Solutions and DevOps Engineers will be made available to help you rollout secrets detection and remediation for your organization (included in the licensing model, at no additional cost).

✅ Yes.

In order to use a product effectively, a solid onboarding program aids in your ability to comprehend and experience the value it offers.

It is always advantageous to have support professionals who are completely committed to fixing any technical issues you may encounter.

Read more in-depth articles on GitGuardian Blog.

Why does it matter?

OFFERS
PARTIALLY OFFERS
DOES NOT OFFER

{{group.name}}

Toggle

v-html being used here

v-html being used here

v-html being used here

v-html being used here

Note: The space is evolving quickly, and we do our best to keep information on our competitors up to date. If you see any outdated information, contact us and we will immediately set the record straight!

How do users like you rate us?

Users rate GitGuardian high on these categories on review sites like PeerSpot, G2, and Capterra.

Ease of Use • 4.6 stars

Customer Service • 4.6 stars

Value for Money • 4.6 stars

Ease of Use • 8.9

Quality of Support • 9.0

Ease of setup • 9.3

The top four reasons why users prefer GitGuardian over Apiiro

GitGuardian excels with extensive detection capabilities, streamlined developer collaboration, remediation, and dedicated customer support, surpassing Apiiro in key areas.

GitGuardian surpasses Apiiro in terms of detection capabilities on multiple fronts. Unlike Apiiro, GitGuardian supports over %ndet% types of secrets and maintains high accuracy with its extensive detectors.

In addition, GitGuardian provides a unique feature of checking the presence of keys in Git history before triggering an alert, which sets it apart from Apiiro. With stronger entropy checks, 14 sensitive file extensions, and 22 sensitive file names that trigger policy break alerts, GitGuardian further enhances its detection capabilities. Moreover, GitGuardian's engine conducts contextual code analysis to filter out false positives effectively.

Our platform has highly accurate specific detectors with an impressive %sdtpr%% true positive rate, ensuring you receive reliable alerts. Even our generic detectors offer around %gdtpr%% true positives, surpassing the weak entropy checks provided by Apiiro. Our advanced algorithms actively search for patterns such as high entropy strings and contextual hints like 'username' and 'pwd' keywords, allowing us to identify potential secrets with greater precision.

But that's not all. GitGuardian goes the extra mile by consolidating multiple instances of exposed secrets across various files and repositories into a single incident. This streamlined approach simplifies the remediation process, saving you time and effort. Say goodbye to alert overload and deliver accurate and actionable alerts while effectively combating alert fatigue.

At GitGuardian, we prioritize seamless collaboration with developers, making incident management and feedback collection a breeze. Developers can easily access incidents through a scoped view on our intuitive dashboard. This streamlined approach enables quick incident remediation and valuable feedback.

Additionally, GitGuardian offers default remediation guidelines, along with the flexibility to create custom guidelines, empowering teams to tailor their workflows to their specific needs. While Apiiro may offer similar features, we have heard from prospects that their implementation can be buggy and challenging to manage remediation efforts effectively.

At GitGuardian, we prioritize your success and satisfaction during the rollout phase. That's why we offer extensive and complimentary onboarding packages tailored to your needs, even if it requires several months of support.

Our dedicated customer success team is committed to providing guidance and assistance throughout the entire onboarding process. From initial setup to regular check-ins, we'll be there to ensure a smooth transition. Additionally, our DevRel lunch and learn sessions are designed to empower your team with in-depth knowledge and expertise, ensuring everyone feels confident and comfortable using GitGuardian.

GitGuardian is the #1 security application on the GitHub Marketplace

Trusted by security leaders
at the world’s biggest companies

Learn how Jon-Erik and his team saved over 200 hours of manual review

The solution has significantly reduced our mean time to remediation, by three or four months. We wouldn't know about it until we did our quarterly or semi-annual review for secrets and scan for secrets.

Jon-Erik Schneiderhan, Senior Site Reliability Engineer at a computer software company with 501-1,000 employees

Read the case study

Want to see the difference for yourself?

And keep your secrets out of sight