Hey there! If you’re deep in the research process of choosing a new git secrets scanning solution then you’re probably looking to compare GitGuardian with other options to determine whether it might be right for you. To help make this as easy as possible, we’ve put together a detailed overview of how GitGuardian Internal Monitoring stacks up to GitHub’s secret scanning.
Before we dive into the comparison of the main features, we first need to acknowledge the difference in business models between GitHub Advanced Security and GitGuardian Internal Monitoring.
GitHub’s security features, including secret scanning, are covered under the GitHub Advanced Security license, an additional product on top of a standard GitHub Enterprise license. Currently, there are three security categories covered in GitHub’s Advanced Security, these are:
An advantage of purchasing GitHub’s Advanced Security license is that you deal with a single vendor for multiple security disciplines. The disadvantage is that you cannot pick the vendor with the most in-depth coverage in each discipline, for example Snyk for dependency scanning and GitGuardian for secrets scanning. So the decision is between getting the best possible coverage while dealing with multiple vendors, or dealing with a single vendor.
As mentioned previously, GitHub Advanced Security is a platform covering different elements of application security. This page evaluates one element of that package, Secret Scanning, against GitGuardian Internal Monitoring.
The space is evolving quickly, and we make our best efforts to keep information on our competitors up to date. If you see any information that you consider outdated or unfair to a competitor, please contact us and we will set the record straight.
General capabilities (for both public and internal monitoring products)

Enriched interface and centralization of incidents

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Rich UI with all data needed for investigation and remediation | Yes | ++ Results are displayed in the "Security" section of a given repository |
| InfoSec team view (global view) | Yes | -- No centralized interface for the InfoSec team or the GitHub admin team |
| Developer view (local view) | Yes | ++ Developers with sufficient rights at the repository level can see the "Security" section |
Detection

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Harvest candidates | | |
| Regular expressions to match known, distinct patterns | Yes - Over %ndet% secrets detectors (API keys, database connection strings, certificates, usernames and passwords, ...) | ++ 135 supported types of secrets |
| High entropy checks to match credentials without distinct patterns ("paranoid" mode) | Yes, in combination with other techniques to filter out false positives. | -- Not supported |
| Filter false positives | | |
| Contextual analysis | Yes. The context of a presumed credential helps a lot to filter bad candidates (e.g. the import of an API wrapper is a strong indicator of a true positive). | |
| Credential validity checks | Yes, where feasible. | |
| Dictionary of anti-patterns | Yes - Ability to exclude folders such as test folders and to filter credentials that contain placeholders such as "EXAMPLE" or "QWERTY". | |
| Feedback loop to constantly improve the algorithms | Yes. Approx. %secrets-scanned-in-a-day% alerts sent per day! | |
| Sensitive file names | Sensitive file types raise specific alerts: policy breaks. | |
| Ability to define custom detectors | Yes, but only through our support and if the detector can be deployed for all customers. Full ability to define custom detectors is expected in H2 2021. | ++ Supported, with regular expression syntax |
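To make the detection rows above concrete, here is a miniature scanner that combines the techniques the table lists: regular expressions for known token formats, a Shannon-entropy check for credentials with no distinct format, contextual analysis (an imported SDK raises confidence), and a dictionary of anti-patterns (placeholder words and test folders). This is an added example written for this page, not GitGuardian's or GitHub's engine. The token prefixes are public formats; the entropy threshold, placeholder words, excluded folders and the sample file are assumptions constructed for the example. Credential validity checks are left out on purpose: they require contacting the issuing provider.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Added example, not a vendor's detection engine.

@dataclass
class Finding:
    detector: str
    secret: str
    line_no: int
    confidence: str  # "high" when the context supports it, else "medium"

# 1. Harvest candidates: regular expressions for known, distinct formats
#    (AWS access key ID, GitHub personal access token, Slack bot token).
PATTERN_DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack_bot_token": re.compile(r"\b(xoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24})\b"),
}

# 2. Harvest candidates without a distinct format ("paranoid" mode):
#    a credential-looking assignment whose value has high entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)["']?\s*[:=]\s*["']([^"']{8,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune on your own corpus

# 3. Filter false positives: dictionary of anti-patterns (assumed values).
PLACEHOLDER_WORDS = ("EXAMPLE", "QWERTY", "CHANGEME", "XXXXXXXX")
EXCLUDED_PATH_PARTS = ("/test/", "/tests/", "/fixtures/")

# 4. Contextual analysis: an imported SDK for the same provider makes a
#    candidate far more likely to be real.
CONTEXT_IMPORTS = {
    "aws_access_key_id": re.compile(r"^\s*(import boto3|from boto3 )"),
    "github_pat": re.compile(r"^\s*(import github|from github )"),
    "slack_bot_token": re.compile(r"^\s*(import slack_sdk|from slack_sdk )"),
}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_placeholder(value: str) -> bool:
    return any(word in value.upper() for word in PLACEHOLDER_WORDS)


def scan_document(text: str, path: str = "") -> List[Finding]:
    """Scan one file's content; findings are returned in line order."""
    if any(part in "/" + path for part in EXCLUDED_PATH_PARTS):
        return []  # whole folder is excluded by policy
    lines = text.splitlines()
    has_import = {name: any(rx.search(l) for l in lines) for name, rx in CONTEXT_IMPORTS.items()}
    findings: List[Finding] = []
    for idx, line in enumerate(lines, start=1):
        for name, rx in PATTERN_DETECTORS.items():
            for m in rx.finditer(line):
                if is_placeholder(m.group(1)):
                    continue  # e.g. AWS's documented AKIA...EXAMPLE key
                findings.append(Finding(name, m.group(1), idx, "high" if has_import[name] else "medium"))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group(2)) and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding("generic_high_entropy", m.group(2), idx, "medium"))
    return findings


# Constructed sample input: a placeholder key, a realistic-looking key next to
# the boto3 import, a low-entropy password, and a high-entropy secret.
SAMPLE = """import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_ACCESS_KEY_ID = "AKIAJZ4Q3BOQ7W2RDXQY"
password = "hunter2hunter2"
DB_SECRET = "q8Zt4pLm2XwC7bRk9vYs1"
"""
```

Running `scan_document(SAMPLE, "src/config.py")` reports the second AKIA key with high confidence (the `import boto3` context) and the `DB_SECRET` value through the entropy path, while the documented example key and the repeated-word password are dropped; the same content under `tests/fixtures/` yields nothing because of the folder exclusion. The entropy threshold is the knob that trades recall for noise, which is why the table pairs it with the other filters.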
Alerting

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Real-time alerting | Yes | |
| Email alerting | Yes | ++ Email alert to the repository administrators, organization owners and commit author |
| Splunk | Native integration | -- Not supported |
| Slack alerting | Yes | -- Not supported |
| JIRA | Native integration (Q4 2021) | -- Not supported |
| Custom webhook to integrate anywhere | Available to push alerts (JSON output format) | ++ Available |
Incident Life Cycle Management

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Collect and structure weak signals to prioritize incidents | Yes - For example, credentials with "admin" or "prod" in their context can be prioritized. | |
| Ability to assign incidents, mark them as resolved, etc. | Yes | |
| Whitelisting | Yes - Whitelist credentials or folders such as test folders. | ++ Yes |
| Grouping / deduplication of alerts | Yes - Multiple alerts related to the same leaked credential are grouped and can be resolved in a unified manner. No need to triage/resolve every single occurrence. | -- Not supported |
| REST API | API to retrieve and update secrets incidents | ++ Yes |
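The two rows above that most change an analyst's workload are weak-signal prioritization and grouping of alerts by credential. The following added example (written for this page, not GitGuardian's or GitHub's implementation) collapses per-occurrence alerts into one incident per secret, keyed by a hash so the incident record never re-leaks the value, and scores each incident from context words and file location. The signal words, their weights, the test-folder hints and the sample occurrences are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: deduplicate alerts into incidents and rank them.

@dataclass
class Occurrence:
    """One match of a secret in one place."""
    secret: str
    path: str
    line_no: int
    commit: str
    context: str  # the source line the secret sat in


@dataclass
class Incident:
    fingerprint: str  # hash of the secret; the value itself is never stored here
    occurrences: List[Occurrence] = field(default_factory=list)
    score: int = 0
    status: str = "open"

    @property
    def paths(self) -> List[str]:
        return sorted({o.path for o in self.occurrences})


def fingerprint(secret: str) -> str:
    # A truncated SHA-256 is enough to group, and safe to put in webhooks and tickets.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Weak signals and weights (assumed values for the example).
SIGNALS = [("prod", 5), ("production", 5), ("admin", 4), ("root", 4), ("master", 2)]
TEST_PATH_HINTS = ("/test/", "/tests/", "/spec/", "example")


def score_occurrence(o: Occurrence) -> int:
    score = 1
    text = (o.context + " " + o.path).lower()
    for word, weight in SIGNALS:
        if word in text:
            score += weight
    if any(h in "/" + o.path.lower() for h in TEST_PATH_HINTS):
        score -= 3  # likely a fixture: lower priority, but keep the incident
    return max(score, 0)


def group_occurrences(occurrences: List[Occurrence]) -> List[Incident]:
    """One incident per distinct credential, highest priority first."""
    by_fp: Dict[str, Incident] = {}
    for o in occurrences:
        fp = fingerprint(o.secret)
        by_fp.setdefault(fp, Incident(fp)).occurrences.append(o)
    for inc in by_fp.values():
        # Urgency follows the most alarming occurrence; spread across files adds to it.
        inc.score = max(score_occurrence(o) for o in inc.occurrences) + len(inc.paths) - 1
    return sorted(by_fp.values(), key=lambda i: i.score, reverse=True)


def resolve(incident: Incident, note: str) -> Incident:
    """Resolving the incident closes every occurrence at once, no per-alert triage."""
    incident.status = "resolved: " + note
    return incident


# Constructed sample: one database password committed three times across two
# files and two commits, plus an unrelated token inside a test fixture.
SAMPLE_OCCURRENCES = [
    Occurrence("Pr0d-Db-P4ss!", "config/prod.env", 3, "a1b2c3", "DB_PASSWORD=Pr0d-Db-P4ss!"),
    Occurrence("Pr0d-Db-P4ss!", "scripts/migrate.sh", 12, "a1b2c3", "PGPASSWORD=Pr0d-Db-P4ss! psql"),
    Occurrence("Pr0d-Db-P4ss!", "config/prod.env", 3, "d4e5f6", "DB_PASSWORD=Pr0d-Db-P4ss!"),
    Occurrence("xoxb-sample-test-token", "tests/fixtures/slack.json", 7, "d4e5f6",
               '"token": "xoxb-sample-test-token"'),
]
```

`group_occurrences(SAMPLE_OCCURRENCES)` yields two incidents instead of four alerts: the production password (three occurrences, two files, scored up by the `prod` hint) and the fixture token (scored down by its path). One call to `resolve` closes all three occurrences of the password together, which is the behaviour the "grouping / deduplication" row describes.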
“Shift left”

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Put the developer in the loop | InfoSec can collect feedback from developers directly in the dashboard and collaborate with them to remediate. | -- InfoSec team not involved and kept out of the equation. |
| “Auto-heal” incidents | Developers can resolve certain incidents by themselves, without involving InfoSec when that is not needed. | |
SDLC stage scanning capabilities

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Pre-receive | Supported but not recommended, because a pre-receive hook can block developers and create friction | -- Not supported |
| Post-receive | Yes, supported natively. Real-time incremental scanning. | ++ Yes |
| CI pipeline | Natively integrates with GitLab pipelines, in addition to CircleCI, Travis CI, Drone CI... | |
| Full historical scan | Yes, can be launched on demand through the interface | -- Not supported |
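The pre-receive row above deserves a concrete picture of what "blocking" means: a server-side hook that reads the pushed refs from stdin and rejects the whole push with a non-zero exit if any added line contains a secret. The script below is an added example written for this page (it is neither GitGuardian's ggshield nor a GitHub hook); the same file also works as a client-side pre-commit hook, which catches the secret earlier and with less friction. The detector list is deliberately tiny (two public token formats plus a generic password assignment) and the sample diff is constructed; a real deployment would call a full detection engine from `scan_diff`.

```python
#!/usr/bin/env python3
"""Added example: git hook that refuses commits or pushes introducing secrets.
Install as .git/hooks/pre-commit (client) or hooks/pre-receive (server)."""
import os
import re
import subprocess
import sys
from typing import List, Tuple

# Minimal detector list for the example; not a complete engine.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_password", re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
NULL_SHA = "0" * 40  # git passes this as "old" for a new ref and as "new" for a deleted one


def scan_diff(diff: str) -> List[Tuple[str, str, str]]:
    """Scan only the added lines of a unified diff; returns (path, detector, line)."""
    hits: List[Tuple[str, str, str]] = []
    path = ""
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed lines, context lines and headers add no new exposure
        added = line[1:]
        for name, rx in PATTERNS:
            if rx.search(added):
                hits.append((path, name, added.strip()))
    return hits


def git(*args: str) -> str:
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout


def staged_diff() -> str:
    """pre-commit: exactly what is about to be committed."""
    return git("diff", "--cached", "--unified=0")


def pushed_diff(new_sha: str) -> str:
    """pre-receive: every commit the push would add to this ref."""
    if new_sha == NULL_SHA:
        return ""  # ref deletion introduces nothing
    # Commits reachable from the pushed tip but from no ref the server already has.
    shas = git("rev-list", new_sha, "--not", "--all").split()
    return "".join(git("show", "--format=", "--unified=0", sha) for sha in shas)


def main() -> int:
    hook = os.path.basename(sys.argv[0])
    if hook == "pre-receive":
        # stdin carries one "old-sha new-sha refname" line per updated ref
        diff = "".join(pushed_diff(line.split()[1]) for line in sys.stdin if line.strip())
    else:
        diff = staged_diff()
    hits = scan_diff(diff)
    for path, name, text in hits:
        print(f"{hook}: refusing {name} in {path}: {text}", file=sys.stderr)
    return 1 if hits else 0  # any non-zero exit rejects the commit or the push


# Constructed sample diff: one file adds two secrets, another only removes one.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,3 @@
+import boto3
+AWS_KEY = "AKIAJZ4Q3BOQ7W2RDXQY"
+password = "correct horse battery"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-old line with AKIAJZ4Q3BOQ7W2RDXQY
+new line without a secret
"""

if __name__ == "__main__":
    sys.exit(main())
```

Two points the table's caveat is about: the hook scans only added lines, so a developer removing a leaked key is not blocked for doing the right thing, and a rejection on the server arrives after the developer has already made the commits, which is the friction the row warns about. Running the same script as a pre-commit hook gives the same check at the moment the developer can still fix the file cheaply.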
Reporting

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| In app | Yes - Global Health Status, MTTD / MTTR, etc. | -- No centralized view |
| Data exporting | Yes - Enriched data can be exported in CSV format. | -- Real-time incidents can be programmatically retrieved using the API. |
Security

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| SSO authentication | Yes | ++ Yes |
| RBAC | Yes - Roles available: Owner / Manager (Admin) / Member. | ++ Secret scanning access rights can be granted by admins / repository owners to specific users or teams |
| Audit trail | Yes | |
Public Monitoring (on top of general capabilities)

Monitoring

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Monitor all GitHub public activity, at scale | Yes | |
| Reliably filter public activity on GitHub that is linked with your company | Yes - We match developers, source code and companies using a unique combination of heuristics. Contact us and we will show you our results for your company! | |
| Identify and monitor developers’ personal repositories | Yes - This is where 80% of corporate leaks occur on GitHub. | |

Deployment of the solution

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Available in SaaS | Yes | |
| Available on prem | No - GitGuardian Public Monitoring scans only public data, so an on-prem deployment is usually not a requirement for our customers. | |
Internal Monitoring (on top of general capabilities)

Integration with the Version Control System

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| GitHub native integration | Yes - Integration at the GitHub organization level, with the ability to select the monitored repositories | |
| GitLab native integration | Yes - Integration at the instance level (full perimeter) or at the group level | |
| Bitbucket native integration | Yes - Bitbucket Server/Data Center customers only | |
Secure the SDLC and more

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Detection API to integrate anywhere in the SDLC and in the tools developers use | Yes - Integrate GitGuardian as a pre-commit hook, or scan Slack messages for secrets using our API (which can be self-hosted) | |
Alerting

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Notification for the developer, directly in the VCS frontend | Yes - GitHub only | |
Deployment of the solution

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| Available in SaaS | Yes | ++ Yes |
| Available on prem | Yes - For more than 200 developers or a $30k annual contract | ++ Yes |
| Pricing | | |
| Individual developer | Free | |
| Small team (<25 developers) | Free | |
| Enterprise (>25 developers) | Yearly fee based on the number of developers included in the monitored perimeter | |
Multi-source scanning

| Feature | GitGuardian | GitHub Advanced Security |
| --- | --- | --- |
| VCS | Integrates natively with GitHub, in addition to GitLab and Bitbucket. | ++ Yes, limited to GitHub |
| Docker image scanning | Yes | -- Not supported |
| Other sources | REST API to scan any plain text by leveraging GitGuardian’s secrets detection engine. | -- Not supported |
Choosing between GitHub Advanced Security and GitGuardian Internal Monitoring comes down to whether you want a single vendor for multiple critical security disciplines, or multiple vendors, each with the most extensive coverage in its own discipline.
The answer to what solution to buy will very much depend on your precise requirements and also what current tools and solutions you already have in place.
To learn more and get advice on your specific scenario, please don’t hesitate to contact our sales team.
Review your business needs with us and learn more about monitoring source code for secrets!