Check out how the GitGuardian Platform compares to the secret scanning capabilities of GitHub Advanced Security.
Before we had GitGuardian we were "blind." We had no detections, which was very bad. We were using another product on GitHub, similar to GitGuardian, but it was not really as good as GitGuardian. The graphical interface and the detail GitGuardian gives you are really amazing. And there are fewer false positives than any other platform. We are able to notify developers of issues on the spot and tell them, "You have exposed a secret." It is absolutely brilliant.
Abbas Haidar, Head of InfoSec at a tech services company with 51-200 employees.
GitGuardian is the code security platform for the DevOps generation that offers automated Secrets Detection, Infra as Code Security, and Honeytoken capabilities, facilitating a Secure Software Development Lifecycle for Dev, Sec, and Ops teams.
GitHub makes extra security features available to customers under a GitHub Advanced Security license. These features include code scanning, secret scanning, and dependency review.
++ You need "single pane of glass" monitoring and must roll out secrets detection and remediation to your entire engineering ecosystem, not only supporting GitHub but also GitLab, Bitbucket, or Azure DevOps.
++ You are looking for a best-of-breed secrets detection engine that supports 350+ specific, generic, and custom patterns while maintaining high accuracy and recall.
++ You want a fully integrated platform with capabilities like alerting, incident triage, remediation workflows but you also need to integrate scanning in developer workflows with tools like a CLI or a REST API.
++ You fall in our free tier; free and easy to use is excellent, especially when you find out GitGuardian is the #1 security app on the GitHub Marketplace!
++ You prefer to work with a single code security vendor.
++ You want to implement minimum security standards in a variety of disciplines.
While choosing a single vendor like GitHub Advanced Security may be convenient, it limits your ability to choose specialized vendors with more extensive coverage in specific security disciplines, such as GitGuardian for secrets scanning.
GitHub Advanced Security was created exclusively for GitHub. It only looks for secrets in the repository's code, not in other areas, such as CI/CD pipelines or Docker images.
GitGuardian is compatible with various VCS platforms, including GitHub, Bitbucket, GitLab, and Azure DevOps. As a result, teams that use multiple VCS platforms can use the same security solution across all of their repositories.
The secret scanning feature of GitHub Advanced Security may not detect up to 60% of potential secret incidents due to its reliance on specific detectors only.
GitGuardian's detection engine, on the other hand, provides both specific and generic detectors, as well as custom regex patterns, making it more adaptable to specific needs. GitGuardian supports a broader range of secret types, such as API keys, tokens, and certificates, making it more effective at detecting security incidents.
Developers often express dissatisfaction with the false positives produced by GitHub's push protection.
The secret detection engine at GitGuardian eliminates false positives by performing secret validity checks and contextual code analysis. Specific detectors have a 91% true positive rate, while generic detectors have an 80% true positive rate. Furthermore, GitGuardian consolidates multiple occurrences of secrets exposed across files and repositories into a single incident.
GitHub Advanced Security provides limited contextual info, incident management, and developer-led remediation features compared to GitGuardian, making it harder to manage incidents and collaborate with team members.
Organizations can respond to incidents more quickly by automating alerting, severity scoring, prioritization, and developer collaboration tasks with GitGuardian playbooks. This results in faster elimination of high-severity incidents with custom remediation advice.
Pre-commit hooks are not offered by GitHub Advanced Security.
When a developer accidentally commits a secret in their local working environment, ggshield, the GitGuardian CLI, alerts them immediately, so the fix is only minutes away.
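As an added illustration of the mechanics this page describes (specific detectors for fixed-format tokens, a generic detector backed by an entropy check, consolidation of every occurrence of one secret into a single incident, and a pre-commit hook that blocks the commit), here is a small Python scanner written for this page. It is example code, not ggshield or GitGuardian's engine: the detector patterns, the entropy threshold, the constructed sample diff and the masking format are all assumptions, and the AWS values in the sample are the placeholder credentials from AWS's own documentation, not live keys. It goes slightly beyond the text in that it tracks new-file line numbers across hunks and new files, so the report points at the exact line to fix.

```python
"""Toy staged-diff secret scanner shaped like a git pre-commit hook.
Added example for this page; NOT ggshield or GitGuardian's detection engine.
Patterns, threshold and sample data are illustrative assumptions."""
import hashlib
import math
import re
import subprocess
import sys
from collections import defaultdict

# Specific detector: a secret with a well-known, fixed structure (assumed shape).
SPECIFIC_DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}
# Generic detector: a credential-like variable name assigned a token-like value;
# candidates are then filtered on Shannon entropy to drop obvious placeholders.
GENERIC_ASSIGNMENT = re.compile(
    r'(?i)\b\w*(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*["\']?'
    r'([A-Za-z0-9+/_\-=]{16,})["\']?'
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for a single repeated character."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(secret):
    """Stable id for one secret value so repeated occurrences group together."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_diff(diff_text):
    """Scan only added lines of a unified diff; yields (detector, secret, path, line)."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith(("--- ", "diff ", "index ")):
            continue
        if line.startswith("@@"):  # hunk header carries the new-file start line
            m = re.search(r"\+(\d+)", line)
            lineno = int(m.group(1)) - 1 if m else 0
            continue
        if line.startswith("-"):
            continue  # removed lines do not exist in the new file
        lineno += 1  # context (" ") and added ("+") lines both advance numbering
        if not line.startswith("+"):
            continue
        content, line_findings = line[1:], []
        for name, rx in SPECIFIC_DETECTORS.items():
            for m in rx.finditer(content):
                line_findings.append((name, m.group(1), path, lineno))
        for m in GENERIC_ASSIGNMENT.finditer(content):
            candidate = m.group(1)
            dup = any(candidate == f[1] for f in line_findings)
            if not dup and shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                line_findings.append(("generic_high_entropy", candidate, path, lineno))
        findings.extend(line_findings)
    return findings


def consolidate(findings):
    """Group every occurrence of the same secret value into one incident."""
    incidents = defaultdict(lambda: {"detector": None, "preview": None, "occurrences": []})
    for detector, secret, path, lineno in findings:
        inc = incidents[fingerprint(secret)]
        inc["detector"] = detector
        inc["preview"] = secret[:4] + "*" * (len(secret) - 4)  # never echo the full value
        inc["occurrences"].append((path, lineno))
    return dict(incidents)


def hook_exit_code(diff_text):
    """0 lets the commit proceed; 1 blocks it, as a pre-commit hook would."""
    return 1 if consolidate(scan_diff(diff_text)) else 0


# Constructed sample diff. The AKIA... and wJalr... values are the placeholder
# credentials from AWS's documentation, not live keys.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaa"
+api_token = "xK9pQ2mZ7vL4nR8sT1wY3bD6fH0jC5gA"
 DEBUG = False
diff --git a/deploy/env.sh b/deploy/env.sh
--- /dev/null
+++ b/deploy/env.sh
@@ -0,0 +1,2 @@
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # Installed as .git/hooks/pre-commit it scans the staged diff; "--demo" scans the sample.
    if "--demo" in sys.argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    for fp, inc in consolidate(scan_diff(diff)).items():
        where = ", ".join(f"{p}:{n}" for p, n in inc["occurrences"])
        print(f"[{inc['detector']}] {inc['preview']} (incident {fp}) at {where}")
    sys.exit(hook_exit_code(diff))
```

Run with `--demo` and the sample diff produces three incidents rather than four findings: the AWS access key ID committed in both `config/settings.py` and `deploy/env.sh` is reported once with two locations, the low-entropy `DB_PASSWORD` placeholder is dropped by the entropy filter, and the non-zero exit status is what a pre-commit hook uses to stop the commit.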
The solution has significantly reduced our mean time to remediation by three or four months. We wouldn't know about it until we did our quarterly or semi-annual review for secrets and scan for secrets.
Jon-Erik Schneiderhan, Senior Site Reliability Engineer at a computer software company with 501-1,000 employees