Hey there! If you’re researching different options for a new git secrets scanning solution then you’re probably looking to compare GitGuardian with other solutions to figure out which one is right for you. To help make this as easy as possible, we’ve put together a detailed overview of how GitGuardian stacks up to Gitleaks.
Below you’ll find a very transparent comparison of the main features, and even a set of cases where GitGuardian is not the best choice, and recommendations for when Gitleaks might work better than GitGuardian!
The space is evolving quickly, and we make our best efforts to keep information on our competitors up to date. If you see any information that you consider outdated or unfair with our competitors, please contact us and we will immediately set the record straight!
(for both public and internal monitoring products)
GitGuardian
Gitleaks
Enriched interface and centralization of incidents
GitGuardian
Gitleaks
Rich UI with all data needed for investigation and remediation
Yes
-- No
InfoSec team view (global view)
Yes
-- No
Developer view (local view)
Yes
++ Yes (with GitHub actions)
← swipe left
Detection
Harvest candidates
Filter false positives
GitGuardian
Gitleaks
Regular expressions to match known, distinct patterns
Yes - Over %ndet% secrets detectors (API keys, database connection strings, certificates, usernames and passwords, ...)
++ Yes - Regex on characters chains + entropy filters
High entropy checks to match credentials without distinct patterns and enter “paranoid” mode
Yes, in combination with other techniques to get rid of false positives.
++ Yes, but high level of false positive. Entropy level can be customised by end user.
Contextual analysis
Yes. The context of a presumed credential can help a lot to filter bad candidates (e.g. the import of an API wrapper is a strong indicator of a true positive).
-- No
Credential validity checks
Yes, where feasible.
-- No
Dictionary of anti-patterns
Yes - Ability to exclude folders such as test folders and filter certain credentials like those containing "EXAMPLE" or "QWERTY" in them (placeholders).
++ Yes, manually for each rule you can specify an allowlist regex.
Feedback loop to constantly improve the algorithms
Yes. Approx. %secrets-scanned-in-a-day% alerts sent per day!
-- No
Sensitive File names
Sensitive filetypes raise specific alerts: policy breaks.
-- No
Ability to define custom detectors
Yes, but only through our support and if the detector can be deployed for all customers. Full ability to define custom detectors to be expected in H2 2021.
++ Yes
← swipe left
Alerting
GitGuardian
Gitleaks
Real-time alerting
Yes
-- No
Email alerting
Yes
-- No
Splunk
Native integration
Slack alerting
Yes
-- No
JIRA
Native integration (Q4 2021)
Custom webhook to integrate anywhere
Available to push alerts (JSON output format)
← swipe left
Incident Life Cycle Management
GitGuardian
Gitleaks
Collect and structure weak signals to prioritize incidents
Yes - For example, credentials containing “admin” or “prod” in their context can be prioritized.
-- No
Ability to assign incidents / mark them as resolved / etc.
Yes
-- No
Whitelisting
Yes - Whitelist credentials or folders such as test folders.
++ Yes
Grouping / deduplication of alerts
Yes - Multiple alerts related to the same leaked credential are grouped and can be resolved in a unified manner. No need to triage/resolve every single occurrence.
-- No
REST API
API to retrieve and update secrets incidents
← swipe left
“Shift left”
GitGuardian
Gitleaks
Put the developer in the loop
InfoSec can collect feedback from the developers directly in the dashboard and collaborate in order to remediate.
-- No
“Auto-heal” incidents
Developers have the ability to resolve certain incidents by themselves without involving InfoSec if not needed.
-- No
← swipe left
SDLC stage scanning capabilities
GitGuardian
Gitleaks
Pre-receive
Supported but not recommended because "pre receive" can block developers and create friction
Post-receive
Yes, supported natively. Real-time incremental scanning.
CI pipeline
Natively integrates with GitLab pipelines, in addition to CircleCI, Travis CI, Drone CI...
Full historical scan
Yes, can be launched on-demand through the interface
← swipe left
Reporting
GitGuardian
Gitleaks
In app
Yes - Global Health Status, MTTD / MTTR, etc.
-- No
Data exporting
Yes - Enriched data can be exported in CSV format.
++ Yes (Only one scan at a time)
← swipe left
Security
GitGuardian
Gitleaks
SSO authentication
Yes
-- No
RBAC
Yes - Roles available: Owner / Manager (Admin) / Members.
-- No
Audit trail
Yes
-- No
← swipe left
(On top of general capabilities)
GitGuardian
Gitleaks
Monitoring
GitGuardian
Gitleaks
Monitor all GitHub public activity, at scale
Yes
-- No - You need to direct Gitleaks against repositories you know exist
Reliably filter public activity on GitHub that is linked with your company
Yes - We have the ability to match developers, source code and companies using a unique combination of heuristics. Contact us, we will show you our results for your company!
-- No
Identify and monitor developers’ personal repositories
Yes - This is where 80% of corporate leaks occur on GitHub.
-- No
← swipe left
Deployment
of the solution
GitGuardian
Gitleaks
Available in SaaS
Yes
-- No
Available On Prem
No - GitGuardian Public Monitoring scans only public data, thus on prem is often not a requirement for our customers.
Open source
← swipe left
(On top of general capabilities)
GitGuardian
Gitleaks
Integration with the Version Control System
GitGuardian
Gitleaks
GitHub native integration
Yes - Integration at the GitHub Org level with the ability to select monitored repositories
-- No
GitLab native integration
Yes - Integration at the instance level on full perimeter or at the group level
-- No
Bitbucket native integration
Yes - Bitbucket Server/Data Center customer only
-- No
← swipe left
Secure the SDLC and more
GitGuardian
Gitleaks
Detection API to integrate anywhere in the SLDC and the tools developers use
Yes - Integrate GitGuardian as a pre-commit or scan Slack messages for secrets using our API (that can be self-hosted)
++ Yes
← swipe left
Alerting
GitGuardian
Gitleaks
Notification for the developer, directly in the VCS frontend
Yes - GitHub only
++ Yes
← swipe left
Deployment of the solution
GitGuardian
Gitleaks
Available in SaaS
Yes
-- No
Available On Prem
Yes - For more than 200 developers or 30k$ annual contract
Open source
Pricing
Individual developer: Free
Small team (<25 dev): Free
Enterprise (>25 dev): Yearly fee based on the number of developers included in the surveillance perimeter
Free
← swipe left
Multi source scanning
GitGuardian
Gitleaks
VCS
Integrates natively with GitHub, in addition to GitLab and Bitbucket.
-- -
Docker image scanning
Yes
-- -
Other sources
REST API to scan any plain text by leveraging GitGuardian’s secrets detection engine.
-- -
← swipe left
Choosing Gitleaks or GitGuardian for git secrets scanning is mostly a question of build or buy. As a famous open source software, Gitleaks is a good base to build on if you decide to build rather than buy.
The answer to the build vs buy question depends on your precise requirements and the exact goals that you’re trying to achieve. For example, you might not need a rich dashboard or real-time scanning, which lowers the cost of building and maintaining an in-house tool.
By the way, we’ve written a comprehensive article if you’d like to explore building a tool such as GitGuardian yourself. In our article, you will learn more about how SAP (NYSE:SAP) built an internal secrets detection solution. Hopefully this will help you!
We also have a significant experience in building TCO analyses and strong use cases for security leadership, so don’t hesitate to contact our sales team.
Review your business needs with us and learn more about monitoring source code for secrets!
GitGuardian is the code security platform for the DevOps generation.
With automated secrets detection and remediation, our platform enables Dev, Sec, and Ops to advance together towards the Secure Software Development Lifecycle.
Subscribe to our newsletter to receive the latest content and updates from GitGuardian.
