GitGuardian and TruffleHog both have secrets scanning capabilities.
GitGuardian is a global cybersecurity startup focused on code security solutions for the DevOps generation. A leader in the secrets detection and remediation market, its solutions are already used by hundreds of thousands of developers across all industries.
TruffleHog is a popular open source project for finding leaked credentials.
In this article, you will learn how GitGuardian compares with TruffleHog v3, so you can find the best fit for your needs.
Hey there! If you’re deep in the research process of choosing a new git secrets scanning solution then you’re probably looking to compare GitGuardian with other options to figure out whether it might be right for you. To help make this as easy as possible, we’ve put together a detailed overview of how GitGuardian stacks up to TruffleHog v3.
Below you’ll find a high-level comparison of the main features, along with a set of cases where GitGuardian is not the best choice and recommendations for when TruffleHog v3 might work better than GitGuardian.
The space is evolving quickly, and we make our best efforts to keep information on our competitors up to date. If you see any information that you consider outdated or unfair to our competitors, please contact us and we will immediately set the record straight.
(for both public and internal monitoring products)
GitGuardian
TruffleHog v3
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: Yes
TruffleHog v3: -- No
Harvest candidates
Filter false positives
GitGuardian
TruffleHog v3
GitGuardian: Yes - Over %ndet% secrets detectors (API keys, database connection strings, certificates, usernames and passwords, ...)
TruffleHog v3: ++ TruffleHog v3 covers 600+ types of specific secrets.
GitGuardian: Yes, in combination with other techniques to get rid of false positives.
TruffleHog v3: -- TruffleHog v3 does not support entropy checks yet (see the project's GitHub repository).
GitGuardian: Yes. The context of a presumed credential helps a lot in filtering bad candidates (e.g. the import of an API wrapper is a strong indicator of a true positive).
TruffleHog v3: ++ Yes
GitGuardian: Yes, where feasible.
TruffleHog v3: ++ Yes, where feasible.
GitGuardian: Yes - Ability to exclude folders such as test folders and to filter certain credentials, such as those containing "EXAMPLE" or "QWERTY" (placeholders).
TruffleHog v3: ++ Yes - Ability to exclude folders such as test folders.
GitGuardian: Yes. Approx. %secrets-scanned-in-a-day% alerts sent per day!
TruffleHog v3: -- No
GitGuardian: Sensitive filetypes raise specific alerts: policy breaks.
GitGuardian: Yes, but only through our support and if the detector can be deployed for all customers. Full ability to define custom detectors is expected in H2 2021.
TruffleHog v3: ++ Yes
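As an added illustration (not GitGuardian's or TruffleHog's code), here is a small Python scanner that applies the pipeline the comparison describes: harvest candidates with a specific-format detector and a generic keyword detector, then filter them by excluded folder, placeholder markers such as "EXAMPLE" and "QWERTY", Shannon entropy, and a context hint (an API-wrapper import). The detector patterns, entropy threshold, folder list and hint list are assumptions chosen for illustration, and the sample file is constructed.

```python
import math
import re

# Constructed detectors (assumption): one specific-format rule, one generic keyword rule.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|password|api_key)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
PLACEHOLDER_MARKERS = ("EXAMPLE", "QWERTY", "CHANGEME")  # page's placeholders plus one
EXCLUDED_DIRS = ("test", "tests", "fixtures")           # folders to skip (assumed list)
CONTEXT_HINTS = ("import boto3", "import stripe")       # API-wrapper imports (assumed list)

def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, dictionary words low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def in_excluded_dir(path: str) -> bool:
    return any(part in EXCLUDED_DIRS for part in path.replace("\\", "/").split("/")[:-1])

def is_placeholder(candidate: str) -> bool:
    return any(marker in candidate.upper() for marker in PLACEHOLDER_MARKERS)

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Harvest candidates, then filter; returns (line_no, detector, secret, entropy) tuples."""
    if in_excluded_dir(path):
        return []
    context_hit = any(hint in text for hint in CONTEXT_HINTS)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if is_placeholder(secret):
                    continue
                ent = shannon_entropy(secret)
                # A specific-format match stands on its own; a generic keyword match must
                # look random, unless the file also imports an API wrapper (context).
                if name == "generic_assignment" and ent < min_entropy and not context_hit:
                    continue
                findings.append((line_no, name, secret, round(ent, 2)))
    return findings

# Constructed sample file (not real credentials): one placeholder, one weak, one random.
SAMPLE = ('import boto3\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
          'password = "passwordpassword"\napi_key = "sk_live_9f8Ab3kQzX1mN7pL2vRt"\n')
print(scan_text("app/settings.py", SAMPLE))
```

Running it reports the low-entropy password only because the file imports an API wrapper; remove the import line and that candidate is filtered out while the random-looking key remains.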
GitGuardian
TruffleHog v3
Yes
Yes, native GitHub app at organisation level (simple integration)
Yes, upon integration of a GHE organization, users can choose to:
- give access to only one repository in particular
- give access to all repositories (and the ones that will be created).
The core detection engine can be used to scan any type of text file (Slack messages, Google Drive documents, Jira tickets, etc.).
GitGuardian
TruffleHog v3
Yes
-- No
Yes
-- No
Native integration
Yes
-- No
Yes
-- No
Native integration (Q4 2021)
Available to push alerts (JSON output format)
Not supported
GitGuardian
TruffleHog v3
GitGuardian: Yes - For example, credentials containing “admin” or “prod” in their context can be prioritized.
TruffleHog v3: -- No
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: Yes - Whitelist credentials or folders such as test folders.
TruffleHog v3: ++ Yes - Whitelist folders such as test folders. No native ability to whitelist credentials.
GitGuardian: Yes - Multiple alerts related to the same leaked credential are grouped and can be resolved in a unified manner. No need to triage/resolve every single occurrence.
TruffleHog v3: -- No
GitGuardian: API to retrieve and update secrets incidents
GitGuardian
TruffleHog v3
GitGuardian: Yes - Global Health Status, MTTD / MTTR, etc.
TruffleHog v3: -- No
GitGuardian: Yes - Enriched data can be exported in CSV format.
TruffleHog v3: ++ Yes - Data can be exported in CSV or output as JSON.
GitGuardian
TruffleHog v3
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: Yes - Roles available: Owner / Manager (Admin) / Members.
TruffleHog v3: -- No
GitGuardian: Yes
TruffleHog v3: -- No
(On top of general capabilities)
GitGuardian
TruffleHog v3
GitGuardian: Yes
TruffleHog v3: -- No - You need to point TruffleHog v3 at repositories you already know exist.
GitGuardian: Yes - We have the ability to match developers, source code and companies using a unique combination of heuristics. Contact us and we will show you our results for your company!
TruffleHog v3: -- No
GitGuardian: Yes - This is where 80% of corporate leaks occur on GitHub.
TruffleHog v3: -- No
GitGuardian
TruffleHog v3
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: No - GitGuardian Public Monitoring scans only public data, so on-prem deployment is rarely a requirement for our customers.
TruffleHog v3: Open source
(On top of general capabilities)
GitGuardian
TruffleHog v3
GitGuardian: Yes - Integration at the GitHub Org level with the ability to select monitored repositories
TruffleHog v3: -- TruffleHog v3 scans GitHub repos but does not offer a native GitHub app.
GitGuardian: Yes - Integration at the instance level on the full perimeter or at the group level
TruffleHog v3: -- TruffleHog v3 scans GitLab repos but does not offer a native integration.
GitGuardian: Yes - Bitbucket Server/Data Center customers only
TruffleHog v3: -- No
GitGuardian
TruffleHog v3
Supported but not recommended, because a pre-receive hook can block developers and create friction
Yes, supported natively. Real-time incremental scanning.
Natively integrates with GitLab pipelines, in addition to CircleCI, Travis CI, Drone CI...
Yes, can be launched on-demand through the interface
GitGuardian
TruffleHog v3
GitGuardian: Yes - Integrate GitGuardian as a pre-commit hook, or scan Slack messages for secrets using our API (which can be self-hosted)
TruffleHog v3: ++ Yes, TruffleHog v3 can be integrated with git hooks.
GitGuardian
TruffleHog v3
GitGuardian: InfoSec can collect feedback from the developers directly in the dashboard and collaborate in order to remediate.
TruffleHog v3: -- No
GitGuardian: Developers have the ability to resolve certain incidents by themselves without involving InfoSec if not needed.
TruffleHog v3: -- No
GitGuardian
TruffleHog v3
GitGuardian: Yes - GitHub only
TruffleHog v3: -- No
GitGuardian
TruffleHog v3
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: Yes - For more than 200 developers or a $30k annual contract
TruffleHog v3: Open source
GitGuardian:
Individual developer: Free
Small team (<25 developers): Free
Enterprise (>25 developers): Yearly fee based on the number of developers included in the surveillance perimeter
TruffleHog v3: Free
GitGuardian
TruffleHog v3
GitGuardian: Integrates natively with GitHub, in addition to GitLab and Bitbucket.
TruffleHog v3: -- Scans repos hosted on GitHub and GitLab but does not offer a native app.
GitGuardian: Yes
TruffleHog v3: -- No
GitGuardian: REST API to scan any plain text by leveraging GitGuardian’s secrets detection engine.
TruffleHog v3: ++ AWS S3 buckets and filesystems are supported.
Choosing between TruffleHog v3 and GitGuardian for git secrets scanning is mostly a build-or-buy question. As a well-known open source project, TruffleHog v3 is a good base to build on if you decide to build rather than buy.
The answer to the build vs. buy question depends on your precise requirements and the exact goals you’re trying to achieve. For example, you might not need a rich dashboard or real-time scanning, which lowers the cost of building and maintaining an in-house tool.
By the way, we’ve written a comprehensive article if you’d like to explore building a tool such as GitGuardian yourself. In it, you will learn how SAP (NYSE:SAP) built an internal secrets detection solution. Hopefully this will help you!
We also have significant experience in building TCO analyses and strong use cases for security leadership, so don’t hesitate to contact our sales team.
Review your business needs with us and learn more about monitoring source code for secrets!