Check out how the GitGuardian Platform compares to Yelp/detect-secrets, an open-source secrets scanner.
I've previously implemented open source alternatives. These proved cumbersome, unscalable, and with such large false-positive rates as to make the output useless. That low false-positive rate was one of the reasons we picked it. There are always going to be some, but in reality, it's very low compared to a lot of the other, open source tools that are available.
Andy, Senior Security Engineer at an insurance company with 201-500 employees
GitGuardian is the code security platform for the DevOps generation that offers automated Secrets Detection, Infra as Code Security, and Honeytoken capabilities, facilitating a Secure Software Development Lifecycle for Dev, Sec, and Ops teams.
Yelp detect-secrets is a Python CLI and library for detecting secrets within a codebase; it scans files within Git repositories using a pattern matching or entropy filtering technique.
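To make the two techniques named above concrete, here is an added example (not code from detect-secrets or GitGuardian) of a minimal scanner that combines keyword/regex rules with Shannon-entropy filtering over a few constructed lines of "source". The rule names, thresholds and the regex for AWS-style access key IDs are illustrative assumptions, not either tool's actual rule set or defaults.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Hypothetical regex rules (assumption: illustrative, not detect-secrets' own plugin set).
KEYWORD_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for entropy analysis: long runs of base64-like or hex-like characters.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")

# Thresholds in bits per character, chosen for this example (assumption).
BASE64_ENTROPY_LIMIT = 4.5
HEX_ENTROPY_LIMIT = 3.0


class Finding(NamedTuple):
    line_no: int
    rule: str
    token: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Apply keyword rules first, then entropy rules; a span is reported at most once."""
    findings: List[Finding] = []
    taken: List[tuple] = []  # (start, end) spans already reported on this line

    def report(rule: str, m: "re.Match") -> None:
        if any(m.start() < e and m.end() > s for s, e in taken):
            return  # overlaps an earlier finding (e.g. a keyword hit that also looks high-entropy)
        taken.append((m.start(), m.end()))
        findings.append(Finding(line_no, rule, m.group(0)))

    for name, pattern in KEYWORD_RULES.items():
        for m in pattern.finditer(line):
            report(name, m)
    for m in HEX_TOKEN.finditer(line):
        if shannon_entropy(m.group(0)) >= HEX_ENTROPY_LIMIT:
            report("high_entropy_hex", m)
    for m in BASE64_TOKEN.finditer(line):
        if shannon_entropy(m.group(0)) >= BASE64_ENTROPY_LIMIT:
            report("high_entropy_base64", m)
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan every line of a file's contents and return all findings with 1-based line numbers."""
    out: List[Finding] = []
    for i, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(i, line))
    return out


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed sample input, not real credentials
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
password = "password"
api_token = "n5Zq8vT2xKwL0pR4sG7hYbJ3mD6cF9aQ"
commit = 3f786850e387550fdab836ed7e6dc881de23001b
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.token}")
```

Running it reports the AKIA-style key by keyword, the random-looking token by entropy, and also the commit hash on the last line as a high-entropy hex hit, while the literal `"password"` passes untouched. Those last two outcomes are the characteristic weaknesses of pattern-plus-entropy scanning: entropy rules misfire on hashes, UUIDs and similar noise, and keyword rules miss anything their patterns do not anticipate, which is why the page later stresses false-positive rates, validity checks and the number of specific detectors.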
++ In your application security program, you want to address secrets detection and scale it to include all of your company's engineering and security departments.
++ You need a completely integrated platform that goes beyond detection, with features like alerting, incident prioritization, and triage, automated remediation workflows, role-based access management, a REST API, a CLI for developers, etc.
++ You're looking for enterprise-grade software (SaaS or self-hosted) that can manage the continuous monitoring of hundreds or thousands of repositories and contributing developers.
++ You are eligible for our free tier, and a free, simple-to-use tool is a great fit!
++ Secrets detection is not yet prioritized on your application security roadmap because you first need to size up the issue and its seriousness at your organization.
++ You would prefer to begin with open-source tools and build the missing features later: integrations for source control and alerting, incident lifecycle management, issue tracking, collaboration tools, role-based access management (RBAC), etc.
While open-source solutions like Yelp Detect Secrets can be a good choice for some organizations, they may not be the best fit for everyone. It's important to carefully consider the specific needs and requirements of your organization before choosing a code security solution.
Open source projects rely on volunteers for maintenance and development, which can lead to inconsistent updates and bug fixes. Yelp detect-secrets requires ongoing maintenance and upkeep, including regular updates and scans of your codebase. This can be time-consuming and may need a dedicated resource.
GitGuardian is available as a service too, so there is no maintenance required.
GitGuardian has the GUI that Yelp detect-secrets doesn't have.
GitGuardian's rich UI and analytics dashboard allow Dev, Sec, and Ops teams to collaborate. You can start scans and check their results, assign open secret incidents to developers on your team with restricted roles, track progress with analytics, etc. Our Incident Details view captures the entire scene of the secret incident and helps you with further investigation.
Compared to GitGuardian's secrets detection engine, which incorporates over 350 specific and generic detectors, Yelp/detect-secrets' 20 detectors are inadequate for efficient detection, so you end up constructing additional detectors manually.
The use of generic detectors is essential in detecting all valid secrets, and GitGuardian's detection engine performs secret validity checks and contextual code analysis to eliminate false positives. Additionally, GitGuardian consolidates multiple occurrences of secrets exposed in various files and repositories into a single incident.
Yelp detect-secrets is a stand-alone solution that may not integrate well with other security tools, limiting its ability to provide a comprehensive security picture.
In contrast, GitGuardian is VCS agnostic, offering native integrations with various platforms and the ability to receive alerts directly in Slack or Discord. You can also report incidents to Jira and Pagerduty or create custom webhooks, enabling integration with your existing workflows.
Yelp detect-secrets does not cover incident response and remediation.
GitGuardian offers playbooks to help organizations respond quickly and effectively to incidents. Sec engineers can automate alerting, ticketing, severity scoring, prioritizing, and collaboration tasks with developers using GitGuardian playbooks. With our customized remediation advice, developers can prioritize and eliminate the majority of high-severity incidents in a matter of hours.
As an open source tool, there may be limited official support available to you, compared to commercial solutions. Their documentation also may not be as complete as commercial solutions, making it harder for you to get started and use the tool effectively.
GitGuardian offers a wide range of customer support services, including Proof-of-Concept (PoC) exercises, phased rollout and scaling, simple implementation with onboarding programs, specialized technical account managers for ongoing check-ins, etc.
The solution has significantly reduced our mean time to remediation, by three or four months. We wouldn't know about it until we did our quarterly or semi-annual review for secrets and scan for secrets.
Jon-Erik Schneiderhan, Senior Site Reliability Engineer at a computer software company with 501-1,000 employees