📅 Webinar - September 29, 11AM EDT - Hunting for Secrets in Docker Hub: The leaks we found and how to prevent them
Save my spot!7
Understand how GitGuardian Internal Monitoring compares with GitHub Advanced Security, so you can find the best fit for you.
Hey there! If you’re deep in the research process of choosing a new git secrets scanning solution then you’re probably looking to compare GitGuardian with other options to determine whether it might be right for you. To help make this as easy as possible, we’ve put together a detailed overview of how GitGuardian Internal Monitoring stacks up to GitHub’s secret scanning.
Before we dive into the comparison of the main features we first need to acknowledge the difference in business models between GitHub Advanced Security and GitGuardian Internal Monitoring.
GitHub’s security features, including secret scanning, are covered under the GitHub Advanced Security license. This is an additional product in addition to a standard GitHub Enterprise license. Currently, there are three security categories covered in GitHub’s Advanced Security, these are:
An advantage of purchasing GitHub’s Advanced Security license is that you are dealing with a single vendor for multiple security disciplines. The disadvantage of this approach is that you cannot pick specific security vendors which have more in-depth coverage in their specific discipline. For example Snyk for dependency scanning and GitGuardian for secrets scanning. So the decision is between wanting the best possible coverage and dealing with multiple vendors or, dealing with a single vendor.
As mentioned previously, GitHub Advanced Security is a platform covering different elements of application security. This page will evaluate one element of the GitHub security package, Secret Scanning, with GitGuardian’s Internal Monitoring.
Now let’s dive into how GitHub Advanced Security Secret Scanning compares with GitGuardian Internal Monitoring solution.
The space is evolving quickly, and we make our best efforts to keep information on our competitors up to date. If you see any information that you consider outdated or unfair with our competitors, please contact us and we will immediately set the record straight!
(for GitGuardian Internal Monitoring product)
GitGuardian
GitHub Advanced Security
Core detection capabilities / supported policies
GitGuardian
truffleHog
Supported providers
250+ types of secrets supported with high accuracy level provided by the ability to check the validity of some type of keys before raising an alert
Around 35 supported providers
Generic Secrets
“Paranoïd mode” based on the powerful combination of entropy checks + contextual analysis of the presumed secret
Not supported
Sensitive File names
Sensitive filetypes raise specific alerts: policy breaks.
Not supported
Ability to define custom patterns
On roadmap (H2 2021)
Not supported
← swipe left
Implementation method
GitGuardian
truffleHog
GitHub Enterprise - Instance Level
Not supported for now (on the roadmap)
Not supported for now (on the roadmap)
GitHub Enterprise - Org Level
Yes, native GitHub app at organisation level (simple integration)
Yes
GitHub Enterprise - Individual repository level
Yes, upon integration of a GHE organization, users can choose to:
- give access to only one repository in particular
- give access to all repositories (and the ones that will be created).
Yes
Secrets Detection API
Core detection engine can be used to scan any type of text files (Slack messages, Gdivre, Jira tickets, etc.) More information: here
No secret detection API (GitHub’s available API can be used to fetch alerts).
← swipe left
SDLC stage scanning capabilities
GitGuardian
truffleHog
Pre-receive
Not recommended because "pre receive" can block developers and create friction
Not supported
Post-receive
Yes, supported natively with the GitHub app. Real-time incremental scanning.
Yes
Full historical scan
Yes, can be launched on-demand through the interface
Not supported
← swipe left
Interface and centralization of alerts
GitGuardian
truffleHog
Results visualization / Output format
Rich UI / centralized dashboard for Infosec and GitHub admin teams
Results are displayed in the "security" section of a given repository (see here)
Infosec team view
Rich UI / centralized dashboard for Infosec and GitHub admin teams
No centralized interface for Infosec team or Github admin team
Developer / Engineering view
“Developer in the loop” feature (local access to the dashboard for developers), GitGuardian is also compatible with GitHub Actions and GitHub check runs.
GitGuardian-shield can also be implemented in most CI Tools.
Developer with sufficient rights at the repo level can see the "security" section
← swipe left
RBAC
GitGuardian
truffleHog
Roles available
Owner / Manager (admin) / Members
Secret scanning access rights can be granted by Admins / Repo owners to certain users/teams
SSO
Full compatibility with any SAML 2.0 provider
Yes
← swipe left
Alerting
GitGuardian
truffleHog
Email
Email alert to dashboard members (Infosec team) and commit author
Email alert to the repository administrators, organization owners and commit author
Splunk
Native integration
Not supported
Slack
Native integration
Not supported
JIRA
Native integration (Q4 2021)
Not supported
Custom webhook to integrate anywhere
Available to push alerts (JSON output format)
Available
← swipe left
Reporting
GitGuardian
truffleHog
In-app
Yes, rich UI with centralized metrics to assess security posture over time and remediation performance.
No centralized view
Data exporting
All data is exportable in .csv (including historical incidents)
Real-time incidents can be programmatically retrieved using the API.
← swipe left
Collaborative remediation
GitGuardian
truffleHog
Collaborative remediation
“Developer in the loop” feature allows Infosec team to collect feedback directly from the developer responsible for an incident through the dashboard.
Infosec team not involved and kept out of the equation.
← swipe left
Incident lifecycle management
GitGuardian
truffleHog
Whitelisting
Yes; ability to mark test keys and whitelist future occurrences of such keys.
Yes
Grouping/deduplication of alerts
Multiple alerts related to the same leaked credential are grouped and can be resolved in a unified manner. Triaging and resolving multiple occurrences in bulk is possible.
Not supported
REST API
API to retrieve and update secrets incidents
Yes
← swipe left
Multi source scanning
GitGuardian
truffleHog
VCS
Integrates natively with GitLab, in addition to GitHub and Bitbucket.
Yes, limited to GitLab
Docker Image scanning
Yes
Not supported
Other sources
REST API to scan any plain text by leveraging GitGuardian’s secrets detection engine.
Not supported
← swipe left
Deployment method
GitGuardian
truffleHog
Available in SaaS
Yes
Yes
Available On-Prem
Yes
Yes
← swipe left
Choosing between GitHub Advanced Security and GitGuardian Internal Monitoring is a choice between deciding if you want to deal with one vendor for multiple critical security disciplines or multiple vendors that have the most extensive coverage in their discipline.
The answer to what solution to buy will very much depend on your precise requirements and also what current tools and solutions you already have in place.
To understand more and advise on your specific scenario please don’t hesitate to contact our sales team.
You want the most comprehensive secret detection coverage across the board
Your organization is currently using different security tools already for SAST or detecting dependencies in vulnerabilities, and you’re looking to add secret detection to your existing toolkit rather than buying a generic code security solution
You want advanced remediation playbooks
You want to empower both security teams and developers
You want to deal with one code security vendor
You want to quickly implement minimum security standards
Review your business needs with us and learn more about monitoring source code for secrets!
