GitGuardian vs Gitleaks for git secrets scanning

Understand how GitGuardian compares with Gitleaks, so you can find the best fit for you.

Compare GitGuardian to Gitleaks

Hey there! If you’re researching different options for a new git secrets scanning solution then you’re probably looking to compare GitGuardian with other solutions to figure out which one is right for you. To help make this as easy as possible, we’ve put together a detailed overview of how GitGuardian stacks up to Gitleaks.

Below you’ll find a very transparent comparison of the main features, and even a set of cases where GitGuardian is not the best choice, and recommendations for when Gitleaks might work better than GitGuardian!

Let's compare!

Note: the space is evolving quickly, and we make our best efforts to keep information on our competitors up to date. If you see any information that you consider outdated or unfair with our competitors, please contact us and we will immediately set the record straight!

General capabilities
(for both public and internal monitoring products)

Enriched interface and centralization of incidents

Rich UI with all data needed for investigation and remediation
  GitGuardian: Yes
  Gitleaks: No

InfoSec team view (global view)
  GitGuardian: Yes
  Gitleaks: No

Developer view (local view)
  GitGuardian: Yes
  Gitleaks: Yes (with GitHub Actions)

Detection (harvest candidates, then filter false positives)

Regular expressions to match known, distinct patterns
  GitGuardian: Yes - over 250 secrets detectors (API keys, database connection strings, certificates, usernames and passwords, ...)
  Gitleaks: Yes - regex on character strings plus entropy filters

High entropy checks to match credentials without distinct patterns and enter “paranoid” mode
  GitGuardian: Yes, in combination with other techniques to get rid of false positives.
  Gitleaks: Yes, but with a high rate of false positives. The entropy threshold can be customised by the end user.

Contextual analysis
  GitGuardian: Yes. The context of a presumed credential helps a lot in filtering bad candidates (e.g. the import of an API wrapper is a strong indicator of a true positive).
  Gitleaks: No

Credential validity checks
  GitGuardian: Yes, where feasible.
  Gitleaks: No

Dictionary of anti-patterns
  GitGuardian: Yes - ability to exclude folders such as test folders and to filter certain credentials, like those containing "EXAMPLE" or "QWERTY" (placeholders).
  Gitleaks: Yes, manually: for each rule you can specify an allowlist regex.

Feedback loop to constantly improve the algorithms
  GitGuardian: Yes. Approx. 5,000 alerts sent per day!
  Gitleaks: No

Ability to define custom detectors
  GitGuardian: Yes, but only through our support and if the detector can be deployed for all customers. Full ability to define custom detectors is expected in H2 2021.
  Gitleaks: Yes

Alerting

Real-time alerting
  GitGuardian: Yes
  Gitleaks: No

Email alerting
  GitGuardian: Yes
  Gitleaks: No

Integration with most common SIEMs or ITSMs
  GitGuardian: Yes
  Gitleaks: No

Slack alerting
  GitGuardian: Yes
  Gitleaks: No

Incident Life Cycle Management

Collect and structure weak signals to prioritize incidents
  GitGuardian: Yes - for example, credentials containing “admin” or “prod” in their context can be prioritized.
  Gitleaks: No

Ability to assign incidents / mark them as resolved / etc.
  GitGuardian: Yes
  Gitleaks: No

Whitelisting
  GitGuardian: Yes - whitelist credentials or folders such as test folders.
  Gitleaks: Yes

Grouping / deduplication of alerts
  GitGuardian: Yes - multiple alerts related to the same leaked credential are grouped and can be resolved in a unified manner. No need to triage/resolve every single occurrence.
  Gitleaks: No
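To make the detection stages compared above (harvesting candidates with regexes, then filtering false positives with entropy checks, a placeholder dictionary and test-folder exclusions) and the grouping of repeated occurrences into one incident concrete, here is an added Python example. It is not GitGuardian's or Gitleaks' code; the two detector patterns, the entropy threshold and the sample repository contents are constructed for illustration only.

```python
import math
import re

# Constructed sample snapshot of a repository (no real credentials): path -> contents.
SAMPLE_FILES = {
    "src/config.py": ('AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
                      'STRIPE_KEY = "sk_live_x9Qp2LmZ7tRv4KwN8bYc1HsD"\n'),
    "src/billing.py": ('import stripe\n'
                       'stripe.api_key = "sk_live_x9Qp2LmZ7tRv4KwN8bYc1HsD"\n'),
    "src/legacy.py": 'OLD_KEY = "sk_live_QWERTYQWERTYQWERTYQWERTY"\n',
    "tests/fixtures.py": 'KEY = "sk_live_ZzYyXxWwVvUuTtSsRrQqPpOo"\n',
    "README.md": "Keys look like sk_live_" + "a" * 24 + "\n",
}

# Harvest step: regexes for known, distinct patterns (two constructed detectors stand in for a full set).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24}\b"),
}
PLACEHOLDERS = ("EXAMPLE", "QWERTY")  # dictionary of anti-patterns
EXCLUDED_DIRS = ("tests/",)           # folders to skip, such as test folders
MIN_ENTROPY = 3.0                     # bits per character; constructed threshold, tuned per rule in practice

def shannon_entropy(s):
    """Shannon entropy in bits per character: 0 for a repeated character, high for random keys."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_false_positive(secret):
    """Filter step: drop placeholders and low-entropy matches that the regex alone accepts."""
    if any(p in secret.upper() for p in PLACEHOLDERS):
        return True
    return shannon_entropy(secret) < MIN_ENTROPY

def scan(files):
    """Group findings by (detector, secret) -> paths: one leaked credential, one incident."""
    incidents = {}
    for path, text in files.items():
        if path.startswith(EXCLUDED_DIRS):
            continue
        for detector, rx in PATTERNS.items():
            for match in rx.finditer(text):
                secret = match.group(0)
                if not is_false_positive(secret):
                    incidents.setdefault((detector, secret), []).append(path)
    return incidents
```

Running scan(SAMPLE_FILES) yields a single incident for the constructed Stripe-style key, listing both files it appears in; the placeholder keys, the all-"a" documentation string and the test fixture are all filtered out before they become alerts.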

“Shift left”

Put the developer in the loop
  GitGuardian: InfoSec can collect feedback from the developers directly in the dashboard and collaborate in order to remediate.
  Gitleaks: No

“Auto-heal” incidents
  GitGuardian: Developers have the ability to resolve certain incidents by themselves, without involving InfoSec if not needed.
  Gitleaks: No

Reporting

In app
  GitGuardian: Yes - Global Health Status, MTTD / MTTR, etc.
  Gitleaks: No

Data exporting
  GitGuardian: Yes - enriched data can be exported in CSV format.
  Gitleaks: Yes (only one scan at a time)

Security

SSO authentication
  GitGuardian: Yes
  Gitleaks: No

RBAC
  GitGuardian: Yes - roles available: Owner / Manager (Admin) / Members.
  Gitleaks: No

Audit trail
  GitGuardian: Yes
  Gitleaks: No


Public monitoring product
(On top of general capabilities)

Monitoring

Monitor all GitHub public activity, at scale
  GitGuardian: Yes
  Gitleaks: No - you need to direct Gitleaks against repositories you know exist

Reliably filter public activity on GitHub that is linked with your company
  GitGuardian: Yes - we have the ability to match developers, source code and companies using a unique combination of heuristics. Contact us and we will show you our results for your company!
  Gitleaks: No

Identify and monitor developers’ personal repositories
  GitGuardian: Yes - this is where 80% of corporate leaks occur on GitHub.
  Gitleaks: No

Deployment of the solution

Available in SaaS
  GitGuardian: Yes
  Gitleaks: No

Available On Prem
  GitGuardian: No - GitGuardian Public Monitoring scans only public data, so on prem is often not a requirement for our customers.
  Gitleaks: Open source


Internal monitoring product
(On top of general capabilities)

Integration with the Version Control System

GitHub native integration
  GitGuardian: Yes - integration at the GitHub Org level with the ability to select monitored repositories
  Gitleaks: No

GitLab native integration
  GitGuardian: Yes - integration at the instance level on the full perimeter, or at the group level
  Gitleaks: No

Bitbucket native integration
  GitGuardian: Yes - Bitbucket Server/Data Center customers only
  Gitleaks: No

Secure the SDLC and more

Detection API to integrate anywhere in the SDLC and the tools developers use
  GitGuardian: Yes - integrate GitGuardian as a pre-commit hook or scan Slack messages for secrets using our API (which can be self-hosted)
  Gitleaks: Yes

Alerting

Notification for the developer, directly in the VCS frontend
  GitGuardian: Yes - GitHub only
  Gitleaks: Yes

Deployment of the solution

Available in SaaS (out of the box)
  GitGuardian: Yes
  Gitleaks: No

Available On Prem
  GitGuardian: Yes - for more than 200 developers or a 30k$ annual contract
  Gitleaks: Open source

Pricing
  GitGuardian:
    Individual developer: Free
    Small team (<25 dev): Free
    Enterprise (>25 dev): Yearly fee based on the number of developers included in the surveillance perimeter
  Gitleaks: Free


The short version

Choosing Gitleaks or GitGuardian for git secrets scanning is mostly a question of build or buy. As a well-known open source tool, Gitleaks is a good base to build on if you decide to build rather than buy.

The answer to the build vs buy question depends on your precise requirements and the exact goals you’re trying to achieve. For example, you might not need a rich dashboard or real-time scanning, which lowers the cost of building and maintaining an in-house tool.

By the way, we’ve written a comprehensive article if you’d like to explore building a tool such as GitGuardian yourself. In it, you will learn how SAP (NYSE:SAP) built an internal secrets detection solution. Hopefully this will help you!

We also have significant experience in building TCO analyses and strong use cases for security leadership, so don’t hesitate to contact our sales team.


GitGuardian is best if:

You want a ready-to-use solution with many capabilities that go beyond detection, such as dashboarding, alerting, incident lifecycle management and reporting.

You have numerous repos or large developer teams and you’re looking for enterprise-grade software.

You fall in our free tier (individual developer and teams below 25 developers), and free and easy-to-use is great!


Gitleaks is best if:

You don’t fall in our free tier and you don’t want to pay for a solution.

You have a small developer team and few repositories or secrets to protect, so it is not worth paying for a subscription.

You prefer monitoring internal repositories manually.


Schedule a demo!

Review your business needs with us and learn more about monitoring source code for secrets!