See for yourself how TruffleHog Open Source, a secrets scanning CLI, fares against GitGuardian's code security platform.
We have tried a bunch of open-source solutions, the biggest one being TruffleHog Open Source. The main reason for switching was the lack of good detection. It pretty much thinks any complex string is a password, so the signal-to-noise ratio was extremely high. That was a huge toil for us, trying to tune it and get rid of all the noise so the engineers could actually work.
Don M., Security Engineer
GitGuardian is the code security platform for the DevOps generation that offers automated Secrets Detection and Honeytoken capabilities, facilitating a Secure Software Development Lifecycle for Dev, Sec, and Ops teams.
TruffleHog Open Source (v3) is a popular command-line interface (CLI) that helps find hardcoded secrets in git repositories and other developer tools.
++ Tackling hardcoded secrets is a high priority in your AppSec roadmap and you want to scale secrets detection to your entire engineering organization.
++ You want a fully integrated platform with capabilities like alerting, incident prioritization and triage, automated remediation workflows, Role-based Access Control (RBAC), developer tools (API, CLI and SDK).
++ You are looking for enterprise-grade software (SaaS or self-hosted) built to support and scale to thousands of developers and repositories.
++ You fall in our free tier, and free and easy-to-use is excellent!
++ You are not yet sure that secrets detection is a priority on your Application Security roadmap and want to run a light experiment with an open-source tool.
++ You prefer going with open-source and building the missing features on top: source control and alerting integrations, incident lifecycle management, issue tracking, collaboration features, authentication, role-based access management (RBAC), audit logs, etc.
* Truffle Security, the company behind TruffleHog Open Source, also offers an enterprise version which provides more advanced features like those mentioned above.
Note: The space is evolving quickly, and we do our best to keep information on our competitors up to date. If you see any outdated information, contact us and we will immediately set the record straight!
TruffleHog Open Source is a great resource to start tackling hardcoded secrets. However, the breadth of features and support offered by open-source solutions might not be sufficient to meet the code security needs of large, dynamic enterprises. Here’s why users choose GitGuardian as a TruffleHog Open Source alternative.
GitGuardian has the GUI that TruffleHog Open Source doesn't have.
GitGuardian’s rich UI and centralized dashboard allow complete collaboration between Dev, Sec teams, and Ops. You can start scans and check their results, assign open secret incidents to developers in your team with restricted roles, track progress with analytics, etc.
TruffleHog Open Source is only capable of local scanning of git repositories and does not support native integrations with version control systems. TruffleHog Open Source may not be able to handle large Git repositories or complex Git histories, which can lead to performance issues.
The GitGuardian platform is VCS agnostic (GitHub, GitLab, Bitbucket, Azure DevOps).
TruffleHog Open Source, like other open-source secret detection tools, can generate false positives, leading to wasted time and resources. It relies on regular expressions to search for secrets, so secrets that do not match a known pattern can be missed.
GitGuardian's detection engine has specific and generic detectors, and performs secret validity checks and contextual code analysis to filter out false positives. GitGuardian also groups multiple occurrences of the same secret into a single incident.
TruffleHog Open Source is a standalone tool and needs to be integrated into the overall developer security workflow with varying degrees of effort.
With GitGuardian, you can add continuous monitoring for secrets in your software delivery pipeline in a matter of seconds. Alerts can be sent directly to Slack or Discord if secrets are discovered. Incidents can be reported to Jira and PagerDuty, or you can create custom webhooks.
TruffleHog Open Source does not provide any context around the exposed secret to address incident response and remediation.
With GitGuardian, you can create teams and invite your developers to join the workspace. Thanks to our playbooks, Sec engineers can reduce their Mean Time To Remediate by automating alerting, prioritization, and collaboration tasks with Dev. Developers can prioritize and nullify most high-severity incidents with our custom remediation advice within a few hours.
As TruffleHog Open Source is an open-source tool, official support for it may be limited.
GitGuardian provides extensive customer support: PoC exercises, phased rollout and scaling, easy implementation with onboarding programs, dedicated technical account managers for regular check-ins, etc.
The solution has significantly reduced our mean time to remediation by three or four months. We wouldn't know about it until we did our quarterly or semi-annual review for secrets and scan for secrets.
Jon-Erik Schneiderhan, Senior Site Reliability Engineer at a computer software company with 501-1,000 employees