Choosing Soteri for your Secret Scanning Tool vs. GitGuardian and Gitleaks
Soteri, GitGuardian, and Gitleaks are three popular secret scanning tools I will compare to help you determine the best one for your use case.
The TL;DR Version
Best for Bitbucket Data Center with 100% on-premise scanning, a native Bitbucket app (Security for Bitbucket), and the best pricing model. However, it lacks native integrations with other repository hosting services, such as GitHub.
Best for GitHub and GitLab cloud, but presents increased security risks when scanning self-hosted instances unless deployed into a private cloud configuration. Comes with a high cost.
Best for solo devs, but becomes less reliable for teams as proper usage requires every member to perform certain steps.
Overview
Soteri – A cybersecurity company that creates best-selling secret scanners, including Security for Bitbucket, Security for Confluence, and Security for Jira. Trusted by the Fortune 500, including Verizon, Bank of America, FICO, and Northrop Grumman.
GitGuardian – A cybersecurity company specializing in detecting and mitigating the exposure of secrets and sensitive data in source code. Used by Acquia, PayFit, Maven Wave, 66degrees, and more.
Gitleaks – As stated by Gitleaks, "A fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories."
Soteri vs. GitGuardian vs. Gitleaks
In-Depth Comparison
Let's dive into this in-depth " Soteri vs. GitGuardian vs. Gitleaks" comparison and find the best secret scanner for you.
Pricing
The cost of these three secret scanners varies drastically from free to over $1 million/year.
Here's a calculator for the direct costs (as opposed to indirect, such as setup and maintenance) of Security for Bitbucket by Soteri, GitGuardian, and Gitleaks.
Let's break down each of the three products' pricing in more depth.
Soteri
Soteri uses a tiered pricing structure with incremental increases based on the total users.
It's meant to provide affordable and comprehensive secret scanning solutions for all development team sizes – from just a few developers to over 50,000.
If you have over 25 users, Soteri is more cost effective than GitGuardian. However, if you have fewer than 26 users, GitGuardian is less expensive, given its free tier for small teams.
For the latest Soteri pricing, view the plugin on the Atlassian Marketplace.
GitGuardian
GitGuardian costs $220 per developer per year for private repositories (see their pricing for the latest details).
There are three different tiers based on your developer count:
- Free Plan: For fewer than 26 developers
- Business Plan: For 26 or more developers
- Enterprise Plan: Strongly recommended for more than 500 developers; likely requiring a custom quote.
At Soteri, the average developer count is 2,881, which would cost $633,820/year on GitGuardian (the actual cost on Soteri is $27,330/year).
Note: GitGuardian offers separate pricing for scanning public git repositories, but you need to book a meeting to see the pricing.
Gitleaks
Gitleaks is a completely free and open source command line tool.
Gitleaks is great if you are a solo dev wanting to ensure either no secrets are in your repository or that no new secrets ever enter your repository.
While there is no cost to use the software, it's important to factor in the cost of setting it up and maintaining it.
Once you go from an individual to a team, the attractiveness of "free" diminishes. That's because more setup, learning, and training are required to use Gitleaks.
Ensuring that no secrets enter your repository is completely dependent on every developer configuring their local pre-commit hook!
Relying on people manually setting up security configuration is the same as relying on developers to not commit hard-coded secrets.
The goal of a secret scanner is to eliminate human error.
In summary, I recommend Gitleaks for solo developers due to its free, open-source nature. However, for teams, the initial appeal diminishes due to the increased setup, learning, and reliance on individual developers to configure their pre-commit hooks.
Security and Privacy
Security and privacy are a top priority, especially when dealing with scanners that detect secrets.
You must ensure that the scanner operates and retains its findings locally.
The last thing you'd want is for the scanning company to have access to your leaked secrets.
Soteri
Soteri offers a one-click deployment offline solution, meaning data never leaves the premises. While other integrations, may compromise your data, Soteri remains committed to safeguarding your sensitive information.
Soteri provides the most advanced security of the three tools, which is why security professionals from Verizon, Bank of America, FICO, and Northrop Grumman entrust Soteri with their secret scanning.
GitGuardian
Let's break down the security and privacy of GitGuardian by whether or not you're using their on-premises solution or their cloud-hosted solution.
On-Premise
GitGuardian offers on-premise scanning via deployment of its infrastructure to a private cloud specific to your organization.
Selecting On-Premise deployments is almost always the right choice, despite the added complexity of deploying and maintaining a private cloud for GitGuardian deployment. Under no circumstances should your internally hosted repository be accessible via the internet. Keeping it within your internal network enhances security measures, leveraging features such as firewall protection and requiring VPN access.
Cloud Hosted
Here are several reasons why it's not ideal for a secret scanner to communicate its findings over the cloud:
1. Data Privacy and Security – Transmitting sensitive information over the cloud increases the risk of interception or unauthorized access, potentially compromising the confidentiality of the code and findings.
2. Compliance Concerns – Depending on the nature of the information being scanned, there may be legal or regulatory requirements regarding data storage and transmission that must be adhered to. Transmitting data over the cloud could violate these requirements.
3. Control Over Information – Keeping findings local provides greater control over who has access to the information. Once data is transmitted over the cloud, it becomes more difficult to control its distribution and ensure it remains within authorized channels.
4. Reduced Dependency – Relying on local scanning reduces dependency on external networks and services, which can be subject to downtime or disruptions. This ensures that the scanning process remains operational even in situations where internet connectivity is limited or unavailable.
After reading through GitGuardian's privacy policy and public security policy, it's not entirely clear how they handle your data when using their cloud platform.
They are SOC 2 Type 2 certified, which is a sound indication of excellent security practices. However, it is unclear if they collect any data about the discovered secrets, such as the actual secret, your codebase, or any other information that could pose a security risk.
The closest statement I could find about their handling of your sensitive data is from their privacy policy:
"We do not monitor or log data collected from your servers when using the Services, but we may log or monitor information about your access to our Services."
Gitleaks
For repositories that belong to an organization account, a free license key is required and data related to the validation of the key is sent to Gitleaks.
Here's how Gitleaks describes it in regards to running the tool in GitHub Actions:
"The only data that gitleaks-action sends to any third party is data related to license key validation (namely GITLEAKS_LICENSE, repo name, and repo owner), which is sent to the license key validation service, keygen. Your code never leaves GitHub because the scanning takes place within the GitHub Actions docker container."
Gitleaks appears to be a secure way to detect hard-coded secrets, with the only outside communication being the license verification.
Compatibility and Setup
Let's look at what it takes to get set up with Soteri, GitGuardian, and Gitleaks on GitHub, GitLab, and Bitbucket.
Soteri
Soteri creates native apps enabling unparalleled security and an intuitive user interface. Soteri has developed native secret scanners for Bitbucket, Confluence, Jira, and IntelliJ.
For platforms that Soteri does not have a native integration for, you can use their Scanning Service API.
With native apps, there is zero data transmitted outside self-hosted repositories (see the security section of this article for more info).
The setup process is also highly streamlined for native apps...
- Visit the product's respective marketplace (e.g., Atlassian Marketplace)
- Click Try free or Buy now
- Enter your info and generate a license
- Apply the license
Soteri offers the best setup and integration process among the three apps.
GitGuardian
GitGuardian offers a consistent experience when connecting your version control system:
- Select your integration (they support GitHub, Gitleaks, and Bitbucket Data Center)
- Provide a personal access token with admin scope (Bitbucket and Gitleaks), or authenticate the GitGuardian GitHub app with read access to code and metadata, as well as read and write access to checks, issues, and pull requests.
- Run scans sending your code to their systems
Gitleaks
Here's the Gitleaks install overview from their GitHub page:
"Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo or as a GitHub action using Gitleaks-Action."
Setting it up on GitHub is the smoothest process. Integrating it into your CI/CD pipeline will take longer with Gitleaks or Bitbucket.
Alternatively, you can use the Gitleaks CLI to run the scan locally working with any of your projects. While this is far from automated security testing, it can be useful for one-off scans.
Whether running Gitleaks locally or integrating it into your CI/CD/pipeline, you'll need to leverage their CLI.
Enterprise Support
Let's see how well these three tools align with enterprise needs.
Soteri
Soteri Is Protecting Top Companies
Trusted by the Fortune 500 because we don't phone home like other competing brands.
SLA – Soteri has four levels in their service level agreement. Level one offers same-day responses for issues reported within business hours and level four has a five-day response time.
Here's the full breakdown:
Soteri makes all legal policies such as privacy policy, SLA, and end user license agreement (EULA) available on this legal page.
Security and Compliance – Soteri boasts many certifications and adheres to numerous standards, detailed in the Trust Center, including CCPA, GDPR, HIPAA, ISO 27001 (data center providers), and is completing its SOC 2, Type I audit in Q1 2024, and SOC 2, Type II in Q3 2024.
Support – Soteri offers 24-hour/day engineer-backed support. You can get in touch by phone number, email, or by submitting a form/ticket.
GitGuardian
SLA – The support availability varies by plan. Business plans provide next business day support, while Enterprise plans provide same-day support during business hours.
Security and Compliance – GitGuardian has a SOC 2 Type 2 certification, underscoring their commitment to high-security standards.
Support – Support is handled through email for Business plans, while Enterprise plans also have access to live support. The Free tier does not offer support.
Gitleaks
SLA – None
Security and Compliance – Being open-source and self-hosted, formal certifications are not directly applicable, as its security and compliance depend on how the user implements it.
Support – Gitleaks offers community-driven support via GitHub, lacking formal service guarantees but benefiting from a responsive open-source community.
Features
Soteri
- Add unlimited custom scanning rules through the UI
- Many secrets are automatically detected (including API keys from popular services, SSH keys, private keys, financial information, and other secrets)
- Prevent secrets from entering the repository with a pre-commit hook with the option to enable it for all developers
- Ignore false positives with one click (or add a pragma in code)
- Downloadable report of scan findings
- Native dashboard to review exposed secrets, hide false positives, add custom scanning rules, and configure the tool
- REST API for scripting and automation
- Scan commit history
- 100% local scanning, meaning all of your data remains local (see the security section of this article for more info)
- And more
GitGuardian
- 350+ secrets detected (API keys, SSL certificates, private keys, usernames and passwords, and more)
- Add custom secret detection formats
- Automated scanning in CI/CD and pre-commit hook
- Dashboard to review secret scanning results
- Integrates with all popular version control systems and many CI/CD tools
- And more
Gitleaks
- 160+ secrets detected (only API keys and secrets – no SSH keys, financial information, or other secrets)
- Add your own custom scanning rules
- Command line interface to detect secrets locally or in your CI/CD pipeline
- And more
Final Thoughts On Using Secret Scanning Tools
Data leaks and breaches are a common problem that many organizations face today. The last thing you want is for your secrets to be leaked. As a potential consumer of your product/service, I am ecstatic that you are adding secret scanning to your security strategy.
However, adding a standalone security testing tool is not always enough.
Enterprises must ensure that the security controls they deploy work effectively. It's paramount in the threat landscape of today. It's also imperative to ensure that the security scanning tool you use is secure enough itself and doesn't add any additional risks to the company.
We engineered Soteri to add zero communication outside of your instance while still offering all the features to minimize or eliminate data leakage. With a quick deployment and intuitive interface, this ensures that your dev team is securing their code and secrets protected from leaks.
Experience the benefits of Security for Bitbucket by Soteri for free today.
Stop Sensitive Information from Getting Published on Bitbucket
Over 200,000 developers rely on Security for Bitbucket to audit, detect, and remove secrets from Bitbucket repositories.
Disclaimers
We are not affiliated with or endorsed by GitGuardian or Gitleaks. The use of their logos is solely for the purpose of comparison and does not imply any partnership or endorsement. Any mention of these third-party products is for informational purposes only.
The content on this site may be subject to change, and we cannot guarantee its real-time accuracy. We strive to provide up-to-date information, but there is a possibility that it may be out of date, especially if a competitor has updated their product after our publication. We recommend verifying details independently for the most current insights and contacting us if you see outdated information.