Choosing Soteri for your Secret Scanning Tool vs. GitGuardian and Gitleaks

Soteri vs. GitGuardian vs. Gitleaks

Soteri, GitGuardian, and Gitleaks are three popular secret scanning tools I will compare to help you determine the best one for your use case.

The TL;DR Version

Soteri

Best for Bitbucket Data Center with 100% on-premise scanning, a native Bitbucket app (Security for Bitbucket), and the best pricing model. However, it lacks native integrations with other repository hosting services, such as GitHub.

GitGuardian

Best for GitHub and GitLab cloud, but presents increased security risks when scanning self-hosted instances and comes with a high cost.

Gitleaks

Best for solo devs, but becomes less reliable for teams as proper usage requires every member to perform certain steps.

Overview


Soteri – A cybersecurity company that creates best-selling secret scanners, including Security for Bitbucket, Security for Confluence, and Security for Jira. Trusted by the Fortune 500, including Verizon, Bank of America, FICO, and Northrop Grumman.


GitGuardian – A cybersecurity company specializing in detecting and mitigating the exposure of secrets and sensitive data in source code. Used by Acquia, PayFit, Maven Wave, 66degrees, and more.


Gitleaks – As stated by Gitleaks, "A fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories."

Soteri vs. GitGuardian vs. Gitleaks

Criterion                                   Soteri     GitGuardian   Gitleaks
Zero outside communication [1]              Yes        No            No
Code is scanned locally [2]                 Yes        No            Yes
Based in the United States                  Yes        No            N/A
Cost for 3,000 developers (annually) [3]    $27,330    $654,500      Free
Has free trial                              Yes        Yes           Yes
Compatible with GitHub                      No         Yes           Yes
Compatible with Bitbucket                   Yes        Yes           Yes
Allows adding custom rules                  Yes        Yes           Yes
Same-day support                            Yes        Unclear       No

[1] Do on-premise instances require outside communication for scanning? See the Security and Privacy section below.
[2] Is the code scanned locally (in the case of on-premise/data center solutions)? See the Security and Privacy section below.
[3] See the pricing calculator below. 3,000 was chosen because that's the average team size that uses Soteri.

Customers (some of the customers of each tool):

  • Soteri – Verizon, Bank of America, FICO, Northrop Grumman, Mercedes, Fidelity
  • GitGuardian – Acquia, PayFit, Maven Wave, 66degrees
  • Gitleaks – McKinsey, ABN AMRO, GitLab

In-Depth Comparison

Let's dive into this in-depth "Soteri vs. GitGuardian vs. Gitleaks" comparison and find the best secret scanner for you.


Pricing

The cost of these three secret scanners varies drastically from free to over $1 million/year.

The pricing calculator on this page compares the direct costs (as opposed to indirect costs, such as setup and maintenance) of Security for Bitbucket by Soteri and of GitGuardian, both priced per year for your developer count, against Gitleaks, which is free.

Let's break down each of the three products' pricing in more depth.

Soteri

Security for Bitbucket Pricing

Soteri uses a tiered pricing structure with incremental increases based on the total users.

It's meant to provide affordable and comprehensive secret scanning solutions for all development team sizes – from just a few developers to over 50,000.

If you have over 25 users, Soteri is more cost-effective than GitGuardian. However, if you have fewer than 26 users, GitGuardian is less expensive, given its free tier for small teams.

For the latest Soteri pricing, view the plugin on the Atlassian Marketplace.

GitGuardian

GitGuardian costs $220 per developer per year for private repositories (see their pricing for the latest details).

There are three different tiers based on your developer count:

  • Free Plan: for fewer than 26 developers
  • Business Plan: for 26 to 500 developers
  • Enterprise Plan: for more than 500 developers, likely requiring a custom quote

At Soteri, the average developer count is 2,881, which would cost $633,820/year on GitGuardian (the actual cost on Soteri is $27,330/year).

Note: GitGuardian offers separate pricing for scanning public git repositories, but you need to book a meeting to see the pricing.

Gitleaks

Gitleaks is a completely free and open source command line tool.

Gitleaks is great if you are a solo dev wanting to ensure either no secrets are in your repository or that no new secrets ever enter your repository.

While there is no cost to use the software, it's important to factor in the cost of setting it up and maintaining it.

Once you go from an individual to a team, the attractiveness of "free" diminishes. That's because more setup, learning, and training are required to use Gitleaks.

Ensuring that no secrets enter your repository is completely dependent on every developer configuring their local pre-commit hook!

Relying on people manually setting up security configuration is the same as relying on developers to not commit hard-coded secrets.

The goal of a secret scanner is to eliminate human error.

In summary, I recommend Gitleaks for solo developers due to its free, open-source nature. However, for teams, the initial appeal diminishes due to the increased setup, learning, and reliance on individual developers to configure their pre-commit hooks.


Security and Privacy

Security and privacy are a top priority, especially when dealing with scanners that detect secrets.

You must ensure that the scanner operates and retains its findings locally.

The last thing you'd want is for the scanning company to have access to your leaked secrets.

Soteri

Soteri offers a totally offline solution, meaning data never leaves the premises. While other integrations, like GitGuardian, may compromise your data, Soteri remains committed to safeguarding your sensitive information.

Soteri provides the most advanced security of the three tools, which is why security professionals from Verizon, Bank of America, FICO, and Northrop Grumman entrust Soteri with their secret scanning.

GitGuardian

Let's break down the security and privacy of GitGuardian depending on whether you're using their on-premise solution or their cloud platform.

On-Premise

Caution: GitGuardian's on-premise solution does NO local scanning. They instead transmit your codebase to their own servers for analysis using access tokens.

Under no circumstances should your internally hosted repository be accessible via the internet. Keeping it within your internal network lets you rely on controls such as firewall protection and required VPN access.

Apart from the significant security vulnerability posed by an externally accessible repository, you're also granting a third party access to your entire codebase through a personal access token.

Here are several reasons why it's not ideal for a secret scanner to communicate its findings over the cloud:

1. Data Privacy and Security – Transmitting sensitive information over the cloud increases the risk of interception or unauthorized access, potentially compromising the confidentiality of the code and findings.

2. Compliance Concerns – Depending on the nature of the information being scanned, there may be legal or regulatory requirements regarding data storage and transmission that must be adhered to. Transmitting data over the cloud could violate these requirements.

3. Control Over Information – Keeping findings local provides greater control over who has access to the information. Once data is transmitted over the cloud, it becomes more difficult to control its distribution and ensure it remains within authorized channels.

4. Reduced Dependency – Relying on local scanning reduces dependency on external networks and services, which can be subject to downtime or disruptions. This ensures that the scanning process remains operational even in situations where internet connectivity is limited or unavailable.

The exposure of your repository to the public and the third-party access to your code raises concerns about whether you are left in a less secure position than if you were not scanning at all.

Cloud Hosted

After reading through GitGuardian's privacy policy and public security policy, it's not entirely clear how they handle your data when using their cloud platform.

They are SOC 2 Type 2 certified, which is a sound indication of excellent security practices. However, it is unclear if they collect any data about the discovered secrets, such as the actual secret, your codebase, or any other information that could pose a security risk.

The closest statement I could find about their handling of your sensitive data is from their privacy policy:

"We do not monitor or log data collected from your servers when using the Services, but we may log or monitor information about your access to our Services."

Gitleaks

For repositories that belong to an organization account, a free license key is required and data related to the validation of the key is sent to Gitleaks.

Here's how Gitleaks describes it in regards to running the tool in GitHub Actions:

"The only data that gitleaks-action sends to any third party is data related to license key validation (namely GITLEAKS_LICENSE, repo name, and repo owner), which is sent to the license key validation service, keygen. Your code never leaves GitHub because the scanning takes place within the GitHub Actions docker container."

Gitleaks appears to be a secure way to detect hard-coded secrets, with the only outside communication being the license verification.


Compatibility and Setup

Let's look at what it takes to get set up with Soteri, GitGuardian, and Gitleaks on GitHub, GitLab, and Bitbucket.

Soteri

Soteri creates native apps enabling unparalleled security and an intuitive user interface. Soteri has developed native secret scanners for Bitbucket, Confluence, Jira, and IntelliJ.

For platforms that Soteri does not have a native integration for, you can use their Scanning Service API.

With native apps, there is zero data transmitted outside self-hosted repositories (see the security section of this article for more info).

The setup process is also highly streamlined for native apps:

  1. Visit the product's respective marketplace (e.g., Atlassian Marketplace)
  2. Click Try free or Buy now
  3. Enter your info and generate a license
  4. Apply the license

Soteri offers the best setup and integration process among the three apps.

GitGuardian

GitGuardian offers a consistent experience when connecting your version control system:

  1. Select your integration (they support GitHub, GitLab, and Bitbucket Data Center)
  2. Provide a personal access token with admin scope (Bitbucket and GitLab), or authenticate the GitGuardian GitHub app with read access to code and metadata, as well as read and write access to checks, issues, and pull requests.
  3. Run scans, which send your code to their systems

Gitleaks

Here's the Gitleaks install overview from their GitHub page:

"Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo or as a GitHub action using Gitleaks-Action."

Setting it up on GitHub is the smoothest process. Integrating it into your CI/CD pipeline will take longer with GitLab or Bitbucket.

Alternatively, you can use the Gitleaks CLI to run a scan locally on any of your projects. While this is far from automated security testing, it can be useful for one-off scans.

Whether running Gitleaks locally or integrating it into your CI/CD pipeline, you'll need to leverage their CLI.


Enterprise Support

Let's see how well these three tools align with enterprise needs.

Soteri

Soteri Is Protecting Top Companies

Trusted by the Fortune 500 because we don't phone home like other competing brands.

SLA – Soteri has four levels in their service level agreement. Level one offers same-day responses for issues reported within business hours and level four has a five-day response time.

Here's the full breakdown:

[Figure: The four levels of Soteri's SLA]

Soteri makes all legal policies such as privacy policy, SLA, and end user license agreement (EULA) available on this legal page.

Security and Compliance – Soteri boasts many certifications and adheres to numerous standards, detailed in the Trust Center, including CCPA, GDPR, HIPAA, and ISO 27001 (data center providers), and is completing its SOC 2 Type I audit in Q1 2024 and SOC 2 Type II in Q3 2024.

Support – Soteri offers 24-hour/day engineer-backed support. You can get in touch by phone number, email, or by submitting a form/ticket.

GitGuardian

SLA – It doesn't appear there is a public-facing service level agreement. What I could find is their status dashboard, which indicates there are rarely issues.

Security and Compliance – In describing GitGuardian's security, I encountered a dichotomy: on one hand, they boast SOC 2 Type 2 certification, underscoring their commitment to high-security standards; on the other hand, their requirement for the repository to be internet-facing might be incompatible with a lot of large enterprise security precautions.

Support – Support is handled through email, but specific details like operating hours are unclear.

Gitleaks

SLA – None

Security and Compliance – Because Gitleaks is open source and self-hosted, formal certifications do not directly apply; its security and compliance depend on how the user implements it.

Support – Gitleaks offers community-driven support via GitHub, lacking formal service guarantees but benefiting from a responsive open-source community.


Features

Soteri

  • Add unlimited custom scanning rules through the UI
  • Many secrets are automatically detected (including API keys from popular services, SSH keys, private keys, financial information, and other secrets)
  • Prevent secrets from entering the repository with a pre-commit hook with the option to enable it for all developers
  • Ignore false positives with one click (or add a pragma in code)
  • Downloadable report of scan findings
  • Native dashboard to review exposed secrets, hide false positives, add custom scanning rules, and configure the tool
  • REST API for scripting and automation
  • Scan commit history
  • 100% local scanning, meaning all of your data remains local (see the security section of this article for more info)
  • And more

GitGuardian

  • 350+ secrets detected (API keys, SSL certificates, private keys, usernames and passwords, and more)
  • Add custom secret detection formats
  • Automated scanning in CI/CD and pre-commit hook
  • Dashboard to review secret scanning results
  • Integrates with all popular version control systems and many CI/CD tools
  • And more

Gitleaks

  • 160+ secrets detected (only API keys and secrets – no SSH keys, financial information, or other secrets)
  • Add your own custom scanning rules
  • Command line interface to detect secrets locally or in your CI/CD pipeline
  • And more
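Several of the features listed above (custom scanning rules, automatic detection of API keys, ignoring a false positive with an in-code pragma) and the pre-commit hook that the Gitleaks pricing section says every developer must configure all reduce to a small amount of logic. The Python script below is an added example written for this comparison; it is not Soteri's, GitGuardian's, or Gitleaks' code. Its rule patterns, the entropy threshold, the `gitleaks:allow` marker it honours (modelled on the inline-comment convention Gitleaks uses) and the sample input are all constructed for illustration; `git diff --cached -U0` is ordinary git. Saved as `.git/hooks/pre-commit` and made executable, it scans only the staged diff, blocks the commit when a rule fires, and reports a redacted prefix so the full secret never lands in a log or ticket.

```python
"""Minimal gitleaks-style secret scanner usable as a git pre-commit hook (constructed example)."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    regex: re.Pattern       # group 1 must capture the candidate secret
    min_entropy: float = 0  # bits/char the capture must reach; 0 disables the check

# Illustrative built-in rules; real scanners ship hundreds (these patterns are not any vendor's)
RULES = [
    Rule("aws-access-key-id", "AWS access key ID", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    Rule("generic-api-key", "High-entropy value assigned to a key/secret/token variable",
         re.compile(r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]"""),
         min_entropy=3.5),
]
ALLOW_PRAGMA = "gitleaks:allow"  # inline marker (Gitleaks' convention) that suppresses findings on its line

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line_no: int
    redacted: str  # short prefix only, so reports and logs never hold the whole secret

def add_custom_rule(rules, rule_id, description, pattern, min_entropy=0):
    """The 'add your own scanning rule' feature: returns a new list with the rule appended."""
    return rules + [Rule(rule_id, description, re.compile(pattern), min_entropy)]

def shannon_entropy(value):
    """Bits of entropy per character; placeholder-like strings score low, real keys score high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def redact(secret):
    return secret[:4] + "*" * max(0, len(secret) - 4)

def scan_text(text, path, rules=RULES):
    """Run every rule over every line; lines carrying the allow pragma are skipped entirely."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_PRAGMA in line:
            continue
        for rule in rules:
            for match in rule.regex.finditer(line):
                secret = match.group(1)
                if rule.min_entropy and shannon_entropy(secret) < rule.min_entropy:
                    continue
                findings.append(Finding(rule.id, path, line_no, redact(secret)))
    return findings

def scan_staged_diff(diff_text, rules=RULES):
    """Scan only lines added in `git diff --cached -U0` output, keeping file and new line number."""
    findings, path, line_no = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            hunk = re.search(r"\+(\d+)", raw)  # start line of the hunk on the new side
            line_no = int(hunk.group(1)) - 1 if hunk else 0
        elif raw.startswith("+"):
            line_no += 1
            for f in scan_text(raw[1:], path, rules):
                findings.append(Finding(f.rule_id, path, line_no, f.redacted))
    return findings

# Constructed sample input; the AWS value is AWS's documented example key, not a live credential
SAMPLE_FILE = '''AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "ExampleExampleExample123"
token = "q7Wd9xLp2Rk4Tz8vMb3Ns6Yc1Fh5Jg0A"
aws_key = "AKIAIOSFODNN7EXAMPLE"  # gitleaks:allow
'''
SAMPLE_DIFF = '''--- a/app/settings.py
+++ b/app/settings.py
@@ -10,0 +11,2 @@
+DEBUG = False
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
'''

def main():
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=False).stdout
    findings = scan_staged_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule_id} [{f.redacted}]", file=sys.stderr)
    if findings:
        print(f"Commit blocked: remove the secret, or mark a confirmed false positive with '{ALLOW_PRAGMA}'.", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample, the AWS key on line 1 and the high-entropy token on line 3 are reported, the low-entropy `api_key` placeholder on line 2 is not, and the allow pragma silences line 4. Because a hook like this lives in each developer's clone, it has exactly the weakness the pricing section describes: nothing enforces that it is installed. The same `scan_staged_diff` logic run server-side or in the CI/CD pipeline is what removes that dependence on individual setup.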

Final Thoughts On Using Secret Scanning Tools

Data leaks and breaches are a common problem that many organizations face today. The last thing you want is for your secrets to be leaked. As a potential consumer of your product/service, I am ecstatic that you are adding secret scanning to your security strategy.

However, adding a standalone security testing tool is not always enough.

Enterprises must ensure that the security controls they deploy work effectively. It's paramount in the threat landscape of today. It's also imperative to ensure that the security scanning tool you use is secure enough itself and doesn't add any additional risks to the company.

We engineered Soteri to add zero communication outside of your instance while still offering all the features needed to minimize or eliminate data leakage. With a quick deployment and an intuitive interface, this ensures that your dev team's code and secrets are protected from leaks.

Experience the benefits of Security for Bitbucket by Soteri for free today.

Stop Sensitive Information from Getting Published on Bitbucket

Over 200,000 developers rely on Security for Bitbucket to audit, detect, and remove secrets from Bitbucket repositories.

Disclaimers

We are not affiliated with or endorsed by GitGuardian or Gitleaks. The use of their logos is solely for the purpose of comparison and does not imply any partnership or endorsement. Any mention of these third-party products is for informational purposes only.

The content on this site may be subject to change, and we cannot guarantee its real-time accuracy. We strive to provide up-to-date information, but there is a possibility that it may be out of date, especially if a competitor has updated their product after our publication. We recommend verifying details independently for the most current insights and contacting us if you see outdated information.