
This is definitely a marketing piece. And they charge a LOT for it, so it's not a solution for the common masses.



If using GitHub-Actions, Gitleaks offers competitive pricing for a secret scanning solution.

https://gitleaks.io/products


Thanks, I've already figured out how to run Trufflehog for free on our thousands of repos.


There is still a lot of noise with basic tools like this (I've also used trufflehog at scale).

To properly handle secret scanning requires calling live APIs to test if keys are "real". And you need to have a way to file tickets when you do have findings... if you rotate a cred from production, that's now an outage, so you need to coordinate multiple teams.

It's a lot of work and free tools only solve one part of this. I can't speak to any of the vendors in this space but I can attest that it's a harder problem than it seems!
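The two-stage flow the comment above describes (cheap pattern detection first, then a live check so that only "real" keys get escalated to a ticket) is easy to sketch in code. The block below is an added example written for this page; it is not from the thread, from TruffleHog, or from any vendor. It assumes two common key formats (the AWS access-key-ID prefix and the GitHub PAT prefix), uses GitHub's real `GET /user` endpoint for verification, and leaves AWS key IDs unverified because an access key ID cannot be checked without its matching secret. The sample input lines are constructed for illustration; the verifier is injectable so the example runs offline.

```python
"""Added example: detect candidate secrets, verify the ones that can be
verified against a live API, and turn only live or unverifiable findings
into tickets. Not code from the thread or from any scanning vendor."""
import math
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Well-known key prefixes (assumption: these are the only two formats scanned here).
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}


@dataclass
class Finding:
    kind: str
    secret: str
    line_no: int
    verified: Optional[bool] = None  # None = not checkable, True = live, False = dead


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like AKIA + 16 x 'A' score near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def detect(lines: Iterable[str], min_entropy: float = 3.0) -> List[Finding]:
    """Stage 1: regex match, then drop low-entropy matches (the classic false positive)."""
    findings: List[Finding] = []
    for i, line in enumerate(lines, start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(1)
                if shannon_entropy(tok) < min_entropy:
                    continue
                findings.append(Finding(kind, tok, i))
    return findings


Verifier = Callable[[str], bool]


def verify_github_pat(token: str, opener=urllib.request.urlopen) -> bool:
    """Stage 2 for GitHub: GET /user answers 200 for a live token, 401/403 for a dead one.
    Other failures (network, rate limit) are raised so the caller does not mark the key dead."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "secret-scan-example"},
    )
    try:
        with opener(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return False
        raise


def triage(findings: List[Finding], verifiers: Dict[str, Verifier]) -> List[Finding]:
    """Run the verifier for each kind that has one; kinds without one stay 'unverified'."""
    for f in findings:
        v = verifiers.get(f.kind)
        if v is not None:
            f.verified = v(f.secret)
    return findings


def tickets(findings: List[Finding]) -> List[dict]:
    """Dead keys are dropped; live keys are P1 (rotation needs owner coordination),
    unverifiable keys are P3. The secret itself is never copied into the ticket."""
    out = []
    for f in findings:
        if f.verified is False:
            continue
        out.append({
            "kind": f.kind,
            "line": f.line_no,
            "secret_hint": f.secret[:4] + "...",
            "priority": "P1" if f.verified else "P3",
            "note": ("confirmed live; coordinate rotation with the owning team"
                     if f.verified else "could not verify; confirm before rotating"),
        })
    return out


# Constructed sample input (not real credentials).
SAMPLE = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",         # AWS documentation example ID
    "placeholder=" + "AKIA" + "A" * 16,               # low-entropy placeholder, filtered out
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",  # synthetic 36-char body
    "echo no secrets here",
]

if __name__ == "__main__":
    # Offline run: a stub verifier stands in for the live GitHub call.
    found = triage(detect(SAMPLE), {"github_pat": lambda t: t.startswith("ghp_")})
    for t in tickets(found):
        print(t)
```

In a real run you would pass `{"github_pat": verify_github_pat}` to `triage`; the AWS finding stays at P3 because the key ID alone cannot be exercised, which is exactly the kind of item that still needs a human before anyone rotates it.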


Those are good points. Still, it’s fairly manageable, after certain adjustments. Also, we’re using the new (Go-based) version of TH that’s both much more performant and validates secrets against endpoints. I suspect their SaaS offering is a bit more polished and turn-key, but even the open-source one is quite decent. It doesn’t swamp us with FPs, at least.


Well, GitGuardian is free for individual developers (20K of them use it; it's the no. 1 app on the GitHub Marketplace) and for teams below 25. So I guess the masses can enjoy secret-free code! https://github.com/marketplace/gitguardian


I stand corrected on this, but what I'd argue is that it's not an affordable solution for medium-sized companies and non-profits who don't swim in cash. It could be that our example is unusual (big non-profit), but when we evaluated GG the pricing left a sour taste.

More specifically, none of the paid security products we use cost nearly as much, and those products do much more than just detecting secrets. So from that standpoint, the pricing just seems outrageous. It’s pretty clearly aimed at big enterprises that can afford it and are vulnerable to FUD (while the “hobbyist” pricing is just free advertising). I don’t blame them for finding a way to make big money, but this business model is not what we’d pick.



