We performed a comparison between GitGuardian Internal Monitoring and SonarQube based on real PeerSpot user reviews.Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.
"The secrets detection and alerting is the most important feature. We get alerted almost immediately after someone commits a secret. It has been very accurate, allowing us to jump on it right away, then figure out if we have something substantial that has been leaked or whether it is something that we don't have to worry about. This general main feature of the app is great."
"When they give you a description of what happened, it's really easy to follow and to retest. And the ability to retest is something that you don't have in other solutions. If a secret was detected, you can retest if it is still there. It will show you if it is in the history."
"Presently, we find the pre-commit hooks more useful."
"GitGuardian has pretty broad detection capabilities. It covers all of the types of secrets that we've been interested in... [Yet] The "detector" concept, which identifies particular categories or types of secrets, allows an organization to tweak and tailor the configuration for things that are specific to its environment. This is highly useful if you're particularly worried about a certain type of secret and it can help focus attention, as part of early remediation efforts."
"The most valuable feature of GitGuardian is that it finds tokens and passwords. That's why we need this tool. It minimizes the possibility of security violations that we cannot find on our own."
"The entire GitGuardian solution is valuable. The product is doing its job and showing us many things. We get many false positives, but the ability to automatically display potential leaks when developers commit is valuable. The dashboards show you recent and historical commits, and we have a full scan that shows historical leaked secrets."
"GitGuardian has also helped us develop a security-minded culture. We're serious about shift left and getting better about code security. I think a lot of people are getting more mindful about what a secret is."
"It actually creates an incident ticket for us. We can now go end-to-end after a secret has been identified, to track down who owns the repository and who is responsible for cleaning it up."
"The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
"The solution has a plug-in that supports both C and C++ languages."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The SonarQube dashboard looks great."
"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
"All the features of the solution are quite good."
"This solution has helped with the integration and building of our CICD pipeline."
"They could give a developer access to a dashboard for their team's repositories that just shows their repository secrets. I think more could be exposed to developers."
"One improvement that I'd like to see is a cleaner for Splunk logs. It would be nice to have a middle man for anything we send or receive from Splunk forwarders. I'd love to see it get cleaned by GitGuardian or caught to make sure we don't have any secrets getting committed to Splunk logs."
"GitGuardian could have more detailed information on what software engineers can do. It only provides some highly generic feedback when a secret is detected. They should have outside documentation. We send this to our software engineers, who are still doing the commits. It's the wrong way to work, but they are accustomed to doing it this way. When they go into that ticket, they see a few instructions that might be confusing. If I see a leaked secret committed two years ago, it's not enough to undo that commit. I need to go in there, change all my code to utilize GitHub secrets, and go on AWS to validate my key."
"There is room for improvement in its integration for bug-tracking. It should be more direct. They have invested a lot in user management, but they need to invest in integrations. That is a real lack."
"I would like to see more fine-grained access controls when tickets are assigned for incidents. I would like the ability to provide more controls to the team leads or the product managers so that they can drive what we, the AppSec team, are doing."
"For some repositories, there are a lot of incidents. For example, one repository says 255 occurrences, so I assume these are 255 alerts and nobody is doing anything about them. These could be false positives. However, I cannot assess it correctly, because I haven't been closing these false positives myself. From the dashboard, I can see that for some of the repositories, there have been a lot of closing of these occurrences, so I would assume there are a lot of false positives. A ballpark estimate would be 60% being false positives. One of the arguments from the developers against this tool is the number of false positives."
"It would be nice if they supported detecting PII or had some kind of data loss prevention feature."
"It took us a while to get new patterns introduced into the pattern reporting process."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
"It would be better if SonarQube provided a good UI for external configuration."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
"The product provides false reports sometimes."
"There could be better integration with other products."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"There isn't a very good enterprise report."
GitGuardian helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.
Widely adopted by developer communities, GitGuardian is used by more than 200 thousand developers and is the #1 app in the security category on the GitHub Marketplace. GitGuardian is also trusted by leading companies, including Instacart, Genesys, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi.
GitGuardian Platform includes automated secrets detection and remediation. By reducing the risks of secrets exposure across the SDLC, GitGuardian helps software-driven organizations strengthen their security posture and comply with frameworks and standards.
Its detection engine is trained against more than a billion public GitHub commits every year, and it covers 350+ types of secrets such as API keys, database connection strings, private keys, certificates, and more.
GitGuardian brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents fast and in full. By pulling developers closer to the remediation process, organizations can achieve higher incident closing rates and shorter fix times.
The platform integrates across the DevOps toolchain, including native support for continuously scanning VCS platforms like GitHub, Gitlab, Azure DevOps and Bitbucket or CI/CD tools like Jenkins, CircleCI, Travis CI, GitLab pipelines, and many more. It also integrates with ticketing and messaging systems like Splunk, PagerDuty, Jira and Slack to support teams with their incident remediation workflows. GitGuardian is offered as a SaaS platform but can also be hosted on-premise for organizations operating in highly regulated industries or with strict data privacy requirements.
SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.
GitGuardian Internal Monitoring is ranked 8th in Application Security Tools with 16 reviews while SonarQube is ranked 1st in Application Security Tools with 30 reviews. GitGuardian Internal Monitoring is rated 9.0, while SonarQube is rated 8.2. The top reviewer of GitGuardian Internal Monitoring writes "Even before a commit gets to GitHub, the CLI identifies secrets within the code and prevents the commit". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". GitGuardian Internal Monitoring is most compared with Cycode, Snyk, Microsoft Purview Data Loss Prevention, Veracode and Checkmarx, whereas SonarQube is most compared with Checkmarx, Coverity, SonarCloud, Veracode and Snyk. See our GitGuardian Internal Monitoring vs. SonarQube report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.