How TriageRook compares
The honest version. TriageRook is not trying to replace CodeQL, Snyk, or your existing CI scanners - it is the zero-setup first pass you can run on any public repo in one click, plus an IAM lens those tools do not offer. Here is where it wins and where it does not.
| capability | TriageRook | GitHub native | Snyk | TruffleHog / Gitleaks |
|---|---|---|---|---|
| Zero setup - no install, no agent, no CI config | yes Paste a public repo URL, or sign in with GitHub. | partial Built into GitHub, but enabled per repo; CodeQL runs as an Actions workflow. | no Account plus a Git, CLI, or IDE integration. | no Install the CLI, or add it as a CI step. |
| Hosted scan of a public repo with no login | yes Anonymous scan, rate-limited per IP and per repo. | no Runs inside repos you already control. | no Account required before any scan. | no CLI runs locally against a clone. |
| Secrets detection | yes 60+ patterns, entropy fallback for custom formats, always masked, plus a 30-commit history replay. | yes Secret scanning and push protection, free on public repos. | partial Not a dedicated secrets product; SCA / SAST / IaC are the focus. | yes Core purpose - regex plus entropy across full git history. |
| Deep code analysis (SAST)If you already run CodeQL or Snyk Code, keep them - they go deeper on code analysis. | partial TypeScript / JavaScript AST (28 rules) plus regex for other languages. A fast first pass, shallower than a full dataflow engine. | yes CodeQL - semantic dataflow analysis across many languages. | yes Snyk Code - a dedicated SAST engine. | no Secrets only, not a code analyzer. |
| Dependency / SCA scanning | yes npm advisories plus OSV.dev for PyPI, Go, RubyGems, Maven / Gradle, Composer; container OS-package CVEs via a committed Trivy SARIF. | yes Dependabot across many package ecosystems. | yes A core product, with the broadest ecosystem coverage of the four. | no Not a dependency scanner. |
| Supply-chain heuristics (typosquatting, install hooks) | yes Damerau-Levenshtein typosquatting plus install-hook abuse detection (npm, PyPI). | partial Dependabot vulnerability alerts; no dedicated typosquatting or install-hook heuristic. | partial Flags known malicious packages from its advisory database. | no Not in scope. |
| GitHub OIDC trust and repo IAM postureScoped to GitHub Actions OIDC trust and repo-level IAM posture. Cloud-IaC IAM (Terraform policy linting) is a different surface. | yes 12 checks: OIDC trust misconfiguration, privilege-escalation paths, and admin-equivalent access. | no Not offered as a static check. | no No GitHub Actions OIDC trust analysis. | no Not in scope. |
| Repo posture grade | yes An A-F grade across 17 signals: branch protection, CODEOWNERS, signed commits, Dependabot, secret scanning, least-privilege GITHUB_TOKEN, release provenance, and more. | partial Individual signals appear in repo settings and the security overview; not rolled into a single score. | no Not offered. | no Not offered. |
| Price | Free to use. | Free: secret scanning, Dependabot, and CodeQL on public repos. GitHub Advanced Security is paid for private repos. | Free tier plus paid plans. | Free and open source. |
Zero setup - no install, no agent, no CI config
Paste a public repo URL, or sign in with GitHub.
Built into GitHub, but enabled per repo; CodeQL runs as an Actions workflow.
Account plus a Git, CLI, or IDE integration.
Install the CLI, or add it as a CI step.
Hosted scan of a public repo with no login
Anonymous scan, rate-limited per IP and per repo.
Runs inside repos you already control.
Account required before any scan.
CLI runs locally against a clone.
Secrets detection
60+ patterns, entropy fallback for custom formats, always masked, plus a 30-commit history replay.
Secret scanning and push protection, free on public repos.
Not a dedicated secrets product; SCA / SAST / IaC are the focus.
Core purpose - regex plus entropy across full git history.
Deep code analysis (SAST)
If you already run CodeQL or Snyk Code, keep them - they go deeper on code analysis.
TypeScript / JavaScript AST (28 rules) plus regex for other languages. A fast first pass, shallower than a full dataflow engine.
CodeQL - semantic dataflow analysis across many languages.
Snyk Code - a dedicated SAST engine.
Secrets only, not a code analyzer.
Dependency / SCA scanning
npm advisories plus OSV.dev for PyPI, Go, RubyGems, Maven / Gradle, Composer; container OS-package CVEs via a committed Trivy SARIF.
Dependabot across many package ecosystems.
A core product, with the broadest ecosystem coverage of the four.
Not a dependency scanner.
Supply-chain heuristics (typosquatting, install hooks)
Damerau-Levenshtein typosquatting plus install-hook abuse detection (npm, PyPI).
Dependabot vulnerability alerts; no dedicated typosquatting or install-hook heuristic.
Flags known malicious packages from its advisory database.
Not in scope.
GitHub OIDC trust and repo IAM posture
Scoped to GitHub Actions OIDC trust and repo-level IAM posture. Cloud-IaC IAM (Terraform policy linting) is a different surface.
12 checks: OIDC trust misconfiguration, privilege-escalation paths, and admin-equivalent access.
Not offered as a static check.
No GitHub Actions OIDC trust analysis.
Not in scope.
Repo posture grade
An A-F grade across 17 signals: branch protection, CODEOWNERS, signed commits, Dependabot, secret scanning, least-privilege GITHUB_TOKEN, release provenance, and more.
Individual signals appear in repo settings and the security overview; not rolled into a single score.
Not offered.
Not offered.
Price
Free to use.
Free: secret scanning, Dependabot, and CodeQL on public repos. GitHub Advanced Security is paid for private repos.
Free tier plus paid plans.
Free and open source.
Try it on a repo you know.
The fastest way to judge any of these claims is to run it. Scan a public repo - no login, no install.