// compare

How TriageRook compares

The honest version. TriageRook is not trying to replace CodeQL, Snyk, or your existing CI scanners - it is the zero-setup first pass you can run on any public repo in one click, plus an IAM lens those tools do not offer. Here is where it wins and where it does not.

Zero setup - no install, no agent, no CI config

TriageRook
yes

Paste a public repo URL, or sign in with GitHub.

GitHub native
partial

Built into GitHub, but enabled per repo; CodeQL runs as an Actions workflow.

Snyk
no

Account plus a Git, CLI, or IDE integration.

TruffleHog / Gitleaks
no

Install the CLI, or add it as a CI step.

Hosted scan of a public repo with no login

TriageRook
yes

Anonymous scan, rate-limited per IP and per repo.

GitHub native
no

Runs inside repos you already control.

Snyk
no

Account required before any scan.

TruffleHog / Gitleaks
no

CLI runs locally against a clone.

Secrets detection

TriageRook
yes

60+ patterns, entropy fallback for custom formats, always masked, plus a 30-commit history replay.

GitHub native
yes

Secret scanning and push protection, free on public repos.

Snyk
partial

Not a dedicated secrets product; SCA / SAST / IaC are the focus.

TruffleHog / Gitleaks
yes

Core purpose - regex plus entropy across full git history.

Deep code analysis (SAST)

If you already run CodeQL or Snyk Code, keep them - they go deeper on code analysis.

TriageRook
partial

TypeScript / JavaScript AST (28 rules) plus regex for other languages. A fast first pass, shallower than a full dataflow engine.

GitHub native
yes

CodeQL - semantic dataflow analysis across many languages.

Snyk
yes

Snyk Code - a dedicated SAST engine.

TruffleHog / Gitleaks
no

Secrets only, not a code analyzer.

Dependency / SCA scanning

TriageRook
yes

npm advisories plus OSV.dev for PyPI, Go, RubyGems, Maven / Gradle, Composer; container OS-package CVEs via a committed Trivy SARIF.

GitHub native
yes

Dependabot across many package ecosystems.

Snyk
yes

A core product, with the broadest ecosystem coverage of the four.

TruffleHog / Gitleaks
no

Not a dependency scanner.

Supply-chain heuristics (typosquatting, install hooks)

TriageRook
yes

Damerau-Levenshtein typosquatting plus install-hook abuse detection (npm, PyPI).

GitHub native
partial

Dependabot vulnerability alerts; no dedicated typosquatting or install-hook heuristic.

Snyk
partial

Flags known malicious packages from its advisory database.

TruffleHog / Gitleaks
no

Not in scope.

GitHub OIDC trust and repo IAM posture

Scoped to GitHub Actions OIDC trust and repo-level IAM posture. Cloud-IaC IAM (Terraform policy linting) is a different surface.

TriageRook
yes

12 checks: OIDC trust misconfiguration, privilege-escalation paths, and admin-equivalent access.

GitHub native
no

Not offered as a static check.

Snyk
no

No GitHub Actions OIDC trust analysis.

TruffleHog / Gitleaks
no

Not in scope.

Repo posture grade

TriageRook
yes

An A-F grade across 17 signals: branch protection, CODEOWNERS, signed commits, Dependabot, secret scanning, least-privilege GITHUB_TOKEN, release provenance, and more.

GitHub native
partial

Individual signals appear in repo settings and the security overview; not rolled into a single score.

Snyk
no

Not offered.

TruffleHog / Gitleaks
no

Not offered.

Price

TriageRook

Free to use.

GitHub native

Free: secret scanning, Dependabot, and CodeQL on public repos. GitHub Advanced Security is paid for private repos.

Snyk

Free tier plus paid plans.

TruffleHog / Gitleaks

Free and open source.

yes supportedpartial limited or not the tool's focusno not offered

Try it on a repo you know.

The fastest way to judge any of these claims is to run it. Scan a public repo - no login, no install.