Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
This feature is still in beta, its behavior may change in future versions
warning is no longer displayed for sca commands.It is now possible to customize the remediation message printed by GGShield pre-receive hook. This can be done by setting the message in the secret.prereceive_remediation_message
configuration key. Thanks a lot to @Renizmy for this feature.
We now provide signed .pkg files for macOS.
Add This feature is still in beta, its behavior may change in future versions
warning to iac scan all
show-secrets
should become show_secrets
. GGShield still supports reading from dash-separate configuration keys, but it prints a warning when it finds one.GGShield commands working with commits no longer fail when parsing a commit without any author.
Configuration keys defined in the global configuration file are no longer ignored if a local configuration file exists.
The option --exclude PATTERN
is no longer ignored by the command ggshield secret scan repo
.
ggshield sca scan
commands, --ignore-fixable
and --ignore-not-fixable
so that the user can filter the returned incidents depending on if incidents can be fixed or not. Both flags cannot be used simultaneously.IAC/SCA scans will scan new commits as intended for CI jobs on newly pushed branches.
IAC/SCA scans will scan new commits as intended for CI jobs on the first push to a new repository
In CI jobs, IAC/SCA scans on forced pushs no longer trigger an error but perform a scan on all commits instead.
Fixes ggshield sca scan
commands not taking some user parameters into account.
GGShield output now adapts when the grace period of an IaC incident ignored by a developer has been expired.
GGShield now shows a warning message if it hits a rate-limit.
IaC/SCA scans now properly find the parent commit SHA on GitLab push pipelines for new branches.
Error messages now appear above progress bars instead of overlapping them.
File content are now displayed as intended when executing ggshield iac scan all
on a subdirectory of a Git repository.
Pre-push scans are now diff scans when pushing a new branch, comparing to the last commit of the parent branch.
Pre-push scans on empty repositories no longer include staged files.
Secret: ggshield now prints the name of what is being scanned when called with --verbose
(#212).
You can now use the SKIP=ggshield
environment variable without the pre-commit framework to skip pre-commit and pre-push scans.
ignored-paths
and ignored_policies
can now be defined as objects with comment
and until
properties. If an until
date is provided, the path/policy is only ignored up until this date. The old format is still supported. Check .gitguardian.example.yaml
for a sample.ggshield iac scan diff --json
output was changed. added_vulns
, persisting_vulns
and removed_vulns
were renamed as new
, unchanged
and deleted
. They also were moved into a entities_with_incidents
similarly to the scan all JSON output.
```json
{
"id": "fb0e9a92-de34-43f9-b779-17d25e99ab35",
"iac_engine_version": "1.15.0",
"type": "diff_scan",
"entities_with_incidents": {
"unchanged": [
{
"filename": "s3.tf",
"incidents": [
{
"policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
"policy_id": "GG_IAC_0055",
"line_end": 118,
"line_start": 96,
"description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
"documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
"component": "aws_s3_bucket.operations",
"severity": "HIGH"
}
],
"total_incidents": 1
}
],
"deleted": [
{
"filename": "s3.tf",
"incidents": [
{
"policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
"policy_id": "GG_IAC_0055",
"line_end": 118,
"line_start": 96,
"description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
"documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
"component": "aws_s3_bucket.operations",
"severity": "HIGH",
}
],
"total_incidents": 1
}
],
"new": [
{
"filename": "s3.tf",
"incidents": [
{
"policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
"policy_id": "GG_IAC_0055",
"line_end": 118,
"line_start": 96,
"description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
"documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
"component": "aws_s3_bucket.operations",
"severity": "HIGH"
}
],
"total_incidents": 1
}
]
}
}
```
Adapt message in case we find tons of matches
command hmsl check-secret-manager hashicorp-vault
with a "key" naming strategy will display the variable's full path instead of the variable name
Support no location URL in HMSL response.
Change wording for HMSL output: do not mention occurrences as it can be misleading.
ggshield hmsl check-secret-manager hashicorp-vault
command to scan secrets of an HashiCorp Vault instance.Fixed a typo in the command suggested to tell git a directory is safe.
The bug on Gitlab CI for IaC and SCA, failing because git does not access the target branch in a merge request is fixed. Now fetches the target branch in the CI env before collecting commit shas.
Fix IaC and SCA scan commands in Windows