Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
- `hmsl`, short for "Has My Secret Leaked". These commands make it possible to securely check if secrets have been leaked in a public repository.
- `ggshield iac scan` now provides three new commands for use as Git hooks:
  - `ggshield iac scan pre-commit`
  - `ggshield iac scan pre-push`
  - `ggshield iac scan pre-receive`

  They use the same arguments and options as the other `ggshield iac scan` commands.
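To wire the hook commands above into a repository, here is an added example (it is not ggshield's own code and not part of the original release notes): a POSIX shell installer that writes a `.git/hooks/pre-commit` script chaining the secret, IaC and SCA pre-commit scanners, so that a clean IaC result cannot mask a leaked secret and a missing `ggshield` binary blocks the commit instead of silently skipping the scan. It assumes `ggshield secret scan pre-commit` (ggshield's secret-scanning hook command) and the `ggshield sca scan pre-commit` command listed further down this page; the `ggshield_hook_body` and `install_ggshield_hook` function names and the repository path argument are this example's own.

```shell
#!/bin/sh
# Added example, not ggshield project code: install a pre-commit hook that
# runs every ggshield pre-commit scanner and blocks the commit if any fails.

# Emit the hook script text on stdout. The heredoc is single-quoted so "$@"
# and $status are written literally and expanded only when the hook runs.
ggshield_hook_body() {
    cat <<'EOF'
#!/bin/sh
# Generated pre-commit hook: run all ggshield pre-commit scanners, then fail
# if any of them failed. Each scanner always runs, so a finding from the
# secret scan is reported even when the IaC and SCA scans are clean.
if ! command -v ggshield >/dev/null 2>&1; then
    echo "ggshield not found in PATH; refusing to commit unscanned changes" >&2
    exit 1
fi
status=0
ggshield secret scan pre-commit "$@" || status=1
ggshield iac scan pre-commit "$@"    || status=1
ggshield sca scan pre-commit "$@"    || status=1
exit $status
EOF
}

# Install the hook into the repository rooted at $1 (assumed to contain .git/)
# and print the path of the installed hook. Hypothetical helper name.
install_ggshield_hook() {
    repo="$1"
    hook="$repo/.git/hooks/pre-commit"
    mkdir -p "$repo/.git/hooks"
    ggshield_hook_body > "$hook"
    chmod +x "$hook"
    printf '%s\n' "$hook"
}
```

Run `install_ggshield_hook /path/to/repo` from a shell that has sourced the file; git then executes the generated hook on every commit, and the commit goes through only when all three scanners exit zero.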
- The new `ggshield iac scan ci` command can be used to perform IaC scans in CI environments. It supports the same arguments as the hook subcommands (in particular, `--all` to scan the whole repository). Supported CIs are:
- Introduces new commands to perform SCA scans with ggshield:
  - `ggshield sca scan all <DIRECTORY>`: scans a directory or a repository to find all existing SCA vulnerabilities.
  - `ggshield sca scan diff <DIRECTORY> --ref <GIT_REF>`: runs a differential scan compared to a given git ref.
  - `ggshield sca scan pre-commit`
  - `ggshield sca scan pre-push`
  - `ggshield sca scan pre-receive`
  - `ggshield sca scan ci`: evaluates if a CI event introduces new vulnerabilities; only available on GitHub and GitLab for now.
- It is now possible to manipulate the default instance using `ggshield config`:
  - `ggshield config set instance <THE_INSTANCE_URL>` defines the default instance.
  - `ggshield config unset instance` removes the previously defined instance.
  - `ggshield config get instance` and `ggshield config list`.
- ggshield now requires Python 3.8.
- The IaC GitHub Action now runs the new `ggshield iac scan ci` command. This means the action only fails if the changes introduce a new vulnerability. To fail if any vulnerability is detected, use the `ggshield iac scan ci --all` command.
- `ggshield iac scan diff` options `--pre-commit`, `--pre-push` and `--pre-receive`: you can replace them with the new `ggshield iac scan pre-*` commands.
- `ggshield secret scan docker` now runs as many scans in parallel as the other scan commands.
- ggshield now provides an easier-to-understand error message for "quota limit reached" errors (#309).
- `ggshield iac scan diff`: the `--minimum-severity` and `--ignore-policy` options are now correctly processed.
- `ggshield secret scan` no longer tries to scan files longer than the maximum document size (#561).
- New command: `ggshield iac scan all`. This command replaces the now-deprecated `ggshield iac scan`. It scans a directory for IaC vulnerabilities.
- New command: `ggshield iac scan diff`. This command scans a Git repository and inspects changes in IaC vulnerabilities between two points in the history.
  - The `ggshield iac scan all` options are supported: `--ignore-policy`, `--minimum-severity`, `--ignore-path`, etc. Execute `ggshield iac scan diff -h` for more details.
  - `--ref <GIT-REFERENCE>` and `--staged`.
  - `--pre-commit`, `--pre-push`, `--pre-receive` options.
  - `unchanged`, `new` and `deleted`.
- Added a `--log-file FILE` option to redirect all logging output to a file. The option can also be set using the `$GITGUARDIAN_LOG_FILE` environment variable.
- Improved `secret scan path` speed by updating charset-normalizer to 3.1.
- Errors are no longer reported twice: first using a human-friendly message and then using log output. Log output is now off by default, unless `--debug` or `--log-file` is set (#213).
- The help messages for the `honeytoken` commands have been updated.
- `ggshield honeytoken create` now displays an easier-to-understand error message when the user does not have the necessary permissions to create a honeytoken.
- `ggshield auth login` now displays a warning message if the token expiration date has been adjusted to comply with the personal access token maximum lifetime setting of the user's workspace.
- `ggshield iac scan` is now replaced by the new `ggshield iac scan all`, which supports the same options and arguments.
- `ggshield honeytoken create` command to let you create honeytokens if enabled in your workspace. Learn more about honeytokens at https://www.gitguardian.com/honeytoken
- `ggshield secret scan` commands can now use server-side configuration for the maximum document size and maximum document count per scan.
- Accurately enforce the timeout of the pre-receive secret scan command (#417).
- Correctly compute the secret ignore sha in the JSON output.
- The GitLab WebUI output handler now behaves correctly when using the `ignore-known-secrets` flag; it also no longer displays empty messages in the UI.
- `ggshield secret scan` JSON output has been improved:
  - `incident_url` key for incidents. If a matching incident was found in the user's dashboard, it contains the URL to the incident. Otherwise, it defaults to an empty string.
  - `known_secret` key is now always present and defaults to `false` if the incident is unknown to the dashboard.
- `--ignore-known-secrets` option to be ignored.
- `ggshield secret scan` output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.
- `ggshield secret scan docker` no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to the GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.
- `ggshield secret scan` commands would sometimes reach 100% too early and then stay stuck until the end of the scan.
- `ggshield scan` and `ggshield ignore` have been removed. Use `ggshield secret scan` and `ggshield secret ignore` instead.
- `ggshield iac scan` can now be called without arguments. In this case it scans the current directory.
- GGShield now displays an easier-to-understand error message when no API key has been set.
- Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained `-` characters (#480).
- When called without an image tag, `ggshield secret scan docker` now automatically uses the `:latest` tag instead of scanning all versions of the image (#468).
- `ggshield secret scan` now properly stops with an error message when the GitGuardian API key is not set or invalid (#456).
- `ggshield secret scan pre-receive` no longer scans deleted commits when a branch is force-pushed (#437).
- If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (#449).
- GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (#448).
- Installing GGShield no longer creates a "tests" directory in "site-packages" (#383).
- GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.
- `ggshield scan` instead of `ggshield secret scan` now states the `ggshield scan` commands are going to be removed in GGShield 1.15.0.