- Fixed a bug which caused IaC and SCA scans to fail on GitLab CI because GitLab does not run `git fetch` on the target branch for merge requests. ggshield now runs `git fetch` itself to avoid this problem.
- Fixed a typo in the command suggested to tell git a directory is safe.
- ggshield gained a new group of commands: `hmsl`, short for "Has My Secret Leaked". These commands make it possible to securely check if secrets have been leaked in a public repository.
- `ggshield iac scan` now provides three new commands for use as Git hooks:
  - `ggshield iac scan pre-commit`
  - `ggshield iac scan pre-push`
  - `ggshield iac scan pre-receive`

  They use the same arguments and options as the other `ggshield iac scan` commands.
- The new `ggshield iac scan ci` command can be used to perform IaC scans in CI environments. It supports the same arguments as hook subcommands (in particular, `--all` to scan the whole repository). Supported CIs are:
  - Azure
  - Bitbucket
  - CircleCI
  - Drone
  - GitHub
  - GitLab
  - Jenkins
  - Travis
- Introduces new commands to perform SCA scans with ggshield:
  - `ggshield sca scan all <DIRECTORY>`: scans a directory or a repository to find all existing SCA vulnerabilities.
  - `ggshield sca scan diff <DIRECTORY> --ref <GIT_REF>`: runs a differential scan compared to a given git ref.
  - `ggshield sca scan pre-commit`
  - `ggshield sca scan pre-push`
  - `ggshield sca scan pre-receive`
  - `ggshield sca scan ci`: evaluates whether a CI event introduces new vulnerabilities. Only available on GitHub and GitLab for now.
- It is now possible to manipulate the default instance using `ggshield config`:
  - `ggshield config set instance <THE_INSTANCE_URL>` defines the default instance.
  - `ggshield config unset instance` removes the previously defined instance.
  - The default instance can be printed with `ggshield config get instance` and `ggshield config list`.
- ggshield now requires Python 3.8.
- The IaC GitHub Action now runs the new `ggshield iac scan ci` command. This means the action only fails if the changes introduce a new vulnerability. To fail if any vulnerability is detected, use the `ggshield iac scan ci --all` command.
- The following options have been removed from `ggshield iac scan diff`: `--pre-commit`, `--pre-push` and `--pre-receive`. You can replace them with the new `ggshield iac scan pre-*` commands.
- `ggshield secret scan docker` now runs as many scans in parallel as the other scan commands.
- `ggshield` now provides an easier-to-understand error message for "quota limit reached" errors (#309).
- `ggshield iac scan diff` `--minimum-severity` and `--ignore-policy` options are now correctly processed.
- `ggshield secret scan` no longer tries to scan files longer than the maximum document size (#561).
- ggshield now depends on cryptography 41.0.3, fixing https://github.com/advisories/GHSA-jm77-qphf-c4w8.
- Pin PyYAML>=6.0.1 to fix building (see yaml/pyyaml#702)
- Fixed ggshield not installing properly when installing with Brew on macOS.
- New command: `ggshield iac scan all`. This command replaces the now-deprecated `ggshield iac scan`. It scans a directory for IaC vulnerabilities.
- New command: `ggshield iac scan diff`. This command scans a Git repository and inspects changes in IaC vulnerabilities between two points in the history.
  - All options from `ggshield iac scan all` are supported: `--ignore-policy`, `--minimum-severity`, `--ignore-path` etc. Execute `ggshield iac scan diff -h` for more details.
  - Two new options allow choosing which state to select for the difference: `--ref <GIT-REFERENCE>` and `--staged`.
  - The command can be integrated in Git hooks using the `--pre-commit`, `--pre-push`, `--pre-receive` options.
  - The command output lists vulnerabilities as `unchanged`, `new` and `deleted`.
- Added a `--log-file FILE` option to redirect all logging output to a file. The option can also be set using the `$GITGUARDIAN_LOG_FILE` environment variable.
- Improved `secret scan path` speed by updating charset-normalizer to 3.1.
- Errors are no longer reported twice: first using a human-friendly message and then using log output. Log output is now off by default, unless `--debug` or `--log-file` is set (#213).
- The help messages for the `honeytoken` commands have been updated.
- `ggshield honeytoken create` now displays an easier-to-understand error message when the user does not have the necessary permissions to create a honeytoken.
- `ggshield auth login` now displays a warning message if the token expiration date has been adjusted to comply with the personal access token maximum lifetime setting of the user's workspace.
- `ggshield iac scan` is now replaced by the new `ggshield iac scan all`, which supports the same options and arguments.
- Add a new `ggshield honeytoken create` command to let you create honeytokens if enabled in your workspace. Learn more about honeytokens at https://www.gitguardian.com/honeytoken
- `ggshield secret scan` commands can now use server-side configuration for the maximum document size and maximum document count per scan.
- Accurately enforce the timeout of the pre-receive secret scan command (#417)
- Correctly compute the secret ignore sha in the JSON output.
- GitLab WebUI Output Handler now behaves correctly when using the `ignore-known-secrets` flag. It also no longer displays empty messages in the UI.
- `ggshield secret scan` JSON output has been improved:
  - It now includes an `incident_url` key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
  - The `known_secret` key is now always present and defaults to `false` if the incident is unknown to the dashboard.
- Fixed a regression introduced in 1.15.0 which caused the `--ignore-known-secrets` option to be ignored.
- `ggshield secret scan` output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.
- `ggshield secret scan docker` no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.
- Fixed an issue where the progress bar for `ggshield secret scan` commands would sometimes reach 100% too early and then stay stuck until the end of the scan.
- The deprecated commands `ggshield scan` and `ggshield ignore` have been removed. Use `ggshield secret scan` and `ggshield secret ignore` instead.
- `ggshield iac scan` can now be called without arguments. In this case it scans the current directory.
- GGShield now displays an easier-to-understand error message when no API key has been set.
- Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained `-` characters (#480).
- When called without an image tag, `ggshield secret scan docker` now automatically uses the `:latest` tag instead of scanning all versions of the image (#468).
- `ggshield secret scan` now properly stops with an error message when the GitGuardian API key is not set or invalid (#456).
- GGShield Docker image can now be used to scan git repositories even if the repository is mounted outside of the /data directory.
- GGShield commit hook now runs correctly when triggered from Visual Studio (#467).
- `ggshield secret scan pre-receive` no longer scans deleted commits when a branch is force-pushed (#437).
- If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (#449).
- GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (#448).
- Installing GGShield no longer creates a "tests" directory in "site-packages" (#383).
- GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.
- The deprecation message when using `ggshield scan` instead of `ggshield secret scan` now states the `ggshield scan` commands are going to be removed in GGShield 1.15.0.
- It is now possible to use generic command-line options like `--verbose` anywhere on the command line and scan options anywhere after the `scan` word (#197).
- `ggshield iac scan` now shows the severity of the detected vulnerabilities.
- If a file containing secrets has been committed in two different branches, then `ggshield secret scan repo` would show 4 secrets instead of 2. This has been fixed (#428).
- ggshield now uses different error codes when a scan succeeds but finds problems and when a scan does not finish (#404).
- ggshield now correctly handles the case where git is not installed (#329).
- Fixed dependency on pygitguardian, which blocked the release on pypi.
- ggshield scan commands now accept the `--ignore-known-secrets` option. This option is useful when working on an existing code-base while secrets are being remediated.
- ggshield learned a new secret scan command: `docset`. This command can scan any content as long as it has been converted into our new docset file format.
- `ggshield auth login --method=token` can now read its token from the standard input.
- ggshield now prints clearer error messages if the .gitguardian.yaml file is invalid (#377).
- When used with the pre-commit framework, ggshield would sometimes scan commits with many files more than once. This has been fixed.
- `ggshield auth login` no longer fails when called with `--lifetime`.
- pre-receive and pre-push hooks now correctly handle the case where a branch with no new commits is pushed.
- ggshield no longer fails when scanning paths longer than 256 characters (#391).
- Fix crash at startup if the home directory is not writable.
- ggshield now checks for update once a day and notifies the user if a new version is available. This check can be disabled with the `--no-check-for-updates` command-line option (#299).
- Scanning Git repositories is now faster.
- `ggshield secret scan path` now shows a progress bar.
- When used as a pre-push or pre-receive hook, ggshield no longer scans more commits than necessary when a new branch is pushed (#303, #369).
- ggshield no longer declares two separate instances if the instance URL is set with and without a trailing slash (#357).
- Fixed a regression where ggshield would not load the .env from the current working directory.
- ggshield no longer silently ignores network issues.