Detect secrets from all sources using GitGuardian's brains
Project description
ggshield: protect your code with GitGuardian
ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 400+ types of secrets.
ggshield uses our public API through py-gitguardian to scan and detect potential vulnerabilities in files and other text content.
Only metadata such as call time, request size and scan mode is stored from scans using ggshield, therefore secrets will not be displayed on your dashboard and your files and secrets won't be stored.
Table of Contents
- Installation
- Initial setup
- Getting started
- Integrations
- Learn more
- Output
- Related open source projects
- License
Installation
macOS
Homebrew
You can install ggshield using Homebrew:
$ brew install ggshield
Upgrading is handled by Homebrew.
Standalone .pkg package
Alternatively, you can download and install a standalone .pkg package from ggshield release page.
This package does not require installing Python, but you have to manually download new versions.
Linux
Deb and RPM packages
Deb and RPM packages are available on Cloudsmith.
Setup instructions:
Upgrading is handled by the package manager.
Windows
Chocolatey
ggshield is available via the Chocolatey package manager:
$ choco install ggshield
Standalone .zip archive
We provide a standalone .zip archive on ggshield release page.
Unpack the archive on your disk, then add the directory containing the ggshield.exe file to %PATH%.
This archive does not require installing Python, but you have to manually download new versions.
All operating systems
ggshield can be installed on all supported operating systems via its PyPI package.
It requires a supported version of Python (not EOL) (except for standalone packages) and git.
If you don't use our packaged versions of ggshield, please be aware that we follow the Python release cycle and do not support versions that have reached EOL.
Using pipx
The recommended way to install ggshield from PyPI is to use pipx, which will install it in an isolated environment:
$ pipx install ggshield
To upgrade your installation, run:
$ pipx upgrade ggshield
Using pip
You can also install ggshield from PyPI using pip, but this is not recommended because the installation is not isolated, so other applications or packages installed this way may affect your ggshield installation. This method will also not work if your Python installation is declared as externally managed (for example when using the system Python on operating systems like Debian 12):
$ pip install --user ggshield
To upgrade your installation, run:
$ pip install --user --upgrade ggshield
Initial setup
Using ggshield auth login
To use ggshield you need to authenticate against GitGuardian servers. To do so, use the ggshield auth login command. This command automates the provisioning of a personal access token and its configuration on the local workstation.
You can learn more about it from ggshield auth login documentation.
Manual setup
You can also create your personal access token manually and store it in the GITGUARDIAN_API_KEY environment variable to complete the setup.
Getting started
Secrets
You can now use ggshield to search for secrets:
- in files:
ggshield secret scan path -r . - in repositories:
ggshield secret scan repo . - in Docker images (
dockercommand must be available):ggshield secret scan docker ubuntu:22.04 - in Pypi packages (
pipcommand must be available):ggshield secret scan pypi flask - and more, have a look at
ggshield secret scan --helpoutput for details.
Integrations
You can integrate ggshield in your CI/CD workflow.
To catch errors earlier, use ggshield as a pre-commit, pre-push or pre-receive Git hook.
Learn more
For more information, have a look at the documentation
Output
If no secrets have been found, the exit code will be 0:
$ ggshield secret scan pre-commit
If a secret is found in your staged code or in your CI, you will have an alert giving you the filename where the secret has been found and a patch giving you the position of the secret in the file:
$ ggshield secret scan pre-commit
2 incidents have been found in file production.rb
11 | config.paperclip_defaults = {
12 | :s3_credentials => {
13 | :bucket => "XXX",
14 | :access_key_id => "XXXXXXXXXXXXXXXXXXXX",
|_____AWS Keys_____|
15 | :secret_access_key => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|_______________AWS Keys_______________|
16 | }
17 | }
Lines that are too long are truncated to match the size of the terminal, unless the verbose mode is used (-v or --verbose).
Related open source projects
License
ggshield is MIT licensed.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ggshield-1.41.0.tar.gz.
File metadata
- Download URL: ggshield-1.41.0.tar.gz
- Upload date:
- Size: 302.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0cb8cd0e86e2012bb210be5a62416352bee5e366c4573874ce5cb225bf440207
|
|
| MD5 |
2f8e90108c24d19787e6c142a8fe9d6e
|
|
| BLAKE2b-256 |
66f525c4bbc960cb90e162534f701f799395cd5416ca80aacbee2831ce942666
|
File details
Details for the file ggshield-1.41.0-py3-none-any.whl.
File metadata
- Download URL: ggshield-1.41.0-py3-none-any.whl
- Upload date:
- Size: 182.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a387c5d91a401d9cceaad11875ab09f7b756c1b290ee4cf5a080270753c675e5
|
|
| MD5 |
f79e4cbb099dabf4aa0ebd592b9e7961
|
|
| BLAKE2b-256 |
0df6d31d28353f66fcf94fcd6f54cf361de1b12168b41c56b89bf1079e9c811d
|
