GitGuardian Shield: protect your secrets with GitGuardian
The GitGuardian shield (gg-shield) is a CLI application that runs in your local environment or in a CI environment to help you detect more than 200 types of secrets, as well as other potential security vulnerabilities or policy breaks.
GitGuardian shield uses our public API through py-gitguardian to scan your files and detect potential secrets or issues in your code. The /v1/scan
endpoint of the public API is stateless. We will not store any files you are sending or any secrets we have detected.
You can also use gg-shield via the pre-commit framework on your repositories, or as a standalone pre-commit either globally or locally.
You'll need an API Key from GitGuardian to use gg-shield.
Add the API Key to your environment variables:
GITGUARDIAN_API_KEY=<GitGuardian API Key>
- Pre-commit hooks
- Pre-receive hooks
- GitLab
- GitHub Actions
- Bitbucket Pipelines
- Circle CI Orbs
- Travis CI
- Jenkins
-
- Scan
- Install
-
- The pre-commit framework
- The global and local pre-commit hook
Install and update using pip
:
$ pip install ggshield
gg-shield supports Python 3.6 and newer.
The package should run on MacOS, Linux and Windows.
You'll need an API Key from the GitGuardian dashboard to use ggshield.
Add the API Key to your environment variables:
GITGUARDIAN_API_KEY=<GitGuardian API Key>
Usage: ggshield [OPTIONS] COMMAND [ARGS]...
Options:
-c, --config-path FILE Set a custom config file. Ignores local and global
config files.
-v, --verbose Verbose display mode.
-h, --help Show this message and exit.
Commands:
install Command to install a pre-commit hook (local or global).
scan Command to scan various contents.
ggshield scan
is the main command for gg-shield, it has a few config
options that can be used to override output behaviour.
Usage: ggshield scan [OPTIONS] COMMAND [ARGS]...
Command to scan various contents.
Options:
--show-secrets Show secrets in plaintext instead of hiding them.
--exit-zero Always return a 0 (non-error) status code, even if issues
are found.The env var GITGUARDIAN_EXIT_ZERO can also be used
to set this option.
--all-policies Present fails of all policies (Filenames, FileExtensions,
Secret Detection). By default, only Secret Detection is
shown.
-v, --verbose Verbose display mode.
-h, --help Show this message and exit.
Commands:
ci scan in a CI environment.
commit-range scan a defined COMMIT_RANGE in git.
path scan files and directories.
pre-commit scan as a pre-commit git hook.
repo clone and scan a REPOSITORY.
ggshield scan
has different subcommands for each type of scan:
-
CI
: scan each commit since the last build in your CI.ggshield scan ci
No options or arguments
-
Commit Range
: scan each commit in the given commit rangeUsage: ggshield scan commit-range [OPTIONS] COMMIT_RANGE scan a defined COMMIT_RANGE in git. git rev-list COMMIT_RANGE to list several commits to scan. example: ggshield scan commit-range HEAD~1...
-
Path
: scan files or directories with the recursive option.Usage: ggshield scan path [OPTIONS] PATHS... scan files and directories. Options: -r, --recursive Scan directory recursively -y, --yes Confirm recursive scan -h, --help Show this message and exit.
-
Pre-commit
: scan every changes that have been staged in a git repository.ggshield scan pre-commit
No options or arguments
-
Repo
: scan all commits in a git repository.Usage: ggshield scan repo [OPTIONS] REPOSITORY clone and scan a REPOSITORY. REPOSITORY is the clone URI of the repository to scan. example: ggshield scan repo [email protected]:GitGuardian/gg-shield.git
The install
command allows you to use ggshield as a pre-commit hook on your machine, either locally or globally for all repositories.
You will find further details in the pre-commit part of this documentation.
Usage: ggshield install [OPTIONS]
Command to install a pre-commit hook (local or global).
Options:
-m, --mode [local|global] Hook installation mode [required]
-f, --force Force override
-h, --help Show this message and exit.
Configuration in ggshield
follows a global>local>CLI
configuration scheme.
Meaning options on local
overwrite or extend global
and options on CLI overwrite or extend local.
ggshield
will search for a global
config file in the user's home directory (example: ~/.gitguardian.yml
on Linux and %USERPROFILE%\.gitguardian
on Windows).
ggshield
will recognize as well a local
config file in the user's working directory (example: ./.gitguardian.yml
).
You can also use the option --config-path
on the main command to set another config file. In this case, neither local
nor global
config files will be evaluated (example: ggshield --config-path=~/Desktop/only_config.yaml scan path -r .
)
A sample config file can be found at .gitguardian.example
# Exclude files and paths by globbing
paths-ignore:
- '**/README.md'
- 'doc/*'
- 'LICENSE'
# Ignore policy breaks with the SHA256 of the policy break obtained at output or the secret itself
matches-ignore:
- 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1
- MY_TEST_CREDENTIAL
show-secrets: false # default: false
# Set to true if the desired exit code for the CLI is always 0,
# otherwise the exit code will be 1 if issues are found.
# the environment variable GITGUARDIAN_EXIT_ZERO=true can also be used toggle this behaviour.
exit-zero: false # default: false
# By default only secrets are detected. Use all-policies to toggle this behaviour.
all-policies: false # default: false
api-url: https://api.gitguardian.com # GITGUARDIAN_API_URL environment variable will override this setting
verbose: false # default: false
ggshield can be configured to run on your on-premises dashboard, request an API key from your dashboard administrator.
You can modify your environment variables to include:
GITGUARDIAN_API_KEY=<GitGuardian API Key>
GITGUARDIAN_API_URL=<GitGuardian on-premises API URL>
Alternatively to setting the GITGUARDIAN_API_URL
environment variable, set the api-url
in your .gitguardian.yaml
.
In order to use ggshield with the pre-commit framework, you need to do the following steps.
Make sure you have pre-commit installed:
$ pip install pre-commit
Create a .pre-commit-config.yaml
file in your root repository:
repos:
- repo: https://github.com/gitguardian/gg-shield
rev: main
hooks:
- id: ggshield
language_version: python3
stages: [commit]
Then install the hook with the command:
$ pre-commit install
pre-commit installed at .git/hooks/pre-commit
Now you're good to go!
If you want to skip the pre-commit check, you can add -n
parameter:
$ git commit -m "commit message" -n
Another way is to add SKIP=hook_id before the command:
$ SKIP=ggshield git commit -m "commit message"
To install pre-commit globally (for all current and future repos), you just need to execute the following command:
$ ggshield install --mode global
It will do the following:
- check if a global hook folder is defined in the global git configuration
- create the
~/.git/hooks
folder (if needed) - create a
pre-commit
file which will be executed before every commit - give executable access to this file
You can also install the hook locally on desired repositories. You just need to go in the repository and execute:
$ ggshield install --mode local
If a pre-commit executable file already exists, it will not be overriden.
You can force override with the --force
option:
$ ggshield install --mode local --force
If you already have a pre-commit executable file and you want to use gg-shield, all you need to do is to add this line in the file:
ggshield scan pre-commit
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
environment variable of your project or development environment.
A pre-receive hook allows you to reject commits from being pushed to a git repository if they do not validate every check.
You can find gg-shield's pre-receive hook sample in the doc/pre-receive.sample.
⚠ gg-shield's pre-receive hook requires the host machine to have docker installed.
- Move
pre-receive.sample
to.git/hooks/pre-receive
- Do not forget to
chmod +x .git/hooks/pre-receive
- either set an environment variable machine wide
GITGUARDIAN_API_KEY
or set it in the.git/hooks/pre-receive
as instructed in the sample file.
You may be interested in using GitGuardian's GitLab integration to ensure full coverage of your GitLab projects as well as full git history scans and reporting.
Configuring GitLab pipelines to use ggshield is as simple as adding a step to your project's pipeline:
stages:
- scanning
🦉 gitguardian scan:
image: gitguardian/ggshield:latest
stage: scanning
script: ggshield scan ci
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
environment variable in your project settings.
You may be interested in using GitGuardian's GitHub integration to ensure full coverage of your GitHub projects as well as full git history scans and reporting.
ggshield's support of GitHub comes in the form of GitHub actions.
The action for this repository is hosted at gg-shield-action.
Configuring a GitHub workflow to use ggshield is as simple as adding a step to your project's workflow:
name: GitGuardian scan
on: [push, pull_request]
jobs:
scanning:
name: GitGuardian scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0 # fetch all history so multiple commits can be scanned
- name: GitGuardian scan
uses: GitGuardian/gg-shield-action@master
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
secret in your project settings.
⚠ Bitbucket pipelines do not support commit ranges therefore only your latest commit in a pushed group or in a new branch will be scanned.
Configuring a Bitbucket pipeline to use ggshield is as simple as adding a step to your project's workflow:
pipelines:
default:
- step:
image: gitguardian/ggshield:latest
services:
- docker
script:
- ggshield scan ci
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
environment variable in your project settings.
Circle CI is supported in gg-shield through gg-shield-orb.
To add gg-shield to your pipelines configure your .circleci/config.yml
to add the gg-shield orb:
orbs:
gg-shield: gitguardian/ggshield
workflows:
main:
jobs:
- gg-shield/scan:
name: gg-shield-scan # best practice is to name each orb job
base_revision: << pipeline.git.base_revision >>
revision: <<pipeline.git.revision>>
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
environment variable in your project settings.
To add gg-shield to your pipelines configure your .travis.yml
to add a gg-shield scanning job:
jobs:
include:
- name: GitGuardian Scan
language: python
python: 3.8
install:
- pip install ggshield
script:
- ggshield scan ci
Do not forget to add your GitGuardian API Key to the GITGUARDIAN_API_KEY
environment variable in your project settings.
To add gg-shield to your pipelines configure your Jenkinsfile
to add a gg-shield stage:
pipeline {
agent none
stages {
stage('GitGuardian Scan') {
agent {
docker { image 'gitguardian/ggshield:latest' }
}
environment {
GITGUARDIAN_API_KEY = credentials('gitguardian-api-key')
}
steps {
sh 'ggshield scan ci'
}
}
}
}
Do not forget to add your GitGuardian API Key to the gitguardian-api-key
credential in your project settings.
If no secrets or policy breaks have been found, the exit code will be 0:
$ ggshield scan pre-commit
If a secret or other issue is found in your staged code or in your CI, you will have an alert giving you the type of policy break, the filename where the policy break has been found and a patch giving you the position of the policy break in the file:
$ ggshield scan pre-commit
🛡️ ⚔️ 🛡️ 2 policy breaks have been found in file production.rb
11 | config.paperclip_defaults = {
12 | :s3_credentials => {
13 | :bucket => "XXX",
14 | :access_key_id => "XXXXXXXXXXXXXXXXXXXX",
|_____AWS Keys_____|
15 | :secret_access_key => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|_______________AWS Keys_______________|
16 | }
17 | }
If you have questions you would like to ask the developers, or feedback you would like to provide, feel free to create an issue on our issue tracker.
We would love to hear from you. Additionally, if you have a feature you would like to suggest, feel free to create an issue on our issue tracker.
GitGuardian shield is MIT licensed.