Releases: GitGuardian/ggshield

1.20.0

17 Oct 09:36
73218f7

Changed

HMSL

  • Adapted the message displayed when a very large number of matches is found.

  • The hmsl check-secret-manager hashicorp-vault command, when used with a "key" naming strategy, now displays the variable's full path instead of the variable name.

  • Support no location URL in HMSL response.

  • Change wording for HMSL output: do not mention occurrences as it can be misleading.

1.19.1

26 Sep 15:08
3fc47e5

Removed

  • ggshield now refuses to install on Python < 3.8.

Added

HMSL

  • Added a new ggshield hmsl check-secret-manager hashicorp-vault command to scan the secrets of a HashiCorp Vault instance.

Changed

Fixed

  • Fixed a typo in the command suggested to tell git a directory is safe.

  • Fixed a bug that caused IaC and SCA scans to fail on GitLab CI because git could not access the target branch of a merge request. ggshield now fetches the target branch in the CI environment before collecting commit SHAs.

  • Fixed the IaC and SCA scan commands on Windows.

1.18.1

22 Aug 09:12

Fixed

  • Fixed a bug which caused IaC and SCA scans to fail on GitLab CI because GitLab does not run git fetch on the target branch for merge requests. ggshield now runs git fetch itself to avoid this problem.

  • Fixed a typo in the command suggested to tell git a directory is safe.

1.18.0

16 Aug 09:22

Added

HMSL

  • ggshield gained a new group of commands: hmsl, short for "Has My Secret Leaked". These commands make it possible to securely check if secrets have been leaked in a public repository.

IaC

  • ggshield iac scan now provides three new commands for use as Git hooks:

    • ggshield iac scan pre-commit
    • ggshield iac scan pre-push
    • ggshield iac scan pre-receive

    They use the same arguments and options as the other ggshield iac scan commands.

  • The new ggshield iac scan ci command can be used to perform IaC scans in CI environments.
    It supports the same arguments as hook subcommands (in particular, --all to scan the whole repository).
    Supported CIs are:

    • Azure
    • Bitbucket
    • CircleCI
    • Drone
    • GitHub
    • GitLab
    • Jenkins
    • Travis

SCA

  • Introduces new commands to perform SCA scans with ggshield:

    • ggshield sca scan all <DIRECTORY>: scans a directory or a repository to find all existing SCA vulnerabilities.
    • ggshield sca scan diff <DIRECTORY> --ref <GIT_REF>: runs a differential scan compared to a given git ref.
    • ggshield sca scan pre-commit
    • ggshield sca scan pre-push
    • ggshield sca scan pre-receive
    • ggshield sca scan ci: evaluates whether a CI event introduces new vulnerabilities; only available on GitHub and GitLab for now.

Other

  • It is now possible to manipulate the default instance using ggshield config:

    • ggshield config set instance <THE_INSTANCE_URL> defines the default instance.
    • ggshield config unset instance removes the previously defined instance.
    • The default instance can be printed with ggshield config get instance and ggshield config list.

Changed

  • ggshield now requires Python 3.8.

  • The IaC GitHub Action now runs the new ggshield iac scan ci command. This means the action only fails if the changes introduce a new vulnerability. To fail if any vulnerability is detected, use the ggshield iac scan ci --all command.

Removed

  • The following options have been removed from ggshield iac scan diff: --pre-commit, --pre-push and --pre-receive. You can replace them with the new ggshield iac scan pre-* commands.

Fixed

  • ggshield secret scan docker now runs as many scans in parallel as the other scan commands.

  • ggshield now provides an easier-to-understand error message for "quota limit reached" errors (#309).

  • ggshield iac scan diff --minimum-severity and --ignore-policy options are now correctly processed.

  • ggshield secret scan no longer tries to scan files longer than the maximum document size (#561).

Security

1.17.3

27 Jul 09:21
v1.17.3
0b33773

Fixed

1.17.2

28 Jun 15:12

Fixed

  • Fixed ggshield not installing properly when installing with Brew on macOS.

1.17.1

28 Jun 08:47

Added

  • New command: ggshield iac scan all. This command replaces the now-deprecated ggshield iac scan. It scans a directory for IaC vulnerabilities.

  • New command: ggshield iac scan diff. This command scans a Git repository and inspects changes in IaC vulnerabilities between two points in the history.

    • All options from ggshield iac scan all are supported: --ignore-policy, --minimum-severity, --ignore-path etc. Execute ggshield iac scan diff -h for more details.
    • Two new options select which state to compare against: --ref <GIT-REFERENCE> and --staged.
    • The command can be integrated in Git hooks using the --pre-commit, --pre-push, --pre-receive options.
    • The command output lists vulnerabilities as unchanged, new and deleted.
  • Added a --log-file FILE option to redirect all logging output to a file. The option can also be set using the $GITGUARDIAN_LOG_FILE environment variable.

Changed

  • Improved secret scan path speed by updating charset-normalizer to 3.1.

  • Errors are no longer reported twice (first as a human-friendly message, then as log output). Log output is now off by default, unless --debug or --log-file is set (#213).

  • The help messages for the honeytoken commands have been updated.

  • ggshield honeytoken create now displays an easier-to-understand error message when the user does not have the necessary permissions to create a honeytoken.

  • ggshield auth login now displays a warning message if the token expiration date has been adjusted to comply with the personal access token maximum lifetime setting of the user's workspace.

Deprecated

  • ggshield iac scan is now replaced by the new ggshield iac scan all, which supports the same options and arguments.

1.16.0

30 May 13:19
v1.16.0
743587d

Added

Changed

  • ggshield secret scan commands can now use server-side configuration for the maximum document size and maximum document count per scan.

Fixed

  • Accurately enforce the timeout of the pre-receive secret scan command (#417).

  • Correctly compute the secret ignore SHA in the JSON output.

  • The GitLab WebUI Output Handler now behaves correctly when using the ignore-known-secrets flag; it also no longer displays empty messages in the UI.

1.15.1

17 May 12:18

Changed

  • ggshield secret scan JSON output has been improved:
    • It now includes an incident_url key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
    • The known_secret key is now always present and defaults to false if the incident is unknown to the dashboard.

Fixed

  • Fixed a regression introduced in 1.15.0 which caused the --ignore-known-secrets option to be ignored.

1.15.0

25 Apr 08:36

Changed

  • ggshield secret scan output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.

  • ggshield secret scan docker no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to the GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.

Fixed

  • Fixed an issue where the progress bar for ggshield secret scan commands would sometimes reach 100% too early and then stay stuck until the end of the scan.

Removed

  • The deprecated commands ggshield scan and ggshield ignore have been removed. Use ggshield secret scan and ggshield secret ignore instead.