Releases: GitGuardian/ggshield
1.16.0
Added
- Add a new ggshield honeytoken create command to let you create honeytokens if enabled in your workspace. Learn more about honeytokens at https://www.gitguardian.com/honeytoken
Changed
- ggshield secret scan commands can now use server-side configuration for the maximum document size and maximum document count per scan.
Fixed
- Accurately enforce the timeout of the pre-receive secret scan command (#417).
- Correctly compute the secret ignore sha in the JSON output.
- GitLab WebUI Output Handler now behaves correctly when using the ignore-known-secrets flag. It also no longer displays empty messages in the UI.
1.15.1
Changed
- ggshield secret scan JSON output has been improved:
  - It now includes an incident_url key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
  - The known_secret key is now always present and defaults to false if the incident is unknown to the dashboard.
Fixed
- Fixed a regression introduced in 1.15.0 which caused the --ignore-known-secrets option to be ignored.
1.15.0
Changed
- ggshield secret scan output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.
- ggshield secret scan docker no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to the GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.
Fixed
- Fixed an issue where the progress bar for ggshield secret scan commands would sometimes reach 100% too early and then stay stuck until the end of the scan.
Removed
- The deprecated commands ggshield scan and ggshield ignore have been removed. Use ggshield secret scan and ggshield secret ignore instead.
1.14.5
Changed
- ggshield iac scan can now be called without arguments. In this case it scans the current directory.
- GGShield now displays an easier-to-understand error message when no API key has been set.
Fixed
- Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained "-" characters (#480).
- When called without an image tag, ggshield secret scan docker now automatically uses the :latest tag instead of scanning all versions of the image (#468).
- ggshield secret scan now properly stops with an error message when the GitGuardian API key is not set or invalid (#456).
1.14.4
1.14.3
Fixed
- ggshield secret scan pre-receive no longer scans deleted commits when a branch is force-pushed (#437).
- If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (#449).
- GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (#448).
- Installing GGShield no longer creates a "tests" directory in "site-packages" (#383).
- GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.
Deprecated
- The deprecation message when using ggshield scan instead of ggshield secret scan now states the ggshield scan commands are going to be removed in GGShield 1.15.0.
1.14.2
Changed
- It is now possible to use generic command-line options like --verbose anywhere on the command line and scan options anywhere after the scan word (#197).
- ggshield iac scan now shows the severity of the detected vulnerabilities.
Fixed
- If a file containing secrets has been committed in two different branches, then ggshield secret scan repo would show 4 secrets instead of 2. This has been fixed (#428).
- ggshield now uses different error codes when a scan succeeds but finds problems and when a scan does not finish (#404).
- ggshield now correctly handles the case where git is not installed (#329).
1.14.1
Fixed
- Fixed dependency on pygitguardian, which blocked the release on PyPI.
1.14.0
Added
- ggshield scan commands now accept the --ignore-known-secrets option. This option is useful when working on an existing code-base while secrets are being remediated.
- ggshield learned a new secret scan command: docset. This command can scan any content as long as it has been converted into our new docset file format.
Changed
- ggshield auth login --method=token can now read its token from the standard input.
Fixed
- ggshield now prints clearer error messages if the .gitguardian.yaml file is invalid (#377).
- When used with the pre-commit framework, ggshield would sometimes scan commits with many files more than once. This has been fixed.