1.16.0

Added

• Add a new ggshield honeytoken create command to let you create honeytokens if enabled in your workspace.
  Learn more about honeytokens at https://www.gitguardian.com/honeytoken

Changed

• ggshield secret scan commands can now use server-side configuration for the maximum document size and maximum document count per scan.

Fixed

• Accurately enforce the timeout of the pre-receive secret scan command (#417)

• Correctly compute the secret ignore sha in the json output.

• GitLab WebUI Output Handler now behaves correctly when using the ignore-known-secrets flag, it also no longer displays empty messages in the UI.

1.15.1

Changed

• ggshield secret scan JSON output has been improved:
  • It now includes an incident_url key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
  • The known_secret key is now always present and defaults to false if the incident is unknown to the dashboard.

Fixed

• Fixed a regression introduced in 1.15.0 which caused the --ignore-known-secrets option to be ignored.

1.15.0

Changed

• ggshield secret scan output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.

• ggshield secret scan docker no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.

Fixed

• Fixed an issue where the progress bar for ggshield secret scan commands would sometimes reach 100% too early and then stayed stuck until the end of the scan.

Removed

• The deprecated commands ggshield scan and ggshield ignore have been removed. Use ggshield secret scan and ggshield secret ignore instead.

1.14.5

Changed

• ggshield iac scan can now be called without arguments. In this case it scans the current directory.

• GGShield now displays an easier-to-understand error message when no API key has been set.

Fixed

• Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained - characters (#480).

• When called without an image tag, ggshield secret scan docker now automatically uses the :latest tag instead of scanning all versions of the image (#468).

• ggshield secret scan now properly stops with an error message when the GitGuardian API key is not set or invalid (#456).

1.14.4

Fixed

• GGShield Docker image can now be used to scan git repositories even if the repository is mounted outside of the /data directory.

• GGShield commit hook now runs correctly when triggered from Visual Studio (#467).

1.14.3

Fixed

• ggshield secret scan pre-receive no longer scans deleted commits when a branch is force-pushed (#437).

• If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (#449).

• GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (#448).

• Installing GGShield no longer creates a "tests" directory in "site-packages" (#383).

• GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.

Deprecated

• The deprecation message when using ggshield scan instead of ggshield secret scan now states the ggshield scan commands are going to be removed in GGShield 1.15.0.

1.14.2

Changed

• It is now possible to use generic command-line options like --verbose anywhere on the command line and scan options anywhere after the scan word (#197).

• ggshield iac scan now shows the severity of the detected vulnerabilities.

Fixed

• If a file containing secrets has been committed in two different branches, then ggshield secret scan repo would show 4 secrets instead of 2. This has been fixed (#428).

• ggshield now uses different error codes when a scan succeeds but finds problems and when a scan does not finish (#404).

• ggshield now correctly handles the case where git is not installed (#329).

1.14.1

Fixed

• Fixed dependency on pygitguardian, which blocked the release on pypi.

1.14.0

Added

• ggshield scan commands now accept the --ignore-known-secrets option. This option is useful when working on an existing code-base while secrets are being remediated.

• ggshield learned a new secret scan command: docset. This command can scan any content as long as it has been converted into our new docset file format.

Changed

• ggshield auth login --method=token can now read its token from the standard input.

Fixed

• ggshield now prints clearer error messages if the .gitguardian.yaml file is invalid (#377).

• When used with the pre-commit framework, ggshield would sometimes scan commits with many files more than once. This has been fixed.

1.13.6

Fixed

• ggshield auth login no longer fails when called with --lifetime.

• pre-receive and pre-push hooks now correctly handle the case where a branch with no new commits is pushed.

• ggshield no longer fails when scanning paths longer than 256 characters (#391).