ggshield

| Field | Value |
| --- | --- |
| Name | ggshield |
| Version | 1.34.0 |
| Summary | Detect secrets from all sources using GitGuardian's brains |
| Upload time | 2024-11-27 13:06:13 |
| Requires Python | >=3.8.1 |
| License | MIT |
| Keywords | cli, devsecops, secrets-detection, security-tools, gitguardian |

<a href="https://gitguardian.com/"><img src="https://cdn.jsdelivr.net/gh/gitguardian/ggshield/doc/logo.svg"></a>

---

# [ggshield](https://github.com/GitGuardian/ggshield): protect your code with GitGuardian

`ggshield` is a CLI application that runs in your local environment or in a CI environment to help you detect more than 400 types of secrets.

`ggshield` uses our [public API](https://api.gitguardian.com/doc) through [py-gitguardian](https://github.com/GitGuardian/py-gitguardian) to scan and detect potential vulnerabilities in files and other text content.

Scans made with `ggshield` store only metadata such as call time, request size and scan mode. Secrets are therefore not displayed on your dashboard, and **your files and secrets won't be stored**.

# Table of Contents

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Installation](#installation)
  - [Requirements](#requirements)
  - [macOS](#macos)
    - [Homebrew](#homebrew)
    - [Standalone .pkg package](#standalone-pkg-package)
  - [Linux](#linux)
    - [Deb and RPM packages](#deb-and-rpm-packages)
  - [Windows](#windows)
    - [Standalone .zip archive](#standalone-zip-archive)
  - [All operating systems](#all-operating-systems)
    - [Using pipx](#using-pipx)
    - [Using pip](#using-pip)
- [Initial setup](#initial-setup)
  - [Using `ggshield auth login`](#using-ggshield-auth-login)
  - [Manual setup](#manual-setup)
- [Getting started](#getting-started)
  - [Secrets](#secrets)
  - [Infra as Code Security (IaC)](#infra-as-code-security-iac)
- [Integrations](#integrations)
- [Learn more](#learn-more)
- [Output](#output)
- [Related open source projects](#related-open-source-projects)
- [License](#license)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

# Installation

## Requirements

`ggshield` works on macOS, Linux and Windows.

It requires **Python 3.8 or above** (except for standalone packages) and git.

:warning: Python 3.8 has no longer been supported by the Python Software Foundation since October 14th, 2024. GGShield will soon require Python 3.9 or above to run.

Some commands require additional programs:

- docker: to scan Docker images.
- pip: to scan PyPI packages.

## macOS

### Homebrew

You can install `ggshield` using Homebrew:

```shell
$ brew install gitguardian/tap/ggshield
```

Upgrading is handled by Homebrew.

### Standalone .pkg package

Alternatively, you can download and install a standalone .pkg package from the [`ggshield` release page](https://github.com/GitGuardian/ggshield/releases).

This package _does not_ require installing Python, but you have to manually download new versions.

## Linux

### Deb and RPM packages

Deb and RPM packages are available on [Cloudsmith](https://cloudsmith.io/~gitguardian/repos/ggshield/packages/).

Setup instructions:

- [Deb packages](https://cloudsmith.io/~gitguardian/repos/ggshield/setup/#formats-deb)
- [RPM packages](https://cloudsmith.io/~gitguardian/repos/ggshield/setup/#formats-rpm)

Upgrading is handled by the package manager.

## Windows

### Standalone .zip archive

We provide a standalone .zip archive on the [`ggshield` release page](https://github.com/GitGuardian/ggshield/releases).

Unpack the archive on your disk, then add the directory containing the `ggshield.exe` file to `%PATH%`.

This archive _does not_ require installing Python, but you have to manually download new versions.

## All operating systems

`ggshield` can be installed on all supported operating systems via its [PyPI package](https://pypi.org/project/ggshield).

### Using pipx

The recommended way to install `ggshield` from PyPI is to use [pipx](https://pypa.github.io/pipx/), which will install it in an isolated environment:

```shell
$ pipx install ggshield
```

To upgrade your installation, run:

```shell
$ pipx upgrade ggshield
```

### Using pip

You can also install `ggshield` from PyPI using pip, but this is not recommended because the installation is not isolated, so other applications or packages installed this way may affect your `ggshield` installation. This method will also not work if your Python installation is declared as externally managed (for example when using the system Python on operating systems like Debian 12):

```shell
$ pip install --user ggshield
```

To upgrade your installation, run:

```shell
$ pip install --user --upgrade ggshield
```

# Initial setup

## Using `ggshield auth login`

To use `ggshield` you need to authenticate against GitGuardian servers. To do so, use the `ggshield auth login` command. This command automates the provisioning of a personal access token and its configuration on the local workstation.

You can learn more about it from [`ggshield auth login` documentation](https://docs.gitguardian.com/internal-repositories-monitoring/ggshield/reference/auth/login).

## Manual setup

You can also create your personal access token manually and store it in the `GITGUARDIAN_API_KEY` environment variable to complete the setup.

# Getting started

## Secrets

You can now use `ggshield` to search for secrets:

- in files: `ggshield secret scan path -r .`
- in repositories: `ggshield secret scan repo .`
- in Docker images: `ggshield secret scan docker ubuntu:22.04`
- in PyPI packages: `ggshield secret scan pypi flask`
- and more: have a look at the output of `ggshield secret scan --help` for details.

## Infra as Code Security (IaC)

You can also search for vulnerabilities in your IaC files using the following command:

```shell
ggshield iac scan all .
```

However, if you are only interested in _new_ potential IaC vulnerabilities, you can run:

```shell
ggshield iac scan diff --ref=HEAD~1 .
```

Have a look at `ggshield iac scan --help` for more details.

# Integrations

You can integrate `ggshield` in your [CI/CD workflow](https://docs.gitguardian.com/ggshield-docs/integrations/overview#cicd-integrations-secrets-detection-in-your-cicd-workflow).

To catch errors earlier, use `ggshield` as a [pre-commit, pre-push or pre-receive Git hook](https://docs.gitguardian.com/ggshield-docs/integrations/overview#git-hooks-prevent-secrets-from-reaching-your-vcs).

# Learn more

For more information, have a look at [the documentation](https://docs.gitguardian.com/ggshield-docs/getting-started).

# Output

If no secrets have been found, the exit code will be 0:

```bash
$ ggshield secret scan pre-commit
```

If a secret is found in your staged code or in your CI, `ggshield` prints an alert with the name of the file where the secret was found and a patch showing the position of the secret in that file:

```shell
$ ggshield secret scan pre-commit

2 incidents have been found in file production.rb

11 | config.paperclip_defaults = {
12 |     :s3_credentials => {
13 |     :bucket => "XXX",
14 |     :access_key_id => "XXXXXXXXXXXXXXXXXXXX",
                            |_____AWS Keys_____|

15 |     :secret_access_key => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
                                |_______________AWS Keys_______________|

16 |     }
17 | }
```

Lines that are too long are truncated to match the size of the terminal, unless the verbose mode is used (`-v` or `--verbose`).
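
The report layout above can be turned into file, line and column findings (for a CI annotation, say) without ever repeating the matched value. This is an added example, not part of `ggshield`: it assumes the text layout of the sample above, the singular `1 incident has been found` header is a guess, and `Finding`, `parse_report` and `annotate` are hypothetical names.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the report shown above, with whitespace written out
# explicitly so that the marker columns are exact.
SAMPLE_REPORT = "\n".join([
    "2 incidents have been found in file production.rb",
    "",
    "11 | config.paperclip_defaults = {",
    "12 |     :s3_credentials => {",
    '13 |     :bucket => "XXX",',
    '14 |     :access_key_id => "' + "X" * 20 + '",',
    " " * 28 + "|_____AWS Keys_____|",
    "",
    '15 |     :secret_access_key => "' + "X" * 40 + '"',
    " " * 32 + "|" + "_" * 15 + "AWS Keys" + "_" * 15 + "|",
    "",
    "16 |     }",
    "17 | }",
])

# Assumption: a singular header reads "1 incident has been found in file ...".
HEADER_RE = re.compile(r"^\d+ incidents? ha(?:s|ve) been found in file (.+)$")
SOURCE_RE = re.compile(r"^\s*(\d+) \|(?: |$)")        # gutter such as "14 | "
MARKER_RE = re.compile(r"^(\s*)(\|_+(.+?)_+\|)\s*$")  # |_____Detector_____|


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    detector: str
    start_col: int  # 0-based offset into the source line
    end_col: int    # exclusive


def parse_report(text: str) -> List[Finding]:
    """Map each marker line to the source line printed just above it."""
    findings: List[Finding] = []
    path = None
    last = None  # (line number, gutter width) of the latest source line
    for raw in text.splitlines():
        header = HEADER_RE.match(raw.strip())
        if header:
            path, last = header.group(1), None
            continue
        source = SOURCE_RE.match(raw)
        if source:
            last = (int(source.group(1)), source.end())
            continue
        marker = MARKER_RE.match(raw)
        if marker and path and last:
            number, gutter = last
            # The marker is drawn under the secret, so its indent minus the
            # gutter width is the secret's offset in the original line.
            start = len(marker.group(1)) - gutter
            findings.append(Finding(path, number, marker.group(3),
                                    start, start + len(marker.group(2))))
    return findings


def annotate(f: Finding) -> str:
    """Location and detector only (1-based columns); never the secret."""
    return f"{f.path}:{f.line}:{f.start_col + 1}-{f.end_col} {f.detector}"
```

The column offsets are only meaningful when the source lines are printed in full, so a scan whose output feeds a parser like this should be run with `-v`.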

# Related open source projects

- [truffleHog](https://github.com/dxa4481/truffleHog)
- [gitleaks](https://github.com/zricethezav/gitleaks)
- [gitrob](https://github.com/michenriksen/gitrob)
- [git-hound](https://github.com/tillson/git-hound)
- [AWS git-secrets](https://github.com/awslabs/git-secrets)
- [detect-secrets](https://github.com/Yelp/detect-secrets)

# License

`ggshield` is MIT licensed.

            
