1.29.0

Removed

• The --all option of the ggshield sca scan ci and ggshield iac scan ci commands has been removed.

Added

• ggshield secret scan path now provides a --use-gitignore option to honor .gitignore and related files (#801).

• A new secret scan command, ggshield secret scan changes, has been added to scan changes between the current state of a repository checkout and its default branch.

• GGShield is now available as a standalone executable on Windows.

Changed

• The behavior of the ggshield sca scan ci and ggshield iac scan ci commands have changed. These commands are now expected to run in merge-request CI pipelines only, and will compute the diff exactly associated with the merge request.

Deprecated

• Running ggshield sca scan ci or ggshield iac scan ci outside of a merge request CI pipeline is now deprecated.

Fixed

• GGShield now consumes less memory when scanning large repositories.

• Errors thrown during ggshield auth login flow with an invalid instance URL are handled and the stack trace is no longer displayed on the console.

• Patch symbols at the start of lines are now always displayed, even for single line secrets.

• The ggshield auth login command now respects the --allow-self-signed flag.

• GGShield now exits with a proper error message instead of crashing when it receives an HTTP response without Content-Type header.

1.28.0

Added

• The SCA config ignored_vulnerabilities option now supports taking a CVE id as identifier.

1.27.0

Removed

• The This feature is still in beta, its behavior may change in future versions warning is no longer displayed for sca commands.

Added

• It is now possible to customize the remediation message printed by GGShield pre-receive hook. This can be done by setting the message in the secret.prereceive_remediation_message configuration key. Thanks a lot to @Renizmy for this feature.

• We now provide signed .pkg files for macOS.

• Add This feature is still in beta, its behavior may change in future versions warning to iac scan all

Changed

• Linux .deb and .rpm packages now use the binaries produced by pyinstaller. They no longer depend on Python.

Deprecated

• Dash-separated configuration keys are now deprecated, they should be replaced with underscore-separated keys. For example show-secrets should become show_secrets. GGShield still supports reading from dash-separate configuration keys, but it prints a warning when it finds one.

Fixed

• GGShield commands working with commits no longer fail when parsing a commit without any author.

• Configuration keys defined in the global configuration file are no longer ignored if a local configuration file exists.

• The option --exclude PATTERN is no longer ignored by the command ggshield secret scan repo.

1.26.0

Added

• ggshield auth login learned to create tokens with extra scopes using the --scopes option. Using ggshield auth login --scopes honeytokens:write would create a token suitable for the ggshield honeytokens commands.

1.25.0

Added

• It is now possible to create a honeytoken with context using the new honeytoken create-with-context command.

Changed

• SCA incidents ignored on the GitGuardian app will no longer show up in the scan results, in text/JSON format.

1.24.0

Added

• Adds two new flags for ggshield sca scan commands, --ignore-fixable and --ignore-not-fixable so that the user can filter the returned incidents depending on if incidents can be fixed or not. Both flags cannot be used simultaneously.

Changed

• Number of documents in a chunk is now adapted to the server payload.
• Moved some property from Scannable children classes up to Scannbable itself.

Fixed

• IAC/SCA scans will scan new commits as intended for CI jobs on newly pushed branches.

• IAC/SCA scans will scan new commits as intended for CI jobs on the first push to a new repository

• In CI jobs, IAC/SCA scans on forced pushs no longer trigger an error but perform a scan on all commits instead.

• Fixes ggshield sca scan commands not taking some user parameters into account.

1.23.0

Added

• GGShield output now adapts when the grace period of an IaC incident ignored by a developer has been expired.

• GGShield now shows a warning message if it hits a rate-limit.

Changed

• IaC incidents ignored on the GitGuardian app no longer show up in the scan results.

Fixed

• IaC/SCA scans now properly find the parent commit SHA on GitLab push pipelines for new branches.

• Error messages now appear above progress bars instead of overlapping them.

IaC

• File content are now displayed as intended when executing ggshield iac scan all on a subdirectory of a Git repository.

• Pre-push scans are now diff scans when pushing a new branch, comparing to the last commit of the parent branch.

• Pre-push scans on empty repositories no longer include staged files.

1.22.0

Added

• Secret: ggshield now prints the name of what is being scanned when called with --verbose (#212).

• You can now use the SKIP=ggshield environment variable without the pre-commit framework to skip pre-commit and pre-push scans.

Changed

• ggshield can now scan huge commits without running out of memory.

Fixed

• IAC and SCA: scans in GitLab merge request pipelines should now be performed on the intended commit ranges, instead of an empty range.

1.21.0

Added

• Support for new options in gitguardian config file. IaC ignored-paths and ignored_policies can now be defined as objects with comment and until properties. If an until date is provided, the path/policy is only ignored up until this date. The old format is still supported. Check .gitguardian.example.yaml for a sample.

Changed

• ggshield iac scan diff --json output was changed. added_vulns, persisting_vulns and removed_vulns were renamed as new, unchanged and deleted. They also were moved into a entities_with_incidents similarly to the scan all JSON output.

  Sample IaC diff JSON output

  ```json
  {
      "id": "fb0e9a92-de34-43f9-b779-17d25e99ab35",
      "iac_engine_version": "1.15.0",
      "type": "diff_scan",
      "entities_with_incidents": {
          "unchanged": [
              {
                  "filename": "s3.tf",
                  "incidents": [
                      {
                          "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
                          "policy_id": "GG_IAC_0055",
                          "line_end": 118,
                          "line_start": 96,
                          "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
                          "documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
                          "component": "aws_s3_bucket.operations",
                          "severity": "HIGH"
                      }
                  ],
                  "total_incidents": 1
              }
          ],
          "deleted": [
          {
              "filename": "s3.tf",
                  "incidents": [
                      {
                          "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
                          "policy_id": "GG_IAC_0055",
                          "line_end": 118,
                          "line_start": 96,
                          "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
                          "documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
                          "component": "aws_s3_bucket.operations",
                          "severity": "HIGH",
                      }
                  ],
                  "total_incidents": 1
              }
          ],
          "new": [
          {
              "filename": "s3.tf",
                  "incidents": [
                      {
                          "policy": "Allowing public exposure of a S3 bucket can lead to data leakage",
                          "policy_id": "GG_IAC_0055",
                          "line_end": 118,
                          "line_start": 96,
                          "description": "AWS S3 Block Public Access is a feature that allows setting up centralized controls\\nto manage public access to S3 resources.\\n\\nEnforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket\\nallows to make sure that no ACL (Access control list) or policy giving public access\\ncan be associated with the bucket, and that existing ACL giving public access to\\nthe bucket will not be taken into account.",
                          "documentation_url": "<https://docs.gitguardian.com/iac-scanning/policies/GG_IAC_0055>",
                          "component": "aws_s3_bucket.operations",
                          "severity": "HIGH"
                      }
                  ],
                  "total_incidents": 1
              }
          ]
      }
  }
  ```
  

Fixed

• When a git command fails, its output is now always correctly logged.

1.20.0

Changed

HMSL

• Adapt message in case we find tons of matches

• command hmsl check-secret-manager hashicorp-vault with a "key" naming strategy will display the variable's full path instead of the variable name

• Support no location URL in HMSL response.

• Change wording for HMSL output: do not mention occurrences as it can be misleading.