Skip to content

1.18.0

Compare
Choose a tag to compare
@github-actions github-actions released this 16 Aug 09:22
· 830 commits to main since this release

Added

HMSL

  • ggshield gained a new group of commands: hmsl, short for "Has My Secret Leaked". These commands make it possible to securely check if secrets have been leaked in a public repository.

IaC

  • ggshield iac scan now provides three new commands for use as Git hooks:

    • ggshield iac scan pre-commit
    • ggshield iac scan pre-push
    • ggshield iac scan pre-receive

    They use the same arguments and options as the other ggshield iac scan commands.

  • The new ggshield iac scan ci command can be used to perform IaC scans in CI environments.
    It supports the same arguments as hook subcommands (in particular, --all to scan the whole repository).
    Supported CIs are:

    • Azure
    • Bitbucket
    • CircleCI
    • Drone
    • GitHub
    • GitLab
    • Jenkins
    • Travis

SCA

  • Introduces new commands to perform SCA scans with ggshield:

    • ggshield sca scan all <DIRECTORY> : scans a directory or a repository to find all existing SCA vulnerabilities.
    • ggshield sca scan diff <DIRECTORY> --ref <GIT_REF>: runs differential scan compared to a given git ref.
    • ggshield sca scan pre-commit
    • ggshield sca scan pre-push
    • ggshield sca scan pre-receive
    • ggshield sca scan ci: Evaluates if a CI event introduces new vulnerabilities, only available on Github and Gitlab for now.

Other

  • It is now possible to manipulate the default instance using ggshield config:

    • ggshield config set instance <THE_INSTANCE_URL> defines the default instance.
    • ggshield config unset instance removes the previously defined instance.
    • The default instance can be printed with ggshield config get instance and ggshield config list.

Changed

  • ggshield now requires Python 3.8.

  • The IaC Github Action now runs the new ggshield iac scan ci command. This means the action only fails if the changes introduce a new vulnerability. To fail if any vulnerability is detected, use the ggshield iac scan ci --all command.

Removed

  • The following options have been removed from ggshield iac scan diff: --pre-commit, --pre-push and --pre-receive. You can replace them with the new ggshield iac scan pre-* commands.

Fixed

  • ggshield secret scan docker now runs as many scans in parallel as the other scan commands.

  • ggshield now provides an easier-to-understand error message for "quota limit reached" errors (#309).

  • ggshield iac scan diff --minimum-severity and --ignore-policy options are now correctly processed.

  • ggshield secret scan no longer tries to scan files longer than the maximum document size (#561).

Security