1.14.2

Changed

• It is now possible to use generic command-line options like --verbose anywhere on the command line and scan options anywhere after the scan word (#197).

• ggshield iac scan now shows the severity of the detected vulnerabilities.

Fixed

• If a file containing secrets has been committed in two different branches, then ggshield secret scan repo would show 4 secrets instead of 2. This has been fixed (#428).

• ggshield now uses different error codes when a scan succeeds but finds problems and when a scan does not finish (#404).

• ggshield now correctly handles the case where git is not installed (#329).

1.14.1

Fixed

• Fixed dependency on pygitguardian, which blocked the release on pypi.

1.14.0

Added

• ggshield scan commands now accept the --ignore-known-secrets option. This option is useful when working on an existing code-base while secrets are being remediated.

• ggshield learned a new secret scan command: docset. This command can scan any content as long as it has been converted into our new docset file format.

Changed

• ggshield auth login --method=token can now read its token from the standard input.

Fixed

• ggshield now prints clearer error messages if the .gitguardian.yaml file is invalid (#377).

• When used with the pre-commit framework, ggshield would sometimes scan commits with many files more than once. This has been fixed.

1.13.6

Fixed

• ggshield auth login no longer fails when called with --lifetime.

• pre-receive and pre-push hooks now correctly handle the case where a branch with no new commits is pushed.

• ggshield no longer fails when scanning paths longer than 256 characters (#391).

1.13.5

Fixed

• Fix crash at startup if the home directory is not writable.

1.13.4

Added

• ggshield now checks for update once a day and notifies the user if a new version is available. This check can be disabled with the --no-check-for-updates command-line option (#299).

Changed

• Scanning Git repositories is now faster.

• ggshield secret scan path now shows a progress bar.

• When used as a pre-push or pre-receive hook, ggshield no longer scans more commits than necessary when a new branch is pushed (#303, #369).

Fixed

• ggshield no longer declares two separate instances if the instance URL is set with and without a trailing slash (#357).

• Fixed a regression where ggshield would not load the .env from the current working directory.

• ggshield no longer silently ignores network issues.

1.13.3

🔧 Improvements

• Scanning is faster, thanks to ggshield making better use of available CPU cores (#356).

• ggshield secret scan commands now use less memory on large file trees and skip more binary files (#353).

🐛 Bug fixes

• ggshield no longer fails when scanning a repository with only one commit in it (#313).

• ggshield now properly decodes and detects secrets in texts stored in UTF-16, UTF-32 and others, with or without BOM (#355).

• ggshield no longer ignores errors when running ggshield secret scan repo on a non-existing repository from within an existing repository (#351).

1.13.2

🐛 Bug fixes

• Fixes secret scan pre-commit skipping the first file (#341).

1.13.1

🐛 Bug fixes

• secret scan repo no longer aborts if ggshield fails to parse a git commit (#323).
• iac commands now return a non-zero exit code in case of errors.
• Merge commits are now correctly parsed (#322).
• ggshield no longer creates its cache directory when running secret scan pre-receive (#306).
• The iac scan command now has an help message.
• The command "mode" for secret scan ci is now correctly reported in server statistics (#320).

🔧 Chores

• The minimum version of pygitguardian is now 1.3.5 (#319).

v1.13.0

🚀 New features

• The new ggshield iac scan command lets you detect vulnerabilities in your Infrastructure as Code files. Note that this feature is experimental for now.

🔧 Improvements

• ggshield secret scan repo now continues scanning if a commit fails to scan (#267).
• ggshield now provides a --debug option to help diagnose problems.

🐛 Bug fixes

• ggshield now uses stderr to report all progress and warnings, making it possible to pipe commands generating JSON such as secret scan --json to tools like jq.
• The file-system banlist of ggshield secret scan docker has been improved (#193).
• ggshield secret scan pre-receive and ggshield secret scan repo no longer fail on filenames containing spaces (#273, #296).
• ggshield secret scan repo no longer floods the terminal with "No secrets found" messages (#265).
• The commands used by the pre-commit hooks and by the GitHub action no longer use the deprecated ggshield scan syntax.

📜 Deprecations

• The configuration file format has changed, learn more about this change and how to adapt to it from the documentation.