Releases: GitGuardian/ggshield
1.17.2
Fixed
- Fixed ggshield not installing properly when installing with Brew on macOS.
1.17.1
Added
-
New command:
ggshield iac scan all
. This command replaces the now-deprecatedggshield iac scan
. It scans a directory for IaC vulnerabilities. -
New command:
ggshield iac scan diff
. This command scans a Git repository and inspects changes in IaC vulnerabilities between two points in the history.- All options from
ggshield iac scan all
are supported:--ignore-policy
,--minimum-severity
,--ignore-path
etc. Executeggshield iac scan diff -h
for more details. - Two new options allow to choose which state to select for the difference:
--ref <GIT-REFERENCE>
and--staged
. - The command can be integrated in Git hooks using the
--pre-commit
,--pre-push
,--pre-receive
options. - The command output list vulnerabilities as
unchanged
,new
anddeleted
.
- All options from
-
Added a
--log-file FILE
option to redirect all logging output to a file. The option can also be set using the$GITGUARDIAN_LOG_FILE
environment variable.
Changed
-
Improved
secret scan path
speed by updating charset-normalizer to 3.1. -
Errors are no longer reported twice: first using human-friendly message and then using log output. Log output is now off by default, unless
--debug
or--log-file
is set (#213). -
The help messages for the
honeytoken
commands have been updated. -
ggshield honeytoken create
now displays an easier-to-understand error message when the user does not have the necessary permissions to create an honeytoken. -
ggshield auth login
now displays a warning message if the token expiration date has been adjusted to comply with the personal access token maximum lifetime setting of the user's workspace.
Deprecated
ggshield iac scan
is now replaced by the newggshield iac scan all
, which supports the same options and arguments.
1.16.0
Added
- Add a new
ggshield honeytoken create
command to let you create honeytokens if enabled in your workspace.
Learn more about honeytokens at https://www.gitguardian.com/honeytoken
Changed
ggshield secret scan
commands can now use server-side configuration for the maximum document size and maximum document count per scan.
Fixed
-
Accurately enforce the timeout of the pre-receive secret scan command (#417)
-
Correctly compute the secret ignore sha in the json output.
-
GitLab WebUI Output Handler now behaves correctly when using the
ignore-known-secrets
flag, it also no longer displays empty messages in the UI.
1.15.1
Changed
ggshield secret scan
JSON output has been improved:- It now includes an
incident_url
key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string. - The
known_secret
key is now always present and defaults tofalse
if the incident is unknown to the dashboard.
- It now includes an
Fixed
- Fixed a regression introduced in 1.15.0 which caused the
--ignore-known-secrets
option to be ignored.
1.15.0
Changed
-
ggshield secret scan
output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard. -
ggshield secret scan docker
no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.
Fixed
- Fixed an issue where the progress bar for
ggshield secret scan
commands would sometimes reach 100% too early and then stayed stuck until the end of the scan.
Removed
- The deprecated commands
ggshield scan
andggshield ignore
have been removed. Useggshield secret scan
andggshield secret ignore
instead.
1.14.5
Changed
-
ggshield iac scan
can now be called without arguments. In this case it scans the current directory. -
GGShield now displays an easier-to-understand error message when no API key has been set.
Fixed
-
Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained
-
characters (#480). -
When called without an image tag,
ggshield secret scan docker
now automatically uses the:latest
tag instead of scanning all versions of the image (#468). -
ggshield secret scan
now properly stops with an error message when the GitGuardian API key is not set or invalid (#456).
1.14.4
1.14.3
Fixed
-
ggshield secret scan pre-receive
no longer scans deleted commits when a branch is force-pushed (#437). -
If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (#449).
-
GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (#448).
-
Installing GGShield no longer creates a "tests" directory in "site-packages" (#383).
-
GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.
Deprecated
- The deprecation message when using
ggshield scan
instead ofggshield secret scan
now states theggshield scan
commands are going to be removed in GGShield 1.15.0.
1.14.2
Changed
-
It is now possible to use generic command-line options like
--verbose
anywhere on the command line and scan options anywhere after thescan
word (#197). -
ggshield iac scan
now shows the severity of the detected vulnerabilities.
Fixed
-
If a file containing secrets has been committed in two different branches, then
ggshield secret scan repo
would show 4 secrets instead of 2. This has been fixed (#428). -
ggshield now uses different error codes when a scan succeeds but finds problems and when a scan does not finish (#404).
-
ggshield now correctly handles the case where git is not installed (#329).
1.14.1
Fixed
- Fixed dependency on pygitguardian, which blocked the release on pypi.