Security

• Fixed a bug where ggshield secret scan archive could be passed a maliciously crafted tar archive to overwrite user files.

Added

• ggshield secret scan commands can now output results in SARIF format, using the new --format sarif option (#869).

• ggshield sca scan ci and ggshield sca scan all now support the MALICIOUS value for --minimum-severity

Changed

• ggshield now has the ability to display custom remediation messages on pre-commit, pre-push and pre-receive. These messages are defined in the platform and fetched from the /metadata endpoint of the API. If no messages are set up on the platform, default remediation messages will be displayed as before.

Removed

• The --all option of the ggshield sca scan ci and ggshield iac scan ci commands has been removed.

Added

• ggshield secret scan path now provides a --use-gitignore option to honor .gitignore and related files (#801).

• A new secret scan command, ggshield secret scan changes, has been added to scan changes between the current state of a repository checkout and its default branch.

• GGShield is now available as a standalone executable on Windows.

Changed

• The behavior of the ggshield sca scan ci and ggshield iac scan ci commands have changed. These commands are now expected to run in merge-request CI pipelines only, and will compute the diff exactly associated with the merge request.

Deprecated

• Running ggshield sca scan ci or ggshield iac scan ci outside of a merge request CI pipeline is now deprecated.

Fixed

• GGShield now consumes less memory when scanning large repositories.

• Errors thrown during ggshield auth login flow with an invalid instance URL are handled and the stack trace is no longer displayed on the console.

• Patch symbols at the start of lines are now always displayed, even for single line secrets.

• The ggshield auth login command now respects the --allow-self-signed flag.

• GGShield now exits with a proper error message instead of crashing when it receives an HTTP response without Content-Type header.

Added

• The SCA config ignored_vulnerabilities option now supports taking a CVE id as identifier.

Removed

• The This feature is still in beta, its behavior may change in future versions warning is no longer displayed for sca commands.

Added

• It is now possible to customize the remediation message printed by GGShield pre-receive hook. This can be done by setting the message in the secret.prereceive_remediation_message configuration key. Thanks a lot to @Renizmy for this feature.

• We now provide signed .pkg files for macOS.

• Add This feature is still in beta, its behavior may change in future versions warning to iac scan all

Changed

• Linux .deb and .rpm packages now use the binaries produced by pyinstaller. They no longer depend on Python.

Deprecated

• Dash-separated configuration keys are now deprecated, they should be replaced with underscore-separated keys. For example show-secrets should become show_secrets. GGShield still supports reading from dash-separate configuration keys, but it prints a warning when it finds one.

Fixed

• GGShield commands working with commits no longer fail when parsing a commit without any author.

• Configuration keys defined in the global configuration file are no longer ignored if a local configuration file exists.

• The option --exclude PATTERN is no longer ignored by the command ggshield secret scan repo.

Added

• ggshield auth login learned to create tokens with extra scopes using the --scopes option. Using ggshield auth login --scopes honeytokens:write would create a token suitable for the ggshield honeytokens commands.

Added

• It is now possible to create a honeytoken with context using the new honeytoken create-with-context command.

Changed

• SCA incidents ignored on the GitGuardian app will no longer show up in the scan results, in text/JSON format.

Added

• Adds two new flags for ggshield sca scan commands, --ignore-fixable and --ignore-not-fixable so that the user can filter the returned incidents depending on if incidents can be fixed or not. Both flags cannot be used simultaneously.

Changed

• Number of documents in a chunk is now adapted to the server payload.
• Moved some property from Scannable children classes up to Scannbable itself.

Fixed

• IAC/SCA scans will scan new commits as intended for CI jobs on newly pushed branches.

• IAC/SCA scans will scan new commits as intended for CI jobs on the first push to a new repository

• In CI jobs, IAC/SCA scans on forced pushs no longer trigger an error but perform a scan on all commits instead.

• Fixes ggshield sca scan commands not taking some user parameters into account.

Added

• GGShield output now adapts when the grace period of an IaC incident ignored by a developer has been expired.

• GGShield now shows a warning message if it hits a rate-limit.

Changed

• IaC incidents ignored on the GitGuardian app no longer show up in the scan results.

Fixed

• IaC/SCA scans now properly find the parent commit SHA on GitLab push pipelines for new branches.

• Error messages now appear above progress bars instead of overlapping them.

IaC

• File content are now displayed as intended when executing ggshield iac scan all on a subdirectory of a Git repository.

• Pre-push scans are now diff scans when pushing a new branch, comparing to the last commit of the parent branch.

• Pre-push scans on empty repositories no longer include staged files.

Added

• Secret: ggshield now prints the name of what is being scanned when called with --verbose (#212).

• You can now use the SKIP=ggshield environment variable without the pre-commit framework to skip pre-commit and pre-push scans.

Changed

• ggshield can now scan huge commits without running out of memory.

Fixed

• IAC and SCA: scans in GitLab merge request pipelines should now be performed on the intended commit ranges, instead of an empty range.