ggshield

A command-line interface tool for detecting and preventing hardcoded secrets in source code.

Tags: Multi-Cloud, Open Source, Self Hosted + Cloud Options
Category: Secrets Management
Last Commit: 1 year ago
This page updated: 22 days ago
Pricing Details: Free plan with 1,000 API calls per month; business plans available for higher quotas.
Target Audience: Developers and DevOps teams looking to secure their code against hardcoded secrets.

ggshield is a command-line interface (CLI), developed by GitGuardian, for finding hardcoded secrets in source code and blocking them before they are committed or pushed. It integrates into developer workflows both in local environments and in Continuous Integration/Continuous Deployment (CI/CD) pipelines.

Technically, ggshield sends the content it scans to GitGuardian's public API through the py-gitguardian library; the detection itself happens on the GitGuardian side, not locally. It can scan files, repositories, Docker images, and even PyPI packages for over 400 types of hardcoded secrets, including API keys, certificates, and database connection URLs. The tool is stateless: the GitGuardian backend stores only metadata about each call (call time, request size, and scan mode) and retains neither the secrets found nor the resulting policy-break incidents. Teams whose policy forbids sending source to a third-party service should weigh that API dependency, or use the self-hosted option, before adopting it.

Operationally, ggshield can be installed on macOS, Linux, and Windows. It requires Git, and Python 3.8 or newer unless a standalone package is used. Additional tools such as Docker and pip may be needed for specific scan types (Docker images and PyPI packages respectively). Setup consists of authenticating against a GitGuardian workspace with either a personal access token or a service account token: interactively with the ggshield auth login command, or, for CI environments, by supplying the token manually through the GITGUARDIAN_API_KEY environment variable injected from the pipeline's secret store.

Key operational considerations include installing ggshield as a pre-commit hook so secrets are caught before a commit is created, and adding it to CI/CD pipelines so every pushed change is scanned even when a developer skipped the local hook. A hook only inspects new changes; secrets already present in history have to be found with a separate repository scan and then revoked, since removing them from the tree does not invalidate them. The tool adds a step to the development workflow, depends on network access to the GitGuardian API, and needs periodic updates to pick up new detectors. The free plan's 1,000 API calls per month may be sufficient for small teams but can be limiting for larger organizations or busy pipelines, which will need a business plan for higher quotas.
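The following wrapper is an added example for the setup and integration steps above; it is not ggshield's own code and is not from the original page. It emits a pre-commit configuration for the ggshield hook, refuses to run a scan when GITGUARDIAN_API_KEY is absent (so a missing CI secret fails the job instead of silently skipping the gate), builds the scan command for the pre-commit, CI, and path modes, and maps ggshield's exit codes (0 clean, 1 secrets found, 128 error) to a label the pipeline can branch on. The release tag passed to precommit_config and the GGSHIELD_WRAPPER_RUN switch are assumptions of this example; pin a real tag from the ggshield repository.

```shell
#!/usr/bin/env bash
# Added example wrapper around ggshield; not part of ggshield or this page.
# Assumptions: ggshield is on PATH when a scan actually runs, the token is in
# GITGUARDIAN_API_KEY, and the caller pins a real release tag for the hook.
set -u

# Print a .pre-commit-config.yaml that runs ggshield before every commit.
# $1 is the ggshield release tag to pin (assumed; pick one from the repo).
precommit_config() {
  rev="$1"
  cat <<EOF
repos:
  - repo: https://github.com/gitguardian/ggshield
    rev: ${rev}
    hooks:
      - id: ggshield
        language: python
        stages: [pre-commit]
EOF
}

# Fail closed: a CI job without a token must not pass as if it had scanned.
require_gitguardian_token() {
  if [ -z "${GITGUARDIAN_API_KEY:-}" ]; then
    echo "GITGUARDIAN_API_KEY is not set; refusing to run an unauthenticated scan" >&2
    return 1
  fi
}

# Build the ggshield command line for a scan mode. The optional second
# argument is the directory for path mode (paths with spaces unsupported here).
build_scan_cmd() {
  case "$1" in
    pre-commit) echo "ggshield secret scan pre-commit" ;;
    ci)         echo "ggshield secret scan ci" ;;
    path)       echo "ggshield secret scan path --recursive ${2:-.}" ;;
    *)          echo "unknown scan mode: $1" >&2; return 2 ;;
  esac
}

# Translate ggshield's exit status into a label the pipeline can act on.
interpret_exit() {
  case "$1" in
    0)   echo "clean" ;;
    1)   echo "secrets-found" ;;
    128) echo "error" ;;
    *)   echo "unexpected" ;;
  esac
}

# Run a scan and propagate ggshield's own status so CI fails on secrets.
run_scan() {
  mode="$1"
  shift
  require_gitguardian_token || return 128
  cmd="$(build_scan_cmd "$mode" "${1:-}")" || return 128
  $cmd   # unquoted on purpose: cmd is the fixed argv assembled above
  status=$?
  echo "ggshield result: $(interpret_exit "$status")" >&2
  return "$status"
}

# Only execute when explicitly asked, so sourcing this file has no side effects:
#   GGSHIELD_WRAPPER_RUN=1 GITGUARDIAN_API_KEY=... ./scan.sh ci
if [ "${GGSHIELD_WRAPPER_RUN:-0}" = "1" ]; then
  run_scan "${1:-ci}"
  exit $?
fi
```

In a pipeline, call run_scan ci and let its non-zero status fail the job; the "error" label (exit 128) is worth alerting on separately, because it usually means a quota or authentication problem rather than a clean tree.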
