Releases: GitGuardian/ggshield
1.49.0
Removed
- Pre-receive hook on GitHub Enterprise Server v3.9 to v3.13 is no longer supported. v3.13 has been EOL since 2025-06-19, and earlier versions were discontinued before that.
Added
- Add `@file` support to `secret scan path` to load scan paths from a file.
- Add the `ggshield secret scan ai-hook` command to scan AI coding tool hook payloads for secrets in real time.
- Add new types `claude-code|cursor|copilot` to the `ggshield install` command to install hooks into AI coding tool configurations.
- Pre-receive hook can now be set up on GitHub Enterprise Server v3.14 and higher.
- `api-status`: display the scopes of the current authentication token.
Fixed
- `secret scan ci`: fetch the target branch before computing the MR/PR commit range. In CI environments with cached repos or shallow clones, a stale target branch ref could cause ggshield to scan unrelated commits, leading to excessive API calls and secrets reported in files not modified by the MR.
- `hmsl vault-scan`: fixed a hang when the HashiCorp Vault server is unresponsive; requests now time out after 30 seconds and network errors are reported with a clear message.
- Fixed a path traversal security issue in tar archives used for git-based scans; member names with absolute paths or `..` components are now sanitized.
- Fixed an issue where an invalid option for a `secret scan` subcommand could be silently treated as a request to run the default command, producing a confusing error instead of the expected usage error.
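The tar path traversal fix above is the kind of bug that is easiest to understand with a concrete archive in hand. The following Python example is added here and is not ggshield's own code: it builds a small in-memory tar (constructed test input) containing an absolute member name, a `../` escape, and a `..` segment that normalizes harmlessly, then applies one possible sanitization rule. It assumes that "sanitized" means absolute names are made relative by stripping leading slashes and names that still escape the root after normalization are dropped; ggshield's exact rule is not stated in the release note. Every function and variable name is the example's own.

```python
import io
import os
import posixpath
import tarfile
import tempfile
from typing import Dict, Optional


def sanitize_member_name(name: str) -> Optional[str]:
    """Return a safe, relative, normalized path for a tar member, or None to drop it.

    Hypothetical helper (not ggshield's). Policy assumed here:
      * backslashes are treated as separators (archives built on Windows);
      * absolute names lose their leading slashes and become relative;
      * "." and ".." segments are collapsed, and a name whose first remaining
        component is still ".." escapes the extraction root and is rejected.
    """
    candidate = posixpath.normpath(name.replace("\\", "/")).lstrip("/")
    if candidate in ("", "."):
        return None
    if candidate.split("/")[0] == "..":
        return None
    return candidate


def extract_safely(archive: bytes, dest: str) -> Dict[str, bytes]:
    """Extract regular files from an in-memory tar into dest, sanitizing every name.

    Returns {sanitized_name: content}. Directories are created; symlinks,
    hardlinks and device nodes are skipped entirely, since their targets would
    need their own containment check (assumption: a scanner only needs file
    contents). The resolved path is re-checked against the root as a second
    line of defence before anything is written.
    """
    root = os.path.realpath(dest)
    written: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            safe = sanitize_member_name(member.name)
            if safe is None:
                continue
            target = os.path.realpath(os.path.join(root, safe))
            if os.path.commonpath([root, target]) != root:
                continue  # defence in depth: never write outside root
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                data = tar.extractfile(member).read()
                with open(target, "wb") as fh:
                    fh.write(data)
                written[safe] = data
    return written


def build_constructed_archive() -> bytes:
    """Constructed test input: one benign member and three hostile member names."""
    entries = {
        "repo/README.md": b"hello",                # benign
        "/etc/cron.d/evil": b"* * * * * root id\n",  # absolute path
        "../../outside.txt": b"escaped",            # escapes the root
        "repo/sub/../ok.txt": b"fine",              # ".." that stays inside
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)  # addfile() keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> Dict[str, bytes]:
    """Extract the constructed archive into a throwaway directory and report what landed."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(build_constructed_archive(), dest)


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name}: {content!r}")
```

Only three of the four members survive: the absolute name is rewritten to `etc/cron.d/evil` under the extraction root, `repo/sub/../ok.txt` collapses to `repo/ok.txt`, and `../../outside.txt` is dropped. Python 3.12 and later also ship `tarfile.data_filter`, which applies similar rules inside `extractall`; a scanner that extracts member by member, as above, needs to apply the check itself.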
1.48.0
Added
- Add enterprise plugin system for ggshield, allowing organizations to install and manage plugins from GitGuardian.
- `hmsl`: Secrets shorter than 6 characters are now filtered out before being sent to the HMSL API, reducing false positives from obvious non-secrets.
Changed
- `hmsl`: Expand the list of excluded placeholder values (e.g., `changeme`, `placeholder`, `redacted`) that are not sent to the HMSL API.
- Relax `urllib3` dependency pin from `~=2.2.2` to `>=2.2.2,<3`, allowing compatibility with newer urllib3 versions (#1160).
Fixed
- Prevent docker scan stdout from leaking into JSON output.
1.47.0
Added
- Display a warning if .cache_ggshield is not ignored in a git repository.
1.46.0
Added
- An `HTTPAdapter` with wider parameters has been set up to better handle scanning multiple files at the same time.
- Add `GITGUARDIAN_GIT_REMOTE_FALLBACK_URL` environment variable that allows setting a fallback value for the repository remote.
- Tokens are obfuscated in `ggshield config list` output.
Changed
- Clearer error message when token is missing: specify the command to run to generate a token (`ggshield auth login`).
Fixed
- Install `ggshield` hooks inside `.husky/` when the repository uses Husky-managed hooks so local installs work out of the box (#1143).
1.45.0
Fixed
- ggshield no longer crashes when scanning invalid symlinks; it emits a warning instead.
- Handle unmerged files in pre-commit scanning during an ongoing merge.
- Fixed crash when ggshield received missing tags.
1.44.1
Added
- Added `--insecure` CLI option and `insecure` configuration setting as clearer alternatives to `--allow-self-signed` and `allow_self_signed`. The new option explicitly communicates that SSL verification is completely disabled, making the connection vulnerable to man-in-the-middle attacks.
- Added prominent warning messages when SSL verification is disabled (via either `--insecure` or `--allow-self-signed`), explaining the security risks and recommending the secure alternative of using the system certificate trust store (available with Python >= 3.10).
Changed
- Removed Clear Linux from the OS package testing workflow as the project has been discontinued.
- Fixed Python version for PDM install in the build release workflow.
Deprecated
- The `--allow-self-signed` CLI option and `allow_self_signed` configuration setting are now deprecated in favor of `--insecure` and `insecure`. Deprecation warnings are displayed when these options are used, guiding users to the clearer alternative. Both options remain functional for backward compatibility and will be maintained for an extended deprecation period before removal.
Fixed
- Fixed crash when API returns scopes not yet recognized by py-gitguardian.
- Skip non-seekable files instead of crashing.
Security
- Improved clarity around SSL verification settings. The `--allow-self-signed` option name was misleading as it suggests certificate validation is still performed, when in reality all SSL verification is disabled. The new `--insecure` option makes this behavior explicit. Both options remain functional for backward compatibility.
1.43.0
Fixed
- Fixed PyInstaller deprecation warning when running PyInstaller-based ggshield.
- Scanning git repositories can no longer fail with git "dubious ownership" errors.
- Extended the range of API error status codes supported by ggshield so the UI correctly displays them.
1.42.0
Added
- Added an additional section in `ggshield` outputs to return vault related fields if the account setting is enabled.
- `ggshield` Docker image now supports both linux/amd64 and linux/arm64 architectures (#952).
- `ggshield secret scan docker` now scans more files.
Changed
- `ggshield secret scan` now provides a `--source-uuid` option. When this option is set, it will create the incidents on the GIM dashboard on the corresponding source. Note that the token should have the scope `scan:create-incidents`.
1.41.0
Changed
- When scanning a docker image, if no image is found matching the client platform, try to pull the `linux/amd64` image.
1.40.0
Added
- The release assets now contain a NuGet package.
- Added a new section in `ggshield` outputs (text and JSON) to notify if a secret is in one of the accounts' secrets managers.
Changed
- `ggshield secret scan docker` now scans files in `/usr/src/app`.
Fixed
- Fixed a bug in the way `ggshield` obfuscated secrets that caused a crash for short secrets (#1086).
- `ggshield` no longer crashes when it can't find git.