Skip to content

Releases: GitGuardian/ggshield

1.35.0

08 Jan 14:57
Compare
Choose a tag to compare

Added

  • The --all-secrets option to secret scans, allowing to display all found secrets, and their possible ignore reason.

Changed

  • Files contained in the .git/ directory are now scanned. Files in subdirectories such as .git/hooks are still excluded.

  • When scanning commits, ggshield now ignores by default secrets that are removed or contextual to the patch.

Fixed

  • Handle trailing content in multi-parent hunk header.

  • Installing ggshield from the release RPM on EL9 failed because of a missing library. This is now fixed (#1036).

  • Fix Visual Studio not being able to show error messages from ggshield pre-commit (#170).

1.34.0

27 Nov 13:14
Compare
Choose a tag to compare

Added

  • ggshield config list command now supports the --json option, allowing output in JSON format.

  • All secret scan commands as well as the api-status and quota commands now supports the --instance option to allow using a different instance.

  • The api-status command now prints where the API key and instance used come from.

Changed

  • ggshield api-status --json output now includes the instance URL.

  • ggshield secret scan repo now uses git clone --mirror to retrieve more git objects.

  • ggshield secret scan ci now scans all commits of a Pull Request in the following CI environments: Jenkins, Azure, Bitbucket and Drone.

Deprecated

  • ggshield now prints a warning message when it is being run executed by Python 3.8.

Fixed

  • When running ggshield secret scan ci in a GitLab CI, new commits from the target branch that are not on the feature branch will no longer be scanned.

  • Take into account the --allow-self-signed option at all levels in ggshield secret scan commands.

  • When ggshield secret scan is called with --with-incident-details and the token does not have the required scopes, the command now fails and an error message is printed.

  • ggshield no longer fails to report secrets for patches with content in hunk header lines.

1.33.0

29 Oct 14:55
Compare
Choose a tag to compare

Changed

  • The --debug option now automatically turns on verbose mode.

  • The --use-gitignore option now also applies to single files passed as argument.

  • RPM packages now depend on git-core instead of git, reducing the number of dependencies to install (#983).

Fixed

  • When using the --debug option, the log output no longer overlaps with the progress bars.

  • The ggshield pre-commit hook no longer crashes when merging files with spaces in their names (#991).

  • RPM packages now work correctly on RHEL 8.8 (#984).

1.32.2

16 Oct 14:19
Compare
Choose a tag to compare

Fixed

  • Fixed a regression introduced in ggshield 1.32.1, which made ggshield install -m global crash (#972).

1.32.1

01 Oct 13:51
Compare
Choose a tag to compare

Fixed

  • Fixed a case where ggshield commit parser could fail because of the local git configuration.

1.32.0

24 Sep 09:24
Compare
Choose a tag to compare

Added

  • When scanning a merge commit, ggshield secret scan pre-commit now skips files that merged without conflicts. This makes merging the default branch into a topic branch much faster. You can use the --scan-all-merge-files option to go back to the previous behavior.

  • ggshield secret scan commands now provide the --with-incident-details option to output more information about known incidents (JSON and SARIF outputs only).

  • It is now possible to ignore a secret manually using ggshield secret ignore SECRET_SHA --name NAME.

Fixed

  • The git commit parser has been reworked, fixing cases where commands scanning commits would fail.

1.31.0

27 Aug 08:48
Compare
Choose a tag to compare

Added

  • We now provide tar.gz archives for macOS, in addition to pkg files.

Fixed

  • JSON output: fixed incorrect values for line and index when scanning a file and not a patch.

1.30.2

05 Aug 09:40
Compare
Choose a tag to compare

Security

  • Fixed a bug where ggshield secret scan archive could be passed a maliciously crafted tar archive to overwrite user files.

1.30.1

30 Jul 15:20
Compare
Choose a tag to compare

Added

  • ggshield secret scan commands can now output results in SARIF format, using the new --format sarif option (#869).

  • ggshield sca scan ci and ggshield sca scan all now support the MALICIOUS value for --minimum-severity

Changed

  • ggshield now has the ability to display custom remediation messages on pre-commit, pre-push and pre-receive. These messages are defined in the platform and fetched from the /metadata endpoint of the API. If no messages are set up on the platform, default remediation messages will be displayed as before.

1.29.0

25 Jun 12:41
Compare
Choose a tag to compare

Removed

  • The --all option of the ggshield sca scan ci and ggshield iac scan ci commands has been removed.

Added

  • ggshield secret scan path now provides a --use-gitignore option to honor .gitignore and related files (#801).

  • A new secret scan command, ggshield secret scan changes, has been added to scan changes between the current state of a repository checkout and its default branch.

  • GGShield is now available as a standalone executable on Windows.

Changed

  • The behavior of the ggshield sca scan ci and ggshield iac scan ci commands have changed. These commands are now expected to run in merge-request CI pipelines only, and will compute the diff exactly associated with the merge request.

Deprecated

  • Running ggshield sca scan ci or ggshield iac scan ci outside of a merge request CI pipeline is now deprecated.

Fixed

  • GGShield now consumes less memory when scanning large repositories.

  • Errors thrown during ggshield auth login flow with an invalid instance URL are handled and the stack trace is no longer displayed on the console.

  • Patch symbols at the start of lines are now always displayed, even for single line secrets.

  • The ggshield auth login command now respects the --allow-self-signed flag.

  • GGShield now exits with a proper error message instead of crashing when it receives an HTTP response without Content-Type header.