Releases: GitGuardian/ggshield
1.35.0
Added
- The --all-secrets option for secret scans, which displays all found secrets and their possible ignore reason.
Changed
- Files contained in the .git/ directory are now scanned. Files in subdirectories such as .git/hooks are still excluded.
- When scanning commits, ggshield now ignores by default secrets that are removed or contextual to the patch.
Fixed
1.34.0
Added
- ggshield config list command now supports the --json option, allowing output in JSON format.
- All secret scan commands as well as the api-status and quota commands now support the --instance option to allow using a different instance.
- The api-status command now prints where the API key and instance used come from.
Changed
- ggshield api-status --json output now includes the instance URL.
- ggshield secret scan repo now uses git clone --mirror to retrieve more git objects.
- ggshield secret scan ci now scans all commits of a Pull Request in the following CI environments: Jenkins, Azure, Bitbucket and Drone.
Deprecated
- ggshield now prints a warning message when it is being run by Python 3.8.
Fixed
- When running ggshield secret scan ci in a GitLab CI, new commits from the target branch that are not on the feature branch will no longer be scanned.
- Take into account the --allow-self-signed option at all levels in ggshield secret scan commands.
- When ggshield secret scan is called with --with-incident-details and the token does not have the required scopes, the command now fails and an error message is printed.
- ggshield no longer fails to report secrets for patches with content in hunk header lines.
1.33.0
Changed
- The --debug option now automatically turns on verbose mode.
- The --use-gitignore option now also applies to single files passed as argument.
- RPM packages now depend on git-core instead of git, reducing the number of dependencies to install (#983).
Fixed
1.32.2
1.32.1
Fixed
- Fixed a case where ggshield commit parser could fail because of the local git configuration.
1.32.0
Added
- When scanning a merge commit, ggshield secret scan pre-commit now skips files that merged without conflicts. This makes merging the default branch into a topic branch much faster. You can use the --scan-all-merge-files option to go back to the previous behavior.
- ggshield secret scan commands now provide the --with-incident-details option to output more information about known incidents (JSON and SARIF outputs only).
- It is now possible to ignore a secret manually using ggshield secret ignore SECRET_SHA --name NAME.
Fixed
- The git commit parser has been reworked, fixing cases where commands scanning commits would fail.
1.31.0
Added
- We now provide tar.gz archives for macOS, in addition to pkg files.
Fixed
- JSON output: fixed incorrect values for line and index when scanning a file and not a patch.
1.30.2
Security
- Fixed a bug where ggshield secret scan archive could be passed a maliciously crafted tar archive to overwrite user files.
1.30.1
Added
- ggshield secret scan commands can now output results in SARIF format, using the new --format sarif option (#869).
- ggshield sca scan ci and ggshield sca scan all now support the MALICIOUS value for --minimum-severity.
Changed
- ggshield now has the ability to display custom remediation messages on pre-commit, pre-push and pre-receive. These messages are defined in the platform and fetched from the /metadata endpoint of the API. If no messages are set up on the platform, default remediation messages will be displayed as before.
1.29.0
Removed
- The --all option of the ggshield sca scan ci and ggshield iac scan ci commands has been removed.
Added
- ggshield secret scan path now provides a --use-gitignore option to honor .gitignore and related files (#801).
- A new secret scan command, ggshield secret scan changes, has been added to scan changes between the current state of a repository checkout and its default branch.
- GGShield is now available as a standalone executable on Windows.
Changed
- The behavior of the ggshield sca scan ci and ggshield iac scan ci commands has changed. These commands are now expected to run in merge-request CI pipelines only, and will compute the diff exactly associated with the merge request.
Deprecated
- Running ggshield sca scan ci or ggshield iac scan ci outside of a merge request CI pipeline is now deprecated.
Fixed
- GGShield now consumes less memory when scanning large repositories.
- Errors thrown during ggshield auth login flow with an invalid instance URL are handled and the stack trace is no longer displayed on the console.
- Patch symbols at the start of lines are now always displayed, even for single line secrets.
- The ggshield auth login command now respects the --allow-self-signed flag.
- GGShield now exits with a proper error message instead of crashing when it receives an HTTP response without Content-Type header.