Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In this section, we cover what to do when ggshield finds something you don’t actually need to remediate, like a false positive, an intentionally fake credential in a demo repo, or a known non-sensitive test value. ggshield secret ignore lets you mark specific findings as ignored by adding them to the secrets.ignored_matches section of your local configuration. If your repo doesn’t already have a local config file, ggshield will create a.gitguardian.yaml file for you.

Let's look at Git hooks, which is where ggshield really starts paying off in day-to-day developer workflow. Git hooks are built-in automation in Git. When certain events happen, like committing or pushing, Git checks for specific files inside the.git/hooks folder. If a hook file exists, Git runs it automatically. For example, if there’s a file named pre-commit, Git will execute it every time you commit.

Next up is ggshield secret scan ci, the mode built for continuous integration, not your local machine. In this section, we’ll show how CI scanning works and why it’s different. Instead of scanning your whole repo, it scans the set of commits that triggered your pipeline, whether that build came from a direct push or a pull request. That means you catch secrets at the exact moment they’re introduced, before they get merged or released.

Now we’re getting to the heart of ggshield: secret scanning. In this section, we jump into ggshield secret and its two subcommands, ignore and scan. Ignore makes a lot more sense once you’ve seen scan in action, so we start by learning what ggshield can scan and why it’s so flexible across the development lifecycle. We’ll open the help menu so you can see every scan target available: ggshield secret scan -h.

Let’s start by learning how to navigate ggshield like any other CLI tool: through its built-in help menu. To see the top-level help, just run ggshield with no options and press enter: ggshield Any time you want help for a specific command, add -h or --help to the end of that command before hitting enter. ggshield follows a standard command-line pattern you’ll see in many tools: ggshield ... If you’re new to CLIs, here’s what that means: ggshield is the program you’re running. are the extra details the command needs, like a path or filename.

What ggshield commands are available? First is quota, which checks how many API calls you have remaining for your GitGuardian workspace: ggshield quota As a rule of thumb, Starter plans include 10,000 API calls per month, and Business and Enterprise plans start at 100,000 calls per month. Next is config, which acts like the CLI control panel. ggshield uses YAML configuration to define how the CLI behaves, and you can tune it per repository.

Now that ggshield is installed, the next step is to authenticate it with GitGuardian so it can scan and talk to the API. The most common method is browser-based login: ggshield auth login This opens your browser and prompts you to sign in through the GitGuardian dashboard. It automatically generates an access token for you and stores it safely in your local configuration. By default, the token is scoped for secret scanning, which is what most people need. We’ll revisit scopes later.

Install ggshield the right way for your OS and get scanning in minutes. In this video, we walk through the most common installation paths for macOS, Linux, and Windows, plus container options if that’s your workflow: macOS: install with Homebrew, or grab the standalone.pkg from the ggshield releases page (no Python required, but you’ll update manually). Linux: install via Deb/RPM packages available on Cloudsmith. Windows: install via Chocolatey, or download the standalone.zip from the releases page (no Python required, but you’ll update manually).

In this in-depth walkthrough, we will show you how to turn ggshield, the GitGuardian CLI, into a practical guardrail for keeping secrets out of your code and CI pipelines. You’ll see exactly how to install and authenticate ggshield, then use it to scan repositories, local paths, archives, Docker images, PyPI packages, and CI environments for hardcoded credentials. We’ll also walk through configuring Git hooks with ggshield install.

Get up and running with ggshield, the GitGuardian CLI, in just a few minutes by installing it, authenticating, and running your first secrets scan. This quick-start video shows you how to scan individual files and entire projects, then lock in protection with a pre-commit Git hook to keep secrets out of your commits.

Watch our security researcher Guillaume Valadon break down the sophisticated ShaiHulud 2.0 attack where malware exfiltrates secrets directly to GitHub using stolen developer credentials.

We discovered hackers were testing Shai-Hulud 2.0 three days before the attack. Our researcher Guillaume Valadon explains how GitGuardian's data helped us warn hundreds of companies who didn't even know they were compromised.