
GitGuardian/ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.


Top Related Projects

  • gitleaks: Protect and discover secrets using Gitleaks 🔑
  • git-secrets: Prevents you from committing secrets and credentials into git repositories
  • Talisman: Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
  • Trufflehog: Find, verify, and analyze leaked credentials

Quick Overview

GitGuardian/ggshield is an open-source CLI application designed to detect and prevent secrets (like API keys, passwords, and tokens) from being exposed in source code. It integrates with various CI/CD pipelines and can be used locally by developers to scan their code before committing changes.

Pros

  • Seamless integration with multiple CI/CD platforms and Git workflows
  • Supports scanning of various file types and formats
  • Customizable rules and policies for secret detection
  • Provides detailed reports and actionable insights

Cons

  • May produce false positives in certain scenarios
  • Requires initial setup and configuration for optimal use
  • Limited to secret detection and doesn't cover other security aspects
  • Performance may be impacted when scanning large codebases

Code Examples

# Scan the current directory for secrets (-r recurses into subdirectories)
ggshield secret scan path -r .
# Scan a specific file for secrets
ggshield secret scan path /path/to/file.py
# Scan the full commit history of a local Git repository for secrets
ggshield secret scan repo /path/to/repo

Getting Started

  1. Install ggshield:

    pip install ggshield
    
  2. Set up your GitGuardian API key:

    ggshield auth login
    
  3. Scan your project (directories need -r to be scanned recursively):

    ggshield secret scan path -r /path/to/your/project
    
  4. (Optional) Add a pre-commit hook to the current repository:

    ggshield install -m local -t pre-commit
    

Competitor Comparisons


Protect and discover secrets using Gitleaks 🔑

Pros of gitleaks

  • Lightweight and fast, with minimal dependencies
  • Supports a wide range of version control systems beyond Git
  • Highly customizable with extensive regex pattern support

Cons of gitleaks

  • Less user-friendly interface compared to ggshield
  • Requires more manual configuration for optimal results
  • Limited integration with CI/CD pipelines out of the box

Code Comparison

gitleaks:

func (s *Scanner) Scan(ctx context.Context, opts ...ScanOption) ([]Report, error) {
    for _, opt := range opts {
        opt(s)
    }
    return s.scan(ctx)
}

ggshield:

from typing import List

def scan(self, paths: List[str], **kwargs) -> List[Secret]:
    # Scan each path in turn and merge the findings into a single list
    secrets = []
    for path in paths:
        secrets.extend(self._scan_path(path, **kwargs))
    return secrets

Both tools offer efficient scanning capabilities, but gitleaks uses Go for performance, while ggshield leverages Python for easier extensibility and integration with other tools.

Prevents you from committing secrets and credentials into git repositories

Pros of git-secrets

  • Lightweight and easy to set up, with minimal dependencies
  • Integrates well with AWS-specific secret patterns
  • Can be used as a standalone tool or as a git hook

Cons of git-secrets

  • Limited to predefined patterns and regex-based scanning
  • Lacks advanced features like API integration or cloud-based scanning
  • May produce more false positives compared to AI-powered solutions

Code Comparison

git-secrets:

#!/bin/bash
git secrets --install
git secrets --register-aws
git secrets --scan

ggshield:

pip install ggshield
ggshield install -m local
ggshield secret scan repo .

Key Differences

  • ggshield offers more comprehensive scanning capabilities, including AI-powered secret detection
  • git-secrets focuses primarily on AWS-related secrets, while ggshield covers a broader range of secret types
  • ggshield provides integration with GitGuardian's cloud platform for advanced monitoring and reporting
  • git-secrets is a bash-based tool, while ggshield is a Python-based CLI tool with more extensive features

Both tools aim to prevent secret leaks in Git repositories, but ggshield offers a more robust and feature-rich solution at the cost of increased complexity and potential overhead. git-secrets remains a solid choice for simpler setups or AWS-focused environments.

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.

Pros of Talisman

  • Lightweight and easy to set up, with minimal dependencies
  • Supports multiple version control systems (Git, Mercurial)
  • Customizable through configuration files and ignore patterns

Cons of Talisman

  • Limited integration with CI/CD platforms compared to ggshield
  • Fewer pre-built secret detection patterns out of the box
  • Less frequent updates and maintenance

Code Comparison

Talisman configuration (.talismanrc):

fileignoreconfig:
- filename: config/database.yml
  checksum: 0123456789abcdef0123456789abcdef

ggshield configuration (.gitguardian.yaml):

version: 2
secret:
  ignored-paths:
    - config/database.yml
  ignored-matches:
    - name: Generic Password
      match: 0123456789abcdef0123456789abcdef

Both tools aim to prevent secrets from being committed, but ggshield offers more advanced features and integrations, while Talisman focuses on simplicity and ease of use. ggshield provides a broader range of secret detection patterns and better CI/CD integration, making it more suitable for larger projects or organizations with complex security requirements. Talisman, on the other hand, is a good choice for smaller projects or teams looking for a straightforward, lightweight solution.

Find, verify, and analyze leaked credentials

Pros of Trufflehog

  • More extensive scanning capabilities, including support for various version control systems and cloud providers
  • Open-source and community-driven, allowing for greater customization and contributions
  • Supports a wider range of secret types and patterns out-of-the-box

Cons of Trufflehog

  • Less user-friendly interface compared to ggshield's CLI
  • Fewer pre-built integrations with CI/CD platforms and development tools
  • May require more setup and configuration for advanced use cases

Code Comparison

ggshield example:

ggshield secret scan path /path/to/your/code

Trufflehog example:

trufflehog filesystem /path/to/your/code

Both tools offer similar basic functionality for scanning local directories, but their advanced features and usage patterns differ. ggshield focuses on ease of use and integration with GitGuardian's platform, while Trufflehog provides more flexibility and customization options for advanced users.


README


ggshield: protect your code with GitGuardian


ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 400 types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.

ggshield uses our public API through py-gitguardian to scan and detect potential vulnerabilities in files and other text content.

Only metadata such as call time, request size and scan mode is stored from scans using ggshield, therefore secrets and policy-break incidents will not be displayed on your dashboard, and your files and secrets won't be stored.


Installation

Requirements

ggshield works on macOS, Linux and Windows.

It requires Python 3.8 and newer (except for standalone packages) and git.

Some commands require additional programs:

  • docker: to scan docker images.
  • pip: to scan pypi packages.

macOS

Homebrew

You can install ggshield using Homebrew:

$ brew install gitguardian/tap/ggshield

Upgrading is handled by Homebrew.

Standalone .pkg package

Alternatively, you can download and install a standalone .pkg package from ggshield release page.

This package does not require installing Python, but you have to manually download new versions.

Linux

Deb and RPM packages

Deb and RPM packages are available on Cloudsmith.

Setup instructions:

Upgrading is handled by the package manager.

Windows

Standalone .zip archive

We provide a standalone .zip archive on ggshield release page.

Unpack the archive on your disk, then add the directory containing the ggshield.exe file to %PATH%.

This archive does not require installing Python, but you have to manually download new versions.

All operating systems

ggshield can be installed on all supported operating systems via its PyPI package.

Using pipx

The recommended way to install ggshield from PyPI is to use pipx, which will install it in an isolated environment:

$ pipx install ggshield

To upgrade your installation, run:

$ pipx upgrade ggshield

Using pip

You can also install ggshield from PyPI using pip, but this is not recommended because the installation is not isolated, so other applications or packages installed this way may affect your ggshield installation. This method will also not work if your Python installation is declared as externally managed (for example when using the system Python on operating systems like Debian 12):

$ pip install --user ggshield

To upgrade your installation, run:

$ pip install --user --upgrade ggshield

Initial setup

Using ggshield auth login

To use ggshield you need to authenticate against GitGuardian servers. To do so, use the ggshield auth login command. This command automates the provisioning of a personal access token and its configuration on the local workstation.

You can learn more about it from ggshield auth login documentation.

Manual setup

You can also create your personal access token manually and store it in the GITGUARDIAN_API_KEY environment variable to complete the setup.

Getting started

Secrets

You can now use ggshield to search for secrets:

  • in files: ggshield secret scan path -r .
  • in repositories: ggshield secret scan repo .
  • in Docker images: ggshield secret scan docker ubuntu:22.04
  • in Pypi packages: ggshield secret scan pypi flask
  • and more, have a look at ggshield secret scan --help output for details.

Infra as Code Security (IaC)

You can also search for vulnerabilities in your IaC files using the following command:

ggshield iac scan all .

However, if you are only interested in new potential IaC vulnerabilities, you can run:

ggshield iac scan diff --ref=HEAD~1 .

Have a look at ggshield iac scan --help for more details.
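The choice between "iac scan all" and "iac scan diff" usually depends on which branch a CI job is building. The script below is an added example, not part of ggshield or its README: on the base branch it runs a full scan, and on any other branch it runs a diff scan whose --ref is the merge base with the base branch rather than HEAD~1, so that vulnerabilities introduced in earlier commits of the same branch are still reported. The function name iac_gate, the default base branch "main" and the convention that the base branch always gets a full scan are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from ggshield or its README): pick a full or an
# incremental IaC scan depending on the branch, and derive --ref from the
# merge base so the diff covers the whole branch, not just the last commit.
#
# Assumptions (not from the page): the function name, the "main" default for
# the base branch, and the rule that the base branch itself is fully scanned.

# iac_gate BRANCH [BASE_BRANCH] [PATH]
#   Runs "ggshield iac scan all PATH" when BRANCH is the base branch,
#   otherwise "ggshield iac scan diff --ref=<merge base> PATH".
#   Returns ggshield's exit status (0 clean, 1 issues found) or 2 when the
#   merge base cannot be determined.
iac_gate() {
    branch="$1"
    base="${2:-main}"
    target="${3:-.}"

    if [ "$branch" = "$base" ]; then
        # On the base branch there is no "before" state to diff against:
        # scan everything so the baseline is known.
        ggshield iac scan all "$target" || return $?
        return 0
    fi

    # Diff against the commit where the branch forked from the base branch.
    # --ref=HEAD~1 would only cover the most recent commit of the branch.
    merge_base=$(git merge-base "$base" HEAD) || return 2
    ggshield iac scan diff --ref="$merge_base" "$target" || return $?
    return 0
}

# Run directly to try it, e.g.:  sh iac_gate.sh feature/new-bucket main infra
# In a real pipeline the branch name comes from the CI's own variables.
if [ $# -ge 1 ]; then
    iac_gate "$@"
fi
```

When the function is sourced from a CI script, the branch and base names are taken from the pipeline's environment; the merge-base lookup requires the base branch to be present in the clone (shallow clones may need it fetched first).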

Integrations

You can integrate ggshield in your CI/CD workflow.

To catch errors earlier, use ggshield as a pre-commit, pre-push or pre-receive Git hook.

Learn more

For more information, have a look at the documentation.

Output

If no secrets or policy breaks have been found, the exit code will be 0:

$ ggshield secret scan pre-commit

If a secret or other issue is found in your staged code or in your CI, you will have an alert giving you the type of policy break, the filename where the policy break has been found and a patch giving you the position of the policy break in the file:

$ ggshield secret scan pre-commit

🛡️  ⚔️  🛡️  2 policy breaks have been found in file production.rb

11 | config.paperclip_defaults = {
12 |     :s3_credentials => {
13 |     :bucket => "XXX",
14 |     :access_key_id => "XXXXXXXXXXXXXXXXXXXX",
                            |_____AWS Keys_____|

15 |     :secret_access_key => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
                                |_______________AWS Keys_______________|

16 |     }
17 | }

Lines that are too long are truncated to match the size of the terminal, unless the verbose mode is used (-v or --verbose).
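Hooks and CI steps act on the exit code described above, so a wrapper that makes the decision explicit is useful. The script below is an added example and is not part of ggshield or its README: it runs "ggshield secret scan" in the requested mode (pre-commit, pre-push or ci) and maps exit status 0 to "pass" and 1 to "block", while any other status is treated as a scanner failure and blocks as well, so that a missing token or a network problem does not silently let a commit through. The function name secret_gate, the GGSHIELD_FAIL_OPEN opt-out variable and the fail-closed rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of ggshield or its README): a gate around
# "ggshield secret scan" for Git hooks and CI jobs that turns the scan's exit
# status into an explicit pass / block / error decision.
#
# Assumptions (not from the page): the function name, the GGSHIELD_FAIL_OPEN
# variable, and treating every status other than 0 or 1 as a scanner error.

# secret_gate MODE [EXTRA ARGS...]
#   MODE is the ggshield scan subcommand, e.g. "pre-commit" in a hook or
#   "ci" in a pipeline job. Returns 0 when the scan is clean, 1 when ggshield
#   reported policy breaks, 2 when the scanner itself did not complete.
secret_gate() {
    if [ $# -lt 1 ]; then
        echo "usage: secret_gate MODE [ggshield args...]" >&2
        return 2
    fi
    mode="$1"
    shift

    status=0
    ggshield secret scan "$mode" "$@" || status=$?

    case "$status" in
        0)
            echo "secret gate: no policy breaks found" >&2
            return 0
            ;;
        1)
            echo "secret gate: policy breaks found, refusing to continue" >&2
            return 1
            ;;
        *)
            # ggshield did not finish the scan (binary missing, bad token,
            # network error, ...). Fail closed unless explicitly opted out.
            echo "secret gate: ggshield exited with status $status" >&2
            if [ "${GGSHIELD_FAIL_OPEN:-0}" = "1" ]; then
                echo "secret gate: GGSHIELD_FAIL_OPEN=1, allowing through" >&2
                return 0
            fi
            return 2
            ;;
    esac
}

# Run directly, e.g. from .git/hooks/pre-commit:  sh secret_gate.sh pre-commit
# or from a CI job:                                sh secret_gate.sh ci
case "${1:-}" in
    pre-commit|pre-push|ci) secret_gate "$@" ;;
esac
```

Because a hook that exits non-zero aborts the commit or push, the fail-closed default means an outage of the scanner blocks developers; GGSHIELD_FAIL_OPEN=1 is the deliberate, visible switch for that situation rather than an accidental bypass.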

Related open source projects

License

ggshield is MIT licensed.