
GGSHIELD

The secret to stop hardcoded secrets.

Take GitGuardian’s secrets detection engine to the command line with ggshield.

Complete the login process at: https://dashboard.gitguardian.com/auth/login?response_type=code&client_id=ggshield_oauth&redirect_uri=http%3A%2F%2Flocalhost%3A29170&scope=scan&state=%257B%2522token_name%2522%253A%2520%2522ggshield%2520token%25202022-08-09%2522%252C%2520%2522lifetime%2522%253A%2520null%257D&code_challenge=94QwBaPXUcmGVD4W_Shm0Y0gY0igUHVHzLjduJTmjqE&code_challenge_method=S256&auth_mode=ggshield_login.

Opening your web browser now...
Success! You are now authenticated.
The personal access token has been created and stored in your ggshield config.

token name: ggshield token 2022-08-09
token expiration date: never

You do not need to run "ggshield auth login" again. Future requests will automatically use the token.

Scanning Commits  [####################################]  100%

commit 72f00a62423e1c26a8ab0675bd718acc8c6ce11e
Author: Henry <henry@git.com>
Date: Tue Jan 12 17:20:54 2021+0100

🛡️ ⚔️ 🛡️ 1 incident has been found in file bucket_s3.py

>>> Incident 1(Secrets detection): AWS Keys (Validity: Invalid)  (Ignore with SHA: 9f2785cab705507aaea637b8b38d8e1ff9ce8a4334dda586187cbb018ed33163) (1 occurrence)
   7 |
   8 | def aws_upload(data: Dict):
   9 |     database = aws_lib.connect("AKIA************WSZ5", "hjshnk5**************************89sjkja")
                                       |_____client_id____|
   9 |     database = aws_lib.connect("AKIA************WSZ5", "hjshnk5**************************89sjkja")
                                                               |_____________client_secret____________|
  10 |     database.push(data)

secrets-engine-version: 2.73.0

🛡️ ⚔️ 🛡️ 3 incidents have been found in file postgres_model.js

>>> Incident 1(Secrets detection): PostgreSQL Credentials (Validity: Failed to Check)  (Ignore with SHA: aab3815c8fad99fab2248fdc9868091de77498b0b772e05a8300cf64bfea1cb3) (1 occurrence)
   | @@ -2,7 +2,7 @@
2 2 | var pg_port=1212;
3 3 | var pg_host="git**********com:9**2/BLUDB";
                  |_____host_____|
3 3 | var pg_host="git**********com:9**2/BLUDB";
                                   |_port_|
4 4 | var pg_user="r**t";
                  |_username_|
5   | var pg_pass="sup3*************orGG";
                  |______password_____|
 5 | var pg_pass="sup3*************orZG";
6 6 |

>>> Incident 2(Secrets detection): PostgreSQL Credentials (Validity: Failed to Check)  (Ignore with SHA:

...

CIRCLE_RANGE: 90220851160dcf018f372536da223dc0396aa247...2d08c13226628ecfb3ee9a07001c185915a84adf
CIRCLE_SHA1: 2d08c13226628ecfb3ee9a07001c185915a84adf
Commits to scan: 1
Scanning Commits  [------------------------------------]    0%
Scanning Commits  [####################################]  100%

secrets-engine-version: 2.71.0

commit 2d08c13226628ecfb3ee9a07001c185915a84adf
Author: XXXX
Date: XXXX

🛡️ ⚔️ 🛡️ 1 incident has been found in file rapid_api_flightapp.py


>>> Incident 1(Secrets detection): RapidAPI Key (Validity: Invalid)  (Ignore with SHA: 6d56240140523391afaa713d79516e2a19f80dc182fbc34669997e0e2849ff81) (1 occurrence)
7 | headers = {
8 |     'x-rapidapi-host': "skyscanner-skyscanner-flight-search-v1.p.rapidapi.com",
9 |     'x-rapidapi-key': "eb9d30db7********************************4c37d74db"
                           |_____________________apikey_____________________|
10 |     }
11 |


Exited with code exit status 1
CircleCI received exit code 1

Saving docker image... OK
Scanning  [####################################]  100%

secrets-engine-version: 2.73.0

🛡️ ⚔️ 🛡️ 1 incident has been found in file 0e053c6a062cc084693018afaacd7281ffa65f53310a96039127d42b414e2b51:/etc/foo.conf

>>> Incident 1(Secrets detection): GitGuardian Test Token Checked (Validity: Valid)  (Ignore with SHA: e27f84539215c1dfdb9049dbac6a49346a59c0ba665c23f35d02b0a6fb9f90b7) (1 occurrence)
1 | token="ggt*-*-*******234"
          |_____apikey____|

...

Goodbye, remediation.

Hello, prevention.

Developers

Get started in minutes

Install ggshield and run $ ggshield auth login to get your API key and start scanning.

Download ggshield

Catch hardcoded secrets before your security team

Detect 350+ types of hardcoded secrets in pre-commit hooks, before you push. Never revoke and rotate a secret again!

View documentation

Don’t let security get in your way

Not a sensitive secret? Run $ ggshield secret ignore --last-found. Commit, push, and move on to your next task.

View documentation

Yes, ggshield also runs in the CI

DevOps & SRE

Automate security testing in your CI

Add ggshield to your CI/CD and scan pipelines for hardcoded secrets and IaC misconfigurations.
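A pipeline that runs ggshield also has to act on what it prints. The following is an added example (not GitGuardian's or ggshield's own code) that parses the human-readable report format shown in the scan transcripts above: the "N incident(s) have been found in file X" banner, the ">>> Incident N(Secrets detection): <detector> (Validity: <state>) (Ignore with SHA: <hash>) (k occurrence(s))" line, and the "<layer digest>:/path" file names produced by Docker image scans. It sorts findings so that credentials reported as Valid are rotated first, mirrors ggshield's non-zero exit status for the CI job, and collects the SHAs that `ggshield secret ignore --last-found` would record for reviewed false positives. The report layout is assumed to match the excerpts on this page; the sample text is constructed from them.

```python
"""Triage helper for ggshield's human-readable scan output in a CI job.

Added example, not GitGuardian's code. It assumes the report layout shown on
this page (ggshield secrets-engine 2.7x output); the sample below is
constructed from those excerpts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FILE_RE = re.compile(r"(\d+) incidents? (?:has|have) been found in file (\S+)")
INCIDENT_RE = re.compile(
    r">>> Incident (\d+)\((?P<kind>[^)]*)\): (?P<detector>.+?) "
    r"\(Validity: (?P<validity>[^)]*)\)\s+"
    r"\(Ignore with SHA: (?P<sha>[0-9a-f]{64})\) "
    r"\((?P<count>\d+) occurrences?\)"
)

# Validity states ggshield prints, most urgent first. "Valid" means the secret
# authenticated against the provider; "Failed to Check" is unknown and must be
# treated as live; "Invalid" is revoked or stale but still needs removing.
PRIORITY = {"Valid": 0, "Failed to Check": 1, "Invalid": 2}


@dataclass(frozen=True)
class Incident:
    file: str
    detector: str
    validity: str
    ignore_sha: str
    occurrences: int

    @property
    def docker_layer(self) -> str | None:
        """Docker scans prefix the path with the layer digest ("<hex>:/etc/foo.conf")."""
        layer, sep, _ = self.file.partition(":")
        return layer if sep and re.fullmatch(r"[0-9a-f]{64}", layer) else None


def parse_report(text: str) -> list[Incident]:
    """Walk the report top to bottom, attaching each incident to the last file banner."""
    incidents: list[Incident] = []
    current_file = None
    for line in text.splitlines():
        banner = FILE_RE.search(line)
        if banner:
            current_file = banner.group(2)
            continue
        hit = INCIDENT_RE.search(line)
        if hit and current_file is not None:
            incidents.append(Incident(current_file, hit["detector"], hit["validity"],
                                      hit["sha"], int(hit["count"])))
    return incidents


def triage(incidents: list[Incident]) -> list[Incident]:
    """Most urgent first: live secrets, then unverifiable ones, then revoked ones."""
    return sorted(incidents, key=lambda i: (PRIORITY.get(i.validity, 1), i.file))


def exit_code(incidents: list[Incident]) -> int:
    """Mirror ggshield: any incident fails the job (the CircleCI transcript shows exit status 1)."""
    return 1 if incidents else 0


def ignore_shas(incidents: list[Incident]) -> list[str]:
    """The SHAs 'ggshield secret ignore --last-found' would record for reviewed false positives."""
    return [i.ignore_sha for i in incidents]


# Constructed sample, copied in shape from the report excerpts on this page.
SAMPLE_REPORT = """\
🛡️ ⚔️ 🛡️ 1 incident has been found in file bucket_s3.py

>>> Incident 1(Secrets detection): AWS Keys (Validity: Invalid)  (Ignore with SHA: 9f2785cab705507aaea637b8b38d8e1ff9ce8a4334dda586187cbb018ed33163) (1 occurrence)

🛡️ ⚔️ 🛡️ 1 incident has been found in file postgres_model.js

>>> Incident 1(Secrets detection): PostgreSQL Credentials (Validity: Failed to Check)  (Ignore with SHA: aab3815c8fad99fab2248fdc9868091de77498b0b772e05a8300cf64bfea1cb3) (1 occurrence)

🛡️ ⚔️ 🛡️ 1 incident has been found in file 0e053c6a062cc084693018afaacd7281ffa65f53310a96039127d42b414e2b51:/etc/foo.conf

>>> Incident 1(Secrets detection): GitGuardian Test Token Checked (Validity: Valid)  (Ignore with SHA: e27f84539215c1dfdb9049dbac6a49346a59c0ba665c23f35d02b0a6fb9f90b7) (1 occurrence)
"""

if __name__ == "__main__":
    found = triage(parse_report(SAMPLE_REPORT))
    for inc in found:
        where = f"layer {inc.docker_layer[:12]} " if inc.docker_layer else ""
        print(f"[{inc.validity:>15}] {inc.detector} in {where}{inc.file}")
    raise SystemExit(exit_code(found))
```

In a real pipeline you would feed the captured ggshield output to parse_report instead of the constructed sample; the ordering puts the Valid GitGuardian test token from the Docker layer first, the unverifiable PostgreSQL credentials second, and the already-invalid AWS key last, while the job still fails on all three.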

View integrations

Scan Docker images before every release

Hardcoded secrets in Docker images are like a needle in a haystack. Scan your images’ layers’ filesystem, build args, or Dockerfile and harden them before every release.

View documentation

Join thousands of developers keeping their code secrets-free

Whatever you do with your secrets

use ggshield to stop hardcoding them

Developer security resources

  • What is ggshield?

    ggshield is a command-line interface application developed by GitGuardian. ggshield helps developers detect and prevent vulnerabilities such as hardcoded secrets (API keys, certificates, database connection URLs) before pushing their code to shared repositories. ggshield is integrated with GitGuardian Internal Monitoring, the automated secrets detection and remediation platform.

    Recently, ggshield has also gained the capability of scanning Terraform infrastructure-as-code files for security misconfigurations (public beta).

  • Where should I scan my code for hardcoded secrets?

    In a scenario where an attacker gains initial access to code repositories or DevOps tools, they will look for valid hardcoded secrets for further lateral movement. Once the attacker finds the credentials they need to operate as a valid user or machine, it is difficult to detect abuse and the threat becomes persistent.

    The risk of secrets exposure must be proactively reduced in the software development lifecycle with automated detection and remediation. OWASP ranks the vulnerability of hardcoded secrets #2 in its latest Top 10 Web Application Security Risks – under the Cryptographic Failures (A02:2021) entry. MITRE, on the other hand, ranks the vulnerability #15 on its CWE Top 25 Most Dangerous Software Weaknesses list.

  • Is ggshield open-source?

    ggshield, the GitGuardian CLI application, is open-source – check out the official GitHub repository. ggshield is a wrapper for our Python API client, py-gitguardian, used to call our public API. However, the secrets detection library behind the GitGuardian public API is closed-source.

    Only metadata such as call time, request size, and scan mode is stored from scans using ggshield. The CLI and the underlying API are stateless; hardcoded secrets and policy break incidents found using ggshield will not be displayed on your GitGuardian Internal Monitoring dashboard, nor will they be stored in our backend.

  • Can I use ggshield for free?

    To use ggshield, you need to sign up for a GitGuardian account. If you are an individual developer or a pro developer part of an organization with 25 developers or fewer, you are eligible for our Free plan that includes 1,000 API calls per month. If you need a larger quota, you can try our Business plan for 30 days for free.

  • Who else uses ggshield?

    Widely adopted by developer communities, GitGuardian is used by more than 200 thousand developers and is the #1 app in the security category on GitHub Marketplace. Developers from leading companies, including Instacart, Automox, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi use ggshield to prevent hardcoded secrets.

  • I found a bug/I have a feature request

    If you believe you have found a bug or if you have any suggestions for the GitGuardian team to improve ggshield, please visit the official GitHub repository and create an issue.