Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Next up is ggshield secret scan ci, the mode built for continuous integration, not your local machine. In this section, we’ll show how CI scanning works and why it’s different. Instead of scanning your whole repo, it scans the set of commits that triggered your pipeline, whether that build came from a direct push or a pull request. That means you catch secrets at the exact moment they’re introduced, before they get merged or released.

Now we’re getting to the heart of ggshield: secret scanning. In this section, we jump into ggshield secret and its two subcommands, ignore and scan. Ignore makes a lot more sense once you’ve seen scan in action, so we start by learning what ggshield can scan and why it’s so flexible across the development lifecycle. We’ll open the help menu so you can see every scan target available: ggshield secret scan -h.

Do NOT Enable These Options!

Let’s start by learning how to navigate ggshield like any other CLI tool: through its built-in help menu. To see the top-level help, just run ggshield with no options and press enter: ggshield Any time you want help for a specific command, add -h or --help to the end of that command before hitting enter. ggshield follows a standard command-line pattern you’ll see in many tools: ggshield ... If you’re new to CLIs, here’s what that means: ggshield is the program you’re running. are the extra details the command needs, like a path or filename.

What ggshield commands are available? First is quota, which checks how many API calls you have remaining for your GitGuardian workspace: ggshield quota As a rule of thumb, Starter plans include 10,000 API calls per month, and Business and Enterprise plans start at 100,000 calls per month. Next is config, which acts like the CLI control panel. ggshield uses YAML configuration to define how the CLI behaves, and you can tune it per repository.