Releases: GitGuardian/ggshield
Release list
1.52.2
Added
- Install and uninstall scripts under
scripts/install/: a one-linecurl | bash(Linux/macOS) andirm | iex(Windows) installer for the standalone ggshield build that authenticates and optionally installs plugins, plus a matching uninstaller that removes the install it created.
Changed
-
Clarified the description of the
ggshield honeytoken plantcommand. -
Widened the
marshmallowdependency constraint to>=3.18,<5, so ggshield is now compatible with marshmallow 4. This unblocks environments (such as nixpkgs) that ship marshmallow 4.
Fixed
- macOS:
ggshield machine scanis no longer several times slower than on other platforms. The signed launcher now carries thecom.apple.security.cs.allow-jitentitlement, so the scanner's PCRE2 JIT works under the hardened runtime instead of silently falling back to the interpreter.
1.52.1
Fixed
-
ggshield hmslVault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths. -
ggshield no longer crashes on startup when the optional
truststoresetup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundledcertificertificates instead.
1.52.0
Added
-
ggshield ai discover --historybackfills historical MCP tool calls to GitGuardian (parsed from~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe. -
Improved MCP server name detection for more human-readable names.
-
ggshield honeytoken plantreconciles this machine's honeytokens with
GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved. -
ggshield install -t <agent>now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook. -
Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz
archive, .deb and .rpm packages.
Changed
-
Display an additional warning when the
.gitguardian.yamlconfiguration file is missing theversionfield. -
ggshield auth loginnow requests broader default scopes (scan,honeytokens:check,endpoints:send). If any scope is not granted, a warning is printed but login still succeeds. -
ggshield install -t <agent>now pins the AI hook to the absolute path of the ggshield that ran the install, instead of a bareggshield. The hook runs with a PATH that differs from the user's shell and across launch contexts, so on machines with several ggshield installations a bare command could resolve to a different binary than the one the user authenticated with. The stable launcher path is used (symlinks are not resolved) so it survives version upgrades; the bare command remains a fallback when the path cannot be determined. -
ggshield plugin listshows a verified plugin simply assignedinstead of
signed (<signing-repository>). The signing identity is still recorded in the plugin
manifest for auditing.
Fixed
-
AI hooks are debounced when an agent calls the same hook multiple times.
-
OAuth local server now uses OS-assigned port (port 0) instead of the hardcoded range 29170-29998, eliminating port conflicts when running multiple ggshield instances or other tools.
-
ggshield plugin uninstallno longer crashes with a rawPermissionErrorwhen plugin files cannot be removed. Read-only entries are now fixed automatically, and files owned by another user (e.g. residue from a legacysudoinstall) produce a clear remediation message instead of a traceback. -
The AI hook (
ggshield secret scan ai-hook) no longer crashes when it cannot authenticate or reach GitGuardian (e.g. when the API token is stored in the macOS Keychain and is not readable from an agent-spawned process). It now allows the action and warns the user through the agent that the action was NOT scanned, with remediation steps. -
AI hook: secrets in prompts submitted to GitHub Copilot CLI are now blocked before they reach the model. The prompt event was not recognized under Copilot CLI's native
userPromptSubmittedname, and the inherited{"continue": false}output is ignored on the prompt event, so prompts containing secrets were let through. ggshield now maps the event and emits{"decision": "block"}, which Copilot CLI honors to cancel the prompt. -
Ignored secrets (for example secrets on context or deleted lines of a patch) no longer appear in plaintext when they show up in the context lines of another displayed secret.
-
ggshield plugin installno longer fails with "failed to refresh TUF metadata" on
locked-down or proxied networks (most often seen on Windows). Plugin signatures are
now always verified against the sigstore trust root bundled with ggshield's
dependencies rather than refreshing TUF metadata over the network. Plugin identity is
still fully enforced; only trust-root freshness now tracks the pinned sigstore version.
1.51.0
Added
-
ggshield auth login --method oobfor browser-less environments (SSH sessions, headless servers). Prints the authorization URL, lets you open it on another device, and exchanges the code you paste back into the terminal. Uses the OAuth out-of-band sentinel (urn:ietf:wg:oauth:2.0:oob) — requires a server that supports it. -
Detection of MCP servers installed with Claude plugins or Claude.ai
-
Add Codex support to
ggshield secret scan ai-hookandggshield install -t codex. (thanks to trickyfalcon) -
Detect MCP servers installed with Cursor plugins or Cursor extensions.
-
Release binaries published to GitHub Releases now ship with GitHub Artifact Attestations, providing signed SLSA build provenance. Users can verify a downloaded asset with
gh attestation verify <file> --repo GitGuardian/ggshield, and tool managers such as mise (via the aqua backend) will verify automatically at install time. -
ggshield plugin install/update/statusnow discover and pull plugins from the GitGuardian instance the user is authenticated against, replacing the hard-coded GitHub release URL. Streaming download + sigstore bundle proxying happen via/v1/endpoints/plugins/<reference>/{download,signature}. Requires the matching backend feature. -
New
vscodealias to "copilot" for hook installation. -
ggshield api-statusnow displays the workspace ID associated with the current token, in both text and JSON output.
Changed
-
Successful API key checks are now cached on disk for 5 minutes.
-
ggshield plugin listnow renders the install source from the manifest verbatim (platform,local file,url,github release,github artifact) instead oflocal/pip. Plugins installed without a manifest still fall back topip(entry-point only) oron-disk. -
AI hooks naively try to detect file read by shell commands.
Fixed
-
Fixed plugin signature verification in PyInstaller-based packages by bundling sigstore's embedded TUF trust roots.
-
Fixed
uv tool install ggshieldresolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency onbetterproto. -
The documentation of the
ai discovercommand. -
Skip OS keyring access at startup when
GITGUARDIAN_API_KEYis set in the environment (or in a.envfile). This avoids redundant keychain unlock prompts on systems using multiple ggshield intances. -
Scans no longer fail on a single transient network glitch. ggshield retries connection errors (e.g.
ConnectionResetError) and 502/503/504 responses with bounded exponential backoff (~15 s budget with jitter).ggshield secret scan pre-receiveuses a minimal retry policy instead so it stays inside GitHub Enterprise Server's fixed 5 s pre-receive hook timeout. -
Fixed AI hooks support for Copilot CLI.
-
(AI hooks): the command that leaked a secret is now shown in the notification message.
-
MCP configuration parsing improved for VSCode, Copilot CLI and Codex.
-
Plugin installs and updates now enable the canonical
ggshield.pluginsentry point instead of the wheel package name, migrating any pre-existing alias row (and preserving itsauto_updatesetting), and local plugin wheels extract into the active runtime cache so mixed root/admin and user executions do not silently lose registered commands. -
ggshield now prunes stale extracted plugin wheel caches during plugin load and removes a plugin's extracted cache on uninstall, preventing old wheel versions from accumulating in the cache directory.
1.50.4
Fixed
ggshield plugin install --allow-unsignedandggshield plugin update --allow-unsignednow verify plugin signatures using the embedded / cached sigstore trust root instead of refreshing it over the network, so plugins can still be installed when the sigstore TUF endpoints are unreachable.
1.50.3
Fixed
- Skip OS keyring access at startup when
GITGUARDIAN_API_KEYis set in the environment (or in a.envfile). This avoids redundant keychain unlock prompts on systems using multiple ggshield instances.
1.50.2
Fixed
- Fixed
uv tool install ggshieldresolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency onbetterproto.
1.50.1
Fixed
- Fixed plugin signature verification in PyInstaller-based packages by bundling sigstore's embedded TUF trust roots.
1.50.0
Added
-
ggshield is now available as a MSI package.
-
Add sigstore signature verification for plugin wheels, enforcing identity-based trust via OIDC. Install and update operations are strict by default, while
--allow-unsignedpersists an explicit trust exception for the exact wheel hash so explicitly accepted unsigned plugins can still load at runtime. -
API tokens are now stored in the OS credential store (macOS Keychain, Windows Credential Locker, Linux Secret Service) via the
keyringlibrary instead of cleartext inauth_config.yaml. Existing cleartext tokens are migrated automatically the next time the configuration is saved. If no OS credential store is available orGGSHIELD_NO_KEYRING=1, file-based storage is used as a fall-back. -
Added a new
secret.fail_on_server_errorconfiguration option (defaultTrue), available as the--fail-on-server-error/--no-fail-on-server-errorflag orGITGUARDIAN_FAIL_ON_SERVER_ERRORenvironment variable. When set toFalse,secret scan pre-commit,secret scan pre-push,secret scan pre-receive, andsecret scan ciexit with code0and display a warning instead of blocking the git operation when the GitGuardian server is unreachable or returns a 5xx response. The default preserves the previous blocking behavior. -
New
ggshield ai discovercommand. -
The AI hooks now also log/block MCP activity
Changed
- Breaking:
secret scan pre-receiveno longer fail-opens by default when the GitGuardian server returns a 5xx response. Previously the push was allowed through with a warning; now it is blocked, matching the other git hooks. Setsecret.fail_on_server_errortoFalse(or pass--no-fail-on-server-error) to restore the previous fail-open behavior.
Fixed
-
Forward
signature_modethrough GitHub release and GitHub artifact download paths, ensuring signature verification is applied consistently across all install sources. -
Scans of large repositories no longer fail on a single transient network glitch. ggshield now retries connection errors (e.g.
ConnectionResetError) and 502/503/504 responses with bounded exponential backoff. -
Global Copilot hooks are configured correctly in
~/.copilot.
Security
- Pin the default package index in
pyproject.tomlto public PyPI and add a rollingexclude-newer = "3 days"constraint, so the resolveduv.lockis reproducible for external contributors/CI and newly-published (potentially malicious) releases get a short quarantine window before they can land in the lock.
1.49.0
Removed
- Pre-receive hook on GitHub Enterprise Server v3.9 to v3.13 is no longer supported. v3.13 is EOL since 2025-06-19 and previous versions were discontinued earlier.
Added
-
Add
@filesupport tosecret scan pathto load scan paths from a file. -
Add
ggshield secret scan ai-hookcommand to scan AI coding tool hook payloads for secrets in real time. -
Add new types
claude-code|cursor|copilotto theggshield installcommand to install hooks into AI coding tool configurations. -
Pre-receive hook can now be set up on GitHub Enterprise Server from v3.14 to higher.
-
api-status: display the scopes of the current authentication token.
Fixed
-
secret scan ci: fetch the target branch before computing the MR/PR commit range. In CI environments with cached repos or shallow clones, a stale target branch ref could cause ggshield to scan unrelated commits, leading to excessive API calls and secrets reported in files not modified by the MR. -
hmsl vault-scan: fixed a hang when the HashiCorp Vault server is unresponsive; requests now time out after 30 seconds and network errors are reported with a clear message. -
Fixed a path traversal security issue in tar archives used for git-based scans; member names with absolute paths or
..components are now sanitized. -
Fixed an issue where an invalid option for a
secret scansubcommand could be silently treated as a request to run the default command, producing a confusing error instead of the expected usage error.