Skip to content

Releases: GitGuardian/ggshield

1.52.2

Choose a tag to compare

@github-actions github-actions released this 17 Jun 13:39

Added

  • Install and uninstall scripts under scripts/install/: a one-line curl | bash (Linux/macOS) and irm | iex (Windows) installer for the standalone ggshield build that authenticates and optionally installs plugins, plus a matching uninstaller that removes the install it created.

Changed

  • Clarified the description of the ggshield honeytoken plant command.

  • Widened the marshmallow dependency constraint to >=3.18,<5, so ggshield is now compatible with marshmallow 4. This unblocks environments (such as nixpkgs) that ship marshmallow 4.

Fixed

  • macOS: ggshield machine scan is no longer several times slower than on other platforms. The signed launcher now carries the com.apple.security.cs.allow-jit entitlement, so the scanner's PCRE2 JIT works under the hardened runtime instead of silently falling back to the interpreter.

1.52.1

Choose a tag to compare

@github-actions github-actions released this 16 Jun 14:29

Fixed

  • ggshield hmsl Vault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths.

  • ggshield no longer crashes on startup when the optional truststore setup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundled certifi certificates instead.

1.52.0

Choose a tag to compare

@github-actions github-actions released this 15 Jun 16:20

Added

  • ggshield ai discover --history backfills historical MCP tool calls to GitGuardian (parsed from ~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe.

  • Improved MCP server name detection for more human-readable names.

  • ggshield honeytoken plant reconciles this machine's honeytokens with
    GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved.

  • ggshield install -t <agent> now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook.

  • Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz
    archive, .deb and .rpm packages.

Changed

  • Display an additional warning when the .gitguardian.yaml configuration file is missing the version field.

  • ggshield auth login now requests broader default scopes (scan, honeytokens:check, endpoints:send). If any scope is not granted, a warning is printed but login still succeeds.

  • ggshield install -t <agent> now pins the AI hook to the absolute path of the ggshield that ran the install, instead of a bare ggshield. The hook runs with a PATH that differs from the user's shell and across launch contexts, so on machines with several ggshield installations a bare command could resolve to a different binary than the one the user authenticated with. The stable launcher path is used (symlinks are not resolved) so it survives version upgrades; the bare command remains a fallback when the path cannot be determined.

  • ggshield plugin list shows a verified plugin simply as signed instead of
    signed (<signing-repository>). The signing identity is still recorded in the plugin
    manifest for auditing.

Fixed

  • AI hooks are debounced when an agent calls the same hook multiple times.

  • OAuth local server now uses OS-assigned port (port 0) instead of the hardcoded range 29170-29998, eliminating port conflicts when running multiple ggshield instances or other tools.

  • ggshield plugin uninstall no longer crashes with a raw PermissionError when plugin files cannot be removed. Read-only entries are now fixed automatically, and files owned by another user (e.g. residue from a legacy sudo install) produce a clear remediation message instead of a traceback.

  • The AI hook (ggshield secret scan ai-hook) no longer crashes when it cannot authenticate or reach GitGuardian (e.g. when the API token is stored in the macOS Keychain and is not readable from an agent-spawned process). It now allows the action and warns the user through the agent that the action was NOT scanned, with remediation steps.

  • AI hook: secrets in prompts submitted to GitHub Copilot CLI are now blocked before they reach the model. The prompt event was not recognized under Copilot CLI's native userPromptSubmitted name, and the inherited {"continue": false} output is ignored on the prompt event, so prompts containing secrets were let through. ggshield now maps the event and emits {"decision": "block"}, which Copilot CLI honors to cancel the prompt.

  • Ignored secrets (for example secrets on context or deleted lines of a patch) no longer appear in plaintext when they show up in the context lines of another displayed secret.

  • ggshield plugin install no longer fails with "failed to refresh TUF metadata" on
    locked-down or proxied networks (most often seen on Windows). Plugin signatures are
    now always verified against the sigstore trust root bundled with ggshield's
    dependencies rather than refreshing TUF metadata over the network. Plugin identity is
    still fully enforced; only trust-root freshness now tracks the pinned sigstore version.

1.51.0

Choose a tag to compare

@github-actions github-actions released this 26 May 13:12

Added

  • ggshield auth login --method oob for browser-less environments (SSH sessions, headless servers). Prints the authorization URL, lets you open it on another device, and exchanges the code you paste back into the terminal. Uses the OAuth out-of-band sentinel (urn:ietf:wg:oauth:2.0:oob) — requires a server that supports it.

  • Detection of MCP servers installed with Claude plugins or Claude.ai

  • Add Codex support to ggshield secret scan ai-hook and ggshield install -t codex. (thanks to trickyfalcon)

  • Detect MCP servers installed with Cursor plugins or Cursor extensions.

  • Release binaries published to GitHub Releases now ship with GitHub Artifact Attestations, providing signed SLSA build provenance. Users can verify a downloaded asset with gh attestation verify <file> --repo GitGuardian/ggshield, and tool managers such as mise (via the aqua backend) will verify automatically at install time.

  • ggshield plugin install / update / status now discover and pull plugins from the GitGuardian instance the user is authenticated against, replacing the hard-coded GitHub release URL. Streaming download + sigstore bundle proxying happen via /v1/endpoints/plugins/<reference>/{download,signature}. Requires the matching backend feature.

  • New vscode alias to "copilot" for hook installation.

  • ggshield api-status now displays the workspace ID associated with the current token, in both text and JSON output.

Changed

  • Successful API key checks are now cached on disk for 5 minutes.

  • ggshield plugin list now renders the install source from the manifest verbatim (platform, local file, url, github release, github artifact) instead of local/pip. Plugins installed without a manifest still fall back to pip (entry-point only) or on-disk.

  • AI hooks naively try to detect file read by shell commands.

Fixed

  • Fixed plugin signature verification in PyInstaller-based packages by bundling sigstore's embedded TUF trust roots.

  • Fixed uv tool install ggshield resolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency on betterproto.

  • The documentation of the ai discover command.

  • Skip OS keyring access at startup when GITGUARDIAN_API_KEY is set in the environment (or in a .env file). This avoids redundant keychain unlock prompts on systems using multiple ggshield intances.

  • Scans no longer fail on a single transient network glitch. ggshield retries connection errors (e.g. ConnectionResetError) and 502/503/504 responses with bounded exponential backoff (~15 s budget with jitter). ggshield secret scan pre-receive uses a minimal retry policy instead so it stays inside GitHub Enterprise Server's fixed 5 s pre-receive hook timeout.

  • Fixed AI hooks support for Copilot CLI.

  • (AI hooks): the command that leaked a secret is now shown in the notification message.

  • MCP configuration parsing improved for VSCode, Copilot CLI and Codex.

  • Plugin installs and updates now enable the canonical ggshield.plugins entry point instead of the wheel package name, migrating any pre-existing alias row (and preserving its auto_update setting), and local plugin wheels extract into the active runtime cache so mixed root/admin and user executions do not silently lose registered commands.

  • ggshield now prunes stale extracted plugin wheel caches during plugin load and removes a plugin's extracted cache on uninstall, preventing old wheel versions from accumulating in the cache directory.

1.50.4

Choose a tag to compare

@github-actions github-actions released this 07 May 18:48

Fixed

  • ggshield plugin install --allow-unsigned and ggshield plugin update --allow-unsigned now verify plugin signatures using the embedded / cached sigstore trust root instead of refreshing it over the network, so plugins can still be installed when the sigstore TUF endpoints are unreachable.

1.50.3

Choose a tag to compare

@github-actions github-actions released this 30 Apr 14:25

Fixed

  • Skip OS keyring access at startup when GITGUARDIAN_API_KEY is set in the environment (or in a .env file). This avoids redundant keychain unlock prompts on systems using multiple ggshield instances.

1.50.2

Choose a tag to compare

@github-actions github-actions released this 29 Apr 10:41

Fixed

  • Fixed uv tool install ggshield resolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency on betterproto.

1.50.1

Choose a tag to compare

@github-actions github-actions released this 29 Apr 09:15

Fixed

  • Fixed plugin signature verification in PyInstaller-based packages by bundling sigstore's embedded TUF trust roots.

1.50.0

Choose a tag to compare

@github-actions github-actions released this 28 Apr 14:03

Added

  • ggshield is now available as a MSI package.

  • Add sigstore signature verification for plugin wheels, enforcing identity-based trust via OIDC. Install and update operations are strict by default, while --allow-unsigned persists an explicit trust exception for the exact wheel hash so explicitly accepted unsigned plugins can still load at runtime.

  • API tokens are now stored in the OS credential store (macOS Keychain, Windows Credential Locker, Linux Secret Service) via the keyring library instead of cleartext in auth_config.yaml. Existing cleartext tokens are migrated automatically the next time the configuration is saved. If no OS credential store is available or GGSHIELD_NO_KEYRING=1, file-based storage is used as a fall-back.

  • Added a new secret.fail_on_server_error configuration option (default True), available as the --fail-on-server-error/--no-fail-on-server-error flag or GITGUARDIAN_FAIL_ON_SERVER_ERROR environment variable. When set to False, secret scan pre-commit, secret scan pre-push, secret scan pre-receive, and secret scan ci exit with code 0 and display a warning instead of blocking the git operation when the GitGuardian server is unreachable or returns a 5xx response. The default preserves the previous blocking behavior.

  • New ggshield ai discover command.

  • The AI hooks now also log/block MCP activity

Changed

  • Breaking: secret scan pre-receive no longer fail-opens by default when the GitGuardian server returns a 5xx response. Previously the push was allowed through with a warning; now it is blocked, matching the other git hooks. Set secret.fail_on_server_error to False (or pass --no-fail-on-server-error) to restore the previous fail-open behavior.

Fixed

  • Forward signature_mode through GitHub release and GitHub artifact download paths, ensuring signature verification is applied consistently across all install sources.

  • Scans of large repositories no longer fail on a single transient network glitch. ggshield now retries connection errors (e.g. ConnectionResetError) and 502/503/504 responses with bounded exponential backoff.

  • Global Copilot hooks are configured correctly in ~/.copilot.

Security

  • Pin the default package index in pyproject.toml to public PyPI and add a rolling exclude-newer = "3 days" constraint, so the resolved uv.lock is reproducible for external contributors/CI and newly-published (potentially malicious) releases get a short quarantine window before they can land in the lock.

1.49.0

Choose a tag to compare

@github-actions github-actions released this 31 Mar 14:54

Removed

  • Pre-receive hook on GitHub Enterprise Server v3.9 to v3.13 is no longer supported. v3.13 is EOL since 2025-06-19 and previous versions were discontinued earlier.

Added

  • Add @file support to secret scan path to load scan paths from a file.

  • Add ggshield secret scan ai-hook command to scan AI coding tool hook payloads for secrets in real time.

  • Add new types claude-code|cursor|copilot to the ggshield install command to install hooks into AI coding tool configurations.

  • Pre-receive hook can now be set up on GitHub Enterprise Server from v3.14 to higher.

  • api-status: display the scopes of the current authentication token.

Fixed

  • secret scan ci: fetch the target branch before computing the MR/PR commit range. In CI environments with cached repos or shallow clones, a stale target branch ref could cause ggshield to scan unrelated commits, leading to excessive API calls and secrets reported in files not modified by the MR.

  • hmsl vault-scan: fixed a hang when the HashiCorp Vault server is unresponsive; requests now time out after 30 seconds and network errors are reported with a clear message.

  • Fixed a path traversal security issue in tar archives used for git-based scans; member names with absolute paths or .. components are now sanitized.

  • Fixed an issue where an invalid option for a secret scan subcommand could be silently treated as a request to run the default command, producing a confusing error instead of the expected usage error.