GGSHIELD
Take GitGuardian’s secrets detection engine to the command line with ggshield.
Complete the login process at: https://dashboard.gitguardian.com/auth/login?response_type=code&client_id=ggshield_oauth&redirect_uri=http%3A%2F%2Flocalhost%3A29170&scope=scan&state=%257B%2522token_name%2522%253A%2520%2522ggshield%2520token%25202022-08-09%2522%252C%2520%2522lifetime%2522%253A%2520null%257D&code_challenge=94QwBaPXUcmGVD4W_Shm0Y0gY0igUHVHzLjduJTmjqE&code_challenge_method=S256&auth_mode=ggshield_login.
Opening your web browser now...
Success! You are now authenticated.
The personal access token has been created and stored in your ggshield config.
token name: ggshield token 2022-08-09
token expiration date: never
You do not need to run "ggshield auth login" again. Future requests will automatically use the token.
Scanning Commits [####################################] 100%
commit 72f00a62423e1c26a8ab0675bd718acc8c6ce11e
Author: Henry <henry@git.com>
Date: Tue Jan 12 17:20:54 2021+0100
🛡️ ⚔️ 🛡️ 1 incident has been found in file bucket_s3.py
>>> Incident 1(Secrets detection): AWS Keys (Validity: Invalid) (Ignore with SHA: 9f2785cab705507aaea637b8b38d8e1ff9ce8a4334dda586187cbb018ed33163) (1 occurrence)
7 |
8 | def aws_upload(data: Dict):
9 | database = aws_lib.connect("AKIA************WSZ5",
"hjshnk5**************************89sjkja")
|_____client_id____|
9 | database = aws_lib.connect("AKIA************WSZ5",
"hjshnk5**************************89sjkja")
|_____________client_secret____________|
10 | database.push(data)
secrets-engine-version: 2.73.0
🛡️ ⚔️ 🛡️ 3 incidents have been found in file postgres_model.js
>>> Incident 1(Secrets detection): PostgreSQL Credentials (Validity: Failed to Check) (Ignore with SHA: aab3815c8fad99fab2248fdc9868091de77498b0b772e05a8300cf64bfea1cb3) (1 occurrence)
| @@ -2,7 +2,7 @
2 2 | var pg_port=1212;
3 3 | var pg_host="git**********com:9**2/BLUDB";
|_____host_____|
3 3 | var pg_host="git**********com:9**2/BLUDB";
|_port_|
4 4 | var pg_user="r**t";
|_username_|
5 | var pg_pass="sup3*************orGG";
|______password_____|
5 | var pg_pass="sup3*************orZG";
6 6 |
>>> Incident 2(Secrets detection): PostgreSQL Credentials (Validity: Failed to Check) (Ignore with SHA:
...
CIRCLE_RANGE: 90220851160dcf018f372536da223dc0396aa247...2d08c13226628ecfb3ee9a07001c185915a84adf
CIRCLE_SHA1: 2d08c13226628ecfb3ee9a07001c185915a84adf
Commits to scan: 1
Scanning Commits---------------------------------] 0%Scanning Commits [####################################] 100%
secrets-engine-version: 2.71.0
commit 2d08c13226628ecfb3ee9a07001c185915a84adf
Author: XXXX
Date: XXXX
🛡️ ⚔️ 🛡️ 1 incident has been found in file rapid_api_flightapp.py
>>> Incident 1(Secrets detection): RapidAPI Key (Validity: Invalid) (Ignore with SHA: 6d56240140523391afaa713d79516e2a19f80dc182fbc34669997e0e2849ff81) (1 occurrence)
7 | headers = {
8 | 'x-rapidapi-host': "skyscanner-skyscanner-flight-search-v1.p.rapidapi.com",
9 | 'x-rapidapi-key': "eb9d30db7********************************4c37d74db"
|_____________________apikey_____________________|
10 | }
11 |
Exited with code exit status 1
CircleCI received exit code 1
Saving docker image... OK
Scanning [####################################] 100%
secrets-engine-version: 2.73.0
🛡️ ⚔️ 🛡️ 1 incident has been found in file 0e053c6a062cc084693018afaacd7281ffa65f53310a96039127d42b414e2b51:/etc/foo.conf
>>> Incident 1(Secrets detection): GitGuardian Test Token Checked (Validity: Valid) (Ignore with SHA: e27f84539215c1dfdb9049dbac6a49346a59c0ba665c23f35d02b0a6fb9f90b7) (1 occurrence)
1 | token="ggt*-*-*******234"
|_____apikey____|
...
Install ggshield and run
$ ggshield auth login to get your API key and start scanning.
Detect %ndet%+ types of hardcoded secrets in pre-commit hooks, before you push. Never revoke and rotate a secret again!
Not a sensitive secret? Run
$ ggshield secret ignore --last-found. Commit, push, and move on to your next task.
Add ggshield to your CI/CD and scan pipelines for hardcoded secrets.
Hardcoded secrets in Docker images are like a needle in a haystack. Scan your images’ layers’ filesystem, build args, or Dockerfile and harden them before every release.
#1 Security app on
the GitHub marketplace
use ggshield to stop hardcoding them
ggshield is a command-line interface application developed by GitGuardian. ggshield helps developers detect and prevent vulnerabilities like hardcoded secrets (like API keys, certificates, database connection URLs) before pushing their code to shared repositories. ggshield is integrated with GitGuardian Internal Monitoring, the automated secrets detection and remediation platform.
In a scenario where an attacker gains initial access to code repositories or DevOps tools, they will look for valid hardcoded secrets for further lateral movement. Once the attacker finds the credentials they need to operate as a valid user or machine, it is difficult to detect abuse and the threat becomes persistent.
The risk of secrets exposure must be proactively reduced in the software development lifecycle with automated detection and remediation. OWASP ranks the vulnerability of hardcoded secrets #2 in its latest Top 10 Web Application Security Risks – under the Cryptographic Failures (A02:2021) entry. MITRE, on the other hand, ranks the vulnerability #15 on its CWE Top 25 Most Dangerous Software Weaknesses list.
ggshield, the GitGuardian CLI application is open-source – check out the official GitHub repository. ggshield is a wrapper for our Python API client, py-gitguardian, used to call our public API. However, the secrets detection library behind the GitGuardian public API is closed-source.
Only metadata such as call time, request size, and scan mode is stored from scans using ggshield. The CLI and the underlying API are stateless; hardcoded secrets incidents found using ggshield will not be displayed on your GitGuardian Internal Monitoring dashboard, nor will they be stored in our backend.
To use ggshield, you need to sign up for a GitGuardian account. If you are an individual developer or a pro developer part of an organization with 25 developers or fewer, you are eligible for our Free plan that includes 1,000 API calls per month. If you need a larger quota, you can try our Business plan for 30 days for free.
Widely adopted by developer communities, GitGuardian is used by more than %nggsu% thousand developers and is the #1 app in the security category on GitHub Marketplace. Developers from leading companies, including Instacart, Automox, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi use ggshield to prevent hardcoded secrets.
If you believe you have found a bug or if you have any suggestions for the GitGuardian team to improve ggshield, please visit the official GitHub repository and create an issue.