
Top Git Hosting Services for 2025

Choosing among IT services is like choosing a car. On the surface, all cars have four wheels and an engine, and they can all be driven. But in the end the differences are much bigger, and the final choice depends on many factors. Price always matters, but it is not the only consideration. First of all, the choice depends on purpose and usability. After all, we would not take a sports car onto muddy forest roads. Personal preferences and habits also matter.

Scan secrets in CI with ggshield (GitHub Actions example)

Next up is ggshield secret scan ci, the mode built for continuous integration, not your local machine. In this section, we’ll show how CI scanning works and why it’s different. Instead of scanning your whole repo, it scans the set of commits that triggered your pipeline, whether that build came from a direct push or a pull request. That means you catch secrets at the exact moment they’re introduced, before they get merged or released.

Secret scanning with ggshield (repo, files, changes, commits, archives, Docker, and PyPI)

Now we’re getting to the heart of ggshield: secret scanning. In this section, we jump into ggshield secret and its two subcommands, ignore and scan. Ignore makes a lot more sense once you’ve seen scan in action, so we start by learning what ggshield can scan and why it’s so flexible across the development lifecycle. We’ll open the help menu so you can see every scan target available: ggshield secret scan -h.

Understand the ggshield help menu (options and global flags)

Let’s start by learning how to navigate ggshield like any other CLI tool: through its built-in help menu. To see the top-level help, just run ggshield with no options and press enter:

ggshield

Any time you want help for a specific command, add -h or --help to the end of that command before hitting enter. ggshield follows a standard command-line pattern you’ll see in many tools:

ggshield ...

If you’re new to CLIs, here’s what that means: ggshield is the program you’re running. are the extra details the command needs, like a path or filename.

Explore ggshield commands (quota and config basics)

What ggshield commands are available? First is quota, which checks how many API calls you have remaining for your GitGuardian workspace:

ggshield quota

As a rule of thumb, Starter plans include 10,000 API calls per month, and Business and Enterprise plans start at 100,000 calls per month. Next is config, which acts like the CLI control panel. ggshield uses YAML configuration to define how the CLI behaves, and you can tune it per repository.

Authenticate ggshield with GitGuardian (browser login, tokens, and api-status)

Now that ggshield is installed, the next step is to authenticate it with GitGuardian so it can scan and talk to the API. The most common method is browser-based login:

ggshield auth login

This opens your browser and prompts you to sign in through the GitGuardian dashboard. It automatically generates an access token for you and stores it safely in your local configuration. By default, the token is scoped for secret scanning, which is what most people need. We’ll revisit scopes later.

How To Install ggshield on Mac, Windows, and Linux

Install ggshield the right way for your OS and get scanning in minutes. In this video, we walk through the most common installation paths for macOS, Linux, and Windows, plus container options if that’s your workflow:

macOS: install with Homebrew, or grab the standalone .pkg from the ggshield releases page (no Python required, but you’ll update manually).

Linux: install via Deb/RPM packages available on Cloudsmith.

Windows: install via Chocolatey, or download the standalone .zip from the releases page (no Python required, but you’ll update manually).