A Deep Dive Into ggshield, The GitGuardian CLI

In this in-depth walkthrough, we will show you how to turn ggshield, the GitGuardian CLI, into a practical guardrail for keeping secrets out of your code and CI pipelines.

You’ll see exactly how to install and authenticate ggshield, then use it to scan repositories, local paths, archives, Docker images, PyPI packages, and CI environments for hardcoded credentials.

We’ll also walk through configuring Git hooks with ggshield install.

Finally, we cover HasMySecretLeaked, which checks whether your secrets have been exposed in public GitHub repositories, and how to deploy Honeytokens as active tripwires that detect attacker activity.

If you already have Python, Git, and a GitGuardian account, this video will help you go from first install to production-ready workflows that give your developers and security teams fast, reliable secret scanning straight from the terminal.

Additional resources:

Installing Git: https://git-scm.com/install/

Installing Python: https://www.python.org/downloads/

ggshield GitHub repo: https://github.com/gitguardian/ggshield

ggshield documentation: https://docs.gitguardian.com/ggshield-docs/home

GitGuardian's website: https://www.gitguardian.com/

HasMySecretLeaked: https://www.gitguardian.com/hasmysecretleaked

GitGuardian Honeytoken: https://www.gitguardian.com/honeytoken

Chapters

00:00 – Intro & agenda

00:58 – Installing ggshield

02:05 – Verifying your install with ggshield --version

02:15 – Authenticating with ggshield auth login

02:40 – Authenticating with tokens & on-prem instances

03:08 – Checking API connectivity with ggshield api-status

03:31 – Logging out and rotating credentials

04:04 – Understanding the ggshield CLI structure & help system

04:49 – Global options: config, updates, insecure mode, logging, debug, verbose

06:14 – Available commands overview

06:30 – Checking API quotas with ggshield quota

06:44 – Managing configuration with ggshield config (global vs local)

07:33 – Secret scanning overview (ggshield secret)

08:05 – Deep repo history scans with ggshield secret scan repo

09:33 – Local path scans with ggshield secret scan path

10:10 – Scanning changes and commit ranges for new secrets

10:55 – Archive scanning (zip/tar) for embedded secrets

11:10 – Scanning Docker images for hardcoded credentials

11:38 – Scanning PyPI packages & JSONL docsets

12:21 – Using ggshield in CI: overview and GitHub Actions example

13:54 – Git hooks 101: pre-commit, pre-push, pre-receive

14:57 – Automating hook setup with ggshield install (local vs global)

17:09 – Ignoring non-sensitive secrets with ggshield secret ignore

18:03 – Intro to HasMySecretLeaked (HMSL)

18:51 – HMSL admin commands: quota & api-status

19:01 – Fingerprint → query → decrypt flow (hmsl fingerprint/query/decrypt)

20:16 – One-shot ggshield hmsl check usage

20:32 – Checking secrets stored in HashiCorp Vault

20:57 – Honeytokens overview & when to use them

21:41 – Permissions, plans, and required scopes for ggshield honeytoken

23:11 – Creating a basic honeytoken from the CLI

24:13 – Honeytokens via create-with-context

25:20 – Recap and closing thoughts