Has My Secret Leaked (HMSL) with ggshield: check public GitHub exposure safely
Since 2018, GitGuardian has been scanning for secrets added to GitHub public repositories. When a secret is found, GitGuardian hashes it and stores only a fingerprint of the secret. That fingerprint is what you can search against to verify whether any of your secrets have leaked in public repositories, gists, or issues on GitHub.
This service is called Has My Secret Leaked, and in ggshield you’ll see it as the HMSL commands. There’s also a web interface, but in this section we stay in the terminal and use ggshield end to end.
https://docs.gitguardian.com/ggshield-docs/home
https://www.gitguardian.com/hasmysecretleaked
We’ll start by pulling up the HMSL help menu and calling out two quick admin checks:
- quota: shows how many search credits you have remaining
- api-status: confirms the HMSL service is healthy
Then we’ll walk through the two ways to run HMSL so you understand what’s happening under the hood.
Option 1 is the three-step flow:
1. ggshield hmsl fingerprint (path to target file)
This takes the secrets found in the file, fingerprints them using the same hashing approach GitGuardian applies to the secrets it finds on GitHub, and outputs a payload you can send to the service.
2. ggshield hmsl query (path to payload)
This sends the fingerprint payload to the Has My Secret Leaked service to check for matches against secrets found publicly. The response prints to stdout by default, but it’s a good idea to save it to a file because the next command needs a path.
3. ggshield hmsl decrypt (path to response payload)
This decrypts the returned payload so you can see the results in plaintext in your terminal.
Option 2 is the one-command flow that does it all:
ggshield hmsl check (path to target file)
This performs the same steps (fingerprint, query, decrypt) in one smooth run and prints the decrypted result directly.
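To show why the flow splits into fingerprint, query and decrypt, here is an added Python model of the three steps; it is not ggshield's or GitGuardian's code and does not reproduce their algorithm, parameters or wire format. The PBKDF2 hash, the SALT value, the SHA-256 lookup hint, the XOR keystream cipher, the LeakIndex class and all sample values are assumptions constructed for this illustration.

```python
import hashlib, hmac, json

SALT = b"constructed-demo-salt"  # assumption: demo value, not a service parameter

def fingerprint(secret):
    """Step 1: derive (key, hint). Only the hint is ever sent; the key stays local."""
    key = hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 10_000)
    return key, hashlib.sha256(key).hexdigest()

def _xor(key, data):
    # Toy SHA-256 counter-mode keystream (assumption); a real design would use an AEAD.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, record):
    ct = _xor(key, json.dumps(record).encode())
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    """Step 3: decrypt locally; returns None when the key does not match the record."""
    tag, ct = blob[:32], blob[32:]
    ok = hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest())
    return json.loads(_xor(key, ct)) if ok else None

class LeakIndex:
    """Service side of the model: stores hint -> sealed record, never the plaintext."""
    def __init__(self):
        self.rows = {}
    def ingest(self, secret, location):
        key, hint = fingerprint(secret)  # hashed when found, plaintext not kept
        self.rows[hint] = seal(key, {"location": location})
    def query(self, hints):
        # Step 2: return the sealed records whose hint matches.
        return {h: self.rows[h] for h in hints if h in self.rows}

def check(index, secrets):
    """One-command flow: fingerprint, query, decrypt."""
    local = {hint: (s, key) for s in secrets for key, hint in [fingerprint(s)]}
    found = {}
    for hint, blob in index.query(list(local)).items():
        record = unseal(local[hint][1], blob)
        if record is not None:
            found[local[hint][0]] = record["location"]
    return found

if __name__ == "__main__":  # constructed sample data
    idx = LeakIndex()
    idx.ingest("constructed-key-1", "https://github.com/example/repo")
    print(check(idx, ["constructed-key-1", "constructed-key-2"]))
```

In this model the index and the query carry only hints and sealed records, so a match can be read only by someone who already holds the secret.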
Finally, we’ll touch on vault checking: ggshield can also check whether any keys stored in your vault have been leaked. This is currently compatible with HashiCorp Vault KV secret engines (v1 or v2). Full enterprise secrets manager integrations are typically managed through the GitGuardian workspace or via API, but this gives you an immediate CLI path for Vault.