Ignore false positives safely with ggshield secret ignore

In this section, we cover what to do when ggshield finds something you don’t actually need to remediate, like a false positive, an intentionally fake credential in a demo repo, or a known non-sensitive test value.

https://docs.gitguardian.com/ggshield-docs/home

ggshield secret ignore lets you mark specific findings as ignored by adding them to the secrets.ignored_matches section of your local configuration. If your repo doesn’t already have a local config file, ggshield will create a .gitguardian.yaml file for you.

You’ll see two common ways to use it:
Use --name to label and ignore a specific secret finding.
Use --last-found to ignore all secrets found in your most recent scan, which is especially handy during local testing and iterations.

The key idea is that ignoring is tracked in config, not hidden in your terminal history, so it stays consistent for the repo and prevents repeated noise while you’re working.
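Because the ignore list lives in .gitguardian.yaml, it can be reviewed like any other change to the repo. The script below is an added example, not part of ggshield or of this course's own material: it assumes the version 2 file layout (entries under secret: ignored_matches as name/match pairs), and its two review rules, the constructed sample config and the function names parse_ignored_matches and audit are assumptions of this example.

```python
import re

SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
FIELD = re.compile(r"^\s*(-\s+)?(name|match):\s*(.*?)\s*$")

def parse_ignored_matches(text):
    # Minimal line-based reader for the ignored_matches list (no inline comments).
    entries, in_block, block_indent = [], False, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        indent = len(line) - len(line.lstrip())
        if line.strip() == "ignored_matches:":
            in_block, block_indent = True, indent
            continue
        if in_block and indent <= block_indent and not line.lstrip().startswith("-"):
            in_block = False  # a sibling or parent key ends the list
        field = FIELD.match(line) if in_block else None
        if field:
            dash, key, value = field.groups()
            if dash or not entries:
                entries.append({})  # "- " opens a new list item
            entries[-1][key] = value.strip("'\"")
    return entries

def audit(text):
    # Returns (entry_number, problem) pairs; the match value is never echoed.
    findings = []
    for number, entry in enumerate(parse_ignored_matches(text), start=1):
        if not entry.get("name"):
            findings.append((number, "no name, so the reason for ignoring is unrecorded"))
        if not SHA256.match(entry.get("match", "")):
            findings.append((number, "match is not a SHA-256 hash; a raw value sits in the config"))
    return findings

H = "ab" * 32  # constructed 64-hex placeholder, not a real finding hash
SAMPLE = f"""\
version: 2
secret:
  ignored_matches:
    - name: demo API key in README
      match: {H}
    - name:
      match: {H}
    - name: fixture password
      match: not-a-real-password
  show_secrets: false
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against the repo's own .gitguardian.yaml in code review or CI, this flags ignore entries that carry no label or that store a literal value instead of a hash.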

And with that, we’ve covered scanning files, repos, archives, and containers. Next up, we’ll look at how ggshield can help you track leaked credentials on public GitHub and detect live exposure using Honeytokens.