Secret scanning with ggshield (repo, files, changes, commits, archives, Docker, and PyPI)
Now we’re getting to the heart of ggshield: secret scanning.
https://docs.gitguardian.com/ggshield-docs/home
In this section, we jump into ggshield secret and its two subcommands, ignore and scan. Ignore makes a lot more sense once you’ve seen scan in action, so we start by learning what ggshield can scan and why it’s so flexible across the development lifecycle.
We’ll open the help menu so you can see every scan target available:
ggshield secret scan -h
From there, we focus on the two most common scan modes you’ll use day-to-day: repo and path.
Repo scanning is the deep audit. It scans an entire Git repository, including commit history and branches, which makes it perfect for onboarding legacy code, validating before a release, or hunting for secrets buried in history. We’ll scan a local repo using the current directory and a full path, and then we’ll show how repo scans can target remote repositories you can access too.
ggshield secret scan repo .
ggshield secret scan repo /Users/dwaynemcdaniel/Documents/wrongsecrets1
Path scanning is the fast, practical option for local work. It scans files and folders without Git history, and the most common flag you’ll use is recursive scanning so it can walk subdirectories.
ggshield secret scan path -r .
Then we shift into targeted scanning, because you often don’t need to scan everything. You’ll see how to scan just what changed since the last commit, and how to scan a specific commit range, which is great for pull requests, merges, audits, and incident review workflows.
ggshield secret scan changes
ggshield secret scan commit-range HEAD~10..HEAD
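The following wrapper is an added example, not code from the GitGuardian docs or the ggshield project. It ties the repo, path, and commit-range modes above together the way a CI or pre-merge script would: it picks repo scanning for a Git checkout and recursive path scanning for anything else, computes a pull-request commit range from the merge base with an assumed base branch (origin/main), and maps the scan's exit status to a verdict. The mode-selection rule, the base-branch default, the function names, and the exit-code convention (0 clean, 1 secrets found, anything else an error) are this example's assumptions; ggshield and GITGUARDIAN_API_KEY must be set up before run_scan is actually used.

```shell
#!/bin/sh
# Added example (not from the GitGuardian docs or the ggshield project).
# Assumptions: ggshield is on PATH and GITGUARDIAN_API_KEY is set when run_scan
# is used; the rule "repo for a .git checkout, path -r otherwise" is our choice.

# Decide which scan subcommand fits a target: a Git checkout gets the deep
# history audit (repo), any other file or folder the fast working-tree scan (path).
scan_mode_for() {
    target="$1"
    if [ -d "$target/.git" ] || [ -f "$target/.git" ]; then
        echo "repo"          # .git may be a directory or, for worktrees, a file
    elif [ -d "$target" ] || [ -f "$target" ]; then
        echo "path"
    else
        echo "unknown"
        return 1
    fi
}

# Build the ggshield command line for a target (printed, not executed).
build_scan_cmd() {
    target="$1"
    mode="$(scan_mode_for "$target")" || return 1
    case "$mode" in
        repo) echo "ggshield secret scan repo $target" ;;
        path) echo "ggshield secret scan path -r $target" ;;
    esac
}

# Commit range for a pull request: every commit on HEAD since it diverged from
# the base branch (assumed default: origin/main). Feed the result to
# "ggshield secret scan commit-range".
pr_commit_range() {
    base="${1:-origin/main}"
    merge_base="$(git merge-base "$base" HEAD)" || return 1
    echo "${merge_base}..HEAD"
}

# Run a scan with the given subcommand and arguments, print a verdict, and keep
# the exit status so a CI job fails when secrets are found.
# Assumed convention: 0 = clean, 1 = secrets found, anything else = scan error.
run_scan() {
    ggshield secret scan "$@"
    status=$?
    case "$status" in
        0) echo "clean" ;;
        1) echo "secrets found" ;;
        *) echo "scan error (exit $status)" ;;
    esac
    return "$status"
}
```

In a pull-request job you would call run_scan commit-range "$(pr_commit_range)"; for a local folder, eval "$(build_scan_cmd .)" does the right thing whether or not the folder is a Git checkout.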
After that, we cover a few power moves that surprise a lot of people the first time: scanning archives, Docker images, and even PyPI packages. ggshield can unwrap and inspect these because, at the end of the day, they’re still text and code inside compressed layers.
ggshield secret scan archive <archive-file>
ggshield secret scan docker <image-name-or-archive>
ggshield secret scan pypi <package-name>
We also touch on docset scanning for teams working with structured datasets:
ggshield secret scan docset <docset-file>
Finally, we tee up the next section: pre-commit, pre-push, and pre-receive scanning, which ties directly into Git hooks so you can catch secrets before they ever make it into your repo or your remote.