Ggshield

Latest version: v1.27.0

1.27.0

Removed

- The `This feature is still in beta, its behavior may change in future versions` warning is no longer displayed for sca commands.

Added

- It is now possible to customize the remediation message printed by the GGShield pre-receive hook. This can be done by setting the message in the `secret.prereceive_remediation_message` configuration key. Thanks a lot to Renizmy for this feature.

- We now provide signed .pkg files for macOS.

- Added the `This feature is still in beta, its behavior may change in future versions` warning to `iac scan all`.

Changed

- Linux .deb and .rpm packages now use the binaries produced by pyinstaller. They no longer depend on Python.

Deprecated

- Dash-separated configuration keys are now deprecated and should be replaced with underscore-separated keys. For example, `show-secrets` should become `show_secrets`. GGShield still supports reading dash-separated configuration keys, but it prints a warning when it finds one.

Fixed

- GGShield commands working with commits no longer fail when parsing a commit without any author.

- Configuration keys defined in the global configuration file are no longer ignored if a local configuration file exists.

- The option `--exclude PATTERN` is no longer ignored by the command `ggshield secret scan repo`.

1.26.0

Added

- `ggshield auth login` learned to create tokens with extra scopes using the `--scopes` option. Using `ggshield auth login --scopes honeytokens:write` would create a token suitable for the `ggshield honeytokens` commands.

1.25.0

Added

- It is now possible to create a honeytoken with context using the new `honeytoken create-with-context` command.

Changed

- SCA incidents ignored on the GitGuardian app will no longer show up in the scan results, in text/JSON format.

1.24.0

Added

- Adds two new flags for `ggshield sca scan` commands, `--ignore-fixable` and `--ignore-not-fixable`, so that the user can filter the returned incidents depending on whether they can be fixed. The two flags cannot be used simultaneously.

Changed

- Number of documents in a chunk is now adapted to the server payload.
- Moved some properties from Scannable child classes up to Scannable itself.

Fixed

- IAC/SCA scans will scan new commits as intended for CI jobs on newly pushed branches.
- IAC/SCA scans will scan new commits as intended for CI jobs on the first push to a new repository.

- In CI jobs, IAC/SCA scans on forced pushes no longer trigger an error but perform a scan on all commits instead.

- Fixes `ggshield sca scan` commands not taking some user parameters into account.

1.23.0

Added

- GGShield output now adapts when the grace period of an IaC incident ignored by a developer has expired.

- GGShield now shows a warning message if it hits a rate-limit.

Changed

- IaC incidents ignored on the GitGuardian app no longer show up in the scan results.

Fixed

- IaC/SCA scans now properly find the parent commit SHA on GitLab push pipelines for new branches.

- Error messages now appear above progress bars instead of overlapping them.

IaC

- File content is now displayed as intended when executing `ggshield iac scan all` on a subdirectory of a Git repository.

- Pre-push scans are now diff scans when pushing a new branch, comparing to the last commit of the parent branch.

- Pre-push scans on empty repositories no longer include staged files.

1.22.0

Added

- Secret: GGShield now prints the name of what is being scanned when called with `--verbose` (212).

- You can now use the `SKIP=ggshield` environment variable without the [pre-commit framework](https://pre-commit.com/) to skip pre-commit and pre-push scans.

Changed

- GGShield can now scan huge commits without running out of memory.

Fixed

- IaC and SCA: scans in GitLab merge request pipelines should now be performed on the intended commit ranges, instead of an empty range.

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.