Ggshield

Latest version: v1.33.0


Page 2 of 7

1.30.1

Not secure
Added

- `ggshield secret scan` commands can now output results in [SARIF format](https://sarifweb.azurewebsites.net/), using the new `--format sarif` option (#869).

- `ggshield sca scan ci` and `ggshield sca scan all` now support the `MALICIOUS` value for `--minimum-severity`.

Changed

- ggshield now has the ability to display custom remediation messages on pre-commit, pre-push and pre-receive. These messages are defined in the platform and fetched from the `/metadata` endpoint of the API. If no messages are set up on the platform, default remediation messages will be displayed as before.

<a id='changelog-1.30.0'></a>

1.30.0

Yanked: release process issue.

<a id='changelog-1.29.0'></a>

1.29.0

Not secure
Removed

- The `--all` option of the `ggshield sca scan ci` and `ggshield iac scan ci` commands has been removed.

Added

- `ggshield secret scan path` now provides a `--use-gitignore` option to honor `.gitignore` and related files (#801).

- A new secret scan command, `ggshield secret scan changes`, has been added to scan changes between the current state of a repository checkout and its default branch.

- GGShield is now available as a standalone executable on Windows.

Changed

- The behavior of the `ggshield sca scan ci` and `ggshield iac scan ci` commands has changed. These commands are now expected to run in merge-request CI pipelines only, and will compute the diff exactly associated with the merge request.

Deprecated

- Running `ggshield sca scan ci` or `ggshield iac scan ci` outside of a merge request CI pipeline is now deprecated.

Fixed

- GGShield now consumes less memory when scanning large repositories.

- Errors thrown during the `ggshield auth login` flow with an invalid instance URL are now handled, and the stack trace is no longer displayed on the console.

- Patch symbols at the start of lines are now always displayed, even for single line secrets.

- The `ggshield auth login` command now respects the `--allow-self-signed` flag.

- GGShield now exits with a proper error message instead of crashing when it receives an HTTP response without `Content-Type` header.

<a id='changelog-1.28.0'></a>

1.28.0

Not secure
Added

- The SCA config `ignored_vulnerabilities` option now supports taking a CVE ID as identifier.

<a id='changelog-1.27.0'></a>

1.27.0

Not secure
Removed

- The `This feature is still in beta, its behavior may change in future versions` warning is no longer displayed for sca commands.

Added

- It is now possible to customize the remediation message printed by the GGShield pre-receive hook. This can be done by setting the message in the `secret.prereceive_remediation_message` configuration key. Thanks a lot to Renizmy for this feature.

- We now provide signed .pkg files for macOS.

- Added a `This feature is still in beta, its behavior may change in future versions` warning to the `ggshield iac scan all` command.

Changed

- Linux .deb and .rpm packages now use the binaries produced by pyinstaller. They no longer depend on Python.

Deprecated

- Dash-separated configuration keys are now deprecated and should be replaced with underscore-separated keys. For example, `show-secrets` should become `show_secrets`. GGShield still supports reading dash-separated configuration keys, but it prints a warning when it finds one.

Fixed

- GGShield commands working with commits no longer fail when parsing a commit without any author.

- Configuration keys defined in the global configuration file are no longer ignored if a local configuration file exists.

- The option `--exclude PATTERN` is no longer ignored by the command `ggshield secret scan repo`.

<a id='changelog-1.26.0'></a>

1.26.0

Not secure
Added

- `ggshield auth login` learned to create tokens with extra scopes using the `--scopes` option. Using `ggshield auth login --scopes honeytokens:write` would create a token suitable for the `ggshield honeytokens` commands.

<a id='changelog-1.25.0'></a>
