Ggshield

Latest version: v1.33.0


1.17.1

Not secure
Added

- New command: `ggshield iac scan all`. This command replaces the now-deprecated `ggshield iac scan`. It scans a directory for IaC vulnerabilities.

- New command: `ggshield iac scan diff`. This command scans a Git repository and inspects changes in IaC vulnerabilities between two points in the history.

  - All options from `ggshield iac scan all` are supported: `--ignore-policy`, `--minimum-severity`, `--ignore-path` etc. Execute `ggshield iac scan diff -h` for more details.
  - Two new options let you choose which state to select for the difference: `--ref <GIT-REFERENCE>` and `--staged`.
  - The command can be integrated in Git hooks using the `--pre-commit`, `--pre-push`, `--pre-receive` options.
  - The command output lists vulnerabilities as `unchanged`, `new` and `deleted`.

- Added a `--log-file FILE` option to redirect all logging output to a file. The option can also be set using the `$GITGUARDIAN_LOG_FILE` environment variable.

Changed

- Improved `secret scan path` speed by updating charset-normalizer to 3.1.

- Errors are no longer reported twice: first using a human-friendly message and then using log output. Log output is now off by default, unless `--debug` or `--log-file` is set (213).

- The help messages for the `honeytoken` commands have been updated.

- `ggshield honeytoken create` now displays an easier-to-understand error message when the user does not have the necessary permissions to create a honeytoken.

- `ggshield auth login` now displays a warning message if the token expiration date has been adjusted to comply with the personal access token maximum lifetime setting of the user's workspace.

Deprecated

- `ggshield iac scan` is now replaced by the new `ggshield iac scan all`, which supports the same options and arguments.

<a id='changelog-1.16.0'></a>

1.16.0

Not secure
Added

- Add a new `ggshield honeytoken create` command to let you create honeytokens if enabled in your workspace.
Learn more about honeytokens at https://www.gitguardian.com/honeytoken

Changed

- `ggshield secret scan` commands can now use server-side configuration for the maximum document size and maximum document count per scan.

Fixed

- Accurately enforce the timeout of the pre-receive secret scan command (417)

- Correctly compute the secret ignore sha in the json output.

- GitLab WebUI Output Handler now behaves correctly when using the `ignore-known-secrets` flag. It also no longer displays empty messages in the UI.

<a id='changelog-1.15.1'></a>

1.15.1

Not secure
Changed

- `ggshield secret scan` JSON output has been improved:
  - It now includes an `incident_url` key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
  - The `known_secret` key is now always present and defaults to `false` if the incident is unknown to the dashboard.

Fixed

- Fixed a regression introduced in 1.15.0 which caused the `--ignore-known-secrets` option to be ignored.

<a id='changelog-1.15.0'></a>

1.15.0

Not secure
Changed

- `ggshield secret scan` output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.

- `ggshield secret scan docker` no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to the GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.

Fixed

- Fixed an issue where the progress bar for `ggshield secret scan` commands would sometimes reach 100% too early and then stay stuck until the end of the scan.

Removed

- The deprecated commands `ggshield scan` and `ggshield ignore` have been removed. Use `ggshield secret scan` and `ggshield secret ignore` instead.

<a id='changelog-1.14.5'></a>

1.14.5

Not secure
Changed

- `ggshield iac scan` can now be called without arguments. In this case it scans the current directory.

- GGShield now displays an easier-to-understand error message when no API key has been set.

Fixed

- Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained `-` characters (480).

- When called without an image tag, `ggshield secret scan docker` now automatically uses the `:latest` tag instead of scanning all versions of the image (468).

- `ggshield secret scan` now properly stops with an error message when the GitGuardian API key is not set or invalid (456).

<a id='changelog-1.14.4'></a>

1.14.4

Not secure
Fixed

- GGShield Docker image can now be used to scan git repositories even if the repository is mounted outside of the /data directory.

- GGShield commit hook now runs correctly when triggered from Visual Studio (467).

<a id='changelog-1.14.3'></a>
