Ggshield

Added

- Add a new `ggshield honeytoken create` command to let you create honeytokens if enabled in your workspace.
Learn more about honeytokens at https://www.gitguardian.com/honeytoken

Changed

- `ggshield secret scan` commands can now use server-side configuration for the maximum document size and maximum document count per scan.

Fixed

- Accurately enforce the timeout of the pre-receive secret scan command (417)

- Correctly compute the secret ignore sha in the json output.

- GitLab WebUI Output Handler now behaves correctly when using the `ignore-known-secrets` flag, it also no longer displays empty messages in the UI.

<a id='changelog-1.15.1'></a>

Changed

- `ggshield secret scan` JSON output has been improved:
- It now includes an `incident_url` key for incidents. If a matching incident was found in the user's dashboard it contains the URL to the incident. Otherwise, it defaults to an empty string.
- The `known_secret` key is now always present and defaults to `false` if the incident is unknown to the dashboard.

Fixed

- Fixed a regression introduced in 1.15.0 which caused the `--ignore-known-secrets` option to be ignored.

<a id='changelog-1.15.0'></a>

Changed

- `ggshield secret scan` output now includes a link to the incident if the secret is already known on the user's GitGuardian dashboard.

- `ggshield secret scan docker` no longer rescans known-clean layers, speeding up subsequent scans. This cache is tied to GitGuardian secrets engine version, so all layers are rescanned when a new version of the secrets engine is deployed.

Fixed

- Fixed an issue where the progress bar for `ggshield secret scan` commands would sometimes reach 100% too early and then stayed stuck until the end of the scan.

Removed

- The deprecated commands `ggshield scan` and `ggshield ignore` have been removed. Use `ggshield secret scan` and `ggshield secret ignore` instead.

<a id='changelog-1.14.5'></a>

Changed

- `ggshield iac scan` can now be called without arguments. In this case it scans the current directory.

- GGShield now displays an easier-to-understand error message when no API key has been set.

Fixed

- Fixed GGShield not correctly reporting misspelled configuration keys if the key name contained `-` characters (480).

- When called without an image tag, `ggshield secret scan docker` now automatically uses the `:latest` tag instead of scanning all versions of the image (468).

- `ggshield secret scan` now properly stops with an error message when the GitGuardian API key is not set or invalid (456).

<a id='changelog-1.14.4'></a>

Fixed

- GGShield Docker image can now be used to scan git repositories even if the repository is mounted outside of the /data directory.

- GGShield commit hook now runs correctly when triggered from Visual Studio (467).

<a id='changelog-1.14.3'></a>

Fixed

- `ggshield secret scan pre-receive` no longer scans deleted commits when a branch is force-pushed (437).

- If many GGShield users are behind the same IP address, the daily update check could cause GitHub to rate-limit the IP. If this happens, GGShield honors GitHub rate-limit headers and no longer checks for a new update until the rate-limit is lifted (449).

- GGShield once again prints a "No secrets have been found" message when a scan does not find any secret (448).

- Installing GGShield no longer creates a "tests" directory in "site-packages" (383).

- GGShield now shows a clear error message when it cannot use git in a repository because of dubious ownership issues.

Deprecated

- The deprecation message when using `ggshield scan` instead of `ggshield secret scan` now states the `ggshield scan` commands are going to be removed in GGShield 1.15.0.

<a id='changelog-1.14.2'></a>