
What is scanned

ggshield machine scan operates in three modes that control coverage depth:

  • Quick mode: focuses on credential-dense paths (shell history, config files, dotfiles). Fastest, lowest overhead.
  • Standard mode: full filesystem traversal plus supplemental sources such as environment variables and secret stores. The default for machine inventory.
  • Full mode: same as standard but also includes build artifacts and dependency directories that are skipped by default.

Files

In standard and full modes, the engine traverses the whole filesystem and inspects any file that may hold a secret:

  • Shell history files (.zsh_history, .bash_history, etc.)
  • Configuration files (.env, .gitconfig, .npmrc, SSH configs, credential files)
  • Cloud credential stores (for example ~/.aws, GCP, or Azure CLI caches)
  • AI coding agent caches and histories (Cursor, Claude Code, Copilot, MCP configs, etc.)
  • Temporary directories and browser storage
  • Structured data files (CSV, SQL, XLSX, PDF, SQLite)
  • Archives (.zip, .jar, .war, .ear) and compressed files (.gz, .bz2, .xz, .zst)
  • Any file matching patterns associated with secrets (API keys, tokens, certificates, private keys)

Security teams can define exclusion lists that remove specific directories or file types from the scan scope.

note

Machine scan focuses on credential accumulation across the full filesystem and does not limit itself to Git repositories.

Non-file sources

Machine scan also scans local sources that are not ordinary files. These are included by default in standard and full modes:

  • Environment variables: values in the current process environment. Opt out with --no-scan-env.
  • OS keyring / secret store: user-readable secret store entries. On by default on Linux and Windows; macOS Keychain scanning is opt-in via config. Opt out with --no-scan-keyring.
  • Windows registry: user-readable registry credential locations on Windows. Opt out with --no-scan-registry.
  • Temporary directory: $TMPDIR, /tmp, and the platform temp roots; on macOS only the per-user temp root. Opt out with --no-scan-temp.

Quick mode focuses on credential-dense paths and, depending on the command wrapper, may not include every supplemental source listed above.

Built-in directory exclusions

In standard mode, ggshield automatically skips directories that are typically large, generated, binary-heavy, or unlikely to contain user secrets:

  • Dependency and build output: node_modules, .venv, venv, target, dist, build, .next, .nuxt, Pods, DerivedData
  • Caches and package caches: .cache, __pycache__, .npm/_cacache, .cargo/registry, .m2/repository, .gradle/caches, .pnpm-store
  • Version control internals: .git, .svn, .hg
  • Media and user libraries: Movies, Music, Pictures, Photos Library.photoslibrary
  • Virtual machines and runtimes: OrbStack, Parallels, VirtualBox VMs, .colima, .lima, .multipass, .vagrant.d
  • Browser and app caches: Chrome/Edge cache and service worker caches, Firefox crash reports, Slack logs
  • Scanner state: .ggshield, .gitguardian

To include build and dependency directories, use --thorough with the plugin or --full on the native CLI. For persistent overrides, use scan.extra_skip_dirs and scan.include_dirs in your configuration file.
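The pruning policy described in this section, written out as an added example (this is illustrative code, not ggshield's own implementation). It models the built-in exclusion list, the standard/full mode difference, and the extra_skip_dirs / include_dirs overrides. Several details are assumptions because the page does not state them: patterns apply at any depth, a two-component entry such as .npm/_cacache only matches when the parent directory also matches, both the build-output and cache categories are re-added in full mode, and an include_dirs entry beats every skip list. The sample directory listings are constructed.

```python
"""
Directory-pruning policy modelled on the built-in exclusions above.
Added example, not ggshield's own code. Assumptions: patterns match at any
depth; a "parent/child" pattern also requires the parent to match; both
the build-output and cache categories are re-added in full mode; an
include_dirs entry beats every skip list.
"""
import os
from typing import Iterable, Iterator, List

# Skipped in standard mode, scanned in full mode ("Dependency and build
# output" and "Caches and package caches" categories).
BUILD_AND_CACHE_DIRS = frozenset({
    "node_modules", ".venv", "venv", "target", "dist", "build", ".next",
    ".nuxt", "Pods", "DerivedData",
    ".cache", "__pycache__", ".npm/_cacache", ".cargo/registry",
    ".m2/repository", ".gradle/caches", ".pnpm-store",
})

# Skipped in both modes: VCS internals, media, VM images, scanner state.
# (Browser/app cache paths vary by platform and are omitted here.)
ALWAYS_SKIP_DIRS = frozenset({
    ".git", ".svn", ".hg",
    "Movies", "Music", "Pictures", "Photos Library.photoslibrary",
    "OrbStack", "Parallels", "VirtualBox VMs", ".colima", ".lima",
    ".multipass", ".vagrant.d",
    ".ggshield", ".gitguardian",
})


def _matches(dirpath: str, name: str, patterns: Iterable[str]) -> bool:
    """True if subdirectory `name` of `dirpath` matches any pattern.

    A one-component pattern matches on basename alone; "parent/child"
    additionally requires the immediate parent's basename to equal parent,
    so ".npm/_cacache" does not prune an unrelated "_cacache" directory.
    """
    parent = os.path.basename(os.path.normpath(dirpath))
    for pat in patterns:
        head, _, tail = pat.rpartition("/")
        if tail == name and (not head or head == parent):
            return True
    return False


def subdirs_to_scan(dirpath: str, dirnames: Iterable[str],
                    mode: str = "standard",
                    extra_skip_dirs: Iterable[str] = (),
                    include_dirs: Iterable[str] = ()) -> List[str]:
    """Return, sorted, the subdirectories of `dirpath` to descend into."""
    if mode not in ("standard", "full"):
        # Quick mode is a targeted path list, not a traversal, so it is
        # not modelled by this pruning function.
        raise ValueError("mode must be 'standard' or 'full'")
    skip = set(ALWAYS_SKIP_DIRS) | set(extra_skip_dirs)
    if mode == "standard":
        skip |= BUILD_AND_CACHE_DIRS
    keep = []
    for name in sorted(dirnames):
        if _matches(dirpath, name, include_dirs):
            keep.append(name)  # explicit include wins (assumption)
        elif not _matches(dirpath, name, skip):
            keep.append(name)
    return keep


def walk_for_scan(root: str, mode: str = "standard",
                  extra_skip_dirs: Iterable[str] = (),
                  include_dirs: Iterable[str] = ()) -> Iterator[str]:
    """Yield file paths under `root`, never entering pruned directories.

    os.walk only honours pruning when `dirnames` is modified in place;
    rebinding the name to a new list would have no effect.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = subdirs_to_scan(dirpath, dirnames, mode,
                                      extra_skip_dirs, include_dirs)
        for filename in filenames:
            yield os.path.join(dirpath, filename)


if __name__ == "__main__":
    # Constructed listing of a home directory, not read from disk.
    home = "/home/alice"
    entries = ["node_modules", ".git", "src", ".npm", ".aws", "Music"]
    print("standard:", subdirs_to_scan(home, entries))
    print("full:", subdirs_to_scan(home, entries, mode="full"))
```

The in-place assignment to dirnames[:] is the part people get wrong when hand-rolling a scanner: os.walk reads the list object it handed you, so building a filtered copy and binding it to a new name silently scans everything.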

Areas skipped by default

Some areas are deliberately excluded unless you opt in, for privacy, performance, or safety reasons:

  • macOS TCC-protected directories: Desktop, Documents, Downloads, Mail, Messages, Safari, and similar paths trigger macOS privacy prompts. Opt in with --include-protected.
  • Remote and network filesystems: NFS, SMB, SSHFS, and cloud drives can be slow, shared, or trigger cloud downloads. Opt in with --include-remote-fs on the native CLI, or set scan.skip_remote_fs: false in the configuration file.
  • Kernel pseudo filesystems: procfs, sysfs, cgroupfs, and debugfs entries can misreport size and stream unbounded data. Opt in with --include-pseudo-fs.
  • Other users' home directories: requires elevated privileges and changes the privacy boundary. Opt in with --scan-all-users; add --include-root to include root's home.
  • Public repository checkouts: open-source clones often create noise unrelated to local machine risk. Opt in with scan.skip_public_repositories: false.
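The configuration keys named on this page, collected into one file as an added example (this is not a fragment from the ggshield documentation or project). The file name .gitguardian.yaml and the rendering of the dotted keys as a nested mapping under scan: are assumptions; every directory name and value below is a constructed example, not a default.

```yaml
# .gitguardian.yaml (assumed file name). The page's dotted keys
# (scan.extra_skip_dirs etc.) are assumed to nest under "scan:"; all
# values are constructed examples, not defaults.
scan:
  # Extra directories pruned on top of the built-in exclusions.
  extra_skip_dirs:
    - vendor
    - go/pkg/mod
  # Directories scanned even where a built-in exclusion would skip them.
  include_dirs:
    - build
  # Descend into NFS/SMB/SSHFS mounts and cloud drives (skipped by default).
  skip_remote_fs: false
  # Also scan open-source clones (skipped by default).
  skip_public_repositories: false
```

Keep include_dirs narrow: re-adding something as broad as node_modules on a developer laptop turns a machine inventory into a dependency scan and slows every run, whereas one build directory that embeds generated config is a targeted exception.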