Skip to main content

Docker image


ggshield docker scanning tool (ggshield secret scan docker) is used to scan local docker images for secrets present in the image's creation process (dockerfile and build arguments) and in the image's layers' filesystem.

ggshield is a wrapper around GitGuardian API for secrets detection that requires an API key to work.

If the image is not available locally on the user's machine, GitGuardian shield will attempt to pull the image using docker pull <IMAGE_NAME>.


docker preview


  • Docker: scan a Docker image after exporting its filesystem and manifest with the docker save command.

    Usage: ggshield secret scan docker [OPTIONS] IMAGE_NAME
      ggshield will try to pull the image if it's not available locallyOptions:  -h, --help  Show this message and exit.

Example: ggshield secret scan docker gitguardian/ggshield

Example integration (GitHub Actions)#

In this example integration we build and push the ggshield image on GitHub Actions and then scan this image.

name: ci
on:  push:    branches:      - 'master'
jobs:  docker:    runs-on: ubuntu-latest    services:      registry:        image: registry:2        ports:          - 5000:5000
    container: gitguardian/ggshield:latest    steps:      - name: Checkout        uses: actions/checkout@v2      - name: Set up QEMU        uses: docker/setup-qemu-action@v1      - name: Set up Docker Buildx        uses: docker/setup-buildx-action@v1        with:          driver-opts: network=host      - name: Build and push to local registry        uses: docker/build-push-action@v2        with:          context: .          push: true          tags: localhost:5000/gitguardian/ggshield:latest      - name: Scan image        run: |          ggshield secret scan docker localhost:5000/gitguardian/ggshield:latest