ggshield hmsl fingerprint
Please note that Has My Secret Leaked features are currently in beta.
Collect secrets and compute fingerprints.
ggshield hmsl fingerprint [OPTIONS] PATH
Fingerprints are to be used later by the
Note: Secrets can be read from stdin using ggshield hmsl fingerprint -.
--prefix PREFIX: Prefix for output file names. For instance
--full-hashes: Put the full hashes into the payload instead of the prefixes. This is useful for partners that trust GitGuardian, because it allows sending more hashes per batch and consumes fewer credits, but it leaks more data to GitGuardian.
--naming-strategy [censored|cleartext|none|key]: Strategy to generate the hints in the output.
censored: only the first and last characters are displayed.
cleartext: the full secret is used as a hint (Not recommended!).
none: no hint is generated.
key: the key name is selected if available (e.g. in .env files), otherwise censored is used.
--type [file|env]: Type of input to process.
file: the input is a simple file containing secrets.
env: the input is a file containing environment variables.
This command supports all ggshield global options.
Create a file, for instance secrets.txt, containing some secrets:
Here we have two “unsafe” passwords and a GitGuardian API key (invalid).
The first step is to compute all the data that we will need in the two other stages:
$ ggshield hmsl fingerprint secrets.txt
payload.txt and mapping.txt files have been written.
Prepared 3 secrets.
This command produces two files: payload.txt and mapping.txt. The first one contains the prefixes that will be queried against HMSL, and the second one maps the hashes of your secrets to their “names”, a censored version of their values that is more human-readable.
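The following is an added illustration, not ggshield's own code, of how the payload and the mapping relate and how --type, --naming-strategy and --full-hashes change what leaves your machine. SHA-256, the 5-character prefix length, the returned data shapes and the sample values are assumptions made for this sketch; they are not HMSL's actual hash function or file formats.

```python
import hashlib

PREFIX_LEN = 5  # assumption: number of hex characters of each hash sent as a prefix
SAMPLE_ENV = ["# constructed sample", "DB_PASSWORD='hunter2'", "API_TOKEN=abc123"]


def censor(secret):
    """Keep only the first and last characters; very short values are fully masked."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def read_secrets(lines, input_type="file"):
    """Yield (key_or_None, secret) pairs for the 'file' and 'env' input types."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if input_type == "env":
            key, sep, value = line.partition("=")
            if sep:  # ignore lines that are not KEY=VALUE
                yield key.strip(), value.strip().strip("'\"")
        else:
            yield None, line


def make_hint(key, secret, strategy):
    if strategy == "none":
        return ""
    if strategy == "cleartext":
        return secret  # the mapping then stores the secret itself
    if strategy == "key" and key:
        return key
    return censor(secret)  # 'censored', and the fallback when 'key' has no key name


def fingerprint(lines, input_type="file", strategy="censored", full_hashes=False):
    """Return (payload, mapping): payload is what is queried, mapping stays local."""
    payload, mapping = set(), {}
    for key, secret in read_secrets(lines, input_type):
        digest = hashlib.sha256(secret.encode()).hexdigest()  # stand-in hash (assumption)
        payload.add(digest if full_hashes else digest[:PREFIX_LEN])
        mapping[digest] = make_hint(key, secret, strategy)
    return sorted(payload), mapping


if __name__ == "__main__":
    print(fingerprint(SAMPLE_ENV, input_type="env", strategy="key"))
```

With the default prefix mode the payload carries only a short fragment of each hash, while the mapping keeps the full hash and its hint for local lookup; with cleartext hints the mapping should be protected like the secrets themselves.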