Skip to main content

ggshield hmsl fingerprint

Beta program

Please note that Has My Secret Leaked features are currently in beta.


Collect secrets and compute fingerprints.

ggshield hmsl fingerprint [OPTIONS] PATH

Fingerprints are to be used later by the decrypt command.

Note: Secrets can be read from stdin using ggshield hmsl fingerprint -.


  • -p, --prefix PREFIX: Prefix for output file names. For instance -p foo produces foo-payload.txt and foo-mapping.txt.

  • -f, --full-hashes: Put the full hashes into the payload instead of the prefixes. This is useful for partners that trust GitGuardian because it allows to send more hashes per batch, and consumes less credits, but leaks more data to GitGuardian.

  • -n, --naming-strategy [censored|cleartext|none|key]: Strategy to generate the hints in the output.

    • censored: only the first and last characters are displayed.
    • cleartext: the full secret is used as a hint (Not recommended!).
    • none: no hint is generated.
    • key: the key name is selected if available (e.g. in .env files), otherwise censored is used.

    Default: key.

  • -t, --type [file|env]: Type of input to process.

    • file: the input is a simple file containing secrets.
    • env: the input is a file containing environment variables.

    Default: file.

This command supports all ggshield global options.


Create a file, for instance secrets.txt, containing some secrets:


Here we have two “unsafe” passwords and a GitGuardian API key (invalid).

The first step is to compute all the data that we will need in the two other stages:

$ ggshield hmsl fingerprint secrets.txt
payload.txt and mapping.txt files have been written.
Prepared 3 secrets.

This command produces two files: payload.txt and mapping.txt. The first one contains the prefixes that will be queried to HMSL, and the second one an association between the hashes of your secrets and their “names”, a censored version of their values that is more human readable.