ggshield hmsl fingerprint
Please note that Has My Secret Leaked features are currently in beta.
Description
Collect secrets and compute fingerprints.
ggshield hmsl fingerprint [OPTIONS] PATH
Fingerprints are to be used later by the decrypt command.
Note: Secrets can be read from stdin using ggshield hmsl fingerprint -.
Options
-p, --prefix PREFIX: Prefix for output file names. For instance, -p foo produces foo-payload.txt and foo-mapping.txt.
-f, --full-hashes: Put the full hashes into the payload instead of the prefixes. This is useful for partners that trust GitGuardian because it allows sending more hashes per batch and consumes fewer credits.
-n, --naming-strategy [censored|cleartext|none|key]: Strategy to generate the hints in the output.
    censored: only the first and last characters are displayed.
    cleartext: the full secret is used as a hint (Not recommended!).
    none: no hint is generated.
    key: the key name is selected if available (e.g. in .env files), otherwise censored is used.
    Default: key.
-t, --type [file|env]: Type of input to process.
    file: the input is a simple file containing secrets.
    env: the input is a file containing environment variables.
    Default: file.
This command supports all ggshield global options.
Example
Create a file, for instance secrets.txt, containing some secrets:
sup3rstr0ngpass1ForGG
hjshnk5ex5u34565AWS654/JKGjhz545d89sjkja
hjshmq1no2v59001AWS792/PMDaax001t52sjkja
Here we have two “unsafe” passwords and a GitGuardian API key (invalid).
The first step is to compute all the data that we will need in the two other stages:
$ ggshield hmsl fingerprint secrets.txt
payload.txt and mapping.txt files have been written.
Prepared 3 secrets.
This command produces two files: payload.txt and mapping.txt. The first one contains the prefixes that will be sent to HMSL as queries. The second one contains an association between the hashes of your secrets and their “names”, a censored version of their values that is more human readable.
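To make the split between the two files concrete, here is an added sketch (not ggshield's code) of how a payload of hash prefixes and a local hash-to-hint mapping relate, covering the file/env input types and the naming strategies listed above. SHA-256 is a stand-in for whatever hash ggshield uses, and PREFIX_LEN and all function names are assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 5  # assumption: number of hex characters kept per prefix


def parse(text, input_type="file"):
    """Yield (key, secret) pairs; key is None for plain 'file' input."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if input_type == "env":
            if line.startswith("#"):
                continue  # comment line in an env file
            key, sep, value = line.partition("=")
            if sep and value:  # skip malformed lines and empty values
                yield key.strip(), value.strip().strip("'\"")
        else:
            yield None, line


def censor(secret):
    """Show only the first and last characters."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def hint(key, secret, strategy):
    if strategy == "none":
        return ""
    if strategy == "cleartext":
        return secret  # the secret itself lands in the mapping file
    if strategy == "key" and key:
        return key
    return censor(secret)  # 'censored', or 'key' with no key name available


def fingerprint(text, input_type="file", strategy="key", full_hashes=False):
    """Return (payload, mapping): values to send, and the local hash -> hint table."""
    payload, mapping = set(), {}
    for key, secret in parse(text, input_type):
        digest = hashlib.sha256(secret.encode()).hexdigest()  # stand-in hash
        payload.add(digest if full_hashes else digest[:PREFIX_LEN])
        mapping[digest] = hint(key, secret, strategy)
    return sorted(payload), mapping


if __name__ == "__main__":
    sample = "DB_PASSWORD=sup3rstr0ngpass1ForGG\n# constructed sample\nEMPTY=\n"
    print(fingerprint(sample, input_type="env"))
```

Only the payload is meant to leave the machine; the mapping stays local, which is why the cleartext strategy turns mapping.txt into a file that must be protected like the secrets themselves.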