ggshield iac scan ci
Beta program
Please note that IaC Prevention features are currently in beta.
info
This command was implemented in version 1.18.0
Description
Scan in CI for IaC vulnerabilities. By default, it will return vulnerabilities added in the new commits.
ggshield iac scan ci [OPTIONS] [DIRECTORY]
The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability (old and new) was found.
Options
--format [text|json]: Format to use for the output.
--json: Shorthand for --format json.
--ignore-path, --ipa PATTERN: Do not scan paths that match the specified glob-like patterns.
--ignore-policy, --ipo TEXT: Policies to exclude from the results.
--minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]: Minimum severity of the policies.
--exit-zero: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
This command supports all ggshield global options.
Ignore error exit codes
If you need this command to exit with code 0 even when IaC vulnerabilities are found in a scan, you can pass the --exit-zero option.
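One way to combine these options in a pipeline, as an added example that is not taken from the ggshield documentation: a blocking gate on findings introduced by new commits, plus a non-blocking JSON inventory of all findings. The function names, the MIN_SEVERITY, IGNORE_GLOB and REPORT variables, the sample glob, and the assumption that --json output goes to stdout are choices made for this example.

```shell
#!/bin/sh
# Added example: two-stage IaC check built only from options documented on this page.
# Assumptions (not from the page): the variable and function names below, the
# sample ignore pattern, that --json output is written to stdout, and that
# ggshield authentication is already configured in the CI job.

MIN_SEVERITY="${MIN_SEVERITY:-HIGH}"        # one of LOW|MEDIUM|HIGH|CRITICAL
IGNORE_GLOB="${IGNORE_GLOB:-examples/**}"   # constructed sample pattern
REPORT="${REPORT:-iac-report.json}"         # where the JSON inventory is saved

# Blocking stage: non-zero exit when the new commits add a finding at or
# above MIN_SEVERITY, which fails the CI job.
iac_gate() {
    ggshield iac scan ci \
        --minimum-severity "$MIN_SEVERITY" \
        --ignore-path "$IGNORE_GLOB" \
        "${1:-.}"
}

# Reporting stage: --all includes old and new findings, --json makes the
# result machine-readable, --exit-zero keeps this stage from failing the job.
iac_inventory() {
    ggshield iac scan ci --all --json --exit-zero "${1:-.}" > "$REPORT"
}

# Write the inventory first so the report exists even when the gate fails,
# then return the gate's status as the job result.
iac_ci() {
    iac_inventory "${1:-.}" || echo "inventory scan did not run" >&2
    iac_gate "${1:-.}"
}

# In the CI job, source this file and call: iac_ci <directory>
```

Keeping --exit-zero on the reporting stage only means existing findings stay visible without blocking merges, while newly introduced ones still fail the build.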
See also
Go to our dedicated documentation for more details about CI/CD integrations with ggshield.