Skip to main content

ggshield iac scan ci

Beta program

Please note that IaC Prevention features are currently in beta.


This command was implemented in version 1.18.0


Scan in CI for IaC vulnerabilities. By default, it will return vulnerabilities added in the new commits.

ggshield iac scan ci [OPTIONS] [DIRECTORY]

The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability (old and new) was found.


  • --json: Use JSON output.
  • --ignore-path, --ipa PATTERN: Do not scan paths that match the specified glob-like patterns.
  • --ignore-policy, --ipo TEXT: Policies to exclude from the results.
  • --minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]: Minimum severity of the policies.
  • --exit-zero: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
  • --all: Reports all vulnerabilities in the final state.

This command supports all ggshield global options.

Ignore error exit codes

If you need this command to exit with a code 0 even when IaC vulnerabilities are found in a scan, you can pass the option --exit-zero

See also

Go to our dedicated documentation for more details about CI/CD integrations with ggshield.

How can I help you ?