ggshield iac scan pre-commit
Beta program
Please note that IaC Prevention features are currently in beta.
info
This command was implemented in version 1.18.0
Description
Scan a Git repository for changes in IaC vulnerabilities between HEAD and current staged changes.
ggshield iac scan pre-commit [OPTIONS] [DIRECTORY]
The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability at all (old or new) was found.
By default, the output will show:
- The number of known IaC vulnerabilities resolved by the changes
- The number of known IaC vulnerabilities left untouched
- The number and the list of new IaC vulnerabilities introduced by the changes
Options
--json
: Use JSON output.
--ignore-path, --ipa PATTERN
: Do not scan paths that match the specified glob-like patterns.
--ignore-policy, --ipo TEXT
: Policies to exclude from the results.
--minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]
: Minimum severity of the policies.
--exit-zero
: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
--all
: Reports all vulnerabilities in the final state.
This command supports all ggshield global options.
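To make the success rule and the filtering options concrete, here is a small model of the decision a pre-commit IaC scan makes. It is an added illustration, not ggshield's own code: it compares the findings present at HEAD with those in the staged tree, applies --ignore-path, --ignore-policy and --minimum-severity, and then derives the exit code for the default mode, for --all and for --exit-zero. Everything in it is an assumption for the sake of the example: a finding is identified by (path, policy id), the glob-like path patterns are approximated with fnmatch, the non-zero exit value is taken to be 1, and the POLICY-* ids and file paths are constructed sample data.

```python
# Added illustration, not ggshield's own code: a model of how a pre-commit
# IaC scan decides success. Finding identity, the fnmatch path filter and the
# non-zero exit value 1 are assumptions made for this example.
from dataclasses import dataclass
from fnmatch import fnmatch

SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]  # order drives --minimum-severity


@dataclass(frozen=True)
class Finding:
    """One IaC vulnerability. Identity is (path, policy_id), so a finding that
    merely moves to another line counts as 'untouched' (assumption)."""
    path: str
    policy_id: str
    severity: str


def filter_findings(findings, ignore_paths=(), ignore_policies=(), minimum_severity="LOW"):
    """Apply --ignore-path, --ignore-policy and --minimum-severity to a finding list."""
    min_rank = SEVERITIES.index(minimum_severity)
    kept = []
    for f in findings:
        if any(fnmatch(f.path, pattern) for pattern in ignore_paths):
            continue  # --ignore-path / --ipa
        if f.policy_id in ignore_policies:
            continue  # --ignore-policy / --ipo
        if SEVERITIES.index(f.severity) < min_rank:
            continue  # below --minimum-severity
        kept.append(f)
    return kept


def _key(f):
    return (f.path, f.policy_id)


def diff_findings(head, staged):
    """Classify findings between HEAD and the staged tree: resolved, untouched, new."""
    head_set, staged_set = set(head), set(staged)
    return {
        "resolved": sorted(head_set - staged_set, key=_key),
        "untouched": sorted(head_set & staged_set, key=_key),
        "new": sorted(staged_set - head_set, key=_key),
    }


def run_precommit(head, staged, all_mode=False, exit_zero=False, **filters):
    """Return (report, exit_code). The default mode blocks only on new findings;
    --all blocks on any finding left in the staged state; --exit-zero forces 0."""
    report = diff_findings(filter_findings(head, **filters), filter_findings(staged, **filters))
    blocking = (report["untouched"] + report["new"]) if all_mode else report["new"]
    report["success"] = not blocking
    exit_code = 0 if (report["success"] or exit_zero) else 1  # 1 is an assumed value
    return report, exit_code


# Constructed sample findings (not real scan output).
HEAD_FINDINGS = [
    Finding("infra/main.tf", "POLICY-A", "HIGH"),
    Finding("infra/db.tf", "POLICY-B", "MEDIUM"),
]
STAGED_FINDINGS = [
    Finding("infra/db.tf", "POLICY-B", "MEDIUM"),     # untouched by the commit
    Finding("infra/net.tf", "POLICY-C", "CRITICAL"),  # introduced by the commit
    Finding("examples/demo.tf", "POLICY-A", "LOW"),   # introduced, but under an ignorable path
]

if __name__ == "__main__":
    report, code = run_precommit(HEAD_FINDINGS, STAGED_FINDINGS, ignore_paths=["examples/*"])
    print(f"resolved={len(report['resolved'])} untouched={len(report['untouched'])} "
          f"new={len(report['new'])}")
    for f in report["new"]:
        print(f"  NEW {f.severity:<8} {f.policy_id} {f.path}")
    print("exit code:", code)
```

Run as a script, the sample reports one resolved, one untouched and one new finding (the examples/ one is filtered out) and exits non-zero, exactly the situation in which the hook blocks the commit; with a staged tree that only removes the HEAD findings, the default mode passes while --all still fails because an old finding remains.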
Install the command as a git hook
- The IaC pre-commit command can be installed as a git hook by adding the following configuration to the .pre-commit-config.yaml file:

repos:
  - repo: https://github.com/gitguardian/ggshield
    rev: v1.19.1
    hooks:
      - id: ggshield-iac
        name: ggshield-iac (pre-commit)
        entry: pipenv run ggshield iac scan pre-commit
        language: system
        pass_filenames: false
        stages: [commit]
Go to our dedicated documentation for more details about pre-commit integration with ggshield.