ggshield iac scan pre-push
Please note that IaC Prevention features are currently in beta.
This command was implemented in version 1.18.0
Scan a Git repository for changes in IaC vulnerabilities in the pushed commits.
ggshield iac scan pre-push [OPTIONS] [PREPUSH_ARGS]...
This is intended to be used as a pre-push hook.
The scan succeeds if no new IaC vulnerability is found in the pushed commits. With --all, it succeeds only if no IaC vulnerability at all (pre-existing or new) is found.
By default, the output will show:
- The number of known IaC vulnerabilities resolved by the changes
- The number of known IaC vulnerabilities left untouched
- The number and the list of new IaC vulnerabilities introduced by the changes
--json: Use JSON output.
--ipa PATTERN: Do not scan paths that match the specified glob-like patterns.
--ipo TEXT: Policies to exclude from the results.
--minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]: Minimum severity of the policies.
--exit-zero: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the
--all: Reports all vulnerabilities in the final state.
This command supports all ggshield global options.
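The rules above (new versus known findings, --minimum-severity and --ipo filtering, and the exit status with or without --all and --exit-zero) are easier to reason about as code. The following is an added illustration of those semantics, not ggshield's own implementation or output format; the Finding fields, the policy identifiers and the sample findings are constructed for the example.

```python
"""Illustrative model of the pre-push success rule: diff the IaC findings of
the tree before the push against the tree after it, apply the severity and
policy filters, and derive the exit status. Field names, policy identifiers
and sample data are assumptions for this example, not ggshield's schema."""
from dataclasses import dataclass

# Assumed severity order; the CLI accepts LOW, MEDIUM, HIGH and CRITICAL.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    path: str        # file that declares the resource
    policy_id: str   # assumed identifier shape, e.g. "GG_IAC_0001"
    resource: str    # assumed: the resource address inside the file
    severity: str

    def key(self):
        # Identity deliberately excludes line numbers: an unchanged
        # misconfiguration must not become "new" because edits above it
        # shifted it to another line.
        return (self.path, self.policy_id, self.resource)


def apply_filters(findings, minimum_severity="LOW", ignored_policies=()):
    """--minimum-severity drops weaker findings, --ipo drops whole policies."""
    floor = SEVERITY_RANK[minimum_severity]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= floor and f.policy_id not in ignored_policies
    ]


def diff_findings(before, after):
    """Split findings into resolved (gone), untouched (still there) and new."""
    before_by_key = {f.key(): f for f in before}
    after_by_key = {f.key(): f for f in after}
    resolved = [before_by_key[k] for k in before_by_key.keys() - after_by_key.keys()]
    untouched = [after_by_key[k] for k in before_by_key.keys() & after_by_key.keys()]
    new = [after_by_key[k] for k in after_by_key.keys() - before_by_key.keys()]
    return resolved, untouched, new


def exit_status(new, untouched, report_all=False, exit_zero=False):
    """Default: fail only on new findings. --all: fail on any finding.
    --exit-zero: never fail (findings are still reported)."""
    if exit_zero:
        return 0
    failing = new + (untouched if report_all else [])
    return 1 if failing else 0


def summarize(before, after, minimum_severity="LOW", ignored_policies=(),
              report_all=False, exit_zero=False):
    # Filter both sides with the same settings; filtering only one side would
    # turn excluded findings into spurious "resolved" or "new" entries.
    before_f = apply_filters(before, minimum_severity, ignored_policies)
    after_f = apply_filters(after, minimum_severity, ignored_policies)
    resolved, untouched, new = diff_findings(before_f, after_f)
    return {
        "resolved": len(resolved),
        "untouched": len(untouched),
        "new": sorted(f.key() for f in new),
        "status": exit_status(new, untouched, report_all, exit_zero),
    }


# Constructed sample: the pushed commits fix the S3 finding, leave two
# findings alone and introduce an over-broad IAM policy.
BEFORE = [
    Finding("infra/s3.tf", "GG_IAC_0001", "aws_s3_bucket.logs", "HIGH"),
    Finding("infra/db.tf", "GG_IAC_0002", "aws_db_instance.main", "CRITICAL"),
    Finding("infra/vpc.tf", "GG_IAC_0003", "aws_security_group.web", "LOW"),
]
AFTER = [
    Finding("infra/db.tf", "GG_IAC_0002", "aws_db_instance.main", "CRITICAL"),
    Finding("infra/vpc.tf", "GG_IAC_0003", "aws_security_group.web", "LOW"),
    Finding("infra/iam.tf", "GG_IAC_0004", "aws_iam_policy.admin", "HIGH"),
]

if __name__ == "__main__":
    print("default:", summarize(BEFORE, AFTER))
    print("--all:", summarize(BEFORE, AFTER, report_all=True))
    print("--ipo GG_IAC_0004:", summarize(BEFORE, AFTER, ignored_policies=("GG_IAC_0004",)))
```

The point to take from the model: the default mode only blocks the push on findings the push itself introduces, so a repository that already carries misconfigurations keeps pushing until someone runs with --all, and --exit-zero turns the hook into a report-only step. Keying findings on something stable (path, policy, resource) rather than on line numbers is what keeps "untouched" from being misreported as "new" after unrelated edits.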
Install the command as a git hook
- IaC pre-push command can be installed as a git hook by adding the following configuration to the
```yaml
- repo: https://github.com/gitguardian/ggshield
  hooks:
    - id: ggshield-iac-push
      name: ggshield-iac (pre-push)
      entry: pipenv run ggshield iac scan pre-push
```
pre-commit also requires a rev entry on the repo pinning the ggshield release you run; pin it to a tagged version rather than a branch so the hook is reproducible.
Go to our dedicated documentation for more details about pre-push integration with ggshield.