ggshield iac scan pre-push

Beta program

Please note that IaC Prevention features are currently in beta.

info

This command was implemented in version 1.18.0

Description

Scan a Git repository for changes in IaC vulnerabilities in the pushed commits.

ggshield iac scan pre-push [OPTIONS] [PREPUSH_ARGS]...

This is intended to be used as a pre-push hook.

The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability (old and new) was found.

By default, the output will show:

• The number of known IaC vulnerabilities resolved by the changes
• The number of known IaC vulnerabilities left untouched
• The number and the list of new IaC vulnerabilities introduced by the changes

Options

• --json: Use JSON output.
• --ignore-path, --ipa PATTERN: Do not scan paths that match the specified glob-like patterns.
• --ignore-policy, --ipo TEXT: Policies to exclude from the results.
• --minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]: Minimum severity of the policies.
• --exit-zero: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
• --all: Reports all vulnerabilities in the final state.

This command supports all ggshield global options.

How to

Install the command as a git hook

• IaC pre-push command can be installed as a git hook by adding the following configuration to the .pre-commit-config.yaml file:

repos:
  - repo: https://github.com/gitguardian/ggshield
    rev: v1.27.0
    hooks:
      - id: ggshield-iac-push
        name: ggshield-iac (pre-push)
        entry: pipenv run ggshield iac scan pre-push
        language: system
        pass_filenames: false
        stages: [push]

Go to our dedicated documentation for more details about pre-push integration with ggshield.

Was this page helpful?