Skip to main content

ggshield iac scan pre-receive

Beta program

Please note that IaC Prevention features are currently in beta.


This command was implemented in version 1.18.0


Scan a Git repository for changes in IaC vulnerabilities in the received pushed commits.

ggshield iac scan pre-receive [OPTIONS]

This is intended to be used as a pre-receive hook.

The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability (old and new) was found.

By default, the output will show:

  • The number of known IaC vulnerabilities resolved by the changes
  • The number of known IaC vulnerabilities left untouched
  • The number and the list of new IaC vulnerabilities introduced by the changes

It is the remote equivalent of the iac scan pre-push command.

Note that it is not currently possible to scan a specific sub-directory of the repo.


  • --json: Use JSON output.
  • --ignore-path, --ipa PATTERN: Do not scan paths that match the specified glob-like patterns.
  • --ignore-policy, --ipo TEXT: Policies to exclude from the results.
  • --minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]: Minimum severity of the policies.
  • --exit-zero: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
  • --all: Reports all vulnerabilities in the final state.

This command supports all ggshield global options.

How to

Install the command as a git hook

In the .git/hooks/pre-receive file:

ggshield iac scan pre-receive

Go to our dedicated documentation for more details about pre-receive integration with ggshield.

How can I help you ?