ggshield iac scan pre-receive
Please note that IaC Prevention features are currently in beta.
This command was implemented in version 1.18.0.
Description
Scan the commits received by a push for changes in IaC vulnerabilities.
ggshield iac scan pre-receive [OPTIONS]
This is intended to be used as a pre-receive hook.
The scan is successful if no new IaC vulnerability was found, unless --all is used, in which case the scan is only successful if no IaC vulnerability (old or new) was found.
By default, the output will show:
- The number of known IaC vulnerabilities resolved by the changes
- The number of known IaC vulnerabilities left untouched
- The number and the list of new IaC vulnerabilities introduced by the changes
It is the remote equivalent of the iac scan pre-push command.
Note that it is not currently possible to scan a specific sub-directory of the repo.
Options
--json
: Use JSON output.

--ignore-path, --ipa PATTERN
: Do not scan paths that match the specified glob-like patterns.

--ignore-policy, --ipo TEXT
: Policies to exclude from the results.

--minimum-severity [LOW|MEDIUM|HIGH|CRITICAL]
: Minimum severity of the policies.

--exit-zero
: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.

--all
: Report all vulnerabilities in the final state.
This command supports all ggshield global options.
How to
Install the command as a git hook
In the .git/hooks/pre-receive file:
ggshield iac scan pre-receive
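The one-line hook above is all ggshield needs, since git feeds the pushed ref updates to the hook on stdin. The following is an added example, not part of the ggshield documentation: a pre-receive hook wrapper that composes the command's options from the server environment and fails closed when the ggshield binary is missing. The GGSHIELD_BIN, GGSHIELD_MIN_SEVERITY, GGSHIELD_IGNORE_PATH, GGSHIELD_REPORT_ALL and GGSHIELD_FAIL_OPEN variables are invented for this example.

```shell
#!/bin/sh
# Added example (not from the ggshield docs): a pre-receive hook wrapping
# "ggshield iac scan pre-receive". Git feeds the pushed ref updates on stdin;
# this script leaves stdin untouched so ggshield reads them itself.
# GGSHIELD_BIN, GGSHIELD_MIN_SEVERITY, GGSHIELD_IGNORE_PATH, GGSHIELD_REPORT_ALL
# and GGSHIELD_FAIL_OPEN are knobs invented for this example.

# Print the ggshield argument list, one argument per line, built from the
# environment so the same hook file can be reused across repositories.
scan_args() {
    printf '%s\n' iac scan pre-receive
    [ -n "${GGSHIELD_MIN_SEVERITY:-}" ] && printf '%s\n' --minimum-severity "$GGSHIELD_MIN_SEVERITY"
    [ -n "${GGSHIELD_IGNORE_PATH:-}" ] && printf '%s\n' --ignore-path "$GGSHIELD_IGNORE_PATH"
    # --all makes the scan fail on pre-existing findings too, not only new ones.
    [ "${GGSHIELD_REPORT_ALL:-0}" = "1" ] && printf '%s\n' --all
    return 0
}

# Run the scan and return its exit status; git rejects the push on non-zero.
# A missing ggshield binary rejects the push (fail closed) unless the
# administrator explicitly opts into GGSHIELD_FAIL_OPEN=1.
run_hook() {
    bin="${GGSHIELD_BIN:-ggshield}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        if [ "${GGSHIELD_FAIL_OPEN:-0}" = "1" ]; then
            echo "pre-receive: $bin not found, skipping IaC scan (fail-open)" >&2
            return 0
        fi
        echo "pre-receive: $bin not found, rejecting push (fail-closed)" >&2
        return 1
    fi
    # Split on newlines only and disable globbing so ignore patterns such as
    # 'examples/**' reach ggshield verbatim instead of being expanded here.
    set -f
    IFS='
'
    set -- $(scan_args)
    unset IFS
    set +f
    "$bin" "$@"
}

# Only act as the hook when git invokes this file as .git/hooks/pre-receive.
case "$0" in
    */pre-receive) run_hook; exit $? ;;
esac
```

Install it as .git/hooks/pre-receive on the server and make it executable; the scan's own exit status decides whether the push is accepted.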
Go to our dedicated documentation for more details about pre-receive integration with ggshield.