ggshield secret scan docker
Description
Scan a Docker image after exporting its filesystem and manifest with the docker save command.
ggshield secret scan docker [OPTIONS] NAME
ggshield tries to pull the image if it's not available locally.
Options
--docker-timeout SECONDS
: Timeout for Docker commands. Default: 360.
--with-incident-details
: Display full details about the dashboard incident if one is found (JSON and SARIF formats only).
-b, --banlist-detector DETECTOR
: Exclude results from a detector.
--ignore-known-secrets
: Ignore secrets already known by the GitGuardian dashboard.
--exclude PATTERNS
: Do not scan paths that match the specified glob-like patterns.
--exit-zero
: Always return a 0 (non-error) status code, even if incidents are found. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
--show-secrets
: Show secrets in plaintext instead of hiding them.
-o, --output PATH
: Redirect ggshield output to PATH.
--format [text|json|sarif]
: Format to use for the output.
--json
: Shorthand for --format json.
This command supports all ggshield global options.
Examples
$ ggshield secret scan docker gitguardian/ggshield
About caching
When scanning a Docker image for the first time, ggshield stores the DiffID of each layer that was found to be clean in a disk cache. If the same image is scanned a second time, ggshield skips the known clean layers. This can greatly speed up scanning of large Docker images, since only modified layers are rescanned.
This cache depends on the version of the GitGuardian secrets engine. When a new version of the secrets engine is deployed, all layers are rescanned.
When using ggshield secret scan docker in a CI, it is important to retain the cache directory between CI runs, otherwise the cache is never reused. The default ggshield cache location depends on the operating system:
- Linux: $XDG_CACHE_HOME/ggshield, or ~/.cache/ggshield if $XDG_CACHE_HOME is not defined
- macOS: ~/Library/Caches/ggshield
- Windows: %LOCALAPPDATA%\GitGuardian\ggshield\Cache
Alternatively, you can define the cache directory using the $GG_CACHE_DIR environment variable.
Note that the Docker cache is in a docker subdirectory of the cache directory.
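The following script is an added example, not part of the ggshield documentation or the ggshield project: it resolves the Docker layer cache path from the rules above ($GG_CACHE_DIR first, then the per-OS default plus the docker subdirectory) so a CI job knows exactly which directory to restore and save around the scan. It covers the Linux and macOS defaults only; the function names and the 360-second timeout are this example's own choices.

```bash
#!/bin/sh
# Added example (not ggshield's own code): locate the ggshield Docker layer
# cache so it can be persisted between CI runs, following the documented rules.

# Print the ggshield cache root for this platform.
# $GG_CACHE_DIR wins when set; otherwise use the per-OS default from the docs.
# The Windows default (%LOCALAPPDATA%\GitGuardian\ggshield\Cache) is not
# resolved by this POSIX script; set GG_CACHE_DIR explicitly there.
ggshield_cache_root() {
  if [ -n "$GG_CACHE_DIR" ]; then
    printf '%s\n' "$GG_CACHE_DIR"
    return
  fi
  case "$(uname -s)" in
    Darwin)
      printf '%s\n' "$HOME/Library/Caches/ggshield" ;;
    *)
      # Linux: $XDG_CACHE_HOME/ggshield, falling back to ~/.cache/ggshield
      # when XDG_CACHE_HOME is unset (an empty value is treated as unset).
      printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}/ggshield" ;;
  esac
}

# The Docker layer cache is the "docker" subdirectory of the cache root.
ggshield_docker_cache_dir() {
  printf '%s/docker\n' "$(ggshield_cache_root)"
}

# Hypothetical CI step: make sure the cache directory exists (so a restored
# cache lands in the right place), print it for the job log, then scan.
# Save the same directory at the end of the job to reuse clean-layer results.
scan_image() {
  cache_dir="$(ggshield_docker_cache_dir)"
  mkdir -p "$cache_dir"
  echo "ggshield docker cache: $cache_dir"
  ggshield secret scan docker --docker-timeout 360 "$1"
}

# Only run the scan when ggshield is installed; default to the docs' example image.
if command -v ggshield >/dev/null 2>&1; then
  scan_image "${1:-gitguardian/ggshield}"
fi
```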