ggshield secret scan docker
Description
Scan a Docker image after exporting its filesystem and manifest with the docker save command.
ggshield secret scan docker [OPTIONS] NAME
ggshield tries to pull the image if it's not available locally.
Options
- --docker-timeout SECONDS: Timeout for Docker commands. Default: 360.
- --source-uuid TEXT: Identifier of the custom source in GitGuardian. If used, incidents will be created and visible on the dashboard. Requires the 'scan:create-incidents' scope.
- --all-secrets: Do not ignore any secret. Possible ignore-reason is shown as well.
- --instance URL: URL of the instance to use.
- --with-incident-details: Display full details about the dashboard incident if one is found (JSON and SARIF formats only). Requires the 'incidents:read' scope.
- -b, --banlist-detector DETECTOR: Exclude results from a detector.
- --ignore-known-secrets: Ignore secrets already known by the GitGuardian dashboard.
- --exclude PATTERNS: Do not scan paths that match the specified glob-like patterns.
- --exit-zero: Return a 0 (non-error) status code, even if incidents are found. An error status code will still be returned for other errors, such as connection errors. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
- --show-secrets: Show secrets in plaintext instead of hiding them.
- -o, --output PATH: Redirect ggshield output to PATH.
- --format [text|json|sarif]: Format to use for the output.
- --json: Shorthand for --format json.
This command supports all ggshield global options.
Examples
$ ggshield secret scan docker gitguardian/ggshield
About caching
When scanning a Docker image for the first time, ggshield stores the DiffID of each layer found to be clean in a disk cache. If the same image is scanned a second time, ggshield skips the known clean layers. This can greatly speed up scanning of large Docker images, since only new or modified layers are rescanned.
This cache depends on the version of GitGuardian secrets engine. When a new version of the secrets engine is deployed, all layers are rescanned.
When using ggshield secret scan docker in a CI, it is important to retain the cache directory between CI runs, otherwise the cache is never reused. ggshield's default cache location depends on the operating system:
- Linux: $XDG_CACHE_HOME/ggshield, or ~/.cache/ggshield if $XDG_CACHE_HOME is not defined
- macOS: ~/Library/Caches/ggshield
- Windows: %LOCALAPPDATA%\GitGuardian\ggshield\Cache
Alternatively, you can define the cache directory using the $GG_CACHE_DIR environment variable.
Note that the Docker cache is in a docker subdirectory of the cache directory.
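The following POSIX shell script is an added example, not part of the ggshield project or its documentation. It resolves the cache directory exactly as the rules above describe ($GG_CACHE_DIR first, then the per-OS default, with the Docker layer cache in the docker subdirectory) and wraps a CI scan that pins the cache inside the workspace so the CI cache mechanism can persist it between runs. The function names, the optional OS argument, and the workspace-relative cache path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: resolve the ggshield cache directory following the documented
# rules. Usage: ggshield_cache_dir [OS]  (OS defaults to `uname -s`).
ggshield_cache_dir() {
  os="${1:-$(uname -s)}"
  # An explicit $GG_CACHE_DIR overrides the per-OS default on every platform.
  if [ -n "${GG_CACHE_DIR:-}" ]; then
    printf '%s\n' "$GG_CACHE_DIR"
    return 0
  fi
  case "$os" in
    Linux)
      # $XDG_CACHE_HOME/ggshield, falling back to ~/.cache/ggshield.
      if [ -n "${XDG_CACHE_HOME:-}" ]; then
        printf '%s\n' "$XDG_CACHE_HOME/ggshield"
      else
        printf '%s\n' "$HOME/.cache/ggshield"
      fi ;;
    Darwin)
      printf '%s\n' "$HOME/Library/Caches/ggshield" ;;
    Windows_NT|MINGW*|MSYS*|CYGWIN*)
      # %LOCALAPPDATA% is set by Windows; keep the documented backslash layout.
      printf '%s\n' "${LOCALAPPDATA:-%LOCALAPPDATA%}\\GitGuardian\\ggshield\\Cache" ;;
    *)
      printf 'unsupported OS: %s\n' "$os" >&2
      return 1 ;;
  esac
}

# The Docker layer cache (clean-layer DiffIDs) lives in a "docker" subdirectory
# of the cache directory. Use a backslash separator for Windows-style paths.
ggshield_docker_cache_dir() {
  dir="$(ggshield_cache_dir "$@")" || return 1
  case "$dir" in
    *\\*) sep='\' ;;
    *)    sep='/' ;;
  esac
  printf '%s%sdocker\n' "$dir" "$sep"
}

# CI helper (assumption: `ggshield` is on PATH and the workspace path is passed
# in, for example $CI_PROJECT_DIR on GitLab). Pointing $GG_CACHE_DIR inside the
# workspace lets the CI system's cache feature save and restore it, so clean
# layers are not rescanned on every pipeline run.
ggshield_ci_scan_docker() {
  workspace="$1"
  image="$2"
  GG_CACHE_DIR="$workspace/.cache/ggshield"
  export GG_CACHE_DIR
  mkdir -p "$GG_CACHE_DIR"
  ggshield secret scan docker "$image"
}
```

Source the file and call `ggshield_docker_cache_dir` to see which directory your CI job must persist, or call `ggshield_ci_scan_docker "$CI_PROJECT_DIR" gitguardian/ggshield` from a job whose cache configuration includes `.cache/ggshield`. Remember that the cache is invalidated whenever a new version of the secrets engine is deployed, so a full rescan after such a deployment is expected, not a sign that the cache was lost.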