Skip to main content



The secret scan command is the entry point to secrets detection using ggshield.

ggshield secret scan [OPTIONS] <SUBCOMMAND> [ARGS]...


It supports a few options that can be used to adapt the output behavior.

  • --json: output results in JSON [default:false]
  • --show-secrets: show secrets in plaintext instead of hiding them.
  • --exit-zero: always return a 0 (non-error) status code, even if incidents are found. The env var GITGUARDIAN_EXIT_ZERO can also be used to set this option.
  • -v, --verbose: verbose display mode.
  • -o, --output <PATH>: route ggshield output to file.
  • -b, --banlist-detector <TEXT>: exclude results from a detector.
  • --exclude <PATH>: do not scan paths that match the specified glob-like patterns.
  • --ignore-known-secrets: ignore secrets already detected in post-receive and therefore known by your GitGuardian dashboard. [default: False]
    We strongly recommend that you do not use this option in CI mode (ggshield secret scan ci) as race conditions will affect detection.

ggshield global options

  • -h, --help: display detailed help


The command can be used with several subcommands depending on the data that needs to be scanned.

How can I help you ?