ggshield secret scan pre-commit

Description

Scan as a pre-commit hook all changes that have been staged in a git repository.

ggshield secret scan pre-commit [OPTIONS] [PRECOMMIT_ARGS]...

Options

• --scan-all-merge-files: When scanning a merge commit, scan all files, including those that merged without conflicts.
• --source-uuid TEXT: Identifier of the custom source in GitGuardian. If used, incidents will be created and visible on the dashboard. Requires the 'scan:create-incidents' scope.
• --all-secrets: Do not ignore any secret. Possible ignore-reason is shown as well.
• --instance URL: URL of the instance to use.
• --with-incident-details: Display full details about the dashboard incident if one is found (JSON and SARIF formats only). Requires the 'incidents:read' scope.
• -b, --banlist-detector DETECTOR: Exclude results from a detector.
• --ignore-known-secrets: Ignore secrets already known by GitGuardian dashboard.
• --exclude PATTERNS: Do not scan paths that match the specified glob-like patterns.
• --exit-zero: Return a 0 (non-error) status code, even if incidents are found. An error status code will still be returned for other errors, such as connection errors. This option can also be set with the GITGUARDIAN_EXIT_ZERO environment variable.
• --show-secrets: Show secrets in plaintext instead of hiding them.
• -o, --output PATH: Redirect ggshield output to PATH.
• --format [text|json|sarif]: Format to use for the output.
• --json: Shorthand for --format json.
• --fail-on-server-error / --no-fail-on-server-error: Whether git hook and CI scan commands should fail when the GitGuardian server is unreachable or returns a 5xx response. When disabled, the command exits with code 0 and a warning is displayed instead of blocking the git operation. Defaults to enabled. Can also be set with the GITGUARDIAN_FAIL_ON_SERVER_ERROR environment variable.

This command supports all ggshield global options.

See also

Go to our dedicated documentation for more details about pre-commit integration with ggshield.