Skip to main content



The secret scan command is the main command for ggshield, it has a few options that can be used to override output behaviour.

ggshield secret scan [OPTIONS] <SUBCOMMAND> [ARGS]...


  • --show-secrets: show secrets in plaintext instead of hiding them.
  • --exit-zero: always return a 0 (non-error) status code, even if incidents are found. The env var GITGUARDIAN_EXIT_ZERO can also be used to set this option.
  • --all-policies: present fails of all policies (Filenames, FileExtensions, Secret Detection). By default, only Secret Detection is shown.
  • -v, --verbose: verbose display mode.
  • -o, --output <PATH>: route ggshield output to file.
  • -b, --banlist-detector <TEXT>: exclude results from a detector.
  • --exclude <PATH>: do not scan the specified path.
  • --ignore-default-excludes: ignore excluded patterns by default. [default: False]

ggshield global options#

  • -h, --help: display detailed help
  • --json: output results in JSON [default:false]


ggshield secret scan has different subcommands for each type of scan.