Skip to main content


Why should organizations shift security testing left?#

Shift left is a development principle which states that code quality and security should move from the right or at the very end of the software development life cycle (after code is deployed to runtime environments) to the left – in developer workstations and IDEs, in Continuous Integration (CI) pipelines, etc.

In other words, security, and secrets detection, should be integrated and designed into all stages of the development process. This new shift requires developers to take more ownership of security and security principles.

GitGuardian Shield or ggshield (GitGuardian CLI)#

ggshield, the GitGuardian CLI (command-line interface) integrates GitGuardian's secrets detection engine in your developer workflows,

Getting started with ggshield.


I have GitHub, GitLab or an other VCS configured. Why should I use ggshield?#

GitGuardian Shield or ggshield helps you catch hardcoded secrets earlier in the software development lifecycle. In cases where pre-commit or pre-receive hooks are configured with ggshield, you will be alerted before secrets leave your local workstation and enter the shared/central repositories. This prevents secrets from getting exposed and in turn, avoids you the pain of incident remediation and the revoking and rotating of secrets.

I have ggshield configured. Should I also scan my GitHub, GitLab and other VCS?#

GitGuardian Shield is a very flexible tool. It is fast and easy to integrate but does not provide the same security guarantees as real-time monitoring of your Version Control System (VCS). Pre-commit or pre-receive hooks can be bypassed for example on developer workstations. In Continuous Integration (CI) pipelines, ggshield has to be configured individually for each workflow/pipeline to add a secrets scanning job.

The GitGuardian Internal Monitoring platform and its native VCS integrations give you:

  • Complete visibility over all repositories in your perimeter in addition to the possibility to scan their entire commit history (periodically and on-demand),
  • Real-time protection with automated scanning of every new code commit that reaches the VCS.