Detect secrets on developer workstations

Overview

Secrets detection can be integrated very early on in the development process. GitGuardian empowers developers, with ggshield (our command-line interface application) to scan their commits for hardcoded secrets before pushing them.

The cost of fixing hardcoded secrets is much lower at this stage than once they have reached the central/shared repository, hence the importance of shifting security left and providing developers with early and frequent feedback.

ggshield can be integrated into git hooks to automatically scan code before committing staged changes (pre-commit hook) or before pushing code to the shared repository (pre-push hook).

What are git hooks?

Like many Version Control Systems, git has a way to fire off custom scripts when certain actions are triggered. There are two groups of these hooks: client-side and server-side. Client-side hooks are triggered by operations such as committing and merging, while server-side hooks run on network operations such as receiving pushed commits. The custom scripts running in git hooks can be used for a variety of purposes like linting, testing, and running security scans on your code.

Getting started with ggshield

1. Set up ggshield on your workstation
2. Configure the git hooks with ggshield:
   • pre-commit hook
   • pre-push hook

Additional resources

• How To Use ggshield To Avoid Hardcoded Secrets [cheat sheet included]
• Using ggshield Throughout The Software Development Lifecycle - A Developer's View of GitGuardian [video]

Was this page helpful?