DEV.co
Open-Source Security · GitGuardian

ggshield

ggshield is an open-source CLI tool that detects 500+ types of hardcoded secrets in code before they reach repositories. It integrates as a pre-commit hook, GitHub Action, or standalone CLI and sends only metadata to GitGuardian's API—your actual secrets remain local.

Source: GitHub — github.com/GitGuardian/ggshield
2k
GitHub stars
207
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryGitGuardian/ggshield
OwnerGitGuardian
Primary languagePython
LicenseMIT — OSI-approved
Stars2k
Forks207
Open issues55
Latest releasev1.52.2 (2026-06-17)
Last updated2026-07-07
Sourcehttps://github.com/GitGuardian/ggshield

What ggshield is

Python-based secrets detection engine using GitGuardian's public API via py-gitguardian library. Scans files, repositories, Docker images, and PyPI packages. Operates in local or CI/CD environments; only metadata (call time, request size, scan mode) is transmitted, secrets are not stored or logged.

Quickstart

Get the ggshield source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/GitGuardian/ggshield.gitcd ggshield# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-commit / Pre-push Git hooks

Catch hardcoded secrets before developers push to any branch. Integrates directly into Git workflows to block commits containing exposed API keys, tokens, or credentials.

CI/CD pipeline gating

Automated secret detection in GitHub Actions, GitLab CI, and other CI systems. Fails builds if secrets are detected, enforcing a security checkpoint before merge or deployment.

Bulk scanning of legacy repositories

Scan existing codebases, Docker images, and PyPI packages to discover and audit secrets already in circulation. Supports batch operations for organization-wide compliance audits.

Implementation considerations

  • Requires Python (non-EOL version) for pip/pipx installation; standalone packages available for macOS, Windows, Linux to avoid Python dependency.
  • API authentication via GITGUARDIAN_API_KEY environment variable or ggshield auth login command—plan token lifecycle and rotation in your secrets management workflow.
  • Configuration via .gitguardian.yaml/.gitguardian.yml; legacy config format requires migration using ggshield config migrate before use.
  • Scanning Docker images and PyPI packages requires docker and pip commands available in the environment respectively.
  • Performance may vary by scope (file count, repository size); test pre-commit hook on your typical workflow to ensure acceptable latency.

When to avoid it — and what to weigh

  • Requires air-gapped / offline secret detection — ggshield requires internet access to GitGuardian's API. If your environment cannot reach external APIs, this tool will not function—consider self-hosted alternatives.
  • No use case for GitGuardian's 500+ pattern library — If you only need detection of a handful of custom secret patterns, the overhead of integrating ggshield may not justify its scope. A simpler regex-based pre-commit hook may suffice.
  • Cannot use cloud-based API or API key management — ggshield requires provisioning a personal access token or API key and storing it in environment variables. If your security policy forbids cloud API keys, this approach will conflict.
  • Organizational policy requires zero external API calls — Even though secrets are not stored, all scans transmit metadata to GitGuardian servers. If policy mandates purely on-premise/offline tooling, this will not meet compliance.

License & commercial use

MIT License (OSI-approved, permissive). Allows commercial use, modification, and redistribution with inclusion of license text and copyright notice.

MIT is a permissive OSI license that permits commercial use without restriction. However, ggshield depends on GitGuardian's public API; commercial reliance on that API service should be validated separately with GitGuardian (SLA, uptime guarantees, rate limits).

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Scans run locally; only metadata (call time, request size, scan mode) is sent to GitGuardian API—actual secret content is not transmitted or logged. Authentication requires API key in environment; follow standard key rotation practices. External API dependency introduces trust model with GitGuardian's infrastructure—verify their security posture and data handling practices independently.

Alternatives to consider

TruffleHog (open-source)

Open-source alternative with broader pattern detection and entropy-based scanning. Works offline without external API dependency; lower barrier to self-hosting.

GitLab SecretDetection / GitHub secret scanning (native)

Platform-native secret scanning built into GitHub/GitLab; no additional tool needed. Simpler for organizations already heavy on GitHub/GitLab but less flexible for custom patterns.

Semgrep (open-source)

General-purpose code scanning engine with secret detection as one capability. Allows rule customization and runs fully offline; wider scope beyond secrets alone.

Software development agency

Build on ggshield with DEV.co software developers

Assess whether ggshield's API-based detection and GitGuardian integration align with your security posture, deployment model, and offline requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ggshield FAQ

Are my secrets sent to GitGuardian's servers?
No. Only metadata (call time, request size, scan mode) is transmitted. Actual secret content and file contents remain local and are not stored or logged on GitGuardian's servers.
What happens if I have an existing secret in my history?
ggshield detects secrets in live scans but does not automatically remediate historical commits. You will need to manually rotate exposed credentials and use git history rewriting (e.g., git-filter-repo) to remove them from the repository.
Can I use ggshield offline or air-gapped?
No. ggshield requires internet access to GitGuardian's public API to perform detection. Fully offline environments require alternative tooling.
Does ggshield support custom secret patterns?
Not clearly stated in the README excerpt. You can configure scanning via .gitguardian.yaml, but extent of custom pattern support requires consulting full documentation.

Software developers & web developers for hire

Need help beyond evaluating ggshield? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate ggshield for your team

Assess whether ggshield's API-based detection and GitGuardian integration align with your security posture, deployment model, and offline requirements.