ggshield
ggshield is an open-source CLI tool that detects 500+ types of hardcoded secrets in code before they reach repositories. It integrates as a pre-commit hook, GitHub Action, or standalone CLI and sends only metadata to GitGuardian's API—your actual secrets remain local.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | GitGuardian/ggshield |
| Owner | GitGuardian |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 2k |
| Forks | 207 |
| Open issues | 55 |
| Latest release | v1.52.2 (2026-06-17) |
| Last updated | 2026-07-07 |
| Source | https://github.com/GitGuardian/ggshield |
What ggshield is
Python-based secrets detection engine using GitGuardian's public API via py-gitguardian library. Scans files, repositories, Docker images, and PyPI packages. Operates in local or CI/CD environments; only metadata (call time, request size, scan mode) is transmitted, secrets are not stored or logged.
Get the ggshield source
Clone the repository and explore it locally.
git clone https://github.com/GitGuardian/ggshield.gitcd ggshield# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Python (non-EOL version) for pip/pipx installation; standalone packages available for macOS, Windows, Linux to avoid Python dependency.
- API authentication via GITGUARDIAN_API_KEY environment variable or ggshield auth login command—plan token lifecycle and rotation in your secrets management workflow.
- Configuration via .gitguardian.yaml/.gitguardian.yml; legacy config format requires migration using ggshield config migrate before use.
- Scanning Docker images and PyPI packages requires docker and pip commands available in the environment respectively.
- Performance may vary by scope (file count, repository size); test pre-commit hook on your typical workflow to ensure acceptable latency.
When to avoid it — and what to weigh
- Requires air-gapped / offline secret detection — ggshield requires internet access to GitGuardian's API. If your environment cannot reach external APIs, this tool will not function—consider self-hosted alternatives.
- No use case for GitGuardian's 500+ pattern library — If you only need detection of a handful of custom secret patterns, the overhead of integrating ggshield may not justify its scope. A simpler regex-based pre-commit hook may suffice.
- Cannot use cloud-based API or API key management — ggshield requires provisioning a personal access token or API key and storing it in environment variables. If your security policy forbids cloud API keys, this approach will conflict.
- Organizational policy requires zero external API calls — Even though secrets are not stored, all scans transmit metadata to GitGuardian servers. If policy mandates purely on-premise/offline tooling, this will not meet compliance.
License & commercial use
MIT License (OSI-approved, permissive). Allows commercial use, modification, and redistribution with inclusion of license text and copyright notice.
MIT is a permissive OSI license that permits commercial use without restriction. However, ggshield depends on GitGuardian's public API; commercial reliance on that API service should be validated separately with GitGuardian (SLA, uptime guarantees, rate limits).
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Scans run locally; only metadata (call time, request size, scan mode) is sent to GitGuardian API—actual secret content is not transmitted or logged. Authentication requires API key in environment; follow standard key rotation practices. External API dependency introduces trust model with GitGuardian's infrastructure—verify their security posture and data handling practices independently.
Alternatives to consider
TruffleHog (open-source)
Open-source alternative with broader pattern detection and entropy-based scanning. Works offline without external API dependency; lower barrier to self-hosting.
GitLab SecretDetection / GitHub secret scanning (native)
Platform-native secret scanning built into GitHub/GitLab; no additional tool needed. Simpler for organizations already heavy on GitHub/GitLab but less flexible for custom patterns.
Semgrep (open-source)
General-purpose code scanning engine with secret detection as one capability. Allows rule customization and runs fully offline; wider scope beyond secrets alone.
Build on ggshield with DEV.co software developers
Assess whether ggshield's API-based detection and GitGuardian integration align with your security posture, deployment model, and offline requirements.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
ggshield FAQ
Are my secrets sent to GitGuardian's servers?
What happens if I have an existing secret in my history?
Can I use ggshield offline or air-gapped?
Does ggshield support custom secret patterns?
Software developers & web developers for hire
Need help beyond evaluating ggshield? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Evaluate ggshield for your team
Assess whether ggshield's API-based detection and GitGuardian integration align with your security posture, deployment model, and offline requirements.