A Deep Dive Into ggshield, The GitGuardian CLI

274 views
Dec 5, 2025
26:20

In this in-depth walkthrough, we will show you how to turn ggshield, the GitGuardian CLI, into a practical guardrail for keeping secrets out of your code and CI pipelines. You'll see exactly how to install and authenticate ggshield, then use it to scan repositories, local paths, archives, Docker images, PyPI packages, and CI environments for hardcoded credentials. We'll also walk through configuring Git hooks with ggshield install, using HasMySecretLeaked to check whether your secrets were exposed on public GitHub repositories, and deploying Honeytokens as active tripwires to detect attacker activity. If you already have Python, Git, and a GitGuardian account, this video will help you go from first install to production-ready workflows that give your developers and security teams fast, reliable secret scanning straight from the terminal.

Additional resources:
Installing Git: https://git-scm.com/install/
Installing Python: https://www.python.org/downloads/
ggshield GitHub repo: https://github.com/gitguardian/ggshield
ggshield documentation: https://docs.gitguardian.com/ggshield-docs/home
GitGuardian's website: https://www.gitguardian.com/
HasMySecretLeaked: https://www.gitguardian.com/hasmysecretleaked
GitGuardian Honeytoken: https://www.gitguardian.com/honeytoken

Chapters
00:00 – Intro & agenda
00:58 – Installing ggshield
02:05 – Verifying your install with ggshield --version
02:15 – Authenticating with ggshield auth login
02:40 – Authenticating with tokens & on-prem instances
03:08 – Checking API connectivity with ggshield api-status
03:31 – Logging out and rotating credentials
04:04 – Understanding the ggshield CLI structure & help system
04:49 – Global options: config, updates, insecure mode, logging, debug, verbose
06:14 – Available commands overview
06:30 – Checking API quotas with ggshield quota
06:44 – Managing configuration with ggshield config (global vs local)
07:33 – Secret scanning overview (ggshield secret)
08:05 – Deep repo history scans with ggshield secret scan repo
09:33 – Local path scans with ggshield secret scan path
10:10 – Scanning changes and commit ranges for new secrets
10:55 – Archive scanning (zip/tar) for embedded secrets
11:10 – Scanning Docker images for hardcoded credentials
11:38 – Scanning PyPI packages & JSONL docsets
12:21 – Using ggshield in CI: overview and GitHub Actions Example
13:54 – Git hooks 101: pre-commit, pre-push, pre-receive
14:57 – Automating hook setup with ggshield install (local vs global)
17:09 – Ignoring non-sensitive secrets with ggshield secret ignore
18:03 – Intro to HasMySecretLeaked (HMSL)
18:51 – HMSL admin commands: quota & api-status
19:01 – Fingerprint → query → decrypt flow (hmsl fingerprint/query/decrypt)
20:16 – One-shot ggshield hmsl check usage
20:32 – Checking secrets stored in HashiCorp Vault
20:57 – Honeytokens overview & when to use them
21:41 – Permissions, plans, and required scopes for ggshield honeytoken
23:11 – Creating a basic honeytoken from the CLI
24:13 – Honeytokens via create-with-context
25:20 – Recap and closing thoughts
