Removed
- Pre-receive hook on GitHub Enterprise Server v3.9 to v3.13 is no longer supported. v3.13 has been EOL since 2025-06-19 and previous versions were discontinued earlier.
Added
- Add @file support to secret scan path to load scan paths from a file.
- Add ggshield secret scan ai-hook command to scan AI coding tool hook payloads for secrets in real time.
- Add new types claude-code|cursor|copilot to the ggshield install command to install hooks into AI coding tool configurations.
- Pre-receive hook can now be set up on GitHub Enterprise Server v3.14 and higher.
- api-status: display the scopes of the current authentication token.
Fixed
- secret scan ci: fetch the target branch before computing the MR/PR commit range. In CI environments with cached repos or shallow clones, a stale target branch ref could cause ggshield to scan unrelated commits, leading to excessive API calls and secrets reported in files not modified by the MR.
- hmsl vault-scan: fixed a hang when the HashiCorp Vault server is unresponsive; requests now time out after 30 seconds and network errors are reported with a clear message.
- Fixed a path traversal security issue in tar archives used for git-based scans; member names with absolute paths or .. components are now sanitized.
- Fixed an issue where an invalid option for a secret scan subcommand could be silently treated as a request to run the default command, producing a confusing error instead of the expected usage error.
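
The tar path traversal entry above describes sanitizing member names that are absolute or contain .. components. The following Python is an added example of that kind of sanitization, not ggshield's own code; the function names and the sample archive are constructed for illustration.

```python
import io
import tarfile
from pathlib import Path


def sanitize_member_name(name: str) -> str:
    """Drop root, empty, '.' and '..' components so the name stays relative."""
    # Backslashes are treated as separators too (a conservative assumption).
    parts = name.replace("\\", "/").split("/")
    return "/".join(p for p in parts if p not in ("", ".", ".."))


def extract_safely(data: bytes, dest: Path) -> list[Path]:
    """Write regular files from a tar archive under dest, never outside it."""
    dest = dest.resolve()
    written = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar:
            if not member.isfile():
                continue  # links and devices can also redirect writes
            name = sanitize_member_name(member.name)
            if not name:
                continue  # nothing left after sanitizing, e.g. "../.."
            target = (dest / name).resolve()
            # Second layer: the resolved path must still sit under dest.
            if not target.is_relative_to(dest):
                raise ValueError(f"unsafe member name: {member.name!r}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            written.append(target)
    return written


def build_sample_archive() -> bytes:
    """Constructed input: one normal member and three hostile names."""
    names = ("src/app.py", "/etc/passwd_copy", "../../outside.txt", "a/../../b.txt")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for path in extract_safely(build_sample_archive(), Path(tmp)):
            print(path)
```

Sanitizing the name and then checking the resolved path against the destination gives two independent layers, so a name that survives the first still cannot be written outside the target directory.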