Security
ggshield-scanner
By Detect 500+ types of hardcoded secrets
---
name: ggshield-scanner
description: Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.
homepage: https://github.com/GitGuardian/ggshield-skill
metadata:
clawdbot:
requires:
bins: ["ggshield"]
env: ["GITGUARDIAN_API_KEY"]
---
# ggshield Secret Scanner
## Overview
**ggshield** is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.
### What Are "Secrets"?
Secrets are sensitive credentials that should NEVER be committed to version control:
- AWS Access Keys, GCP Service Accounts, Azure credentials
- API tokens (GitHub, Slack, Stripe, etc.)
- Database passwords and connection strings
- Private encryption keys and certificates
- OAuth tokens and refresh tokens
- PayPal/Stripe API keys
- Email server credentials
### Why This Matters
A single leaked secret can:
- 🔓 Compromise your infrastructure
- 💸 Incur massive cloud bills (attackers abuse your AWS account)
- 📊 Expose customer data (GDPR/CCPA violation)
- 🚨 Trigger security incidents and audits
ggshield catches these **before** they reach your repository.
## Features
### Commands Available
#### 1. `scan-repo`
Scans an entire git repository for secrets (including history).
```
@clawd scan-repo /path/to/my/project
```
**Output**:
```
🔍 Scanning repository...
✅ Repository clean: 1,234 files scanned, 0 secrets found
```
**Output on detection**:
```
❌ Found 2 secrets:
- AWS Access Key ID in config/prod.py:42
- Slack API token in .env.backup:8
Use 'ggshield secret ignore --last-found' to ignore, or remove them.
```
#### 2. `scan-file`
Scans a single file for secrets.
```
@clawd scan-file /path/to/config.py
```
#### 3. `scan-staged`
Scans only staged git changes (useful pre-commit check).
```
@clawd scan-staged
```
This runs on your `git add`-ed changes only (fast!).
#### 4. `install-hooks`
Installs ggshield as a git pre-commit hook.
```
@clawd install-hooks
```
After this, every commit is automatically scanned:
```
$ git commit -m "Add config"
🔍 Running ggshield pre-commit hook...
❌ Secrets detected! Commit blocked.
Remove the secrets and try again.
```
#### 5. `scan-docker`
Scans Docker images for secrets in their layers.
```
@clawd scan-docker my-app:latest
```
## Installation
### Prerequisites
1. **ggshield CLI**: Install via pip
```bash
pip install ggshield>=1.15.0
```
2. **GitGuardian API Key**: Required for secret detection
- Sign up: https://dashboard.gitguardian.com (free)
- Generate API key in Settings
- Set environment variable:
```bash
export GITGUARDIAN_API_KEY="your-api-key-here"
```
3. **Python 3.8+**: Required by ggshield
### Install Skill
```bash
clawdhub install ggshield-scanner
```
The skill is now available in your Moltbot workspace.
### In Your Moltbot Workspace
Start a new Moltbot session to pick up the skill:
```bash
moltbot start
# or via messaging: @clawd list-skills
```
## Usage Patterns
### Pattern 1: Before Pushing (Security Check)
```
Dev: @clawd scan-repo .
Moltbot: ✅ Repository clean. All good to push!
Dev: git push
```
### Pattern 2: Audit Existing Repo
```
Dev: @clawd scan-repo ~/my-old-project
Moltbot: ❌ Found 5 secrets in history!
- AWS keys in config/secrets.json
- Database password in docker-compose.yml
- Slack webhook in .env.example
Moltbot: Recommendation: Rotate these credentials immediately.
Consider using git-filter-repo to remove from history.
```
### Pattern 3: Pre-Commit Enforcement
```
Dev: @clawd install-hooks
Moltbot: ✅ Installed pre-commit hook
Dev: echo "SECRET_TOKEN=xyz" > config.py
Dev: git add config.py
Dev: git commit -m "Add config"
Moltbot: ❌ Pre-commit hook detected secret!
Dev: rm config.py && git reset
Dev: (add config to .gitignore and to environment variables instead)
Dev: git commit -m "Add config" # Now works!
```
### Pattern 4: Docker Image Security
```
Dev: @clawd scan-docker my-api:v1.2.3
Moltbot: ✅ Docker image clean
```
## Configuration
### Environment Variables
These are required for the skill to work:
| Variable | Value | Where to Set |
| :-- | :-- | :-- |
| `GITGUARDIAN_API_KEY` | Your API key from https://dashboard.gitguardian.com | `~/.bashrc` or `~/.zshrc` |
| `GITGUARDIAN_ENDPOINT` | `https://api.gitguardian.com` (default, optional) | Usually not needed |
### Optional ggshield Config
Create `~/.gitguardian/.gitguardian.yml` for persistent settings:
```yaml
verbose: false
output-format: json
exit-code: true
```
For details: https://docs.gitguardian.com/ggshield-docs/
## Privacy & Security
### What Data is Sent to GitGuardian?
✅ **ONLY metadata is sent**:
- Hash of the secret pattern (not the actual secret)
- File path (relative path only)
- Line number
❌ **NEVER sent**:
- Your actual secrets or credentials
- File contents
- Private keys
- Credentials
**Reference**: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.
### How Secrets Are Detected
ggshield uses:
1. **Entropy-based detection**: Identifies high-entropy strings (random tokens)
2. **Pattern matching**: Looks for known secret formats (AWS key prefixes, etc.)
3. **Public CVEs**: Cross-references disclosed secrets
4. **Machine learning**: Trained on leaked secrets database
## Troubleshooting
### "ggshield: command not found"
ggshield is not installed or not in your PATH.
**Fix**:
```bash
pip install ggshield
which ggshield # Should return a path
```
### "GITGUARDIAN_API_KEY not found"
The environment variable is not set.
**Fix**:
```bash
export GITGUARDIAN_API_KEY="your-key"
# For persistence, add to ~/.bashrc or ~/.zshrc:
echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc
source ~/.bashrc
```
### "401 Unauthorized"
API key is invalid or expired.
**Fix**:
```bash
# Test the API key
ggshield auth status
# If invalid, regenerate at https://dashboard.gitguardian.com → API Tokens
# Then: export GITGUARDIAN_API_KEY="new-key"
```
### "Slow on large repositories"
Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.
**Workaround**:
```bash
# Scan only staged changes (faster):
@clawd scan-staged
# Or specify a subdirectory:
@clawd scan-file ./app/config.py
```
## Advanced Topics
### Ignoring False Positives
Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):
```bash
# Ignore the last secret found
ggshield secret ignore --last-found
# Ignore all in a file
ggshield secret ignore --path ./config-example.py
```
This creates `.gitguardian/config.json` with ignore rules.
### Integrating with CI/CD
You can add secret scanning to GitHub Actions / GitLab CI:
```yaml
# .github/workflows/secret-scan.yml
name: Secret Scan
on: [push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: pip install ggshield
- run: ggshield secret scan repo .
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```
### Enterprise: On-Premise Scanning
If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:
```bash
export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com"
export GITGUARDIAN_API_KEY="your-enterprise-key"
```
## Related Resources
- **ggshield Documentation**: https://docs.gitguardian.com/ggshield-docs/
- **GitGuardian Dashboard**: https://dashboard.gitguardian.com (view all secrets found)
- **Moltbot Skills**: https://docs.molt.bot/tools/clawdhub
- **Secret Management Best Practices**: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
## Support
- **Bug reports**: https://github.com/GitGuardian/ggshield-skill/issues
- **Questions**: Open an issue or comment on ClawdHub
- **ggshield issues**: https://github.com/GitGuardian/ggshield/issues
## License
MIT License - See LICENSE file
## Contributors
- GitGuardian Team
- [Your contributions welcome!]
---
**Version**: 1.0.0
**Last updated**: January 2026
**Maintainer**: GitGuardian
security
Comments
Sign in to leave a comment