OpenSec Atlas

Name: gg-shield-orb
Author: GitGuardian

gg-shield-orb: An Open Source Tool for Data Security | OpenSec Atlas

Back to Browse

Data Security

Tool

gg-shield-orb

GitGuardian Shield CircleCI Orb scans commits to detect exposed credentials and potential security vulnerabilities automatically in CI pipelines.

View on GitHub

About This Tool

GitGuardian Shield Circle CI Orb - Find exposed credentials in your commits

Primary Use Case

This tool is designed for developers and DevOps teams who want to automate the detection of secrets and sensitive information in their code commits during continuous integration workflows. It integrates with CircleCI to scan commits for over 200 types of secrets and policy violations, helping prevent accidental exposure of credentials before code is merged or deployed.

Key Features

Detects more than 200 types of secrets in commits
Integrates seamlessly with CircleCI pipelines via an Orb
Uses GitGuardian public API for scanning without storing files
Supports scanning in local or CI environments
Stateless scanning ensuring no data retention of scanned files or secrets
Requires API key authentication for secure access
Provides CLI tool for easy integration and automation

Insights & Recommendations

An API key from GitGuardian is required to use this tool. The scanning is stateless and does not store any scanned files or detected secrets, ensuring privacy. Best practice includes naming each orb job distinctly in CircleCI workflows for clarity.

Installation

Configure your .circleci/config.yml to add the ggshield orb
Add the following to your config.yml under orbs: ggshield: gitguardian/ggshield@volatile
Define a workflow and add the ggshield/scan job with base_revision and revision parameters
Set the GITGUARDIAN_API_KEY environment variable in your project settings with your GitGuardian API key

Usage

ggshield/scan

Orb job to scan commits between base_revision and revision for exposed secrets

Smart Usage Notes

Integrate gg-shield in CI/CD pipelines to automate early detection of exposed secrets before deployment.Combine with secret rotation policies to reduce risk from leaked credentials detected by the tool.Use gg-shield scan results to enrich blue team threat intelligence and improve incident response playbooks.Leverage the stateless API scanning to maintain privacy and compliance while scanning sensitive codebases.Incorporate gg-shield in purple team exercises to simulate credential exposure scenarios and validate detection capabilities.