Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the `orbs` stanza below your version, invoking the orb:

```yaml
orbs:
  ggshield: gitguardian/ggshield@1.1.4
```

Use `ggshield` elements in your existing workflows and jobs.

Opt in to the use of uncertified orbs on your organization’s Security settings page.

Scan commits when they land on VCS. Do not forget to add an environment variable GITGUARDIAN_API_KEY with your API Key in the project settings.

```yaml
version: 2.1
orbs:
  ggshield: gitguardian/ggshield@x.y
workflows:
  scan_my_commits:
    jobs:
      - ggshield/scan:
          name: ggshield-scan
          base_revision: <<pipeline.git.base_revision>>
          revision: <<pipeline.git.revision>>
```

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
base_revision | ID of the first commit to scan. Leave empty to only scan the latest commit. | No | '' | string |
revision | ID of the last commit to scan. | Yes | - | string |
tag | Pick a specific gitguardian/ggshield image variant: https://hub.docker.com/r/gitguardian/ggshield/tags | No | latest | string |
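
An added example, not taken from the orb's own documentation: a workflow that uses the parameters above to pin the scanner image instead of taking `latest`, supplies GITGUARDIAN_API_KEY through a CircleCI context, and makes a downstream job depend on the scan. The `build` job, the context name `gitguardian-secrets` and the `<pinned-tag>` placeholder are assumptions; replace the placeholder with a tag from the Docker Hub list linked in the table.

```yaml
version: 2.1

orbs:
  # Orb version, written x.y as in the usage example above
  ggshield: gitguardian/ggshield@x.y

jobs:
  # Hypothetical downstream job, standing in for your real build
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: echo "build steps go here"

workflows:
  scan_then_build:
    jobs:
      - ggshield/scan:
          name: ggshield-scan
          # Assumed context name; the context holds GITGUARDIAN_API_KEY so the
          # key is managed in one place and restricted by context permissions
          context: gitguardian-secrets
          base_revision: <<pipeline.git.base_revision>>
          revision: <<pipeline.git.revision>>
          # Placeholder: pin a specific image tag so the scanner version
          # does not change between runs
          tag: "<pinned-tag>"
      - build:
          # build starts only after the scan job has succeeded
          requires:
            - ggshield-scan
```
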

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
---
version: 2.1
description: >
  Easily integrate GitGuardian shield into your CircleCI projects.
  Scan your commits for secrets and other policy breaks
display:
  source_url: https://github.com/GitGuardian/gg-shield-orb
  home_url: https://dashboard.gitguardian.com/
examples:
  scan:
    description: |
      Scan commits when they land on VCS. Do not forget to add an environment
      variable GITGUARDIAN_API_KEY with your API Key in the project settings
    usage:
      version: 2.1
      orbs:
        # This version number refers to the version of the orb
        ggshield: gitguardian/ggshield@x.y
      workflows:
        scan_my_commits:
          jobs:
            - ggshield/scan:
                name: ggshield-scan # best practice is to name each orb job
                base_revision: <<pipeline.git.base_revision>>
                revision: <<pipeline.git.revision>>
jobs:
  scan:
    parameters:
      base_revision:
        description: |
          ID of the first commit to scan. Leave empty to only scan the latest
          commit.
        type: string
        default: ""
      revision:
        description: ID of the last commit to scan.
        type: string
      tag:
        description: |
          Pick a specific gitguardian/ggshield image variant:
          https://hub.docker.com/r/gitguardian/ggshield/tags
        default: latest
        type: string
    docker:
      - image: gitguardian/ggshield:<<parameters.tag>>
    environment:
      CIRCLE_RANGE: <<parameters.base_revision>>...<<parameters.revision>>
    steps:
      - checkout
      - run: ggshield secret scan -v ci
```