chore(deps): bump GitGuardian/ggshield from 1.51.0 to 1.52.1 #372

Closed
dependabot[bot] wants to merge 1 commit into develop from dependabot/github_actions/GitGuardian/ggshield-1.52.1

dependabot Bot commented on behalf of github Jun 17, 2026


Bumps GitGuardian/ggshield from 1.51.0 to 1.52.1.

Release notes

Sourced from GitGuardian/ggshield's releases.

1.52.1

Fixed

  • ggshield hmsl Vault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths.

  • ggshield no longer crashes on startup when the optional truststore setup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundled certifi certificates instead.

1.52.0

Added

  • ggshield ai discover --history backfills historical MCP tool calls to GitGuardian (parsed from ~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe.

  • Improved MCP server name detection for more human-readable names.

  • ggshield honeytoken plant reconciles this machine's honeytokens with GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved.

  • ggshield install -t <agent> now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook.

  • Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz archive, .deb and .rpm packages.

Changed

  • Display an additional warning when the .gitguardian.yaml configuration file is missing the version field.

  • ggshield auth login now requests broader default scopes (scan, honeytokens:check, endpoints:send). If any scope is not granted, a warning is printed but login still succeeds.

  • ggshield install -t <agent> now pins the AI hook to the absolute path of the ggshield that ran the install, instead of a bare ggshield. The hook runs with a PATH that differs from the user's shell and across launch contexts, so on machines with several ggshield installations a bare command could resolve to a different binary than the one the user authenticated with. The stable launcher path is used (symlinks are not resolved) so it survives version upgrades; the bare command remains a fallback when the path cannot be determined.

  • ggshield plugin list shows a verified plugin simply as signed instead of signed (<signing-repository>). The signing identity is still recorded in the plugin manifest for auditing.

Fixed

  • AI hooks are debounced when an agent calls the same hook multiple times.

  • OAuth local server now uses OS-assigned port (port 0) instead of the hardcoded range 29170-29998, eliminating port conflicts when running multiple ggshield instances or other tools.

  • ggshield plugin uninstall no longer crashes with a raw PermissionError when plugin files cannot be removed. Read-only entries are now fixed automatically, and files owned by another user (e.g. residue from a legacy sudo install) produce a clear remediation message instead of a traceback.

  • The AI hook (ggshield secret scan ai-hook) no longer crashes when it cannot authenticate or reach GitGuardian (e.g. when the API token is stored in the macOS Keychain and is not readable from an agent-spawned process). It now allows the action and warns the user through the agent that the action was NOT scanned, with remediation steps.

  • AI hook: secrets in prompts submitted to GitHub Copilot CLI are now blocked before they reach the model. The prompt event was not recognized under Copilot CLI's native userPromptSubmitted name, and the inherited {"continue": false} output is ignored on the prompt event, so prompts containing secrets were let through. ggshield now maps the event and emits {"decision": "block"}, which Copilot CLI honors to cancel the prompt.

  • Ignored secrets (for example secrets on context or deleted lines of a patch) no longer appear in plaintext when they show up in the context lines of another displayed secret.

  • ggshield plugin install no longer fails with "failed to refresh TUF metadata" on locked-down or proxied networks (most often seen on Windows). Plugin signatures are

... (truncated)

Changelog

Sourced from GitGuardian/ggshield's changelog.

1.52.1 — 2026-06-16

Fixed

  • ggshield hmsl Vault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths.

  • ggshield no longer crashes on startup when the optional truststore setup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundled certifi certificates instead.

1.52.0 — 2026-06-15

Added

  • ggshield ai discover --history backfills historical MCP tool calls to GitGuardian (parsed from ~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe.

  • Improved MCP server name detection for more human-readable names.

  • ggshield honeytoken plant reconciles this machine's honeytokens with GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved.

  • ggshield install -t <agent> now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook.

  • Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz archive, .deb and .rpm packages.

Changed

  • Display an additional warning when the .gitguardian.yaml configuration file is missing the version field.

  • ggshield auth login now requests broader default scopes (scan, honeytokens:check, endpoints:send). If any scope is not granted, a warning is printed but login still succeeds.

  • ggshield install -t <agent> now pins the AI hook to the absolute path of the ggshield that ran the install, instead of a bare ggshield. The hook runs with a PATH that differs from the user's shell and across launch contexts, so on machines with several ggshield installations a bare command could resolve to a different binary than the one the user authenticated with. The stable launcher path is used (symlinks are not resolved) so it survives version upgrades; the bare command remains a fallback when the path cannot be determined.

  • ggshield plugin list shows a verified plugin simply as signed instead of signed (<signing-repository>). The signing identity is still recorded in the plugin manifest for auditing.

Fixed

  • AI hooks are debounced when an agent calls the same hook multiple times.

  • OAuth local server now uses OS-assigned port (port 0) instead of the hardcoded range 29170-29998, eliminating port conflicts when running multiple ggshield instances or other tools.

  • ggshield plugin uninstall no longer crashes with a raw PermissionError when plugin files cannot be removed. Read-only entries are now fixed automatically, and files owned by another user (e.g. residue from a legacy sudo install) produce a clear remediation message instead of a traceback.

  • The AI hook (ggshield secret scan ai-hook) no longer crashes when it cannot authenticate or reach GitGuardian (e.g. when the API token is stored in the macOS Keychain and is not readable from an agent-spawned process). It now allows the action and warns the user through the agent that the action was NOT scanned, with remediation steps.

  • AI hook: secrets in prompts submitted to GitHub Copilot CLI are now blocked before they reach the model. The prompt event was not recognized under Copilot CLI's native userPromptSubmitted name, and the inherited {"continue": false} output is ignored on the prompt event, so prompts containing secrets were let through. ggshield now maps the event and emits {"decision": "block"}, which Copilot CLI honors to cancel the prompt.

... (truncated)

Commits
  • 408d9c2 chore(release): 1.52.1
  • a7d328d Merge pull request #1289 from GitGuardian/benjaminrigaud/bump-pygitguardian-1...
  • 637d67b chore: update pygitguardian to pypi release v1.32.0
  • 1bc0e8f Merge pull request #1284 from GitGuardian/henrihubert/fix-truststore-crash-1265
  • 65ecebc test: cover truststore import failure, not just injection
  • f30d564 Merge branch 'main' into henrihubert/fix-truststore-crash-1265
  • 0e2bfe6 Merge pull request #1285 from GitGuardian/benjaminrigaud/update-ggshield-version
  • af57ece chore(pre-commit): update to ggshield 1.52.0
  • 047f329 fix: don't crash when truststore setup fails
  • abff6f9 Merge pull request #1283 from GitGuardian/benjaminrigaud/fix-vault-canonical-...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [GitGuardian/ggshield](https://github.com/gitguardian/ggshield) from 1.51.0 to 1.52.1.
- [Release notes](https://github.com/gitguardian/ggshield/releases)
- [Changelog](https://github.com/GitGuardian/ggshield/blob/main/CHANGELOG.md)
- [Commits](GitGuardian/ggshield@v1.51.0...v1.52.1)

---
updated-dependencies:
- dependency-name: GitGuardian/ggshield
  dependency-version: 1.52.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 17, 2026
dependabot Bot requested a review from ceilf6 as a code owner June 17, 2026 03:53

dependabot Bot commented on behalf of github Jun 29, 2026


Superseded by #378.

dependabot Bot closed this Jun 29, 2026
dependabot Bot deleted the dependabot/github_actions/GitGuardian/ggshield-1.52.1 branch June 29, 2026 04:27