chore(deps): bump GitGuardian/ggshield from 1.51.0 to 1.52.2

[dependabot]

Bumps GitGuardian/ggshield from 1.51.0 to 1.52.2.

Release notes

Sourced from GitGuardian/ggshield's releases.

1.52.2

Added

• Install and uninstall scripts under scripts/install/: a one-line curl | bash (Linux/macOS) and irm | iex (Windows) installer for the standalone ggshield build that authenticates and optionally installs plugins, plus a matching uninstaller that removes the install it created.

Changed

• Clarified the description of the ggshield honeytoken plant command.

• Widened the marshmallow dependency constraint to >=3.18,<5, so ggshield is now compatible with marshmallow 4. This unblocks environments (such as nixpkgs) that ship marshmallow 4.

Fixed

• macOS: ggshield machine scan is no longer several times slower than on other platforms. The signed launcher now carries the com.apple.security.cs.allow-jit entitlement, so the scanner's PCRE2 JIT works under the hardened runtime instead of silently falling back to the interpreter.

1.52.1

Fixed

• ggshield hmsl Vault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths.

• ggshield no longer crashes on startup when the optional truststore setup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundled certifi certificates instead.

1.52.0

Added

• ggshield ai discover --history backfills historical MCP tool calls to GitGuardian (parsed from ~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe.

• Improved MCP server name detection for more human-readable names.

• ggshield honeytoken plant reconciles this machine's honeytokens with GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved.

• ggshield install -t <agent> now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook.

• Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz archive, .deb and .rpm packages.

Changed

• Display an additional warning when the .gitguardian.yaml configuration file is missing the version field.

• ggshield auth login now requests broader default scopes (scan, honeytokens:check, endpoints:send). If any scope is not granted, a warning is printed but login still succeeds.

• ggshield install -t <agent> now pins the AI hook to the absolute path of the ggshield that ran the install, instead of a bare ggshield. The hook runs with a PATH that differs from the user's shell and across launch contexts, so on machines with several ggshield installations a bare command could resolve to a different binary than the one the user authenticated with. The stable launcher path is used (symlinks are not resolved) so it survives version upgrades; the bare command remains a fallback when the path cannot be determined.

• ggshield plugin list shows a verified plugin simply as signed instead of signed (<signing-repository>). The signing identity is still recorded in the plugin manifest for auditing.

Fixed

... (truncated)

Changelog

Sourced from GitGuardian/ggshield's changelog.

1.52.2 — 2026-06-17

Added

• Install and uninstall scripts under scripts/install/: a one-line curl | bash (Linux/macOS) and irm | iex (Windows) installer for the standalone ggshield build that authenticates and optionally installs plugins, plus a matching uninstaller that removes the install it created.

Changed

• Clarified the description of the ggshield honeytoken plant command.

• Widened the marshmallow dependency constraint to >=3.18,<5, so ggshield is now compatible with marshmallow 4. This unblocks environments (such as nixpkgs) that ship marshmallow 4.

Fixed

• macOS: ggshield machine scan is no longer several times slower than on other platforms. The signed launcher now carries the com.apple.security.cs.allow-jit entitlement, so the scanner's PCRE2 JIT works under the hardened runtime instead of silently falling back to the interpreter.

1.52.1 — 2026-06-16

Fixed

• ggshield hmsl Vault integration: list secrets correctly when a KV path has a leading slash, instead of failing against recent HashiCorp Vault versions that reject non-canonical paths.

• ggshield no longer crashes on startup when the optional truststore setup fails (for example on recent macOS versions where the OS version cannot be parsed). It now falls back to the bundled certifi certificates instead.

1.52.0 — 2026-06-15

Added

• ggshield ai discover --history backfills historical MCP tool calls to GitGuardian (parsed from ~/.claude/projects/*/*.jsonl). The API deduplicates events via idempotency keys, so reruns are safe.

• Improved MCP server name detection for more human-readable names.

• ggshield honeytoken plant reconciles this machine's honeytokens with GitGuardian and writes or removes the decoy AWS credential profiles on disk. Existing comments and file permissions are preserved.

• ggshield install -t <agent> now verifies after installing the hooks that ggshield can authenticate to GitGuardian, and warns with remediation steps if it cannot. On macOS, this also triggers the Keychain authorization prompt at a time the user can answer it, instead of inside a non-interactive agent-spawned hook.

• Standalone Linux artifacts are now also built for ARM (aarch64): tar.gz archive, .deb and .rpm packages.

Changed

• Display an additional warning when the .gitguardian.yaml configuration file is missing the version field.

• ggshield auth login now requests broader default scopes (scan, honeytokens:check, endpoints:send). If any scope is not granted, a warning is printed but login still succeeds.

... (truncated)

Commits

• aaada88 chore(release): 1.52.2
• c48c5cf Merge pull request #1296 from GitGuardian/benjaminrigaud/end-315-choco-captur...
• 1dda21b fix(ci): keep 409 guidance when chocolatey.log read fails
• 2b55bdb chore(ci): dump chocolatey.log on failed push
• 158ff03 Merge pull request #1295 from GitGuardian/benjaminrigaud/end-315-choco-push-d...
• 150303d Merge pull request #1293 from GitGuardian/ctourriere/fix_macos_jit_entitlement
• edcf191 chore(ci): capture choco push --debug --verbose output
• 0576c55 Merge pull request #1294 from GitGuardian/benjaminrigaud/end-551-support-mars...
• a405e0b Merge pull request #1287 from GitGuardian/benjaminrigaud/-/simplify_install_s...
• 2732249 build(deps): support marshmallow 4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)