
ggshield scan pre-commit does not detect secret on multiple lines

Open jimmy-grande opened this issue 1 month ago • 2 comments

Environment

  • ggshield version: 1.44.1
  • Operating system (Linux, macOS, Windows): macOS
  • Operating system version: 26.0.1
  • Python version: 3.10.17

Describe the bug

scan pre-commit does not work with a secret on multiple lines

Steps to reproduce:

  1. Create an empty git repository:
mkdir ggshield-test && cd ./ggshield-test && git init
  2. Create a file with a fake secret:
echo "export const someApiSecret =
  '5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA==';" > sample.ts
  3. Add the file to staged changes:
git add sample.ts
  4. Run ggshield:
ggshield secret scan pre-commit

Actual result:

Scanned sample.ts
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

secrets-engine-version: 2.150.0

No secrets have been found

Expected result:

Scanned sample.ts
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

secrets-engine-version: 2.150.0

> commit://staged/sample.ts: 1 secret detected

>> Secret detected: Generic High Entropy Secret
   Validity: No Checker
   Occurrences: 1
   Known by GitGuardian dashboard: NO
   Incident URL: N/A
   Secret SHA: 26f355a538a0890faef10c8e694032222ad03e556c624a982cd44c33481568c8
   Secret found in vault: No
   Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret

    | @@ -0,0 +1 @@
  1 | +export const someApiSecret = "5J5vctP38rp2+Cr***********************************+**********************jbXe0bE1BGYfA==";


> How to remediate

  Since the secret was detected before the commit was made:
  1. replace the secret with its reference (e.g. environment variable).
  2. commit again.

> [Apply with caution] If you want to bypass ggshield (false positive or other reason), run:
  - if you use the pre-commit framework:

    SKIP=ggshield git commit -m "<your message>"

To give you more context, the reason why the secret was on multiple lines is a git hook that formats code with prettier. My prettier config was allowing lines with a size of 80 characters (printWidth = 80).

If the content of the file is on a single line, ggshield can detect the secret.

echo "export const someApiSecret = '5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA==';" > sample.ts

jimmy-grande, Oct 29 '25 20:10
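As an added illustration (not ggshield's code and not the reporter's), the following Python toy shows why a scanner that requires the identifier and the quoted literal to sit on the same physical line misses an assignment that prettier has wrapped, and how joining physical lines into logical statements before matching recovers it. The sample file contents are constructed to mirror the issue, using the placeholder value from the report; the assignment regex, the keyword list and the entropy threshold are assumptions made for the example, not GitGuardian's detector logic.

```python
import math
import re
from collections import Counter

# Constructed sample inputs that mirror the issue: the same TypeScript
# assignment once on one line and once wrapped the way prettier
# (printWidth = 80) wraps it. The value is the placeholder from the report.
VALUE = "5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA=="
SINGLE_LINE = f"export const someApiSecret = '{VALUE}';\n"
MULTI_LINE = f"export const someApiSecret =\n  '{VALUE}';\n"
# A long literal whose variable name is not secret-like (constructed decoy).
BENIGN = "export const greeting = 'hello world, this is a long greeting string';\n"

# Assignment of a quoted literal to an identifier (assumed pattern; not ggshield's).
ASSIGNMENT_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(?P<q>['\"])(?P<value>[^'\"]{16,})(?P=q)"
)
# Identifier words that make a high-entropy value worth reporting (assumed list).
KEYWORD_RE = re.compile(r"secret|token|key|password|passwd|pwd", re.IGNORECASE)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _hits_in(text: str, lineno: int) -> list:
    """Report (lineno, identifier) for secret-like assignments of high-entropy literals."""
    hits = []
    for m in ASSIGNMENT_RE.finditer(text):
        if KEYWORD_RE.search(m.group("name")) and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            hits.append((lineno, m.group("name")))
    return hits


def scan_line_by_line(text: str) -> list:
    """Naive scanner: identifier and literal must share a physical line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.extend(_hits_in(line, lineno))
    return hits


def logical_statements(text: str):
    """Yield (first_lineno, statement): physical lines are joined until one ends a statement."""
    buf, start = [], 1
    for lineno, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        buf.append(line.strip())
        if line.rstrip().endswith((";", "{", "}")):
            yield start, " ".join(buf)
            buf = []
    if buf:  # trailing statement without a terminator
        yield start, " ".join(buf)


def scan_statements(text: str) -> list:
    """Formatter-tolerant scanner: match against joined logical statements."""
    hits = []
    for lineno, stmt in logical_statements(text):
        hits.extend(_hits_in(stmt, lineno))
    return hits


if __name__ == "__main__":
    for label, sample in (("single line", SINGLE_LINE), ("multi line", MULTI_LINE), ("benign", BENIGN)):
        print(f"{label:12} line-by-line: {scan_line_by_line(sample)}  statements: {scan_statements(sample)}")
```

The line-by-line scanner flags the single-line file but returns nothing for the wrapped one, because line 1 carries only `someApiSecret =` and line 2 only the literal. Joining lines into statements (here: until a `;`, `{` or `}` terminator) restores the `name = 'value'` context and the wrapped file is flagged as well, while the decoy with a non-secret-like identifier stays clean in both modes.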

Hi @jimmy-grande, Thank you for reporting this. We will look into it and keep you posted.

sevbch, Oct 30 '25 09:10

@sevbch any update about the issue? Should I use an alternative method?

jimmy-grande, Nov 18 '25 16:11