Next up is ggshield secret scan ci, the mode built for continuous integration, not your local machine. Documentation: https://docs.gitguardian.com/ggshield-docs/home

In this section, we’ll show how CI scanning works and why it’s different. Instead of scanning your whole repo, it scans the set of commits that triggered your pipeline, whether that build came from a direct push or a pull request. That means you catch secrets at the exact moment they’re introduced, before they get merged or released.

ggshield supports CI integrations across the major platforms, including Azure Pipelines, Bitbucket Pipelines, CircleCI, Drone CI, GitLab Pipelines, GitHub Actions, Jenkins, and Travis CI. For this walkthrough, we’ll use GitHub Actions as the example.

To run ggshield in GitHub Actions, you’ll authenticate GitHub to GitGuardian using an API key. We’ll generate that key in the API section of your GitGuardian workspace using either a service account (available on Business plans and above) or a personal access token. For this demo, we only need the Scan scope. We’ll also set a short expiration time (like one week) to follow good token hygiene, then store the key in your repo’s GitHub Secrets as the GITGUARDIAN_API_KEY environment variable (for example, under Settings > Secrets and variables > Actions).

Once that’s in place, we’ll add a job to your GitHub workflow using GitGuardian’s official example configuration. GitGuardian provides ready-to-use examples for every supported CI provider, so you can follow the same pattern no matter what your team runs.
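A workflow along the lines described above, as an added example that is not taken from this page. The workflow file name, the action reference, and the commit-range variable names are assumptions to check against GitGuardian's current example configuration, and the version is left as a placeholder.

```yaml
# Added example. Assumed location: .github/workflows/gitguardian.yml
name: GitGuardian scan

# Run on both triggers the page mentions: direct pushes and pull requests
on: [push, pull_request]

permissions:
  contents: read   # the scan job only needs to read the repository

jobs:
  scanning:
    name: GitGuardian scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so every commit in the push or PR range can be scanned

      - name: GitGuardian scan
        # Placeholder version: pin to a release tag or commit SHA from GitGuardian's example
        uses: GitGuardian/ggshield/actions/secret@<release-tag>
        env:
          # Commit-range hints for ggshield's CI mode (names assumed from GitGuardian's example)
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # Scan-scoped key stored under Settings > Secrets and variables > Actions
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
```

GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so the scan step has no API key on those runs. Rotate the key in GitHub Secrets before the short expiration set in the workspace lapses, or the job will start failing on authentication.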