
ggshield scan pre-commit does not detect secret on multiple lines #1142

@jimmy-grande

Description


Environment

  • ggshield version: 1.44.1
  • Operating system (Linux, macOS, Windows): macOS
  • Operating system version: 26.0.1
  • Python version: 3.10.17

Describe the bug

scan pre-commit does not work with a secret spread over multiple lines

Steps to reproduce:

  1. Create an empty git repository:
     mkdir ggshield-test && cd ./ggshield-test && git init
  2. Create a file with a fake secret:
     echo "export const someApiSecret =
       '5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA==';" > sample.ts
  3. Add the file to the staged changes:
     git add sample.ts
  4. Run ggshield:
     ggshield secret scan pre-commit

Actual result:

Scanned sample.ts
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

secrets-engine-version: 2.150.0

No secrets have been found

Expected result:

Scanned sample.ts
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

secrets-engine-version: 2.150.0

> commit://staged/sample.ts: 1 secret detected

>> Secret detected: Generic High Entropy Secret
   Validity: No Checker
   Occurrences: 1
   Known by GitGuardian dashboard: NO
   Incident URL: N/A
   Secret SHA: 26f355a538a0890faef10c8e694032222ad03e556c624a982cd44c33481568c8
   Secret found in vault: No
   Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/generics/generic_high_entropy_secret

    | @@ -0,0 +1 @@
  1 | +export const someApiSecret = "5J5vctP38rp2+Cr***********************************+**********************jbXe0bE1BGYfA==";


> How to remediate

  Since the secret was detected before the commit was made:
  1. replace the secret with its reference (e.g. environment variable).
  2. commit again.

> [Apply with caution] If you want to bypass ggshield (false positive or other reason), run:
  - if you use the pre-commit framework:

    SKIP=ggshield git commit -m "<your message>"

To give you more context, the reason the secret was on multiple lines is a git hook that formats code with Prettier. My Prettier config allows lines of up to 80 characters (printWidth = 80).

If the content of the file is on a single line, ggshield can detect the secret.

echo "export const someApiSecret = '5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA==';" > sample.ts
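To make the failure mode concrete, here is an added example (not ggshield's code and not GitGuardian's detector, whose real rules are not given in this report): a toy "credential-looking variable = high-entropy quoted value" rule is applied to the two sample.ts contents from the report, first with the name and value required to sit on one line and then with whitespace allowed to span the line break a formatter inserts. The regexes, the credential-name hint list and the 4.0-bit entropy threshold are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample input, copied from the report: the same fake secret once
# wrapped the way the Prettier hook (printWidth = 80) left it, once unwrapped.
FAKE_SECRET = (
    "5J5vctP38rp2+CrzwF2y3xe3i0iheV51xz12BUFMH7akEPgEyW+aMDlW4rm3O1jDgmUUhAJhsjbXe0bE1BGYfA=="
)
WRAPPED_TS = "export const someApiSecret =\n  '" + FAKE_SECRET + "';\n"
SINGLE_LINE_TS = "export const someApiSecret = '" + FAKE_SECRET + "';\n"

# Toy generic rule (an assumption for this example, not ggshield's detector):
# a variable whose name hints at a credential, an assignment, and a quoted
# value of at least 32 base64/url-safe characters.
KEY_HINT = r"(?P<name>\w*(?:secret|token|password|passwd|api_?key)\w*)"
VALUE = r"['\"](?P<value>[A-Za-z0-9+/=_\-]{32,})['\"]"
# Line-scoped: [ \t]* never crosses a newline, so name and value must share a line.
LINE_SCOPED = re.compile(KEY_HINT + r"[ \t]*[=:][ \t]*" + VALUE, re.IGNORECASE)
# Statement-scoped: \s* may span the line break a formatter inserted.
STATEMENT_SCOPED = re.compile(KEY_HINT + r"\s*[=:]\s*" + VALUE, re.IGNORECASE)

ENTROPY_THRESHOLD = 4.0  # bits per character; an illustrative cut-off


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution of s, in bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, rule: "re.Pattern[str]") -> list:
    """Return (line_number, variable_name, value) for each rule match whose
    value is high-entropy; line_number is the line the value starts on."""
    hits = []
    for m in rule.finditer(text):
        value = m.group("value")
        if shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        line_no = text.count("\n", 0, m.start("value")) + 1
        hits.append((line_no, m.group("name"), value))
    return hits


def demo() -> dict:
    """Run both rules over both files; keyed by file label, then by rule."""
    return {
        label: {
            "line_scoped": scan(src, LINE_SCOPED),
            "statement_scoped": scan(src, STATEMENT_SCOPED),
        }
        for label, src in (("wrapped", WRAPPED_TS), ("single-line", SINGLE_LINE_TS))
    }


if __name__ == "__main__":
    for label, by_rule in demo().items():
        for rule_name, hits in by_rule.items():
            print(f"{label:12s} {rule_name:17s} -> {len(hits)} hit(s): {hits}")
```

Running the script gives zero hits for the wrapped file under the line-scoped rule and one hit (line 2, someApiSecret) under the statement-scoped rule, and one hit for the single-line file under both. Any detector that anchors a generic-secret match to a name and value on the same line has the same gap whenever a formatter wraps the value, so a quick self-check for a hook pipeline is to run the scanner after the formatter on a deliberately long fake assignment like the one above.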

Metadata

Assignees: No one assigned
Labels: status:new (This issue needs to be reviewed), type:bug (Something isn't working)
