Install ggshield via pip: pip install ggshield, or via Homebrew on macOS.
Authenticate by running ggshield auth login, which opens a browser flow and stores a token locally; alternatively set GITGUARDIAN_API_KEY in your environment.
Install the hook locally for a single repository with ggshield install -m local, or globally for all repositories with ggshield install -m global.
Verify the hook is active by running git diff --cached | ggshield secret scan pre-commit in the repo and checking for output.
To integrate with the pre-commit framework instead, add an entry referencing the GitGuardian/ggshield repo in your .pre-commit-config.yaml and run pre-commit install.
Test by staging a dummy credential-like string in a file and attempting git commit; ggshield should block the commit and print the finding.
Known gotchas
The global hook only applies to repositories initialized after installation; existing repos need ggshield install -m local run inside them.
ggshield requires network access to the GitGuardian API for scanning; air-gapped environments must use a self-hosted GitGuardian instance.
False positives can be allowlisted per-repo in a .gitguardian.yaml file; suppressing alerts without reviewing them defeats the purpose.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp