Skip to content
Latchkey

GitGuardian ggshield "1 incident detected" fails CI

ggshield sent the scanned content to GitGuardian, which matched a secret detector and returned an incident. ggshield exits 1 on any detected incident so CI blocks the merge.

What this error means

ggshield prints a summary like "1 incident detected" with the secret type, filename, and validity, and the ggshield secret scan step exits non-zero.

ggshield
secret scan
> commit-range: origin/main..HEAD

1 incident detected.

>> Secret detected: Generic High Entropy Secret
   Validity: Valid
   Filepath: config/prod.env
   Occurrence: line 12

Common causes

A secret matched a GitGuardian detector

GitGuardian identified a credential in the scanned diff or commit range; a "Valid" validity means it was checked and is live.

A false positive on a high-entropy string

A generic high-entropy detector can flag a random-looking test value that is not an actual secret.

How to fix it

Rotate a valid secret, ignore a confirmed false positive

  1. Open the filepath and occurrence line in the incident.
  2. If validity is Valid, revoke and rotate the credential and remove it from the code.
  3. If it is a verified false positive, add it to .gitguardian.yaml or a .gitguardian.yml ignore, or use the incident SHA.
.gitguardian.yaml
# .gitguardian.yaml
secret:
  ignored-matches:
    - name: prod env example
      match: 3f2a9c1e...incident-sha

Scan the same range locally

Run the CI scan command locally so incidents surface before the push.

Terminal
ggshield secret scan commit-range origin/main..HEAD

How to prevent it

  • Rotate any credential reported with Valid validity.
  • Keep ignore matches in .gitguardian.yaml, reviewed, for real false positives.
  • Run ggshield in a pre-commit hook so incidents do not reach CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →