GitGuardian ggshield "1 incident detected" fails CI
ggshield sent the scanned content to GitGuardian, which matched a secret detector and returned an incident. ggshield exits 1 on any detected incident so CI blocks the merge.
What this error means
ggshield prints a summary like "1 incident detected" with the secret type, filename, and validity, and the ggshield secret scan step exits non-zero.
ggshield
secret scan
> commit-range: origin/main..HEAD
1 incident detected.
>> Secret detected: Generic High Entropy Secret
Validity: Valid
Filepath: config/prod.env
Occurrence: line 12Common causes
A secret matched a GitGuardian detector
GitGuardian identified a credential in the scanned diff or commit range; a "Valid" validity means it was checked and is live.
A false positive on a high-entropy string
A generic high-entropy detector can flag a random-looking test value that is not an actual secret.
How to fix it
Rotate a valid secret, ignore a confirmed false positive
- Open the filepath and occurrence line in the incident.
- If validity is Valid, revoke and rotate the credential and remove it from the code.
- If it is a verified false positive, add it to
.gitguardian.yamlor a.gitguardian.ymlignore, or use the incident SHA.
.gitguardian.yaml
# .gitguardian.yaml
secret:
ignored-matches:
- name: prod env example
match: 3f2a9c1e...incident-shaScan the same range locally
Run the CI scan command locally so incidents surface before the push.
Terminal
ggshield secret scan commit-range origin/main..HEADHow to prevent it
- Rotate any credential reported with Valid validity.
- Keep ignore matches in
.gitguardian.yaml, reviewed, for real false positives. - Run ggshield in a pre-commit hook so incidents do not reach CI.
Related guides
ggshield "Invalid API key" (GITGUARDIAN_API_KEY) in CIFix ggshield "Error: Invalid API key" in CI - GITGUARDIAN_API_KEY is missing, empty, or malformed, so ggshiel…
ggshield "401 Unauthorized" from the GitGuardian API in CIFix ggshield "401 Unauthorized" in CI - the GitGuardian API rejected the key because it is expired, revoked,…
gitleaks "leaks found" exit code 1 fails the build in CIFix gitleaks "leaks found: N" with exit code 1 in CI - gitleaks matched one or more secret rules in the scann…