Skip to content

feat: add --insecure option and deprecate --allow-self-signed #1132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Oct 21, 2025
Merged

feat: add --insecure option and deprecate --allow-self-signed #1132

merged 19 commits into from
Oct 21, 2025

Conversation

@guischguardian
Copy link
Contributor

Context

We received a report about ggshield's --allow-self-signed option. The option name is misleading: it suggests that self-signed certificates are validated, when in reality it completely disables SSL verification, making connections vulnerable to man-in-the-middle attacks.

This PR addresses the issue by:

  1. Adding a clearer --insecure option (matching curl's convention)
  2. Deprecating --allow-self-signed with prominent warnings
  3. Adding security warnings explaining the risks and secure alternatives

See SCRT-5952.

What has been done

New Features

  • Added --insecure CLI option and insecure configuration setting as clearer alternatives to --allow-self-signed
  • Added prominent warning messages when SSL verification is disabled (via either option), explaining:
    • The security risks (MITM attacks, traffic interception)
    • The recommended secure alternative (system certificate trust store with Python >= 3.10)
    • Link to documentation for more information
  • Help text for --insecure matches curl's standard wording for consistency

Deprecation

  • The --allow-self-signed CLI option is now deprecated with a warning displayed on every use
  • The allow_self_signed config setting is now deprecated with a warning displayed when loading config files
  • Both options remain fully functional for backward compatibility
  • Deprecation warnings guide users to use --insecure instead

Implementation Details

  • Both --insecure and --allow-self-signed set both internal flags for consistency
  • Warnings use ui.display_warning() for proper user-facing output (not logger.warning())
  • Comprehensive test coverage for both old and new options

Validation

To validate the new --insecure option:

# Test the new --insecure flag works
ggshield --insecure secret scan path .

# Verify deprecation warning is shown for --allow-self-signed
ggshield --allow-self-signed secret scan path .

Expected behavior:

  • Both commands disable SSL verification
  • --allow-self-signed displays a deprecation warning guiding to --insecure
  • Both display security warnings about MITM risks and secure alternatives

To validate config file deprecation:

# Create a config with allow_self_signed
echo "version: 2" > .gitguardian.yaml
echo "allow_self_signed: true" >> .gitguardian.yaml

# Run any ggshield command
ggshield secret scan path .

Expected: Deprecation warning about allow_self_signed config key

PR check list

  • As much as possible, the changes include tests (unit and/or functional)
  • If the changes affect the end user (new feature, behavior change, bug fix) then the PR has a changelog entry (see doc/dev/getting-started.md). If the changes do not affect the end user, then the skip-changelog label has been added to the PR.

@guischguardian
feat(config): add insecure field to UserConfig
2bbfef3 
Add the 'insecure' configuration field alongside 'allow_self_signed' to
prepare for introducing the --insecure flag with clearer semantics.

Issue: SCRT-5952
@guischguardian
feat(cli): add --insecure option as an explicit alternative
a54458f 
Add the --insecure flag to clearly communicate that SSL verification
is being disabled, making the connection vulnerable to MITM attacks.
This option is clearer than --allow-self-signed about what it does.

Issue: SCRT-5952
@guischguardian
feat(client): add prominent warning when SSL verification is disabled
f054492 
Display clear warnings when SSL verification is disabled, explaining:
- The security risks (MITM attacks, interception)
- The recommended secure alternative (system trust store with Python >= 3.10)
- A link to documentation for more information

This warning appears every time a session is created with SSL verification
disabled, whether through --allow-self-signed or --insecure.

Issue: SCRT-5952
@guischguardian
feat(cli): handle both --insecure and --allow-self-signed options
fcecdb3 
Update the main CLI handler to accept both --insecure and --allow-self-signed
options. When either is set, both flags are enabled in the config to maintain
consistency and ensure they work as aliases.

This ensures backward compatibility while providing a clearer option name.

Issue: SCRT-5952
@guischguardian
test: add tests for --insecure option
f3faf06 
Add test coverage for the new --insecure flag to ensure it works
correctly and disables SSL verification as expected, matching the
behavior of --allow-self-signed.

Issue: SCRT-5952
@guischguardian
doc: add changelog entry for --insecure option
082e59e 
Document the addition of the --insecure option and improved security
warnings when SSL verification is disabled.

Issue: SCRT-5952
@guischguardian
fix(client): check both insecure and allow_self_signed flags
ceab4da 
Update create_client_from_config to check both the insecure and
allow_self_signed flags when creating the API client. This ensures
that either flag will correctly disable SSL verification.

Issue: SCRT-5952
@guischguardian
fix(client): correct documentation link in SSL warning message
12e9d66 
Fix the URL in the warning message to point to the correct documentation
page (remove 'reference/' from the path).

Issue: SCRT-5952
@guischguardian
refactor(client): use ui.display_warning instead of logger.warning
04c9810 
Switch from logger.warning to ui.display_warning for SSL verification
warnings to properly display messages to users through ggshield's UI
system rather than the logging system.

This ensures warnings are properly formatted and visible to end users
regardless of their logging configuration.

Issue: SCRT-5952
@guischguardian
refactor(cli): update --insecure help text to match curl's wording
19ed2a2 
Use curl's standard wording for the --insecure option to maintain
consistency with widely-used tools and make the security implications
immediately clear to users familiar with curl.

Issue: SCRT-5952
@guischguardian
feat(cli): add deprecation warning for --allow-self-signed option
510fd39 
Display a deprecation warning when --allow-self-signed is used,
guiding users to use --insecure instead, which more accurately
describes the behavior (disabling all certificate validation).

The option remains functional for backward compatibility but now
clearly indicates it will be removed in a future version.

Issue: SCRT-5952
@guischguardian
feat(config): add deprecation warning for allow_self_signed config key
c973036 
Display a deprecation warning when 'allow_self_signed' is used in
configuration files, guiding users to use 'insecure' instead.

The option remains functional for backward compatibility but now
clearly indicates it will be removed in a future version.

Issue: SCRT-5952
@guischguardian
doc: update changelog to mention deprecation of allow_self_signed
2e88c0e 
Add a Deprecated section to the changelog documenting that
allow_self_signed is now deprecated in favor of the insecure option.

Issue: SCRT-5952
@codecov
Copy link

codecov bot commented Oct 16, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.98%. Comparing base (b91c894) to head (8983a6e).
⚠️ Report is 24 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1132      +/-   ##
==========================================
+ Coverage   91.95%   91.98%   +0.02%     
==========================================
  Files         144      144              
  Lines        6166     6188      +22     
==========================================
+ Hits         5670     5692      +22     
  Misses        496      496
Flag Coverage Δ
unittests 91.98% <100.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@guischguardian
style: apply pre-commit formatting fixes
0855177 
Apply black formatting and fix end-of-file for changelog.

Issue: SCRT-5952
@guischguardian
test: add coverage for allow_self_signed config deprecation warning
8b5bcd3 
Add test to verify that the deprecation warning is properly added to
deprecation_messages when allow_self_signed is used in config files.

This brings the patch coverage to 100%.

Issue: SCRT-5952
@guischguardian guischguardian marked this pull request as ready for review October 16, 2025 12:20
@guischguardian guischguardian requested a review from a team as a code owner October 16, 2025 12:20
agateau-gg
agateau-gg requested changes Oct 17, 2025
View reviewed changes
@guischguardian
refactor: implement review feedback - simplify SSL verification config
5f34673 
Implement all review feedback from @agateau-gg:

- Remove allow_self_signed field from UserConfig, keep only insecure
- Convert allow_self_signed to insecure during config loading
- Use ui.display_warning() directly instead of deprecation_messages
- Shorten all deprecation warning messages
- Reorder --insecure help text (functionality before warning)
- Update v1 config converter to map allow_self_signed to insecure
- Simplify code by eliminating dual field state

This makes the code cleaner and prevents inconsistent state where
allow_self_signed and insecure could have different values.

Issue: SCRT-5952
@guischguardian
fix: replace all allow_self_signed usages with insecure
9deb1cf 
Update remaining references to allow_self_signed attribute in:
- ggshield/verticals/hmsl/utils.py
- ggshield/verticals/auth/oauth.py
- ggshield/cmd/auth/logout.py
- ggshield/cmd/auth/login.py

Issue: SCRT-5952
cursor[bot]

This comment was marked as outdated.

Sign in to view

agateau-gg
agateau-gg requested changes Oct 17, 2025
View reviewed changes
Copy link
Collaborator

@agateau-gg agateau-gg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One last change and this can go in.

@guischguardian
fix: ensure --allow-self-signed works when placed before subcommand
3e667d9 
The cli() function needs to accept the allow_self_signed parameter
to handle the case where --allow-self-signed is placed before the
subcommand (e.g., 'ggshield --allow-self-signed api-status').

Without this, the callback can't update the config at that stage
because ctx.obj is None, breaking backward compatibility.

Added test to verify both placements work:
- ggshield api-status --allow-self-signed ✓
- ggshield --allow-self-signed api-status ✓

Issue: SCRT-5952
cursor[bot]

This comment was marked as outdated.

Sign in to view

@guischguardian
doc: update documentation link for SSL verification
8983a6e 
Updated the documentation link in the SSL verification warning message to point
to the correct anchor in the public documentation. The link now points to the
'support-for-self-signed-certificates' section instead of 'allow_self_signed'.

Issue: SCRT-5952
@agateau-gg agateau-gg merged commit e5aa4a9 into main Oct 21, 2025
31 checks passed
@agateau-gg agateau-gg deleted the gcasier/SCRT-5952/add_insecure_option branch October 21, 2025 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@agateau-gg agateau-gg agateau-gg approved these changes

Assignees

@agateau-gg agateau-gg

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@guischguardian @agateau-gg