3 articles tagged with "ggshield"


2026.6

| Version | Release Date |
|---|---|
| 2026.6.0 | June 19, 2026 |
| 2026.6.1 | June 23, 2026 |

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.30 | 1.35 |
| PostgreSQL | 15 | 17 |
| Redis | 6 | 7 |
| ggscout | 0.19.0 | Latest |

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights

  • Premium scan retry worker (Helm only) — a new optional, dedicated worker retries failed premium (VCS) scans on a high-memory pod. Large repositories that fail a scan — most often on out-of-memory errors — are retried here instead of repeatedly failing on the standard scanner pool. This lets you keep your base worker-scanners pods small and route only the heavy retries to one or two large, scale-to-zero pods. Learn more.
  • Open-source agent skills for ggshield — the new GitGuardian/agent-skills repository ships open-source skills that teach AI coding assistants like Claude Code and Cursor when to scan, how to read findings, and how to walk developers through remediation. Learn more.

Secrets Detection Engine

  • v2.163 — 6 new detectors (Aikido API OAuth2 Credentials, Logflare Access Token, PolyAPI API Key, Apollo.io API Key, AES Cipher Key, SAP OAuth Credentials — replacing sap_ai_core_credentials), 1 new checker (SAP OAuth Credentials), 3 detector precision/format improvements (Azure DevOps PAT, GitHub App Token, Pagar.me API Key), 1 updated checker (Coralogix Personal Key), 2 analyzer updates (Datadog API Credentials, Azure OpenAI).
  • v2.164 — 6 new detectors (Authentik API Token, Pagar.me Encryption Key, Adobe Refresh Token, LiteLLM API Key, brapi.dev API Key, Open VSX Access Token), 1 new checker (Google OAuth2 Keys), 6 detector precision improvements (Snyk Key, Finicity Authentication Keys, Hunter API Key, Datadog API Credentials, GitHub PAT, Heroku Platform Key), 1 new analyzer (Adafruit IO API Key).
  • v2.165 — 8 new detectors (Stitch API Key, ActiveMQ Credentials, Instantly API Key, Gitea Access Token, Fal.ai API Key, SurrealDB Cloud JWT Token, Kimi API Key, Wiz OAuth Credentials), 8 new checkers (Okta Token, Okta OAuth Credentials, Azure Communication Services Connection String, Azure Storage Account Key, AWS Cognito OAuth 2.0 Credentials, LaunchDarkly SDK Key, Pulumi Access Token, Python Package Index Key), 6 updated checkers (AWS IAM Keys — all regions, Sumo Logic Keys, Supabase API Key, Vultr Key — v2 API, Baidu AI API Key, SAP OAuth Credentials), 1 detector precision improvement (Azure Active Directory API Keys).

Enhancements

  • Microsoft Teams granular alerting for internal monitoring — subscribe to specific incident event types per channel for fine-grained control over notification preferences. Learn more.
  • Jira Cloud now uses recurrent scanning instead of webhooks, and VCS historical scans now cover orphaned commits, Git notes, and pull/merge request refs. Learn more.
  • Overview analytics now include NHI; GitHub check runs can skip merge commits; dissociate Jira/ServiceNow tickets from incidents; GitLab read-only group hook tokens. Learn more.

Fixes

  • Fixed an issue where unmonitored sources were incorrectly displayed as deleted in the user interface. Learn more.
  • Security XSS fix on the mTLS redirect page; custom remediation guidelines now shown on developer share links; Jira & Confluence rate-limit scanning error; GitHub Forbidden error on unauthenticated API root requests. Learn more.
  • Self-Hosted: Fixed an in-app Analytics failure that blocked the analytics run from completing.

Hotfixes

2026.6.1

Release Date: June 23, 2026

Fixes

  • ggshield: Fixed ggshield auth login on self-hosted.

2026.4 - Required

| Version | Release Date |
|---|---|
| 2026.4.0 | April 22, 2026 |

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.30 | 1.35 |
| PostgreSQL | 15 | 17 |
| Redis | 6 | 7 |
| ggscout | 0.19.0 | Latest |

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2026.4

Helm installations using External Secrets: Built-in support for externalSecrets is removed in 2026.4.0. Before upgrading, take over the management of your ExternalSecret resources and switch your Helm values to existingSecrets. See Helm secrets > External Secret.

Feature highlights

  • Email verification MFA — email-based verification codes are now required at login and before sensitive workspace actions for users authenticating with email and password. Learn more.
  • Secret scanning for AI coding tools — ggshield now scans prompts, tool calls, and agent actions in real time to prevent secrets from leaking through Cursor, Claude Code, and GitHub Copilot. Learn more.
  • Team perimeter for non-VCS sources — scope incident visibility by team across container registries, messaging, docs, tickets, package registries and custom sources. Learn more.
  • In-cluster support bundle generation — Helm administrators can now generate, download, and upload support bundles directly from the Admin area > Support Bundle page, without kubectl access or the Krew plugin. Learn more.

    Init container memory scales with bundle size (~45 Mi/MB); large bundles may need higher limits to avoid OOMKilled. See Sizing the init container.

Secrets Detection Engine

  • v2.159 — 16 new detectors and checkers (Polar Organization Access Token, Microsoft Azure Storage Account Key, Azure Language API Key, Azure IoT Hub Connection String, DeepL Free/Pro API Keys, Azure Document Intelligence Key, Azure Speech Services Key, Azure Computer Vision Key, Azure Text Translation Key, Oracle Credentials, Google Cloud Express API Key, GitGuardian Public/Internal Monitoring Keys, SAP AI Core Credentials, Odoo External API Key), 3 new detectors (K3s Token, Zoho API Key, ServiceNow Generic Password), 4 new analyzers, 5 detector upgrades, 9 checker upgrades, 2 analyzer upgrades.
  • v2.160 — 2 new detectors and checkers (Paymob API Key, Paymob Secret Key), 2 new detectors (ConvertTo-SecureString Password, Paymob HMAC Secret), 5 new checkers (Kubernetes Docker Secret, Generic/OpenSSH/RSA/Elliptic Curve Private Keys with GitLab/GitHub registration checks), 4 new analyzers (Sentry, Figma, Datadog, Google Cloud Keys), 2 detector upgrades, 1 checker upgrade.

Enhancements

  • Bring Your Own Sources location.url field, v2 format for Personal and Service Account Tokens. Learn more.
  • Critical saved view as default, privacy mode in public API, historical scan trigger/cancel endpoints, severity rule ID and detector category on incidents, /v1/severity-rules endpoint. Learn more.
  • Workspace-level privacy mode enforcement, audit log event types exposed via public API. Learn more.
  • Self-Hosted:
    • New namespace-scoped NetworkPolicy support for the GIM namespace, configurable via networkPolicy.* Helm values with a dryrun → enforce rollout. See Network policies.
    • Manual encryption secret creation is now required for all new Helm installations (Helm, Argo CD, Flux). Existing installations are unaffected. See Mandatory secret.
    • Removed the API quota page for self-hosted instances, as quotas do not apply. The API endpoint helper banner is now displayed on the Personal Access Tokens and Service Accounts pages.
    • Added support for bundling JSON schemas into the deployment package, removing the need to fetch them at runtime in air-gapped environments.
    • Added support for replicated.readOnlyMode, which prevents the Replicated subchart from creating or patching Secrets, enabling deployments in environments with strict admission policies.

Fixes

  • Audit log actor display, missing audit logs for Custom Sources via API, bulk filter select-all, NHI Governance timeouts on large Entra ID datasets. Learn more.
  • ggshield incident URL for shared-hash secrets, analytics "All time" date range, Jira Data Center authentication drops, Honeytoken GitLab deployment encoding. Learn more.
  • GitLab instance health check compatibility with GitLab.com and upcoming GitLab 19 self-hosted versions. Learn more.

2025.10 - Required

| Version | Release Date |
|---|---|
| 2025.10.0 | October 27, 2025 |

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.28 | 1.32 |
| PostgreSQL | 15 | 16 |
| Redis | 6 | 7 |
| ggscout | 0.19.0 | Latest |

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.10

Helm installations: This release changes the MinIO image used in the log collector and requires updates to your Helm values file. See Upgrade Helm > Upgrading to 2025.10.

Feature highlights

  • Secret Revocation — revoke supported secrets directly from incidents. Learn more
  • Context preview for non‑VCS incidents — see surrounding content for leaks in SharePoint, OneDrive, Slack, Confluence. Learn more
  • Microsoft Teams attachment scanning — detect secrets in files shared in Teams. Learn more
  • ggshield: vault name and path — show secret manager details for vaulted secrets. Learn more
  • Unified graph with public leak intelligence — correlate internal and public exposures in one view. Learn more

Secrets Detection Engine

  • v2.147 — 2 new detectors, 4 improved, 4 new checkers.
  • v2.148 — 21 new detectors, 3 improved, multiple new checkers.
  • v2.149 — 4 new detectors, 1 improved, 4 new checkers, 2 analyzer upgrades.

Enhancements

  • Pattern exclusion performance. Learn more.
  • Base64 token decoding, new ignore reasons. Learn more.
  • Generic Secret Enricher v2, False Positive Remover v2.5, Jira auto-assignment. Learn more.
  • Incident developer identity. Learn more.
  • GitLab integration performance, Public API perimeter editing. Learn more.
  • Playbooks: Updated the Playbooks settings page with a refreshed, modern interface design.
  • Self-Hosted:
    • All GitGuardian images are now multi-arch. Helm deployments now support ARM64 clusters in addition to AMD64. KOTS and Embedded Cluster installations remain AMD64-only. See system requirements.
    • Added support for read-only root filesystem constraint to meet security compliance requirements and enhance container runtime protection.

Fixes

  • Google Artifact Registry auth. Learn more.
  • Weekly summary email dates, Jira DC admin detection, historical scan duplicates. Learn more.
  • Incident search filters, secret view links. Learn more.
  • Occurrence commit info, perimeter scan button visibility. Learn more.
  • Self-Hosted:
    • Updated KOTS embedded cluster installation requirements to match documented system requirements.
    • Added missing toleration configuration for secretEngine deployment.
    • Fixed license verification when using a proxy by adding the NO_PROXY to replicated.extraEnv default values.