Version	Release Date
2026.5.0	May 21, 2026

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• Advanced Analytics enabled by default for Helm installation — actionable dashboards for detection, remediation, and prevention of secret leaks are now activated by default on all instances, including the new Analytics Overview page, previously available in early access, that aggregates KPIs across Protect, Detect, Remediate, and Govern in a single dashboard. Learn more.

  Requires ~12 GB extra memory and increases database usage by 15-20% (min. 5-6 GB). Data refreshes once a day. KOTS installation must enable the new analytics in KOTS admin console.

• New AI workspace setting — workspace owners now have a self-service Settings → Workspace → AI page to enable or disable external LLM calls and configure Bring Your Own Cloud (BYOC) providers, with AWS Bedrock supported at launch. External LLM features are disabled by default on self-hosted instances. Once the integration is up and running, the selected Anthropic model powers every LLM-driven feature in the app. See AI settings and the AWS Bedrock setup guide.
• NHI admin and overprivilege flags — NHI Governance now flags admin-level and overprivileged non-human identities across AWS IAM, Microsoft Entra, and Okta, and automatically bumps the severity of any policy breach landing on an admin NHI. Learn more.
• Attachment scanning across Atlassian — secret detection now covers file attachments on Jira Cloud, Jira Data Center, Confluence Cloud, and Confluence Data Center. Reinstall your Atlassian integrations to grant the new attachment scopes. Learn more.

Secrets Detection Engine​

• v2.161 — 7 new detectors (Payhere App Credentials, HubSpot API Key, Birdeye API Key, Datadog API Credentials, Payhere Merchant Secret, GitGuardian Personal Access Token, GitGuardian Service Access Token), 1 new checker (Azure SignalR Connection String), 4 detector precision improvements (Jira Basic Auth, Atlassian OAuth2, npm Token, OpenWeatherMap Token), 5 new analyzers (Intercom Access Token, GitGuardian PAT/SAT, Notion Integration Token, Azure Cosmos DB Credentials).
• v2.162 — 16 new detectors (Aikido CI Scanning Token, Baidu AI API Key, Baidu Cloud API Keys, Bitrise Personal/Workspace Access Tokens, Canva Integration OAuth2, Cloudflare API Token V2, CockroachDB API Key, Coder Session Token, Datadog Application Key, ElevenLabs API Key, HashiCorp Consul ACL Token, MaxMind License Key, QQ Robot API Keys, Snyk Key V2, Volcengine API Key), 6 detector updates (Azure OpenAI, GitLab Token, Google Cloud Keys, Grafbase, PayPal Braintree, Slack Bot Token), 2 new analyzers (Azure AI Search Key, Azure OpenAI), 3 analyzer updates (Anthropic Admin Key, GitLab Token, PostgreSQL Credentials).

Enhancements​

• Slack Marketplace listing (US and EU), channel selection at setup, file attachment scanning, interactive thread responses (beta), privacy controls, Ctrl+Enter form submission. Learn more.
• Deprecated Honeytoken Labels Public API removed (use Custom Tags), Jira templates flag unsupported required fields, GitHub Check runs reliability during partial outages. Learn more.
• Microsoft Teams notifications expanded to full incident lifecycle; new Public API Health Checks endpoints; archived-source filters on Sources and Incidents endpoints. Learn more.
• Microsoft Teams Issue Regression event backfilled for existing notifiers, leak author now captured on JFrog Artifactory incidents. Learn more.
• Self-Hosted:
  • Improved the support bundle upload with a more descriptive filename (including hostname, date, and ticket ID and an instance ID display.
  • Added logCollector.supportBundle.logLevel to filter Loki queries when generating a support bundle.
  • Added dedicated celeryWorkers.automatic-severities worker — moves the automatic_severities queue out of the long worker into its own scalable worker. See the updated application topology.
  • Helm upgrades no longer fail when the chart is configured with a third-party cert-manager issuer plugin. The certManager values schema now accepts plugin issuer kinds in addition to the built-in Issuer and ClusterIssuer.

Fixes​

• PAT source scopes not applied correctly, Bitbucket Cloud workspace-scoped APIs. Learn more.
• Dashboard unresponsive when filtering PATs, Bitbucket Cloud cross-workspace API deprecation handled. Learn more.
• SendGrid revocation error, JFrog Artifactory bulk select-all in team perimeters, GitHub Enterprise health check on GHES 3.19.4, GitHub Enterprise PR Check runs analytics dashboards, perimeter page rendering on workspaces with 200k+ sources. Learn more.

Version	Release Date
2026.4.0	April 22, 2026

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• Email verification MFA — email-based verification codes are now required at login and before sensitive workspace actions for users authenticating with email and password. Learn more.
• Secret scanning for AI coding tools — ggshield now scans prompts, tool calls, and agent actions in real time to prevent secrets from leaking through Cursor, Claude Code, and GitHub Copilot. Learn more.
• Team perimeter for non-VCS sources — scope incident visibility by team across container registries, messaging, docs, tickets, package registries and custom sources. Learn more.
• In-cluster support bundle generation — Helm administrators can now generate, download, and upload support bundles directly from the Admin area > Support Bundle page, without kubectl access or the Krew plugin. Learn more.

  Init container memory scales with bundle size (~45 Mi/MB); large bundles may need higher limits to avoid OOMKilled. See Sizing the init container.

Secrets Detection Engine​

• v2.159 — 16 new detectors and checkers (Polar Organization Access Token, Microsoft Azure Storage Account Key, Azure Language API Key, Azure IoT Hub Connection String, DeepL Free/Pro API Keys, Azure Document Intelligence Key, Azure Speech Services Key, Azure Computer Vision Key, Azure Text Translation Key, Oracle Credentials, Google Cloud Express API Key, GitGuardian Public/Internal Monitoring Keys, SAP AI Core Credentials, Odoo External API Key), 3 new detectors (K3s Token, Zoho API Key, ServiceNow Generic Password), 4 new analyzers, 5 detector upgrades, 9 checker upgrades, 2 analyzer upgrades.
• v2.160 — 2 new detectors and checkers (Paymob API Key, Paymob Secret Key), 2 new detectors (ConvertTo-SecureString Password, Paymob HMAC Secret), 5 new checkers (Kubernetes Docker Secret, Generic/OpenSSH/RSA/Elliptic Curve Private Keys with GitLab/GitHub registration checks), 4 new analyzers (Sentry, Figma, Datadog, Google Cloud Keys), 2 detector upgrades, 1 checker upgrade.

Enhancements​

• Bring Your Own Sources location.url field, v2 format for Personal and Service Account Tokens. Learn more.
• Critical saved view as default, privacy mode in public API, historical scan trigger/cancel endpoints, severity rule ID and detector category on incidents, /v1/severity-rules endpoint. Learn more.
• Workspace-level privacy mode enforcement, audit log event types exposed via public API. Learn more.
• Self-Hosted:
  • New namespace-scoped NetworkPolicy support for the GIM namespace, configurable via networkPolicy.* Helm values with a dryrun → enforce rollout. See Network policies.
  • Manual encryption secret creation is now required for all new Helm installations (Helm, Argo CD, Flux). Existing installations are unaffected. See Mandatory secret.
  • Removed the API quota page for self-hosted instances, as quotas do not apply. The API endpoint helper banner is now displayed on the Personal Access Tokens and Service Accounts pages.
  • Added support for bundling JSON schemas into the deployment package, removing the need to fetch them at runtime in air-gapped environments.
  • Added support for replicated.readOnlyMode, which prevents the Replicated subchart from creating or patching Secrets, enabling deployments in environments with strict admission policies.

Fixes​

• Audit log actor display, missing audit logs for Custom Sources via API, bulk filter select-all, NHI Governance timeouts on large Entra ID datasets. Learn more.
• ggshield incident URL for shared-hash secrets, analytics "All time" date range, Jira Data Center authentication drops, Honeytoken GitLab deployment encoding. Learn more.
• GitLab instance health check compatibility with GitLab.com and upcoming GitLab 19 self-hosted versions. Learn more.

Version	Release Date
2026.3.0	March 16, 2026
2026.3.1	March 23, 2026
2026.3.2	March 26, 2026
2026.3.3	April 2, 2026

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Using Argo CD? A pre-created encryption secret is required before deploying — see the Argo CD installation guide.

Feature highlights​

• JFrog Artifactory Package Registries — scan Maven, npm, PyPI, NuGet, Go, and 7 more package ecosystems for secrets hiding in your software supply chain, with historical and incremental scanning support. Currently in beta. Learn more.
• Red Hat Quay Integration — detect secrets in container images across quay.io and self-hosted Quay deployments, with full image layer analysis and OAuth2 authentication. Currently in beta. Learn more.
• Okta Integration Network — GitGuardian is now an Okta-verified app with one-click SAML SSO, SCIM provisioning, and Group Push for streamlined identity management. Learn more.

Secrets Detection Engine​

• v2.157 — 26 new detectors (WooCommerce, Iyzico, Mercado Pago, Bitbucket HTTP Access Token, PostgreSQL, MariaDB, Azure Event Hub, Azure Container Registry, Coralogix, Azure Web PubSub, Azure Batch, Azure APIM Gateway, Azure IoT Provisioning, Azure AI Search, GitLab CI/CD Job Token, PostHog, and more), 13 improved, 4 analyzer upgrades, 4 new revokers (SendGrid, Slack User Token, Slackbot, Heroku), scanning throughput nearly doubled.
• v2.158 — 4 new detectors (MiniMax, Retell, Azure Storage Account Key, Curl Username Password), 2 improved (Azure Container Registry, MongoDB), scanning speed improved by 12%.

Enhancements​

• Improved scanning for SharePoint Online and OneDrive integrations. Self-hosted customers using these integrations should ensure all required pods are active and properly scaled. See the scaling documentation and non-VCS sources configuration for details.
• Audit logs now display scope information for PAT and SAT creation events. Learn more.
• Workspace managers can restrict Personal Access Token scopes for members. Learn more.
• Customizable session duration for dashboard sessions. Learn more.
• Slack and Webhook alerts now include feedback content (remarks) for incidents. Learn more.
• Enhanced Slack incident notification messages with improved formatting and additional context. Learn more.
• Jira templates now support filename and line number fields. Learn more.
• "System" theme mode option that follows OS light/dark preference. Learn more.
• Public API endpoint for retrieving GitGuardian egress IP addresses. Learn more.
• Custom perimeter support for Microsoft Teams, Confluence Cloud, Confluence Data Center, Jira Cloud, and Jira Data Center. Learn more.
• Self-Hosted:
  • Allow to have fixed tags for the Custom CA image, to support environments enforcing fixed tags
  • Added ALB ingress support for autoscaling and improved templating of custom autoscaling metrics in Helm charts.
  • Added missing queues to KEDA ScaledObjects configuration for improved autoscaling coverage.

Fixes​

• Jira Cloud installations unexpectedly soft-deleted. Learn more.
• API schema validation error for response path 'id'. Learn more.
• Timeout issues when bulk-updating incident custom tags. Learn more.
• Authorization issue allowing Team Leaders to delete "All Incidents" team notification settings. Learn more.
• Self-Hosted:
  • Fixed Redis password handling issue when using existing secrets in ArgoCD environments.

Hotfixes​

2026.3.1​

  Release Date: March 24, 2026

Fixes​

• GitHub Enterprise integration: Fixed issue where repositories appeared as "Unmonitored" after upgrading to 2026.3 despite being correctly selected in Integration settings.
• JFrog Package Registries: Fixed payload mismatch error during JFrog Artifactory package registry scans.
• API documentation link: Fixed incorrect API documentation link in the self-hosted help menu.
• Audit logs: Fixed actor filter in audit logs where selected users were lost after using and clearing the search field.

2026.3.2​

  Release Date: March 26, 2026

Fixes​

• Database migration on upgrade: Fixed a pre-deploy migration failure blocking upgrades to 2026.3 on instances originally installed before version 2025.7.

2026.3.3​

  Release Date: April 2, 2026

Fixes​

• In-app analytics optimization: Fixed excessive data footprint from inAppAnalytics, reducing storage and memory usage.

Version	Release Date
2026.2.0	February 23, 2026

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Using Argo CD? A pre-created encryption secret is now required before deploying — see the Argo CD installation guide.

Feature highlights​

• Dark Mode — we've refreshed the GitGuardian interface and introduced Dark Mode so you can work comfortably in any environment, with cleaner layouts, improved contrast, and polished navigation. Head to Account → Interface → Theme to pick your preference. Learn more.

Secrets Detection Engine​

• v2.156 — 7 new detectors (Modelscope, Proxmox, ZegoCloud, Deepgram, Microsoft Power Apps Webhook, Mem0, Obsidian), 4 improved (Azure SAS URL, Okta OAuth, Azure Entra Access Token, Azure OpenAI), 1 analyzer upgrade (Azure SAS URL expiration check), 1 deprecated (Azure Logic App Sig Key).

Enhancements​

• Incidents API enhanced with external ticket information (Jira/ServiceNow), analytics period selector with flexible date range options, improved SSO certificate editing experience. Learn more.
• ggshield correctly ignores secrets with closed related incidents. Learn more.
• Self-Hosted:
  • Helm charts now include a strict JSON schema generated from values.yaml. Any property not defined in values.yaml will be rejected at install or upgrade time. If you encounter validation errors, you can temporarily use the --skip-schema-validation Helm flag while we address any missing properties.
  • The background_validity_check queue has moved from worker-long to worker-worker. If you have scaled your workers for validity checks, you may need to adjust your worker-worker replicas accordingly. See the application topology page for the full queue mapping.
  • New optional worker-check-runs worker to offload check_run processing from worker-worker. Disabled by default. Enable it by setting celeryWorkers.check-runs.replicas in your Helm values.
  • Remove terms and conditions acceptance requirement for self-hosted instance.
  • License grace period extended from 10 hours to 120 hours when ReplicatedSDK is unreachable.

Fixes​

• Validity checks automatic retry mechanism, CSV export JSON format. Learn more.
• Validity checks periodic re-check for invalid secrets, analytics tooltip dates, Developer in the Loop duplicate submissions, SCIM email notification defaults. Learn more.
• Self-Hosted: Fixed Redis password handling when using existing secrets in ArgoCD environments.

Version	Release Date
2026.1.0	January 28, 2026

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• Secret Enricher — generic incidents now display enriched secret names powered by our ML model, transforming vague findings into precise, actionable insights. Learn more.
• More NHI Integrations — discover and secure non-human identities across Datadog, Snowflake, Okta, and Auth0. Learn more.
• Unified Identity Governance for Entra & AWS IAM — unified visibility and risk-based prioritization for Microsoft Entra ID and AWS IAM with secret-less OIDC authentication. Learn more.
• GCP Marketplace — GitGuardian is now available on Google Cloud Marketplace, enabling deployment on GKE with consolidated billing through your GCP account. Learn more.

Secrets Detection Engine​

• v2.153 — 6 new detectors (HighLevel, Elastic, Google Cloud Keys, Socket Dev, Upstash Redis, Vapid Key), 8 improved (Cloudflare, MySQL, GitLab Token, Fireworks AI, JSON Web Token, SSH, Duo, Azure Event Grid), 1 new checker (Oracle), 883 new secret providers.
• v2.154 — 3 new detectors (Cloudflare R2, Azure SAS URL, MySQL), 1 new checker (Tailscale SCIM), 10 improved (SendGrid, Dwolla, PubNub, Google OAuth2, Azure Cosmos DB, Generic High Entropy, HashiCorp Vault, Discord Webhook, Alchemy, Fireworks AI), 378 new secret providers.
• v2.155 — 18 new detectors (Oracle, Azure Entra App Secret, Azure Entra Access Token, GitLab SCIM, GitLab Agent Kubernetes, ASI:One, Azure IoT Device, Xendit, Supabase, Neoload, MongoDB, Azure Cache for Redis, GitLab Feed, Clerk Webhook, Better Auth, Elastic Search, Redis, Azure Relay), 8 improved (Doppler, Databricks, TeamCity, Scraper API, Slack Webhook, MongoDB, Okta, Tailscale), 3 analyzer upgrades.

Enhancements​

• Incident API enhanced to include enriched secret names, CSV/JSON exports now include both original detector name and enriched secret name. Learn more.
• Some detectors are now flagged as non-business and disabled by default for business accounts to reduce noise. Use the new "Recommended for business" filter in detector settings to identify and re-enable them if needed. Learn more.
• Improved token refresh reliability for Slack and Atlassian Cloud integrations with automatic retry on transient failures. Learn more.
• GitHub Check Runs message updated for merge queues. Learn more.

Fixes​

• Docker Hub Integration configuration error. Learn more.
• GitHub Check runs blocking pull requests when disabled. Learn more.
• Playbooks auto-ignore reactivation issue, Historical Scans queueing for bulk operations. Learn more.
• Google Cloud Keys validation, detector validity check filter, GitLab health check link, Health Check email notifications, JFrog Container Registry compatibility. Learn more.

Version	Release Date
2025.12.0	December 15, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• Advanced Analytics for Internal Monitoring — track the detection, remediation and prevention of secret leaks with actionable dashboards. Learn more.

  ⚠️ This feature is in beta. It is disabled by default and requires additional resources (12 GB memory). Enabling Analytics also increases database usage by 15-20% (minimum 5-6 GB). Analytics are computed once a day, so data may take up to 24 hours to appear after activation. To enable: set inAppAnalytics.enabled: true in Helm values, or enable "In-App Analytics" in the KOTS Admin Console.

• SCIM team provisioning — automate team creation and sync from Okta and Microsoft Entra ID. Learn more
• Enhanced Slack notifications — complete incident lifecycle coverage for internal monitoring and honeytoken alerting. Learn more.
• CyberArk Secrets Manager Self Hosted integration — discover and enumerate non-human identities stored in your self-hosted CyberArk (Conjur) vault. Learn more.

Secrets Detection Engine​

• v2.151 — 13 new detectors (Hume AI, Azure AI Face, Neon, E2B, MailerSend, Scraper API, AIProxy, Cloudsmith, AWS Bedrock, Harness, Grafbase, AssemblyAI), 8 improved (Generic Password, Pinecone, Keycloak, Discord, Kubernetes JWT, Tableau, Sendinblue), 3 analyzer upgrades.
• v2.152 — 1 new detector (Google Cloud Access Token), 3 improved (Hashicorp Vault Token, PagerDuty, Google Cloud Access Token), 2 analyzer upgrades.

Enhancements​

• New "Valid" saved view for incidents, API filtering by triggered date, GitLab validation and health checks, Docker Hub organization namespaces, Custom Monitored Perimeter for Container Registries, SharePoint, OneDrive, ServiceNow, and Slack, GitLab empty namespaces hidden by default. Learn more.
• Self-Hosted:
  • Added multiple hostname support via extra_hostnames parameter, enabling access through additional domain names. Learn more.
  • Added global podDisruptionBudget.enabled parameter to disable automatic PDB creation for restricted Kubernetes environments that prohibit PodDisruptionBudget resources. Learn more.
  • Added official support for Helm v4.
  • Added IPv6 support via network.ipFamily parameter for Service resources. Learn more.

Fixes​

• Jira Data Center historical scans for large projects, incident details "First detected" date display, Slack notifications user association, Health Check error differentiation. Learn more.
• Bulk action filters, Jira ticketing issues, Perimeter scan behavior, GitLab namespace display and search, Container Registry URLs and caching. Learn more.
• Self-Hosted: Resolved NHI Governance access for manager roles.

Version	Release Date
2025.11.0	November 19, 2025
2025.11.1	November 27, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Secrets Detection Engine​

• v2.150 — 1 new detector (Coveo API Key), 1 improved (Resend), 1 new checker, 1 analyzer upgrade, 1 engine enhancement.

Enhancements​

• Large occurrence patches display. Learn more.
• Incident list source links, API change_type field. Learn more.
• Dev-in-the-Loop incident ID display and dashboard navigation. Learn more.
• Self-Hosted:
  • Added official support for PostgreSQL 18 and Redis 8.
  • Added terms and conditions acceptance requirement during self-hosted instance setup.
  • Replicated now inherits global image pull secrets, simplifying Helm configuration by removing the need for separate imagePullSecrets in the replicated section. Learn more.

Fixes​

• Perimeter scan button visibility, SSO IDP configuration, sources tooltips and health checks, incidents commit info and code fixing section. Learn more.
• GitLab PAT updates 403 error, SharePoint health-check error 9999. Learn more.
• Microsoft Teams notifier client secret update, incident feedback registration. Learn more.
• Container Registry automatic monitoring, Jira Data Center webhook version. Learn more.
• Fixed an issue where filepath exclusions failed to apply when selecting individual repositories, while working correctly with select all repositories.
• Self-Hosted:
  • Dashboard access now blocked when ReplicatedSDK is not running to enforce proper license validation (cached license fallback up to 10 hours).
  • Fixed PostgreSQL and Redis preflights failing when CA certificate was provided without client certificate and key.

Hotfixes​

2025.11.1​

  Release Date: November 27, 2025

Fixes​

• GitLab Integration:
  • Fixed an issue where GitLab namespaces and projects were incorrectly displayed as "banned" when the instance was actually temporarily detected as unhealthy.
  • Fixed search functionality not working in the entity tree displayed as List view.
• Google Artifact Registry Integration: Source URL now redirects to the Google Artifact Registry repository as expected.
• Incident Management: Fixed filters not being applied to bulk actions when using "select all".

Version	Release Date
2025.10.0	October 27, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• Secret Revocation — revoke supported secrets directly from incidents. Learn more
• Context preview for non‑VCS incidents — see surrounding content for leaks in SharePoint, OneDrive, Slack, Confluence. Learn more
• Microsoft Teams attachment scanning — detect secrets in files shared in Teams. Learn more
• ggshield: vault name and path — show secret manager details for vaulted secrets. Learn more
• Unified graph with public leak intelligence — correlate internal and public exposures in one view. Learn more

Secrets Detection Engine​

• v2.147 — 2 new detectors, 4 improved, 4 new checkers.
• v2.148 — 21 new detectors, 3 improved, multiple new checkers.
• v2.149 — 4 new detectors, 1 improved, 4 new checkers, 2 analyzer upgrades.

Enhancements​

• Pattern exclusion performance. Learn more.
• Base64 token decoding, new ignore reasons. Learn more.
• Generic Secret Enricher v2, False Positive Remover v2.5, Jira auto-assignment. Learn more.
• Incident developer identity. Learn more.
• GitLab integration performance, Public API perimeter editing. Learn more.
• Playbooks: Updated the Playbooks settings page with a refreshed, modern interface design.
• Self-Hosted:
  • All GitGuardian images are now multi-arch. Helm deployments now support ARM64 clusters in addition to AMD64. KOTS and Embedded Cluster installations remain AMD64-only. See system requirements.
  • Added support for read-only root filesystem constraint to meet security compliance requirements and enhance container runtime protection.

Fixes​

• Google Artifact Registry auth. Learn more.
• Weekly summary email dates, Jira DC admin detection, historical scan duplicates. Learn more.
• Incident search filters, secret view links. Learn more.
• Occurrence commit info, perimeter scan button visibility. Learn more.
• Self-Hosted:
  • Updated KOTS embedded cluster installation requirements to match documented system requirements.
  • Added missing toleration configuration for secretEngine deployment.
  • Fixed license verification when using a proxy by adding the NO_PROXY to replicated.extraEnv default values.

Version	Release Date
2025.9.0	September 17, 2025
2025.9.1	October 1, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• Bring Your Own Sources — extend secret detection to any data source (CI logs, legacy systems, SFTP). Learn more
• Quick Access — unified search interface for faster navigation (Ctrl+K/Cmd+K). Learn more
• AI Filters — use natural language to filter incidents, perimeter, and audit logs. Learn more
• Microsoft SharePoint and OneDrive scanning — detect secrets in your knowledge base. Learn more

Secrets Detection Engine​

• v2.145 — 1 improved detector (GitLab Token broader regex for longer tokens).
• v2.146 — 4 new detectors (Africa's Talking, Clipdrop, StackHawk, Murf), 1 improved (Stripe checker timeout prevention).

Enhancements​

• Confluence Cloud outbound-only OAuth2, GitHub PR public share links, CSP headers. Learn more.
• User comment permissions. Learn more.
• Self-Hosted:
  • Improved ML Secret Engine Docker image permissions for custom user/group IDs.
  • Enhanced Docker image permissions for custom security contexts.
  • Improved failed index migration handling for safe re-execution.
  • Added node affinity scheduling for one worker per node constraint.

Fixes​

• Remediation tracking for non-default branches, perimeter filter errors, Honeytoken notifications, webhook URL validation, JFrog integration validation, Confluence DC URLs. Learn more.
• Token management link removal. Learn more.
• Self-Hosted:
  • Fixed Loki image not being pulled from private Docker registry during airgap Helm installations.
  • Resolved KOTS rendering issue on existing cluster with KOTS installation. Note: KOTS installation will be deprecated soon. We encourage customers to migrate to Helm installation.

Hotfixes​

2025.9.1​

  Release Date: October 1, 2025

Fixes​

• SharePoint integration: Fixed issue where SharePoint Online tenants appeared as monitored but failed to display nested sites and resources properly.
• Jira Data Center integration: Update Jira DC webhook creation to use version-specific endpoints based on the instance version.

Version	Release Date
2025.8.0	August 18, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• AWS ECR Container Registry — detect hardcoded secrets in Amazon Elastic Container Registry. Learn more

Secrets Detection Engine​

• v2.144 — 3 new detectors (Weights & Biases, Bitbucket App Password, Mercado Pago), 4 improved, 1 new checker.

Enhancements​

• Custom webhook granular event selection. Learn more.
• VCS auto-monitoring toggle, Bitbucket Cloud API token auth. Learn more.
• Self-Hosted:
  • Valkey support (Redis 7.2 fork) for Redis-compatible deployments.

Fixes​

• Incident assignee visibility, Slack duplicate occurrences, JFrog registry scan errors. Learn more.
• Email notification preferences, Confluence DC private spaces. Learn more.
• Token management link removal. Learn more.

Version	Release Date
2025.7.0	July 25, 2025
2025.7.1	August 8, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• Jira and Confluence Data Center historical scanning — scan past content for secrets. Learn more
• Auto-ignore invalid incidents playbook — automatically clear confirmed invalid secrets. Learn more

Secrets Detection Engine​

• v2.141 — 12 new detectors (Kubernetes User Certificate with Port, NVIDIA, Alchemy v2, OpenRouter, Duffel, Apify, Jina, Deno Account, Segment Workspace v2, Resend, VKontakte, Fireworks AI), 6 improved, 10 new checkers.
• v2.142 — 2 new detectors (AI71, AMP), 9 improved (Kubernetes Docker, MySQL, Sourcegraph, GitHub, HashiCorp Vault, Confluent, GitHub Fine-Grained PAT, Slack, DigitalOcean Spaces), 2 new checkers.
• v2.143 — 7 new detectors (GitLab Incoming Mail, Coze PAT, Tavus, Heroku Platform, SSH with port, Tableau Cloud PAT, Notion v2), 7 improved, 6 new checkers. All JWT detectors now only catch signed JWTs.

Enhancements​

• Custom tags API key/value filtering, auto-resolve revoked secrets playbook, custom remediation links. Learn more.
• Jira DC leaker emails. Learn more.
• Custom tags API documentation. Learn more.
• GitLab multi-hook support. Learn more.

Fixes​

• Custom tags bulk assignment, Azure DevOps token handling. Learn more.
• GitHub installation checks. Learn more.
• Teams email notifications. Learn more.
• SCIM case-insensitive emails. Learn more.
• Deletion line scanning. Learn more.

Hotfixes​

2025.7.1​

  Release Date: August 8, 2025

Fixes​

• Self-Hosted:
  • Embedded Cluster with Embedded Redis configuration to use bitnamilegacy/redis registry following Bitnami's registry changes.
  • ML Secret Engine updated to version 20250806 fixing critical CVE-2025-54381.
  • NHI Scout bumped to version 0.18.2.

Version	Release Date
2025.6.0	June 20, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• Secure API access to secret values — retrieve secret values via API endpoint for automation workflows. Learn more
• Microsoft Teams secret detection — scan Teams messages for hardcoded secrets with real-time and historical scanning. Learn more
• Jira and Confluence Cloud historical scanning — detect secrets leaked in the past across Jira and Confluence Cloud. Learn more
• Container Registries secret detection — detect hardcoded secrets in Azure, Google, JFrog, and DockerHub registries. Learn more
• Self-Hosted: Export GitGuardian logs to Splunk, Loki, Elasticsearch, Kafka, and Datadog for centralized monitoring. Learn more

Secrets Detection Engine​

• v2.139 — 1 new detector (GitLab Feature Flags Client Token), 6 improved (AMQP, Confluent, Generic High Entropy, Artifactory, Azure Storage), 1 engine enhancement.
• v2.140 — 12 new detectors (Laravel, GitLab tokens, Kubernetes JWT, Brave Search, Dify, Firecrawl, Ubidots, Vapi, Llama Cloud), 4 improved, 7 new checkers, 2 engine enhancements.

Enhancements​

• Teams API endpoint optimization. Learn more.
• Self-Hosted:
  • Improved ML Secret Engine Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
  • Improved Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
  • Improved handling of failed index creation migrations to allow safe re-execution of database updates.
  • Added capability to specify constraint of only one worker per node in Kubernetes deployments to optimize resource allocation. Learn more about scaling.

Fixes​

• Email alerts to inactive members, custom tags pagination, GitLab parent group permissions, secret analyzer validity checking. Learn more.
• Self-Hosted:
  • Corrected an issue preventing Self-Hosted customers from adding or editing custom severity rule sets.
  • Fixed an issue with ACL limitations on GCP and Azure cloud platforms where Redis deployments disable the ACL command, causing pre-deployment checks for the FLUSHDB command to fail. The system now gracefully handles scenarios where ACL commands are unavailable.

Version	Release Date
2025.5.0	May 22, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version.

FIPS: This release uses Chainguard images without FIPS-approved cryptographic modules. If you would like to use Chainguard images with FIPS, please contact our support team.

Feature highlights​

• ServiceNow secret scanning — detect secrets and honeytokens in ServiceNow for automated incident tracking. Learn more
• Customizable incidents view — create custom views with specific properties for better context exploration and prioritization. Learn more
• SCIM user provisioning — automate user onboarding and offboarding with Okta and Microsoft Entra ID integration. Learn more
• NHI Policies improvements — enhanced policy breach visibility with filtering, analytics, and Secret Reuse policy support.

Secrets Detection Engine​

• v2.136 + v2.137 — 5 new detectors (Perplexity AI, Azure SignalR, Azure Event Grid, Anthropic Admin, GitGuardian Magic Link), 7 improved (LDAP, JWT, Cloudinary, Auth0, Claude, Riot Games, LINE Notify), 2 new checkers.
• v2.138 — 6 new detectors (Azure Entra ID, Azure Communication Services, Azure DevOps PAT, Laravel, Azure App Configuration, X AI), 5 improved (Azure Storage, ODBC, Jira, SMB, Octopus).

Enhancements​

• Weekly digest and historical scan email subject lines, Jira DC ticket creation permissions. Learn more.
• Self-Hosted:
  • Ensured that the Redis FLUSHDB command is available for use before installing or upgrading GitGuardian. Learn more.
  • Added support for configuring proxy username and password using Kubernetes secrets. Learn more.
  • GitGuardian Chainguard images are now used by default and include a shell for troubleshooting and maintenance.
  • Implemented a Content Security Policy in response headers to better control which resources can be loaded, strengthening overall security.

Fixes​

• GitLab read-only token errors, dashboard toast messages, empty GitHub repo scans, deleted sources API display. Learn more.
• Self-Hosted:
  • Resolved an issue where deployment failed when using Kustomize.
  • Increased the readiness probe timeout for public-api to enhance stability and prevent failures.

Version	Release Date
2025.4.0	April 25, 2025
2025.4.1	April 30, 2025
2025.4.2	August 8, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• NHI Governance — manage and secure Non-Human Identities with comprehensive observability and lifecycle management. Learn more
• Secrets Analyzer — enrich detected secrets with scope, permission, and ownership details for faster risk assessment. Learn more
• Custom tags — categorize and filter incidents with customized labels for improved remediation workflows. Learn more
• Log collector for Self-Hosted — seamless log collection system with Loki, MinIO, and Fluent Bit for faster troubleshooting. Learn more

Secrets Detection Engine​

• v2.134 — 1 new detector (Azure Logic App), 2 improved (LINE Messaging, OpenAI), 1 analyzer enhancement.
• v2.135 — 4 new detectors (Artifactory Reference Token, Artifactory Master Key, Artifactory Basic Auth), 4 improved (Snowflake, IBM Cloud, PlanetScale, Artifactory).

Enhancements​

• Jira DC incident filter, custom tags from search, custom webhook payload. Learn more.
• Jira configuration layout, navigation improvements, invitations API. Learn more.
• Self-Hosted:
  • Improved error messages for email configuration setup.
  • Enhanced debug capabilities with network diagnostic tools (netcat, openssl) in debug image. Learn more.
  • Extended readiness probe timeout on public-api for enhanced stability.
  • Added OpenShift restricted-v2 SCC support via global.compatibility.openshift.adaptSecurityContext. Learn more.
  • Added default support-bundle Role and optional ClusterRole creation.
  • PostgreSQL pgvector extension now required by default for upcoming ML features. Learn more.
  • Improved response times for issue occurrence queries through optimized request routing.
  • Standardized health check endpoint routing under main API hostname.

Fixes​

• Jira Cloud project key synchronization. Learn more.
• GitLab multiple group hook emails, read-only token webhook detection, system hook 403 errors, unnecessary webhook scans, incidents list refresh. Learn more.
• GitLab system hook 403 errors. Learn more.
• Self-Hosted:
  • Updated license expiration notification message for clearer guidance.
  • Added Content Security Policy (CSP) headers to HTTP responses for enhanced browser security.

Hotfixes​

2025.4.1​

  Release Date: April 30, 2025

Fixes​

• Self-Hosted:
  • Support Bundle Role creation disabled by default to accommodate customers with high security requirements (Helm).

2025.4.2​

  Release Date: August 8, 2025

Fixes​

• Self-Hosted:
  • Embedded Cluster with Embedded Redis configuration to use bitnamilegacy/redis registry following Bitnami's registry changes.

  Release Date: March 20, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version.

Feature highlights​

• Generic Secret Enricher — ML model that analyzes context to identify secret providers and categories with new filters. Learn more
• Secrets Managers integration — sync incidents with AWS, HashiCorp Vault, Azure, Google, Delinea, and Akeyless via ggscout. Learn more

Secrets Detection Engine​

• v2.132 — 5 new detectors (SMB Credentials, Azure Blob Storage, DeepSeek, Netlify v2, 1Password Service Account), 4 improved (Azure Storage Account, Generic Password, Groq, Netlify), 3 new checkers, 2 engine enhancements.
• v2.133 — 5 new detectors (OpenAI Project v2, OpenAI Admin, Netlify v2, 1Password Service Account, DeepSeek), 8 improved (OpenAI Service Account, Rails, GitHub, Groq, Artifactory, Generic Password, Dropbox, FCM).

Enhancements​

• Jira ticket templates with Incident ID variable, instant ticket creation. Learn more.
• Self-Hosted:
  • ggscout improvements: Vault preflight checks, hardened Helm chart, Replicated Proxy support, embedded cluster deployment, support bundle logs. Learn more.
  • Customizable Public API pagination maximum page size. Learn more.
  • Machine learning activated by default for embedded cluster installations. Learn more.
  • Automatic license synchronization for non-air-gap environments.
  • Added nodeSelector support in Helm jobs for enhanced node scheduling flexibility.

Fixes​

• Jira Cloud invalid state after uninstall, Microsoft Teams wrong team display. Learn more.
• Self-Hosted:
  • Added custom security contexts support for machine learning pods. Learn more.
  • Fixed Redis TLS connection errors in preflights.

  Release Date: February 20, 2025

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights​

• Search incidents by secret value — monitor secret leaks across thousands of repositories and sources. Learn more
• Bitbucket Cloud scanning — detect exposed credentials in Bitbucket Cloud repositories in real-time. Learn more
• Custom Tags Early Access — organize incidents with custom tags via API (UI support coming soon). Learn more
• Enhanced email incident alerting controls — manage email notification settings via API and customize account-level defaults. Learn more
• Autoscaling — HPA support for web applications with automatic scaling based on demand. Learn more

Secrets Detection Engine​

• v2.130 — 2 new detectors (Artifactory Token With Host, HubSpot Private App), 6 improved GitHub tokens (Enterprise, OAuth, PAT, Server-to-Server, User-to-Server).
• v2.131 — 2 new detectors (Azure Storage Connection String, HashiCorp Vault AppRole).

Enhancements​

• Scan only addition lines in commits, Jira custom fields support. Learn more.
• Jira Data Center user picker custom fields. Learn more.

Fixes​

• GitLab revocation on plan downgrades, Confluence Cloud spaceKey events, restricted user incident view, teammates table action menus, email notifications team routing. Learn more.
• GitLab large instance support, Azure Repos organization sync, PagerDuty real-time alerts. Learn more.
• User deletion with saved views, Azure Repos organization sync. Learn more.
• Self-Hosted:
  • Fixed Redis Sentinel connection with special characters in password (Helm).
  • Restored left navigation menu in KOTS admin console for embedded cluster installations (KOTS).

Version	Release Date
2025.1.0	January 20, 2025
2025.1.1	January 23, 20255

System Requirements Update​

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Helm & Upgrade Considerations​

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Feature highlights​

• Microsoft Teams security alerts — real-time GitGuardian alerts in Microsoft Teams with instant notifications. Learn more
• Jira Data Center auto-tracking — auto-create Jira issues, sync custom fields, and auto-resolve incidents. Learn more
• False Positive Remover v1 — internal ML model that halves false positives for Self-Hosted deployments. Learn more
• Slack secret scanning — scan full history of public and private Slack channels to detect leaked secrets. Learn more
• Remediation tracking — enhanced workflow with precise location details and real-time tracking of remediation progress. Learn more. ⚠️ You can adjust the scan rate limit for the file tracking engine via the scan_after_push_force_rate_limit preference on the Preferences page. Historical scans are recommended to ensure incidents requiring fixes are available in the dashboard.
• SCIM user deprovisioning — automatic user deprovisioning when users are removed from your IdP. Learn more

Secrets Detection Engine​

• v2.128 — 4 new detectors (Jenkins API, chpasswd, Nessus Agent, Statsig Server), 1 improved (FTP).
• v2.129 — 1 new detector (GitLab OAuth), 4 improved (Base64 High Entropy, GitGuardian Test Token, MSSQL, Zendesk).

Enhancements​

• Redesigned navigation menu, automatic repository monitoring control. Learn more.
• Jira Data Center user picker custom fields. Learn more.
• Self-Hosted:
  • GitHub integration: Improved real-time event handling for >100 commits and enhanced large patch processing.
  • Configurable commit length scanning via repo_scan_max_commit_length preference. Learn more.
  • ReplicatedSDK image now pulled from Replicated registry. Learn more.
  • Improved error messages for partially initialized databases.
  • Introduced Periodic Tasks page to adjust schedules and fine-tune execution.
  • Merged secrets_checks queue with background validity checks queue for optimized performance.

Fixes​

• Check runs messages, validity check tooltip, Jira issue tracking line feeds. Learn more.
• GitLab large instance support. Learn more.
• User deletion with saved views. Learn more.
• Self-Hosted:
  • Corrected sorting and filters on Worker Tasks page in the Admin area for improved usability.

Hotfixes​

2025.1.1​

  Release Date: January 23, 2025

Fixes​

• Self-Hosted:
  • Fixed GitGuardian dashboard 404 error in embedded cluster installations (excluding legacy Kurl clusters).
  • Fixed embedded cluster deployment with custom CA.
  • Fixed 404 error on /metrics endpoint for applicative metrics (Helm).
  • Fixed Replicated RBAC resources created despite rbac.enabled: false in Helm values.

Browse all past GitGuardian Self-Hosted releases, feature updates, and hotfixes below.

2024.12.1​

Bug fixes​

• Jira Issue tracking integration: Fixed an issue where the project page did not display any items.
• SCA: Removed SCA from the left bar menu, which was incorrectly displayed for Managers.

2024.12.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to version 2.127.0:

  • Added 7 detectors:
    • X-API-Key Secret
    • Azure Functions App Key Header
    • Azure Functions App Key Query Parameter
    • Jenkins API token
    • chpasswd Username Password
    • Nessus Agent Key
    • Statsig Server Secret Key
  • Modified 1 detector:
    • FTP credentials assignment

• Secret pattern exclusion: This feature allows users to define patterns and therefore hide any secret matching the pattern defined. Secret pattern can be applied to all repositories or a defined set of repositories. It provides greater control over exclusion rules, allowing for more precise management of incidents. Learn more.

• Jira Data Center integration: Jira Data Center integration is now supported for real-time secret detection and honeytoken detection. For more details, refer to the documentation here.

Platform​

• Jira Data Center issue tracking integration: We now support Jira Data Center integration for issue tracking. This feature includes:
  • automatic creation of a Jira issue as soon as a new incident is triggered,
  • management of Jira custom fields,
  • and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira. More information available in the documentation.
• GitLab integration: Added the ability to configure an instance-level GitLab integration using a read-only admin token. However, since the token lacks permissions for creating system hooks, manual setup is required. Learn more.
• Check runs: Added the option to improve your code security by enabling GitGuardian check runs on their GitHub forked repositories. Learn more here.
• VCS integration: Workspace Managers can now disable automatic repository monitoring in GitGuardian, giving you more control when adding new repositories to your perimeter. For an example, see GitHub integration.

Self-Hosted​

• Helm: front.ingress has been renamed ingress to improve consistency and standardize the ingress object across the Helm chart. ⚠️ This release includes breaking changes. Upgrade to 2024.12.0 using the upgrade notes.
• Cluster management: Replaced the nginx container with Ingress support, compatible with several controllers (ingress-nginx, traefik, contour, aws_alb, openshift, istio). This feature is optional and disabled by default. For more details, refer to the ingress page.
• Admin Area: Added a Worker Tasks page for monitoring task activity and worker usage to help optimize scaling and performance.
• Applicative Metrics: Added the following metrics: gim_periodic_task_period_seconds, gim_periodic_task_not_run_for_seconds, gim_check_runs_long_running, gim_health_check_result_count, and gim_outdated_health_check_count for better monitoring and insight. For more details, refer to the Applicative metrics page.
• Support Bundle: Enhanced diagnose_instance to include celery worker data.
• KOTS: Minor UI updates to the KOTS Admin Console, replacing radio buttons with dropdowns in some cases.
• Historical Scan: Added minutes_between_scans_per_source in the preference table.
• License: The license check is now managed by the ReplicatedSDK for all installation types, replacing the previous reliance on KOTS for this function in KOTS installations.

Bug fixes​

• Health Check: Fixed issue where health checks were run for all GitHub installations. Now only the first installation is checked.
• License: Corrected license info display in the Admin Area for Helm installations.
• Historical Scans: Categorized certain unknown scans that should have been identified as timeout failures.

Deprecation notice​

• Policy breaks: Starting with the 2024.12 version, the Policy Breaks module will be removed from your dashboard as we enhance our focus on our core Secrets Security offering.
  Deprecating the Policy Breaks module will not affect your overall security coverage; it will only reduce the number of alerts you receive. Previously, alerts for Policy Breaks incidents (such as an exposed .env  file) required manual investigation to determine if they contained secrets. Our “Secrets detection” module already handles the detection, incident creation, and alerting for these secrets.

2024.11.2​

Bug fixes​

• Performance: Fixed an issue to retrieve the memberships, which sometimes lead to "504 Gateway Time-out" errors.
• Tasks Management: Fixed an issue in Celery where database connection errors were not properly handled, leading to errors while handling tasks in rare cases.

2024.11.1​

Bug fixes​

• Historical Scan: Resolved an issue where historical scans failed due to the repository size being represented as a float instead of an integer.
• License: Resolved an issue with the Replicated license (impact limited to GitGuardian internal operations).

2024.11.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to version 2.125.0:

  • Added 5 detectors:
    • BitBucket App Password
    • Cloudflare Tunnel Credentials
    • InfluxDB Token
    • InfluxDB Token with Host
    • Rails Master Key Assignment
  • Modified 5 detectors:
    • Generic CLI Option Secret
    • MongoDB CLI Credentials
    • MySQL CLI Credentials
    • PostgreSQL CLI Credentials
    • Redis CLI Password

• Confluence Data Center integration: Confluence Data Center integration is now supported for real-time secret detection and honeytoken detection. For more details, refer to the documentation here.

Platform​

• ServiceNow integration: This new issue tracking integration allows to create ServiceNow issues from GitGuardian incidents. The feature includes the following:

  • possibility to create a ServiceNow issue directly from a GitGuardian incident;
  • possibility to automate the creation of a ServiceNow issue for any new GitGuardian incident;
  • auto-resolve setting to mark the incident as resolved in your dashboard when the issue is closed in ServiceNow.

  Follow our documentation to configure the integration.

• Check runs: GitHub's custom properties can now be leveraged to override the GitGuardian global configuration of check runs. This allows customization at both the repository and organization levels. For more details, please refer to our dedicated documentation.

• Historical Scan: New "Bulk Historical Scans Management" page for easy tracking, filtering, and detailed insights on all scans.

• Members: You now have the option to deactivate a member instead of deleting them. For more details, refer to our documentation.

• API:

  • All Sources endpoints now require specific scopes for access. The new sources:read scope is required for all GET endpoints to retrieve source information, while the sources:write scope is required for the PATCH endpoint to update a source's attributes, monitoring status, and business criticality.
  • A new parameter, send_email: true|false, is now available on endpoints that trigger an email notification, such as when an invitation is created. This allows you to determine whether an email should be sent when using these endpoints. By default, if the parameter is not specified, the email will be sent.

Self-Hosted​

• Helm:

  • Replace the legacy parameter replicated.images.replicated-sdk with the new parameters replicated.image.repository and replicated.image.tag. ⚠️ This release includes breaking changes. Upgrade to 2024.11.0 using the upgrade notes.
  • Added replicated.privateCASecret parameter to specify a custom CA when using a proxy. Learn more.

• Health Check: Distribute health checks over time rather than executing them simultaneously. This reduces system load, avoids bottlenecks, and enhances monitoring accuracy.

  ⚠️ The settings.healthCheck.periodicInterval in the Helm chart is now deprecated and replaced by spread_periodic_range_minutes in the admin area.

• Applicative Metrics: If you are using Prometheus to export GitGuardian metrics or to leverage our autoscaling capabilities, and your installation type is KOTS, ensure that you update the Kubernetes Application RBAC by adding the patch permission to the servicemonitors resource.

Bug fixes​

• Incidents: Notify team leaders only when a valid secret is intentionally ignored.
• Perimeter: Fixed inaccurate historical scanning statistics displayed on the side panel of the perimeter page.
• Historical Scans:
  • Fixed UI count on the perimeter page so that "sources successful" now shows the total count of monitored sources, regardless of failed or unscanned sources.
  • Standardized the date format for start and end dates in the status tooltip.
  • Corrected the repo size display in the status tooltip.
• API: Resolved an issue where an error was raised if the IP address could not be found, even when the IP allowlist setting was disabled. This occurred in an on-premises instance, causing the PAT endpoint of the public API to become non-functional.
• Proxy: Support HTTP proxy when customCA is used for the Replicated SDK used for license management and telemetry collection. Nothing to do if you are using KOTS, if you are using helm, set isAirgap to false and configure your HTTP proxy following the example.

2024.10.2 - Required​

Bug fixes​

• Cluster Management: Added an option to disable server side Postgres cursors (for better PGBouncer compatibility).

2024.10.1​

Bug fixes​

• Secrets detection engine: Resolved an issue where GitLab keys for disabled accounts were incorrectly flagged as valid.

2024.10.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to version 2.122.1: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • Added 3 detectors:
    • Atlassian Access Token
    • Bitbucket Access Token
    • Mistral AI API Key
  • Modified 1 detector:
    • Base64 Generic High Entropy Secret
• VSCode extension: We are excited to announce the release of GitGuardian CLI (ggshield) as a VS Code extension! Files are now automatically scanned upon saving, with detected secrets highlighted in your code and listed as warnings. Additionally, custom remediation messages are provided within your IDE to guide you in resolving any issues efficiently. Download from the marketplace

Platform​

• Occurrence grouping: Added ability to group secret occurrences per secret x source, allowing separate secret incidents for the same secret found in different sources. This enhances remediation processes tailored to your company's data privacy policies. Learn more.
• Filepath exclusion: File path exclusions are now applicable to one or more repositories. By targeting file path exclusions to specific repositories, users can significantly reduce the number of irrelevant incidents, enabling more accurate incident management. Learn more.
• Saved views: Saved views can now be created in Honeytoken.

Self-Hosted​

• Certificate-based authentication: Introduced support for multi-authentication alongside certificate-based authentication and Certificate Revocation List (CRL). For more details, see the documentation here.
• New Embedded Cluster Install (Early Access): Installation is now 4x faster, improving the proof-of-concept experience. Simplified management of Kubernetes, KOTS, and app updates streamlines maintenance. More information in the Embedded cluster V2 page.
• Cluster Management:
  • ⚠️ Before upgrading GitGuardian, you must upgrade to KOTS version 1.117.3 or later for optimal performance and compatibility.
  • Removed resources limits for Postgres and Redis on the Embedded cluster installation.
  • Added two new worker types long-ods (Productivity tools such as Slack, Jira Cloud, Confluence, ...) and long-ods-io (long tasks specialized in Input/Output).
• Historical Scan: Added minutes_between_scans_per_source in the preference table.
• Teams: Added max_teams in the preference table.

Bug fixes​

• Personal access token: Resolved a bug to ensure the lifetime of a newly generated personal access token is strictly less than the maximum permissible duration.
• Validity check: Fixed GitLab checker wrongly marking some secrets as valid by improving token validation (impacting custom host validity checks).

2024.9.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to v2.120: Enhance recall and coverage while expanding the range of detectable secrets with updated detectors.

  • Added 2 detectors:

    • Generic Password YAML
    • Buildkite API Token V2

  • Modified 6 detectors:

    • Generic Database Assignment
    • Base64 Generic High Entropy Secret
    • Generic Password
    • Username Password
    • DigitalOcean Spaces Keys
    • reCAPTCHA Key

    Note concerning the reCAPTCHA Key detector: Due to changes in the behavior of some Google APIs, we are no longer able to ensure the validity of reCaptcha keys. As this detector could be quite "noisy" the validity of the keys was a mandatory prerequisite in the detection flow and this can no longer be the case. We have however improved this detector to be as efficient as possible.

• Validity check: Specify the host of your own provider instances for GitGuardian to perform validity checks and obtain the exact validity information. For example you can perform a validity check for a GitLab token secret against your own GitLab instance. For more details, refer to our dedicated documentation.

Platform​

• GitGuardian CLI (ggshield) custom remediation message: Admins can now customize remediation messages at pre-commit, pre-push or pre-receive stages and provide to developers useful guidance on how to use internal Vaults etc ... See documentation here.
• Historical Scan: Streamline source management with new filters for failure reasons, instances (e.g. prod/staging), and last scan date.

Self-Hosted​

• Horizontal Pod Autoscaling (HPA): Dynamically scale worker pods based on application load, reducing infrastructure costs and optimizing resource usage. Learn more in the Scaling page. Exclusive to the new architecture.
  
• Kubernetes Version Support: GitGuardian now supports Kubernetes version 1.30. More information in the System requirements page.
• Historical Scan: Removed is_repo_size_controlled (redundant with repo_scan_size_limit) in the preference table.
• Support Bundle: Improve troubleshooting by adding an option to customize the maximum amount of logs captured for Helm and KOTS installations.

Bug fixes​

• Jira Cloud Alerting: Fixed an issue where the assignee dropdown in Jira template creation was incomplete for projects with a large number of assignees due to pagination limits.
• Historical Scan: Improved handling of pending states and fixed an issue where sources were reaching the timeout limit.
• API: Corrected the pagination link in the header to use HTTPS instead of HTTP when querying the API.
• Helm preflights: Fixed an issue with Redis and PostgreSQL preflight checks where passwords containing special characters were not functioning correctly.

2024.8.2​

Bug fixes​

• Cluster Management: Resolved an issue where the Scanner pod was spawning zombie processes (legacy architecture).

2024.8.1​

Bug fixes​

• Cluster Management: Resolved an issue where the Scanner pod was spawning zombie processes (new architecture).
• Historical Scan: Resolved an issue with the formatting of days in the last scan duration on the perimeter page.
• Secrets detection engine: Due to changes in the google reCAPTCHA API, the checker for reCAPTCHA key detector has been removed and the detector has been updated to remove false positives.
• Helm preflights: Resolved an issue with Redis preflights where passwords containing special characters were not properly URL encoded.

2024.8.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to version 2.117: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.

  Added 3 detectors

  • JetBrains TeamCity config value
  • Serpapi Token
  • Tavily API Key
  Modified 3 generic detectors

  • Base64 Generic High Entropy Secret
  • Base64 Generic High Entropy Secret
  • Generic Password
  Modified 78 specific detectors

  We have enhanced our approach to searching for the prefix linked to the secret, considering more complex scenarios. This allows us to improve recall.

  
  

  • Adafruit IO API Key
  • Airtable API Key v2
  • Alchemy API Key
  • Amazon MWS Token
  • Checkout.com Sandbox API Secret Key
  • CircleCI Personal Token
  • Claude API Key
  • Clojars Deploy Token
  • Cloudinary API key URL
  • Contentful Content Management API Key
  • DigitalOcean OAuth Application Token V1
  • DigitalOcean Personal Access Token V1
  • DigitalOcean Refresh Token V1
  • Discord Webhook URL
  • Docker Swarm Join Token
  • Docker Swarm Unlock Key
  • EasyPost API Key
  • Firebase Cloud Messaging API Key
  • Figma Personal Access Token
  • Flutterwave API Key
  • Frame IO Token
  • GitHub fine-grained personal access token
  • GitHub Oauth Access Token
  • GitHub Personal Access Token
  • GitHub Server-to-server Token
  • GitHub User-to-server Token
  • GitLab Token
  • Grafana Cloud API Key
  • Grafana Service Account Token
  • Groq API Key
  • Heartland API key
  • Langchain API Key
  • Linear API Key
  • Base64 Midtrans API Key
  • Notion Integration Token
  • npm Token Prefixed
  • Nylas API Key
  • OpenAI Project API Key
  • Paystack Key
  • Plaid Access Token
  • PlanetScale OAuth Token
  • Postman API Key
  • PubNub Publish Key
  • Readme API Key
  • Riot Games API Key
  • RubyGems.org API Key
  • Samsara API Key
  • SendinBlue Key v3
  • Sentry Org Auth Token
  • Sentry User Auth Token v2
  • Shippo API token
  • Shopify Generic App Token
  • Shopify Private App Token
  • Slack App Token
  • Slack Configuration Refresh Token
  • Slack Configuration Token
  • Slack User Token
  • Sourcegraph Access Token v3
  • Sourcegraph Enterprise subscription Token
  • Sourcegraph License Key Token
  • Sourcegraph Access Token v2
  • Sourcegraph User Gateway Access Token
  • Sqreen Token
  • Square Access Token
  • Stripe Webhook Secret
  • Tailscale API Key
  • Tailscale OAuth Key
  • Tailscale Pre-Authentication Key
  • Tailscale SCIM Key
  • Tailscale Webhook Key
  • Typeform API Token
  • Ubidots Token
  • Vercel Blob Token
  • WakaTime API Key
  • WePay token
  • Yandex Predictor API Key
  • Zillow Key
  • Zuplo API Key

• API Enhancements: User feedback on secret incidents is now accessible via the API, providing better incident management and insights. This information is included in the feedback_list field within the secret incidents' payload.

• Incident Notifications: Team managers will receive email notifications when incidents with valid secrets are ignored, ensuring critical issues are not overlooked.

• Weekly Email Recap: New section displaying ignored incidents with valid secrets, improving visibility and actionability for security teams.

Platform​

• Saved views: You can now save your most frequently used filters as views for quicker access. Learn more about about saved views here.
• Historical Scan Enhancements: These enhancements provide better visibility and management of the scanning process. They include progress estimation for both individual and bulk scans, along with comprehensive scan status details such as size, duration, start/end dates, number of commits, branches, queue duration, and more.
• Health Check: Let managers manually start health checks from the GitGuardian dashboard so they can address any failed checks immediately without waiting for the next scheduled run.
• GitLab integration: Upon installing a new integration for GitLab Community Edition, it is now possible to skip the historical scan (to launch it manually later).
• Teams: Get simplified team management with a clear designation of team leaders. Changing "can_manage|cannot_manage team permissions" to a "team leader" boolean attribute to designate the team owner. ⚠️ The team_permissions field has been deprecated and replaced by the is_team_leader field in our API for the endpoints /v1/teams/{team_id}/team_memberships and /v1/teams/{team_id}/team_invitations.

Self-Hosted​

• Certificate-based authentication: Support for CAC or PIV cards, enhancing security for organizations with strict authentication requirements. For more information, see the documentation here. This feature is available upon request and is exclusive to the new architecture.
• Helm: You can now customize the rolling upgrade strategy with the updateStrategy parameter, providing greater control over deployments. More info on the upgrade page.
• Cluster Management:
  • Productivity tools (such as Slack, Jira Cloud, Confluence, ...) tasks are now defaulted to the worker-worker node in KOTS installations, with the option to scale using dedicated workers. More info on the Scaling page.
  • Added user input validation in KOTS configurations to prevent errors and improve user experience.

Bug fixes​

• API: Fixed an issue where a 502 error returned HTML instead of a JSON response in the legacy architecture.
• Health Check: Corrected the error code for Slack refresh token errors.
• SSO: When force-SSO is deactivated but SSO is configured, users now have the option to log in via SSO in the invitation email.
• Audit Logs: Resolved missing audit logs for Scan All operations.
• SMTP Configuration: Fixed an issue with sending emails using an SMTP server with a custom CA.
• Incident: Fixed an issue in the commit cache preventing incidents from being raised in some cases.

2024.7.0 - Required​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Confluence Cloud integration: Now supports real-time secret and honeytoken detection for seamless security.
• Secrets detection engine upgrade to version 2.115: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • 4 detectors added: Sentry Org Auth Token, Sentry User Auth Token v2, Slack Configuration Refresh Token, Slack Configuration Token
  • 5 detectors updated: Equinix Authentication Token, Sentry User Auth Token v1, Signifyd API Key, Slack Bot Token, Slack User Token
• Incident details: Added a 'per page' selector on the occurrences table for improved navigation.
• Historical Scan:
  • Skip historical scan of unchanged repositories since the last scan to save time and resources.
  • Filter and sort repositories by scan duration on the Perimeter page for better management.
  • Introduced pending_timeout status in the API to differentiate between scans failing due to timeouts (timeout) and those in the queue (pending_timeout).

Platform​

• Members: Renamed 'role' to 'access level' for clarity.
  ⚠️ The role field has been deprecated and replaced by the access_level field in our API for the endpoints /v1/members and /v1/invitations.
• Health Check: Moved the periodic_interval preference to the KOTS Admin Console or Helm value file.

Self-Hosted​

• Helm: Standardize existingSecret across the Helm chart to ensure uniform configuration for Redis Sentinel, Ingress, and CustomCA. ⚠️ This release includes breaking changes. Upgrade to 2024.7.0 using the upgrade notes.
• Cluster Management:
  • New embedded cluster installations now use PostgreSQL 16 for better performances and security. Follow the migration guide to migrate your existing embedded cluster to PostgreSQL 16.
  • Reorganized KOTS Admin Console configuration for better clarity, including moving the TLS certificate configuration to its own section.
  • Added a pre-deploy job check to ensure asynchronous migrations are complete before upgrading to a new version.
  • Included missing scaling parameters webapp-internal_api and webapp-public_api in KOTS Admin for the new architecture.
• API: Removed monthly sliding quotas for API calls in the preference table.
• Applicative Metrics: Removed gim_version_info and added the following metrics: gim_celery_queue_length, gim_celery_active_consumer_count, gim_repo_scan_active_statuses_total, gim_http_request_started_total, gim_http_request_success_total, and gim_http_request_failure_total for better monitoring and insight. For more details, refer to the Applicative metrics page.

Bug fixes​

• Filepath Exclusion: Fixed a bug causing the * character in exclusion patterns to match at least one character instead of zero or more.
• Check Runs: Added an optional Skip action for check runs on forked repositories that detect secrets, preventing a complete blockage for developers.
• Argo CD: Fixed the upgrade-path-check tool to ensure unskippable versions are not bypassed during upgrades.
• API: Corrected the base URL in the API documentation for new architecture installations.
• KOTS: Fixed an error with preflights failing due to "Analyzer Failed file secrets/default.json was not collected".

2024.6.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine upgrade to version 2.114: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • 14 new detectors added: Nylas API Key,Sourcegraph Access Token v3, Duplo Cloud API Key,Fernet Key, Vercel Blob Token, ASP.NET Decryption Key, ASP.NET Validation Key, Langchain API Key, OpenAI Project API Key, OpenAI Service Account, Sourcegraph Enterprise Subscription Token, Sourcegraph License Key Token, Sourcegraph User Gateway Access Token, WakaTime API Key
  • 14 detectors updated: Base64 Generic High Entropy Secret, Generic Database Assignment, Generic High Entropy Secret , PostgreSQL CLI Credentials, Postgres assignment attached port, PostgreSQL Pgpass Credentials, PostgreSQL URI, Sourcegraph Access Token v2, Yelp API Key, Google Gemini API Key,Sentry Token, Generic Database assignment, Generic FTP Assignment, Generic Username Password
• Incidents details: merge commit authors from GitHub are now identified. It is not retroactive.
• Incidents: periodic secret validity checks enable for ignored incidents. See documentation here.
• GitLab integration: when a GitLab webhook is found disabled, GitGuardian now attempts to reactivate it automatically (by sending a test payload) before triggering an error message.
• API: new endpoint to query the secret incidents of a source.
• Filepath exclusions: when adding a new rule, show how many new secret incidents will be hidden by the new filepath exclusion, without recalculating existing hidden incidents.

Platform​

• Health Check:
  • implement periodic health checks on all integrations type (VCS, Messaging, Ticketing, Documentation) to run every hour, with the frequency being configurable in the Admin Area.
  • send email notifications when a integration health check fails. For further details, refer to the Configure email preferences page. Note that the notification is not enabled by default for existing accounts and must be turned on manually.
• Audit Logs:
  • introduce audit logs for actions in the Admin Area visible only for promoted-admin users.
  • alert in the event of an audit logging process failure. More information is available on the email alerts for audit log failures page.

Self-Hosted​

• Cluster management:
  • Kubernetes 1.30 is now under experimental support.
  • you have now the ability to use a load balancer in front of an embedded cluster installation, for further details, refer to the Load balancer page.

Bug fixes​

• Jira Cloud Alerting: fix an issue where Jira automatic configurations remained invisible to 'member' role users within the 'All Incidents' team, ensuring uniform visibility across teams.
• API:
  • fix a problem causing conflicting information between the UI and the API regarding team permissions.
  • fix an incorrect self-hosted instance URL in the API documentation.
• Historical scan: attribute automatic historical scans of new repositories to "GitGuardian Bot" in audit logs.
• Cluster management:
  • add missing readiness/liveness probes in gitguardian-app pods in the legacy architecture.
  • fixed issue preventing bundle generation in Openshift environments.

2024.5.1​

Bug fixes​

• Custom webhook: fix a bug sending notifications for deactivated secret detectors.
• Helm: fix an issue with the upgrade-path-check job failing on OpenShift cluster due to RBAC resource creation order.

2024.5.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine: upgrade to version 2.111 with the addition of 7 new detectors (Dropbox Key, Midtrans API Key, Sanity Token, Zuplo API Key, Grafana Cloud API Key, Groq API Key, Nx Cloud Token) and the improvement of 4 detectors (Artifactory Token, GoCardless API Key, Plivo Auth Tokens, Generic High Entropy Secret)
• Secrets detection engine: Generic CLI Secret and Generic Database Assignment detectors are now supported and active by default for data sources other than VCS.
• Jira Cloud Issue tracking integration: introduction of a new version of our Jira Cloud integration for issue tracking. It now offers
  • automatic creation of a Jira issue as soon as a new incident is triggered,
  • management of Jira custom fields,
  • and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira Cloud. More information available in the documentation.
• Check runs: a comment is posted on the pull request when a secret is uncovered.
• Historical scan: improve historical scan status overview on the perimeter page side bar.

Honeytoken​

• Context creation strategies for honeytoken deployment jobs now allow to choose only dynamic contexts.

Platform​

• Privacy mode: this (mode) allows to obfuscate secrets and other sensitive information on the GitGuardian UI.
• Filters: the history of AI queries can now be deleted.
• API: the workspace_id is now included in the payload of API tokens.

Self-Hosted​

• Argo CD: we officially support Argo CD, please refer to the Argo CD specifics page to learn more.
• Helm:
  • ⚠️ This release includes breaking changes. Upgrade to 2024.5.0 using the upgrade notes.
  • add istio.gateway.enabled parameter to be able to disable Istio Gateway handling when Istio is enabled.
  • give the ability to specify dedicated labels and podLabels for migrations resources.
  • give the ability to customize the RefreshInterval parameter for externalSecrets.
  • it is now possible to set the initial admin password in an existing secret.
• Cluster management:
  • GitGuardian currently supports PostgreSQL 13 to 16 (previously, versions 15 and 16 were experimental).
  • Check CA validity during preflight for both KOTS and Helm installation. If you previously installed GitGuardian on an existing cluster and planning to upgrade to 2024.5.0, you must modify the rule for the core api group in your configuration by adding:

    - apiGroups: [""]
        resources: ["events"]
        verbs: ["list"]
    

    Refer to the Kubernetes Application RBAC page.

Bug fixes​

• GitLab integration:
  • fix an issue where the installation status was incorrectly displaying as 'no longer monitored' in the tooltip, despite being actively monitored.
  • when re-enabling a disabled webhook in GitLab, the error on the GitGuardian dashboard is now cleared automatically within 20 minutes.
• Filters: the "per-page" selection for each table is now persisted.
• API: correct a bug that allowed members to view sources they should not have been able to access when using the /sources endpoint.
• Check runs: fix a bug that is causing related incident IDs to be missing in the check run summary.
• Cluster management:
  • rename celeryWorkers.realtime_ods to celeryWorkers.realtime-ods.
  • ensure consistent naming for pre-post release jobs throughout the application lifecycle, preventing pod accumulation.
  • introduce Time-to-Live (TTL) functionality to remove pre-post jobs after 30 days.
• Helm: fix an issue when Helm installation using a custom CA fails when pod security policy is enforced.

2024.4.2​

Bug fixes​

• Check runs: display accurate error message when a check run fails due to rate limiting.

2024.4.1 - Required​

Bug fixes​

• Bitbucket integration:
  • fix an issue where uninstalling a Bitbucket project inadvertently occurred when a token was removed, despite other valid tokens being present.
  • enhance logging mechanisms surrounding Bitbucket token operations for better troubleshooting.
• Azure repos integration: fix a problem with updating a repository when the token is either invalid or missing.
• Cluster management:
  • fix an issue where the no-proxy list wasn't correctly applied for KOTS installation.
  • add missing debug image to the KOTS airgap bundle.
• Migration new architecture: fix an issue occurring when the KOTS admin password contains special characters.
• Prometheus exporter:
  • fix error 500 from the /metrics path of the exporter when using AWS Elasticache Redis.
  • fix RBAC error occurring when activating GitGuardian Prometheus exporter in the new architecture with KOTS. If you previously installed GitGuardian on an existing cluster you must modify the rule for monitoring.coreos.com in your configuration. Refer to the Kubernetes Application RBAC page.

    - apiGroups: ['monitoring.coreos.com']
      resources: ['servicemonitors']
      verbs: ['get', 'list', 'watch', 'create', 'update', 'delete']
    

2024.4.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Jira Cloud integration: Jira Cloud integration is now supported for real-time secret detection and honeytoken detection.
• Secrets detection engine: upgrade to version 2.109 with the addition of 5 new detectors (Snowflake API credentials, Replicate User Access Token, Workato API Key, Azure Open AI API key, Kubernetes Docker Secret) and the improvement of 7 detectors (Rails Master Key, Generic password, Generic High Entropy secret, GitLab Token, Google API Key, Okta Keys, Slack Bot Token)
• Incidents: it is now possible to filter on Occurrences count.
• Incidents details: introduction of a secret identity card on each secret incident detail page.
• Check runs: skip actions are now aligned with the ignored reasons (false positive, test credential, low risk). Tags (Tagged as [false positive|test credential|low risk] in check runs) are added to the corresponding secret incident when this action is taken.
• API: the breakdown of secret incidents by severity is displayed in the payload of the sources.

Honeytoken​

• Honeytoken deployment jobs: automate the deployment of honeytokens in your code repositories from GitLab, GitHub and GitHub Enterprise Server! This is a business-only feature. Read more about Deployment jobs in our documentation.

Self-Hosted​

• Helm:
  • to ensure your existing cluster meets the Gitguardian's requirements, you can run our new preflight script.
  • add version check before Helm upgrade to ensure no required versions are skipped. If using a private registry for deployment, make sure to download the new image helm-tooling.
• Helm Chart:
  • add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster. Refer to commonLabels in Helm Chart Values. Example:

    commonLabels:
      env: staging
    

  • add an option to use Generic Ephemeral Inline Volumes for all worker pods. For further details, refer to the Scalling page.
• Scaling: a new pod called worker-realtime-ods was added in the new architecture. If Slack or Jira Cloud scanning isn't needed, set its replicas to 0 to save resources via your Helm value file or the KOTS Admin Console.
• Health Check: remove VCS health checks from the Admin Area, now available under Settings > Workspace > Integrations.

Bug fixes​

• Jira integration: fix an issue that was hindering the assignment on JIRA tickets upon creation.
• Audit log: correct the logs related to the creation and removal of teammates through the API.
• Cluster management:
  • add missing links to KOTS Admin Console for embedded cluster in the Admin Area.
  • fix an issue with the KOTS preflights in the legacy architecture for embedded installation when an ElastiCache Redis instance is configured with TLS enabled.
  • set default number of replicas for scanner_ods pod to 0 for legacy architecture running on openshift.

2024.3.2​

Bug fixes​

• GitHub integration: fix an issue where managers and owners were unable to add new GitHub sources to the dashboard.
• Check runs:
  • improve error collection on check runs.
  • fix an issue where GitHubNotFound errors prevented the completion of check runs.

2024.3.1​

Bug fixes​

• Incidents: resolve a bug triggered by secret incidents detected by custom detectors, causing the incidents list to fail to load.
• GitLab integration:
  • fix GitLab installation check task issue affecting system hook installations.
  • fix an issue with sending emails to users who are no longer token owners within the GitLab installation.

2024.3.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Slack integration: Slack integration is now supported for real-time secret detection and honeytoken detection on Self-Hosted.
• Secrets detection engine: upgrade to version 2.106 with the improvement of 3 detectors (Generic Password, Generic High Entropy Secret, Base64 Generic High Entropy Secret).
• Secret SLAs: add the "First detected" date in incidents details and the associated filter in the Secret incident dashboard.
• Incidents:
  • tags are exposed in the All occurrences CSV report.
  • a new filter on "Occurrences count" is available
  • enable AI filter via the ai_filters_enabled option in the preferences.
• Check runs: add check_runs_overrides_labels_ghe option in the preferences to enable overriding the check run settings with repository labels on GitHub Enterprise Server.

Platform​

• Health Check: introduce tracking for last execution and last success times, refine error messaging, and adopt non-HTTP status codes.

Self-Hosted​

• Images: GitGuardian images are now signed with Cosign, exclusive to the new architecture.
• Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.28 and 1.29 (experimental). More information in the System requirements page.
• Cluster management:
  • support for air gap installation in KOTS during installation in the new architecture.
  • support for snapshots with velero for KOTS install in the new architecture.
  • update Kubernetes version to 1.28 for embedded cluster. For further details, refer to the Upgrade page.

Bug fixes​

• Incident details: fix an issue on the git patch restricted visibility feature that was preventing members from seeing the patch they were involved in based on email matching.
• GitHub integration: performance improvement when a lot of repositories are added at the same time.
• GitLab integration:
  • fix an issue where the GitLab instance URL was incorrectly displayed instead of the GitLab token name.
  • remove the "Check Again" button from the health check for users on the Free plan.
• Bitbucket integration: improve handling of token revocation to prevent issues when a repository changes ownership.
• Cluster management:
  • preflight checks now confirm support for Redis version 7.
  • remove the link to the KOTS Admin Console from the Admin Area for existing cluster installations (both Helm and KOTS). For further details, refer to the Access to the Admin Area page.
  • set default number of replicas for scanner_ods pod to 0 for new architecture.
  • fix an issue with the periodic task related to the database encryption key rotation.
• Helm Chart: add missing podAnnotations in webapp object definition.

2024.2.1​

Bug fixes​

• Incident: fix an issue with validity check failure hitting a timeout in some specific cases
• Cluster management: fix an issue with KOTS preflights failing with PostgreSQL or Redis with TLS enabled
• SMTP configuration: make the option to support SMTP servers using a self-signed certificate permanent. More details in the Configure the email system page.

2024.2.0​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine: upgrade to version 2.105 with the addition of 7 new detectors (Square Token, Bunny.net API Key, Hugging Face user access token, CircleCI Project Token, Claude API Key, Grafana Service Account Token With Host, Klaviyo API Key) and the improvement of 8 detectors (Beamer API Key, NuGet API Key, Paypal OAuth2 Keys, Twitter Tokens, CircleCI Personal Token, Django Secret Key, Generic High Entropy Secret, Heroku Platform Key).
• Incidents: exporting CSV secret incidents now allows changing the separator used, comma (default) or tab. More details in the Export data section of the documentation.
• Incident details: update of the default remediation workflow.
• Check runs:
  • the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
  • the incident status is displayed in the GitHub check run details.
  • improve causes of errors transparency and timeouts in the check run summary.
  • is_actionable_checkrun_enabled preference in the Admin area is deprecated. Action buttons on checkruns are now enable by default.
• Custom detectors: improve error messages for invalid regex when requesting a custom detector.
• GitHub integration: add commit_collector_max_workers option in the preferences to use more workers to collect commits.
• GitLab integration: we now detect and notify by email and raise a health check error when a GitLab group hook was disabled by GitLab, causing the monitoring not to work anymore.
• Azure repos integration: improvement of the billing metrics. You now must check the Graph:Read scope in your Personal Access Token. More information in our VCS integrations documentation.

Platform​

• SSO: the option 'Force SSO' applies to owners as well when enabled. More details in the Force SSO section of the documentation.

Self-Hosted​

• Cluster management:
  • add support of HTTP proxy setup in KOTS and Helm installs in the new architecture. More details in the Configure a proxy server page.
  • add support Redis Sentinel in KOTS and Helm installs in the new architecture.
  • add support of multiple CA certificates concatenated in KOTS install in the new architecture.
• Helm Chart: replace deprecated v1alpha1 API version of External Secret Manager with the latest version v0.9.11.
• Applicative Metrics: rename appExporter to webAppExporter and celeryExporter to statefulAppExporter in the Helm-based Prometheus activation. For more details in the Applicative metrics page.
• SMTP configuration: provide an option to support SMTP servers using a self-signed certificate. More details in the Configure the email system page.

Bug fixes​

• Force SSO activation: fix an issue where authentication page “Force SSO Toggle” enabled “By default to all incident team” toggle as well.
• GitLab integration: fix an issue where revoked tokens weren't detected as such if not actively used by a configured GitLab group.
• GitHub integration: disable repositories are now marked as such when searching GitHub integrations.
• Bitbucket integration:
  • correct failure message and re-check button when the Bitbucket integration stops working.
  • syncing installs with a new token now correctly retains projects linked to the old token, preventing unintended deletion of all projects.
  • adds a default timeout to all requests made by the Bitbucket client.
• Cluster management:
  • fix a "failed to verify certificate" error when a proxy is configured in the KOTS config during a migration.
  • adjusted embedded cluster settings: system time zone to UTC, maximum database connections to 500, and idle timeout to 1 hour.
  • fix an issue with liveness probes failing.
• Historical scan: fix an issue with missing audit logs for historical scans.

2024.1.3 - Required​

Bug fixes​

• Cluster management:
  • remove the rqlite DB data dump from support bundles generated by KOTS.
  • fix migration by using specific models, avoiding variable external dependencies.
  • enable ability to perform the database encryption key rotation in the Admin area.

2024.1.2​

Bug fixes​

• Bitbucket integration: fix an issue which revoke the access token when the project only has read permission.

2024.1.1​

⚠️ Check the Helm values file changes from the previous version here.

Secrets Detection​

• Secrets detection engine: upgrade to version 2.102 with the addition of 8 new detectors (Base64 AWS IAM Keys, Base64 AWS SES Keys, Readme API Key, Tailscale API key, Tailscale oauth key, Tailscale pre-auth key, Tailscale SCIM key, Tailscale webhook key) and the improvement of 1 detector (Vercel API Access Token).
• Source criticality: a new parameter at the source level to help users prioritize their Secret incidents. Refer to the documentation for more details.
• Check runs: the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
• Custom detectors: improve error messaging for invalid regex when requesting a custom detector.

Self-Hosted​

• Chainguard: Chainguard-based GitGuardian images are now used by default, enhancing security by reducing CVE exposure. Available only on the new GitGuardian architecture. Additionally, both KOTS admin version 1.104.4 and Replicated SDK version 1.0.0-beta.12 are built using a distroless base image from Chainguard.
• SMTP configuration: the system now supports unauthenticated SMTP server, allowing for more flexible email service integration.
• KOTS preflights: update preflights to support TLS for Redis and PostgreSQL.
• Helm Chart:
  • Private registries: introduce support for the replicated SDK image and offer an option to include a custom nginx image for private CA insertion. For detailed information, refer to the Install on Airgap page.
  • RBAC: add Kubernetes Roles and RoleBindings required for the app in the Helm Chart (optional but enabled by default). Refer to rbac in Helm Chart Values.
• Cluster management: update Kubernetes version to 1.27 for embedded cluster. For further details, refer to the Upgrade page.

Bug fixes​

• Airgap: add missing Replicated SDK image in airgap bundle.
• SSO: fix a server error (500) issue with login via SSO on KOTS install in the new architecture.
• Helm: fix a Nil Pointer error that occurs during a helm upgrade of GitGuardian when specifying the djangoSecretKey in the local-values.yaml.
• Custom webhook: fix webhook event serialization error when no hmsl_hash is present in the secret.

2023.12.1​

Bug fixes​

• Bitbucket integration: add auth_error_grace_period option in preferences for setting a grace period before token revocation.
• Cluster management: fix an issue with the database migration when schema name is not "public".
• API: fix random HTTP/502 errors while navigating in the application.

2023.12.0​

- apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "deployments/scale", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Secrets Detection​

• Azure Repos integration: the monitoring of your Azure Repos repositories is now done in real-time. Refer to the documentation for more details.
• GitHub integration: improvement of check runs to support the GitHub Merge Queue feature.

Honeytoken​

• IP allow-listing for Honeytoken: it's now possible to add IP ranges to an allow-list, ensuring events from these IPs won’t trigger the honeytokens. Learn more about IP rules.

Platform​

• Jira Cloud integration: Jira issues can now be created without assigning them to anyone.
• Onboarding: implementation of an onboarding todo list to guide users in their first steps on the application
• Help Center: enrich the Help Center with additional resources.
• Filters: a new way of filtering pages, more streamlined and intuitive.

Self-Hosted​

• Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.27 and 1.28 (experimental). More information in the System requirements page.
• Helm and KOTS installation: introduce a new pod Replicated SDK for license management and telemetry collection. More information in the Replicated documentation.
• Helm Chart:
  • Private registries: support specifying existing Docker secrets and custom registries, enabling image pulls from private registries. Refer to the documentation for more details.
  • Kubernetes resource: add missing Kubernetes resources properties for Pre/Post deploy jobs and nginx init containers.
  • Pod security context: implements enhanced pod security context configurations in line with Kubernetes v1.25's Pod Security Admission feature, now customizable via Helm values for improved security compliance. Refer to containerSecurityContext in Helm Chart Values.
• Custom Telemetry: gather product usage metrics, such as VCS and incidents numbers, API call statistics. We prioritize your privacy and assure you that no personal data is collected through this process. It can be easily deactivated by adjusting the custom_telemetry_active setting found in the preferences section in the Admin area.

Bug fixes​

• GitHub integration: handling of GitHub app ownership transfer: it is now possible to change ownership without deleting the self-hosted application.
• Incidents: filtered results in CSV export: CSV export keeps the filters applied.
• API: fix /secret_detectors endpoint to filter out detectors that have been administratively disabled by GitGuardian.
• User Preferences: fix an issue where the "email not configured" banner incorrectly persists in private browsing mode due to a failure in loading user preferences.
• Historical scan: ensure UTF-8 character encoding compatibility for filenames in repositories.

2023.11.0​

Secrets Detection​

• Secrets detection engine: upgrade to version 2.99.1 with the addition of 6 new detectors:
  • Google Bard
  • Webflow API token
  • Aiven
  • Infracost API Key
  • Rollbar API Access Token
  • Vercel API
    and the improvement of 6 detectors:
    
  • Okta Keys
  • Username Password
  • Generic password
  • Microsoft Azure Storage Account key
  • SSH credentials
  • Generic High Entropy Secret
• Incident details: git patches of occurrences can now have restricted visibility to only the teams and developers involved with the occurrence, thanks to a workspace setting. If the git patch of an occurrence is too large, a link to the Version Control System is displayed instead.
• Historical scan: addition of some details in the status tooltip, including scan duration and number of commits and branches scanned. For failed scans, the tooltip now also displays the reason for the failure.
• API: New endpoint to retrieve secret incidents of a team.
• ggshield: ggshield auth login flow now asks you to confirm scopes.

Honeytoken​

• Honeytoken module is now available for Self-Hosted customers. This feature is available upon request.

Platform​

• Teams: users can now filter the incidents and the perimeter pages based on their teams. Managers have the flexibility to filter any team, while Members can only filter their own teams.
• Alerting integrations: alerting integrations are now available at team level. More information in our teams documentation.

Self-Hosted​

• Chainguard: introducing an experimental.chainguard flag in Helm chart values for enabling Chainguard-based GitGuardian images, enhancing security by reducing CVE exposure. Default is false, available only in Helm-based install on the new GitGuardian architecture.
• Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.25, 1.26, and offers experimental support for version 1.27 for Existing Cluster installations. More information in the System requirements page.
• Cluster Management:
  • support of GitGuardian installation via KOTS using the new GitGuardian architecture.
  • update Kubernetes version to 1.25 for embedded cluster. For further details, refer to the Upgrade page.

Bug fixes​

• Azure repos integration: installation status persists on all pages until the installation is complete. Removing a token no longer causes a crash in other installation.
• Bitbucket integration: prevents connection errors from revoking a Bitbucket token, letting instances go through maintenance without needing to re-enter their token afterwards.
• Teams: fix a bug that caused incidents belonging to an unmonitored repository to still be visible to the team.
• Historical scan: support for special UTF-8 characters, like Kanji, in filenames during historical scans. Improve handling of commits without dates.

2023.10.1​

Bug fixes​

• Security: update Contour (ingress controller for Kubernetes) to provide protection against CVE-2023-44487
• Cluster management: resolve an issue where migration jobs would fail and the app wouldn't start when Redis Sentinel was used.

2023.10.0 - Required​

Features​

• Secrets detection engine: upgrade to version 2.97.
• OpenShift: we officially support OpenShift, please refer to the OpenShift specifics page to learn more.

Bug fixes​

• Check runs: fix neutral check runs being created on workspaces with check runs disabled.
• Custom detectors: update the message when a custom detector request cannot be edited due to its current status.
• Incident details: fix a bug causing the absence of an expiration date on public share links generated by the Auto-healing playbook.
• Health check: prevent UI from crashing on unknown Health check error code.
• API: fix timeout issues on the /occurrences/secrets endpoint when using a date filter.
• SSO: fix conflict happening when signing up via SSO while having a pending invitation.
• Notifications: fix Linkedin link in email footer.
• Bitbucket integration: remove automatic revocation of the token when the connection is down.
• Historical scans: process incidents and occurrences in batches of 500 for efficient memory use.

2023.9.2​

Bug fixes​

• Cluster management:
  • fix an issue that hindered the generation of support bundles on Helm-based instances.
  • fix an issue that prevented the deployment of applications on an OpenShift cluster when utilizing Redis Sentinel.

2023.9.1​

Bug fixes​

• Jira integration: fix a configuration issue preventing the usage of Jira integration on a self-hosted environment.

2023.9.0​

Features​

• Secrets detection engine: upgrade to version 2.96 with the addition of four new detectors:
  • Databricks Authentication Token With Hostname,
  • Hashicorp Vault Token,
  • Generic Terraform Variable Secret,
  • CARTO API Access Token,
    and the improvement of 2 detectors:
    
  • Generic Password,
  • Base64 Basic Authentication.
• Custom detectors: self-hosted users can now extend GitGuardian's secrets detection engine to support secrets specific to their organization.
• Incident details: the public sharing is now a workspace setting.

Bug fixes​

• Incidents: fixed the sorting of incidents by severity when some severities are automatically set.
• Incidents: fixed wrong occurrence count on incident page.
• Incidents: the tooltip displaying the sources is now displayed correctly.
• Custom webhook: fixed duplicate notifications being sent when setting incident severity using a bulk action.
• API: fixed invalid link in personal access token expiration email notification.
• Custom detectors: update the message when a custom detector request cannot be edited due to its current status.
• Incident details: fixed a bug causing the absence of an expiration date on public share links generated by the Auto-healing playbook.
• Health check: prevent UI from crashing on unknown Health check error code.
• API: fix timeout issues on the /occurrences/secrets endpoint when using a date filter.
• SSO: fix conflict happening when signing up via SSO while having a pending invitation.

2023.8.0​

Features​

• Incidents: addition of the Default branch tag to secret incidents that occurred on the default git branch of a repository.
• Incident details: filters have been added to the occurrences table.
• Incident details: the public sharing toggle has been moved to the "Grant access" modal, which has been renamed to the "Share" modal. For a more detailed explanation, please refer to our collaboration and sharing documentation.
• Integrations: modification of the Integrations and Settings/Integrations pages.
• Secrets detection engine: upgrade to version 2.94 with the addition of four new detectors:
  • Azure Active Directory API Keys,
  • Docusign API Key,
  • Pinecone API Key,
  • Pinecone API Key and environment
    and the improvement of two detectors:
    
  • Generic Password,
  • Coveralls Personal Token.
• Cluster management: port for applicative metrics exposure changed from 8082 to 9808.

Bug fixes​

• API: fix an error preventing the creation of an invitation when the role was not specified.
• Personal access tokens: personal access tokens can now be searched by name, and ordering by name now works correctly.

⚠️ Deprecation​

• Custom webhook v1: the feature has been replaced by the event-based custom webhooks. More information in the documentation here.

2023.7.1 - Required​

Bug fixes​

• Custom webhook: fix notifications for when a bulk action is performed. Previously, only one notification would be sent for the first incident affected by the bulk action. However, now notifications are sent for each incident that is modified by the bulk action.

2023.7.0​

Features​

• Automated severity scoring: managers and workspace owners can now activate the automated severity scoring feature for Self-Hosted environments in order to automatically score incidents with a severity.
• Custom severity rules: the severity ruleset used by the automated severity scoring is now customizable to maximize the coverage of automatically scored incidents.
• Incident details: feedback about the incident can now be submitted in a standardized way through a form that is available on the incident's page.
  Refer to this page for more information on how to use this form effectively and involve your developer population during the remediation process.
• Incidents: addition of new filter to select the incidents that are publicly shared.
• Teams: team owners with the Member role can now invite brand new users to the workspace when adding teammates to their team. This feature can be deactivated.
  For more details, please refer to this page.
• Grant access: users with Full access incident permissions can now invite brand new users to the workspace when granting access to an incident.
  For more details, please refer to this page.
• Secrets detection engine: upgrade to version 2.93 with the addition of four new detectors:
  • Tableau Personal Access Token,
  • Yelp API key,
  • AWS SES Keys,
  • Forest Admin API Key
    and the improvement of eight detectors:
    
  • Atlassian Oauth2 Keys,
  • Contentful Content Delivery API Key,
  • Etsy Developer Key,
  • GitLab Token,
  • HubSpot API Key,
  • MS Team webhook,
  • GitHub Access Token,
  • OpenAI API Key.
• API: managers can now enforce a maximum lifetime for personal access tokens generated on their workspace.

Bug fixes​

• Emails: button URLs are now hardcoded to prevent a bad user experience when the button is not visible due to HTML-escaping by email providers.
• PagerDuty Integration: title update in PagerDuty incidents to eliminate confusion regarding the number of occurrences.
• Cluster management: fix an issue on proxy configuration that was not correctly propagated for some integrations, causing network requests time out.

2023.6.0​

Features​

• Cluster management: you can now install GitGuardian Self-Hosted using Helm Charts. This feature is currently in Beta. More information is available in the installation documentation. the installation documentation.
• Cluster management: allow self-hosted instances to use a specific Redis instance for the commit cache. More information is available in our documentation our documentation

Bug fixes​

• Authentication: fix broken email confirmation link when registering with email and password.

2023.05.1​

Bug fixes​

• Cluster management: fix an issue on Redis Sentinel that failed to start, blocking GitGuardian's launch.

2023.05.0​

Features​

• API: secret detectors are now exposed in the API.
• Incidents: filepaths can now be searched in the free text search of the secret incidents table.
• Secrets detection engine: upgrade to version 2.89 with the addition of seven new detectors:
  • Azure Cosmos DB Credentials
  • Redis Server Password
  • DigitalOcean Refresh Token
  • DigitalOcean OAuth Application Token
  • DigitalOcean Personal Access Token
  • Cloudinary API keys
  • MongoDB Atlas Keys

Bug fixes​

• Custom severity rule: fix wrong timeline when setting a manual severity to an incident having only an automatic severity.
• Grant access: copy-pasting now works correctly.
• Incidents: performance for loading secret incidents has been improved for workspaces with a large number of incidents.
• Loader: fix loader size in incident and Perimeter pages.
• API: comment field is now required on incident note creation endpoint.

2023.04.0​

Features​

• Custom remediation workflow: remediation workflow is now 100% customizable thanks to the deletion of the last static step.
• Secrets detection engine: upgrade to version 2.87 with the addition of a new detector (Keycloak API Keys).
• API: new endpoints are added for API tokens management (personal access tokens and service accounts).
• API: new fields resolver_id and ignorer_id are available in the secret incident payload.

Bug fixes​

• Members: fix invitation link for new members.
• Jira integration: Jira ticket creation CTAs are hidden for workspaces without a single Jira site installed.
• Jira integration: fix permission issues by disabling the configure button for users without a Manager role and allowing users with the Restricted role and Can edit permissions to create a Jira ticket.
• Detectors list: when the validity checks are disabled, the detectors are sorted by status.
• Notifications: fix empty emails being sent after an occurrence was found during real time scan.
• Personal access tokens: Restricted users now only see the scan scope in the personal access token form.
• Cluster management: fix password issue that was blocking application initialization during GitGuardian installation.

2023.03.1 - Required​

Bug fixes​

• Cluster management: suppression of preflight checks that were failing for new installation with embedded air-gapped configuration with PostgreSQL 13.

2023.03.0​

Features​

• Azure Repos: addition of a loader and notifications when an organization is being installed.
• API: add filters to multiple endpoints.
• Cluster management: Embedded clusters now use PostgreSQL 13. Refer to this procedure to migrate from on older version of PostgreSQL.
• Cluster management: self-hosted GitGuardian environments are now supporting Redis version 6 and Kubernetes version 1.23.

Bug fixes​

• ggshield: ggshield auth login flow now expires after 5 minutes.
• Incidents: performances when filtering incidents on a detector are improved.
• VCS integrations: fix broken links to documentation.
• GitHub: fix the integration of a GitHub installation with a large number of repositories
• GitHub: fix check-runs running forever by enforcing a timeout.

2023.02.1 - Required​

Bug fixes​

• Cluster management: self-hosted GitGuardian can now be deployed on OpenShift with default security settings.
• Cluster management: self-hosted GitGuardian is now compatible with Redis Sentinel.
• Historical scans: corrections on scans that can be automatically launched.
• Custom Certificates for Cluster Management: correction of regression on custom Certificates Authorities.

2023.02.0​

Features​

• Azure Repos: the native integration is now available. You can scan your Azure Repos repositories for secret detection and policy breaks.
• API: specify missing scopes in error message when the API token being used doesn't include the appropriate scopes.
• Custom remediation workflow: remediation workflow can now be customized in the settings.

Bug fixes​

• Health Check: on self-hosted environments, pods are no longer crashing because of integrations' health checks.

2023.01.1​

Bug fixes​

• Cluster management: Self-hosted GitGuardian containers are now running with non-root security context.

2023.01.0​

Features​

• Teams: addition of a description field for your teams.
• Teams: the "all-incidents" team is now visible in the Members table.
• Perimeter: improve the display of the historical scan's last status information.
• Playbooks: new Auto-resolution playbook to automatically close incidents that have once been valid and that become invalid.
• Secret incident: prevent valid secrets from being "marked as revoked".
• Cluster management: Self-hosted GitGuardian environments are now supporting PostgreSQL version 13. Support for PG version 12 is deprecated as of this release.

Bug fixes​

• SSO: Fix the "sign in" redirection for SSO connection.

2022.12.1​

Bug fixes​

• Incident detail: fix misplaced secret in the commit patch when detected by a historical scan and in real-time. Please contact the Support team if you have occurrences impacted in your environment.

2022.12.0​

Features​

• Historical scan: increase the maximum size of the historical scan from 1 GB to 12 GB.
• Historical scan: new email template for historical scan report.
• API: expose external_id representing the VCS id of a source in API source payload.

Bug fixes​

• GitLab integration: handle timeout errors when setting up a new instance.
• Playbooks: fix incorrect default permission can view applied with auto-access playbook instead of correct can edit.
• Filepath exclusions: ignore hidden occurrences in the auto-access playbook and notifications.
• Custom webhooks: fix incorrect event names.
• Historical scan: reduce errors during scans of large repositories and optimize memory usage on large patch sizes.
• Members: fix the sorting when navigating through pages.

2022.11.3 - Required​

Features​

• Cluster Management: integrate memory limits for Kubernetes pods. You can configure them on the Admin Console's configuration page.

Bug fixes​

• RBAC: prevent users from receiving email notifications for already existing incidents.

2022.11.2​

• Released on November 21, 2022.
• Validated for KOTS v1.90.
• Minimum Kubernetes version: 1.19.

Features​

• Teams: introducing team management within a workspace and granular incident permissions (can view, can edit, full access). You can activate the feature on the Admin Area's preference page.
• Custom webhooks: update the action field with more user-friendly messages.
• Perimeter page: update the information displayed in the Protection section.
• Analytics: add all ggshield modes to the Analytics section.
• Custom Certificates for Cluster Management: integrate custom Certificates Authorities for integrations. This feature was in beta and is now stabilized. More information is available in the dedicated documentation.
• API: add the API URL to the dashboard, in the section API >> Quota. The URL is also updated in the API documentation of those environments.

Bug fixes​

• Check runs: When deactivating a check run, finish the processing if it was already in progress.
• Check runs: Check runs are functional for forked repositories.
• Custom webhooks: Remove matches from webhooks' new occurrence.
• GitHub: fix display latency observed for big GitHub organizations.

2022.10.1​

• Released on October 26, 2022.
• Validated for KOTS v1.88.
• Minimum Kubernetes version: 1.19.

Bug fixes​

• Bitbucket Integration: when you create a branch on a monitored repository, the event now triggers a scan of the branch commits only, and not of the whole repository.

2022.10.0​

• Released on October 10, 2022.
• Validated for KOTS v1.86.1.
• Minimum Kubernetes version: 1.19.

Features​

• Members: Notification is sent to users who are removed from a Workspace.

Bug fixes​

• Check Runs: check runs are functional again for forked repositories.
• Incidents: provide a more user-friendly error message when a bulk action can't be applied to the selected incidents.

2022.09.1​

• Released on September 21, 2022.
• Validated for KOTS v1.85.
• Minimum Kubernetes version: 1.19.

Bug fixes​

• API: fix a broken link on the Settings page.
• Redis: we fixed a bug where the database memory could get filled.

2022.09.0​

• Released on September 5, 2022.
• Validated for KOTS v1.82.
• Minimum Kubernetes version: 1.19.

Features​

• API: enrich the Members section with retrieve and delete endpoints.
• API: handle invitations on grant/revoke access endpoints.
• API: add a filter by role and a search on name and email for the /members endpoint.
• API: add filters to the audit log list endpoint.
• Cluster Management: add a parameter to customize pods' CPU limits. More information is available in the dedicated documentation.
• Incidents: include the unaffected count for bulk actions.

Bug fixes​

• API: respect the validity checks setting ON/OFF.
• Custom webhooks: fix the webhook event-based signature.
• GitHub: don't display the "scan integrated repositories" modal if the auto scan is on.
• GitLab integration: keep unmonitored projects unmonitored.
• Incident details: searching GitHub pull requests associated with an issue can be performed on a specific #ID and repository name.
• Incident: secrets with validity status "failed to check" are no longer checked automatically after they have been marked as resolved.
• Incident: the button to manually check the presence in git history remains when the incident is closed.
• Incidents: fix the severity badge 'info' icon.

2022.08.0 - Required​

• Released on August 8, 2022.
• Validated for KOTS v1.78.
• Minimum Kubernetes version: 1.19.

Features​

• API: the /occurrences endpoint can be filtered by author_name and author_info.
• API: add an endpoint to fetch the audit logs. The API key needs to have the new audit_logs:read scope to query the endpoint.
• API: tags are exposed in the incidents endpoint.
• CSV: tags are exposed in the CSV report of secret incidents.
• Health Check: it checks if the GitHub integration has been suspended.
• Perimeter: the repository name is now a link to the incidents list filtered on this repository. The link to the VCS is also available as a popup icon.
• Applicative Metrics: metrics have been added: scanned commit, API quota, API usage and API tokens.

Bug fixes​

• Detectors: activating and deactivating detectors is now forbidden for Members.
• Perimeter: fix a bug preventing Members from launching historical scans.

⚠️ Deprecation​

• API: deprecated issue_id in favor of incident_id on incident note management endpoints.

2022.07.0​

• Released on July 11, 2022.
• Validated for KOTS v1.75.
• Minimum Kubernetes version: 1.19.

Features​

• ggshield: setting up ggshield is made easy with the new ggshield auth login command. More information is available in the dedicated documentation.
• Grant access: notify Restricted users by email when they are granted access to an incident.
• Members: notify users by email when their role is updated.
• CSV: add status, ignore_reason and status_revoked columns to the CSV export of secret incidents.
• CSV: add occurrence_id column to CSV export of occurrences.
• CSV: return the dates in iso format.
• Members: invitations can be resent through the dashboard.
• API: add endpoints to manage invitations. The API key needs to have the new members: write scope to query those endpoints.
• API: add an endpoint to set the severity of a secret incident.

Bug fixes​

• GitLab: adding a GitLab project that had been deleted now correctly set it as monitored.
• Analytics: pre-receive mode is displayed correctly in the shift-left panel.
• Service account: fix a permission error allowing all roles to modify service accounts.
• GitHub: fix the re-run action of old check runs to show an explicit error.

2022.06.1​

• Released on July 1, 2022.
• Validated for KOTS v1.73.
• Minimum Kubernetes version: 1.19.

Bug fixes​

• Bitbucket Integration: add a parameter in the Preferences section of the Admin Area to disable Admin Check during Bitbucket Installation creation.

2022.06.0​

• Released on June 20, 2022.
• Validated for KOTS v1.71.
• Minimum Kubernetes version: 1.19.

Features​

• Applicative Metrics: applicative metrics are added to help you monitor your self-hosted instance. More information is available in the dedicated documentation
• API: move the Personal access tokens to the API section.
• Check runs: improve success message in GitHub UI.
• GitHub: expose the base/head branch of GitHub pull requests.
• Incident: mark the third remediation step "rewrite git history" as optional.
• Health checks: Health checks are displayed in the VCS integration settings

Bug fixes​

• GitHub: explicitly neutralize old check runs that are re-run.
• Incident: fix grant access modal broken when too many Restricted users.

⚠️ Deprecation​

• ggshield: since v1.12 of ggshield, ggshield scan and ggshield ignore commands are deprecated, use ggshield secret scan and ggshield secret ignore instead.

2022.05.1 - Required​

• Released on June 6, 2022.
• Validated for KOTS v1.70.
• Minimum Kubernetes version: 1.19.

Bug fixes​

• Bitbucket Integration: when configuring a whole instance token, GitGuardian is not returning a timeout.

2022.05.0​

• Released on May 16, 2022.
• Validated for KOTS v1.70.
• Minimum Kubernetes version: 1.19.

Bug fixes​

• Grant Access: Members in Business workspaces can give access to restricted users but can’t invite new users by typing email addresses.
• Incident details: timestamp of the last presence check is updated synchronously upon manual check.
• CSV Export: disable timeouts.
• Incidents: improve performance on the incidents table.
• Detector: improve performance of table of detectors for workspaces with many incidents.
• Email: the warning banner is not displayed anymore when the email-sending system is configured.
• Health Check: the error code for an expired GitLab token has been corrected.
• PostgreSQL: configuring an external port different from the default one (5432) correctly works.

2022.04.2​

• Released on May 09, 2022.
• Validated for KOTS v1.70.

Bug fixes​

• Upgrade: Error on Ingress component deployment.
• Postgre TLS: Fixes error on deployment while Postgres TLS "Allowed" mode is activated.

2022.04.1​

• Released on April 22, 2022.
• Validated for KOTS v1.59.1.

Features​

• Health checks: We add VCS troubleshooting tools in the Admin Area. You can check the status of your integrations and gather error information on this page. More information is available in the dedicated documentation
• Personal access tokens and service accounts: We now distinguish two types of API keys: Personal Access Tokens and Service accounts. More information is available in the dedicated documentation
• GitHub check runs now handle the regression mode. If an already resolved secret incident is detected by a check run AND the regression mode is OFF, the check run won’t raise the secret.
• GitHub A comment can be posted directly to Github pull request timeline when a check run detects a secret. This can be deactivated in Settings by a Manager.
• API: We add an API endpoint to list members having access to an incident. More information is available in the dedicated documentation.
• PostgreSQL: Secrets are now encrypted in the database.

Bug fixes​

• Incident: Restricted users are no longer able to generate incident-sharing links.

1.35​

• Released on March 25, 2022.
• Validated for KOTS v1.59.1.

Features​

• TLS Support for PostgreSQL: Transport Layer Security (TLS) is an encryption protocol intended to keep data secure when being transferred over a network. When installing GitGuardian Self-Hosted, users can now activate the option for PostgreSQL.
• API: Members are now exposed in API and new fields were added to the source payload.
• Incident detail: From an incident detail page, you can grant access to a selection of Restricted users.

1.34​

• Released on February 11, 2022.
• Validated for KOTS v1.59.1.

Features​

• TLS Support for Redis: Transport Layer Security (TLS) is an encryption protocol intended to keep data secure when being transferred over a network. When installing GitGuardian Self-Hosted, users can now activate the option for Redis. You can find more information about the configuration on our official documentation

1.33​

• Released on January 13, 2022.
• Validated for KOTS v1.59.1.

Features​

• API: Added secret validity information.

1.32​

• Released on December 14, 2021.
• Validated for KOTS v1.58.1.

Features​

• API: new scope incident::share and grant access to incidents, documented here.
• Regression: added a workspace setting giving the option to control the behavior of GG when a new occurrence of an already-resolved incident is detected.
• Custom webhooks: added validity and severity to the payload.
• API: added validity to scan results.

1.31​

• Released on November 15, 2021.
• Validated for KOTS v1.56.0.

Features​

• Synchronization between ggshield and the dashboard: secrets ignored on the dashboard will also be ignored by ggshield. Detectors deactivated in the dashboard will be deactivated for ggshield too.