2025.3.0
Release Date: March 20, 2025
System Requirements Update
Ensure your infrastructure meets the latest requirements for optimal performance and security:
Component | Minimum Version | Recommended Version |
---|---|---|
KOTS | 1.117.3 | Latest |
Kubernetes | 1.25 | 1.31 |
PostgreSQL | 15 | 16 |
Redis | 6 | |
Helm | 3.13 | Latest |
⚠️ Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.
Helm & Upgrade Considerations
To ensure compatibility, please review Helm values updates from the previous version.
⚠️ Ensure you're using Helm version > 3.13. We recommend upgrading to the latest version.
Air gap deployment? We’ve updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.
Explore and prioritize your Generic Incidents
We are excited to unveil the "Generic Secret Enricher V1", a machine learning model designed to enhance our capabilities in generic secret detection. This innovative model analyzes the entire context of a document, identifying the company and category associated with a secret, thereby providing meaningful insights to help users understand the origin and type of a discovered secret.
New Features
- Contextual Analysis: Upon detection of a generic secret, our platform analyzes the full document context to determine the associated provider or category of a secret.
- Efficient Classification: This feature reduces the need for manual classification, enabling users to quickly comprehend the source and nature of a discovered generic secret.
- New Filters: We've introduced three new filters - Provider, Category, Family - to help identify critical generic incidents. To use these, filter your incidents by the "Generic" type, then apply a combination of these filters.
Goals
Our long-term goal is to provide you with actionable insights, help you prioritize your generic incidents, and improve your remediation efforts.
Usage
To use the new filters, simply filter your incidents by the "Generic" type, then apply a combination of the Provider, Category, and Family filters. This will help you identify the most significant or critical generic incidents, such as those classified under "Data Storage" or linked to the provider "Postgresql".
Leverage insights from your Secrets Managers
GitGuardian now integrates with AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager, Delinea, and Akeyless through ggscout, letting you sync secret incidents with your Secrets Managers—without exposing sensitive data.
What’s in it for you?
- Prioritize Faster – Instantly see which secrets are already vaulted and focus on real risks.
- Remediate Quicker – Vault unprotected secrets in a click and speed up fixes.
- Streamline Workflows – Leverage vaulted secrets insights directly in GitGuardian.
- Improve Secrets Hygiene – Spot duplicate, weak, or mismanaged secrets with ggscout.
- Simplify Vault Consolidation – Track migrations, filter secrets, and purge outdated ones effortlessly.
Secrets Detection Engine (v2.133)
Bringing enhanced accuracy and broader coverage:
- New Detectors
  - OpenAI Project API Key (v2) – Added support for detecting the new format of OpenAI project API keys.
  - OpenAI Admin API Key – New detection capability for OpenAI admin API keys.
  - Netlify Token (v2) – Introduced detection for the latest version of Netlify tokens.
  - 1Password Service Account Token – New detector added to identify 1Password service account tokens.
  - DeepSeek API Key – Now detecting DeepSeek API keys.
- Improved Detection
  - OpenAI Service Account – Expanded pattern coverage for better identification.
  - Rails Master Key – Updated detection rules to minimize false positives.
  - GitHub Tokens – Improved recall and validation for GitHub authentication tokens.
  - Groq API Key – Enhanced detection rules for greater accuracy.
  - Artifactory Token – New checker added to improve detection effectiveness.
  - Generic Passwords – Excluded secrets containing `*****` as they are likely false positives.
  - Dropbox Key – Detector group split into Dropbox Key and Dropbox Access Token for improved granularity.
  - FCM API Key – Validity check is no longer available since the API has been removed. While we can no longer retrieve the validity status for FCM secrets, we still detect the keys.
Enhancements
- Jira Issue Tracking Integration:
  - Added Incident ID as an optional variable in Jira ticket templates for improved customization.
  - Enabled instant ticket creation in Jira without requiring a predefined template.
- ggscout: Additional improvements to the integration of ggscout with self-hosted.
  - Ensured Vault configurations are reachable via the preflight check for Helm and KOTS.
  - Hardened Helm chart (custom CA support, optional GitGuardian hostname).
  - Used Replicated Proxy to pull the ggscout image.
  - Enabled support for embedded cluster deployment (HashiCorp Vault only).
  - Included ggscout logs in the support bundle.
- Self-Hosted:
  - Public API: Added ability to customize maximum page size for the Public API pagination.
  - Embedded cluster: Machine learning is now activated by default for embedded cluster installations.
  - License: GitGuardian will now automatically synchronize license information for non-air-gap environments, eliminating the need for manual license syncs after installation or upgrades.
  - Helm: Added support for `nodeSelector` in Helm jobs to enhance node scheduling flexibility.
Fixes
- Jira Cloud Issue Tracking Integration: Resolved an issue where integration entered an invalid state after being uninstalled.
- Microsoft Teams Alerts for Security Incidents: Resolved an issue where the wrong team was displayed during configuration.
- Self-Hosted:
  - Machine Learning: Added support for using custom security contexts, allowing you to configure security settings for the machine learning pods.
  - Preflights: Fixed an issue with Redis TLS that could cause connection errors.