Air gap deployment? This release introduces a new image.registry parameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the main imageRegistry parameter. Follow the upgrade instructions to update your helm values file.
Detect hardcoded secrets in your AWS ECR Container Registry
We are excited to introduce Secret detection for Amazon Elastic Container Registry (ECR).
Secrets often end up in container images due to common mistakes during development and image creation, mainly:
Hardcoding Secrets in Code: Developers may directly embed sensitive credentials, such as API keys or passwords, into application code, which gets packaged into container images.
Misconfigured Dockerfiles: Commands like ENV or RUN in Dockerfiles can inadvertently expose sensitive data during the build process.
By identifying and addressing hardcoded credentials in your AWS ECR repositories early in the development pipeline, this feature significantly minimizes the risk of security breaches, helping you prevent the unintended exposure of sensitive information before it even reaches production.
We're excited to announce support for Valkey, a Redis-compatible database that is a fork of Redis 7.2. This provides users with an additional option for Redis while maintaining full compatibility with GitGuardian Self-Hosted.
New Checkers
These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:
Custom webhooks: Enhanced webhook configuration with more granular event selection. See the updated documentation.
VCS Integrations: Added the ability to disable Automatic Repository Monitoring when setting up a VCS integration. The toggles controlling this capability were also moved above the list of discovered sources for better visibility.
Bitbucket Cloud Integration: Updated authentication to support API tokens as Atlassian discontinues app passwords, ensuring continued integration functionality.
⚠️ Important: This is a required release and cannot be skipped.
Upgrading to 2025.7
The Machine Learning engine is now enabled by default. Ensure your infrastructure meets the ML requirements.
If you're concerned about resource usage, you can lower the priority of ML pods to ensure other critical services are scheduled first.
Historical Scanning now available for Jira and Confluence Data Center
We’re excited to announce a significant enhancement to our secret detection capabilities for both Jira and Confluence Data Center: historical scanning is now available!
What's new?
Previously, our integrations would surface hardcoded secrets in real-time, alerting you to newly introduced risks as soon as they appeared. With this update, we’re extending our detection to include secrets that were leaked in the past—not just those introduced going forward.
Why does this matter?
Once a secret is leaked, it should always be considered compromised, regardless of when the leak occurred. By surfacing historical secrets, you can now:
Identify and remediate old, forgotten leaks that may still pose a security risk.
Reach a comprehensive security posture by ensuring that no secrets—past or present—slip through the cracks.
Take proactive action to rotate or revoke secrets that may have been exposed long ago.
Check out our documentation to enable historical scanning now:
Automatically Ignore Invalid Incidents with New Playbook
We’re excited to announce a powerful enhancement to your incident management experience, designed to help you focus on what matters: a new playbook, Automatically Ignore Invalid Incidents.
What's new?
This new playbook will automatically ignore incidents where the detected secret has been confirmed invalid and revoked, even for those that have never been valid. With this new capability, your team can immediately focus on genuine, actionable threats without being distracted by unnecessary noise from already-resolved issues.
Why does this matter?
By automatically clearing these known invalid incidents, you'll save valuable time, reduce alert fatigue, and maintain a clear focus on critical security issues that require your attention.
Important Note
This playbook is designed for incidents from standard detectors and will not impact those related to detectors with a custom host.
You Stay in Control
The playbook will be enabled by default, but you can opt out at any time if it doesn’t fit your needs. All incidents will remain accessible in your workspace for review.
New Checkers
These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:
Coze Personal Access Token
Tavus API Key
Heroku Platform Key
Tableau Cloud PAT
Notion Integration Token v2
Salesforce OAuth2
AI71 API Key
AMP API Token
Kubernetes User Certificate with Port
Alchemy API Key v2
OpenRouter API Key
Duffel API Key
Apify Token
Jina API Key
Deno Account Token
Resend API Key
VKontakte Access Token
Fireworks AI API Key
Detector Improvements
Google OAuth2 Keys – Improved precision for Google OAuth2 detector and enhanced regex for better detection accuracy.
Zendesk Token – ZendeskTokenAnalyzer has been rewritten in Rust for improved performance.
Sendinblue Key – SendinblueSecretAnalyzer has been rewritten in Rust.
Generic High Entropy Secret – No longer reports IDs in ServiceNow migration files, or AWS ECR image references, that were previously misclassified as secrets.
Algolia Keys – AlgoliaKeysSecretAnalyzer has been rewritten in Rust.
Jira Data Center Integration: Jira Data Center incident creation now includes the leaker's email address for historical comment occurrences.
Custom Tags API: Enhanced the custom tags filter in the public API to support filtering by key/value pairs in addition to IDs, improving search flexibility for better incident management. Learn more.
Playbook: "Auto-resolve secrets incidents when valid secrets are revoked" playbook is officially activated for all accounts. Learn about Playbooks
Custom remediation: Added dynamic links to custom remediation pages, providing users with seamless access to relevant documentation and revocation support.
Public API: Custom Tags (custom_tags) query parameters have been documented as part of the API documentation.
GitLab integration: Configuration of multiple GitLab integrations using both system hooks and group hooks simultaneously is now supported.
Custom Tags: Fixed an issue where assigning tags to selected filtered issues was incorrectly applying tags to all issues instead of only the selected ones.
Azure DevOps Integration: Improved token handling to prevent unnecessary revocation of Azure DevOps installations due to intermittent 401 errors.
Email Notifications: Improved email delivery logic for Microsoft Teams integrations to prevent excessive notification sending during periodic scans.
GitHub Integration: Fixed an issue where dangling GitHub installations were being unnecessarily checked when no installations were present.
User Management: SCIM user provisioning now matches emails case-insensitively to prevent duplicate or mismatched user entries.
Incidents Management: Resolved a regression where secrets detected on deletion lines could reopen incidents. Deletion lines are no longer scanned for secrets, as per the expected "Scan only addition line" behavior.
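The "Scan only addition lines" behaviour described in this fix, as an added illustration (not GitGuardian's engine; the detector patterns and the diff are constructed): a unified-diff scanner that reports secrets only on added lines, with an opt-in flag that reproduces the unwanted behaviour of also flagging the deletion line of a remediation commit.

```python
"""Scan only the added ('+') lines of a unified diff for secrets.

Added example, not GitGuardian's engine. A secret on a deletion ('-')
line is being removed by the developer; flagging it would block the
remediation commit or reopen an incident that is being resolved.
"""
import re

# Constructed, deliberately narrow detectors (not GitGuardian's patterns).
DETECTORS = {
    "example_api_key": re.compile(r"\bexk_[A-Za-z0-9]{16,}\b"),
    "url_with_credentials": re.compile(
        r"[a-z][a-z0-9+.\-]*://[^\s/:@]+:[^\s/:@\"']+@[^\s\"'/]+"
    ),
}

HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def _scan(path, side, line_no, content, detectors):
    return [
        (path, side, line_no, name, hit.group(0))
        for name, pattern in detectors.items()
        for hit in pattern.finditer(content)
    ]


def scan_diff(diff_text, include_deletions=False, detectors=DETECTORS):
    """Return findings as (file, side, line_no, detector, match).

    side is "+" for added lines (line_no in the new file) or "-" for
    deleted lines (line_no in the old file). Deleted lines are only
    reported when include_deletions=True, which reproduces the regression.
    """
    findings = []
    current_file = None
    old_left = new_left = 0  # lines still expected in the current hunk
    old_line = new_line = 0

    for raw in diff_text.splitlines():
        in_hunk = old_left > 0 or new_left > 0
        if not in_hunk:
            # "+++"/"---" are file headers only between hunks; inside a hunk
            # a line "+++ x" is an added line whose content is "++ x".
            if raw.startswith("+++ "):
                current_file = raw[4:].split("\t")[0].removeprefix("b/")
            m = HUNK_HEADER.match(raw)
            if m:
                old_line, new_line = int(m.group(1)), int(m.group(3))
                old_left = int(m.group(2) or 1)
                new_left = int(m.group(4) or 1)
            continue
        if raw.startswith("\\"):
            continue  # "\ No newline at end of file": no line on either side
        if raw.startswith("+"):
            findings += _scan(current_file, "+", new_line, raw[1:], detectors)
            new_line += 1
            new_left -= 1
        elif raw.startswith("-"):
            if include_deletions:  # the behaviour the fix removes
                findings += _scan(current_file, "-", old_line, raw[1:], detectors)
            old_line += 1
            old_left -= 1
        else:  # context line: present on both sides, never scanned
            old_line += 1
            new_line += 1
            old_left -= 1
            new_left -= 1
    return findings


# Constructed diff: a remediation commit that removes a key from settings.py
# and, in a second file, a newly introduced connection string with a password.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = "exk_ConstructedRevokedKey01"
+# remediation: read the key from the environment instead
+API_KEY = os.environ["EXAMPLE_API_KEY"]
 TIMEOUT = 30
diff --git a/scripts/sync.sh b/scripts/sync.sh
--- a/scripts/sync.sh
+++ b/scripts/sync.sh
@@ -2,2 +2,3 @@
 set -e
+export DB_URL="postgres://app:ConstructedPw@db.internal/app"
 ./sync --once
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```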
GitGuardian 2025.6 now requires Kubernetes 1.28 as the minimum supported version. However, Kubernetes 1.28 is no longer receiving active or maintenance support from the Kubernetes project (see end-of-life schedule).
We strongly recommend upgrading to Kubernetes 1.32 for optimal security and stability. See our system requirements for more details.
Securely Access Secret Values via API with GitGuardian's New “Secrets” Endpoint
GitGuardian is excited to announce a new API endpoint /v1/secrets/{secret_id}, allowing users to securely access secret values directly through our API.
This feature introduces several key benefits:
Enhanced Security Automation - Integrate secret remediation into existing security workflows and tools with secure API access to secret values.
Reduced Manual Intervention - Eliminate the need to manually copy secrets from the UI, saving time and reducing human error.
Comprehensive Security Controls - Multiple security layers (PAT permissions, workspace settings) ensure secrets are accessed only by authorized users.
Complete Secret Context - Receive both the secret value and detector information in a single API call for efficient remediation.
We’re pleased to introduce hardcoded secret detection for Microsoft Teams!
What’s new?
Our platform now scans Microsoft Teams messages for hardcoded secrets—such as API keys, credentials, and tokens—across both new activity and historical content. This means you can instantly identify and remediate exposed secrets, whether they were just shared or left unnoticed in your Teams environment.
Why is this important?
Once a secret is leaked, it remains a security risk until addressed—regardless of when it was exposed. By providing both real-time and historical scanning, we offer:
Comprehensive coverage: Instantly detect newly introduced secrets and uncover old leaks hiding in past conversations or shared files.
Proactive risk management: Take swift action to rotate, revoke, or investigate secrets, minimizing the window of exposure.
Complete peace of mind: Ensure your Teams environment is continuously monitored and secured against secret sprawl.
Secure your collaboration. Protect your business.
Simply connect your Microsoft Teams instance and let our enhanced detection engine do the rest. Our solution will automatically scan both ongoing and historical Teams content, surfacing any hardcoded secrets for prompt remediation.
Check out our documentation to start protecting your MS Teams communications!
Historical Scanning now available for Jira and Confluence Cloud sources.
We’re excited to announce a significant enhancement to our secret detection capabilities for Jira and Confluence Cloud: historical scanning is now available!
What's new?
Previously, our integration would surface hardcoded secrets in real-time, alerting you to newly introduced risks as soon as they appeared. With this update, we’re extending our detection to include secrets that were leaked in the past—not just those introduced going forward.
Why does this matter?
Once a secret is leaked, it should always be considered compromised, regardless of when the leak occurred. By surfacing historical secrets, you can now:
Identify and remediate old, forgotten leaks that may still pose a security risk.
Reach a comprehensive security posture by ensuring that no secrets—past or present—slip through the cracks.
Take proactive action to rotate or revoke secrets that may have been exposed long ago.
Check out our documentation to enable the feature now:
Detect hardcoded secrets in your Container Registries
We are excited to introduce Secret detection for Container Registries, including:
Azure Container Registry
Google Artifact Registry
JFrog Container Registry
DockerHub
Secrets often end up in container images due to common mistakes during development and image creation, mainly:
Hardcoding Secrets in Code: Developers may directly embed sensitive credentials, such as API keys or passwords, into application code, which gets packaged into container images.
Misconfigured Dockerfiles: Commands like ENV or RUN in Dockerfiles can inadvertently expose sensitive data during the build process.
By identifying and addressing hardcoded credentials early in the development pipeline, this feature significantly minimizes the risk of security breaches, helping you prevent the unintended exposure of sensitive information before it even reaches production.
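The two mistakes listed above (hardcoded credentials and ENV/RUN instructions that bake a secret into a layer), illustrated with an added example that is not GitGuardian's scanner: a small Dockerfile checker that flags credential-looking assignments in ENV, ARG and RUN instructions while skipping build-arg references and placeholders. The Dockerfile, the key-name hints and the values are constructed for the demo.

```python
"""Flag credential-looking literals in Dockerfile ENV/ARG/RUN instructions.

Added example, not GitGuardian code. Anything assigned in ENV or exported
in RUN is written into an image layer and ships with the image; secrets
passed via `RUN --mount=type=secret` are not, so that line is left alone.
"""
import re
from dataclasses import dataclass

# Key names that usually hold credentials (constructed list, not exhaustive).
SECRET_KEY_HINT = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)"
)
# Values that are references or placeholders rather than real literals.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]*>|changeme|x{3,}|\*{3,})$", re.IGNORECASE)
ASSIGNMENT = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)")


@dataclass
class Finding:
    line_no: int      # line of the instruction's first physical line
    instruction: str  # ENV, ARG or RUN
    key: str
    value: str


def _join_continuations(text):
    """Merge backslash-continued lines, keeping the first line's number."""
    joined, buf, start = [], "", 0
    for i, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = i
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        joined.append((start, buf + stripped))
        buf = ""
    if buf:
        joined.append((start, buf))
    return joined


def scan_dockerfile(text):
    """Return Findings for secret-like literals in ENV, ARG and RUN lines."""
    findings = []
    for line_no, line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr not in ("ENV", "ARG", "RUN") or len(parts) < 2:
            continue
        body = parts[1]
        if instr == "ENV" and "=" not in body:
            # Legacy form "ENV KEY value": normalise to KEY=value.
            kv = body.split(None, 1)
            if len(kv) == 2:
                body = f"{kv[0]}={kv[1]}"
        for key, value in ASSIGNMENT.findall(body):
            value = value.strip("\"'")
            if SECRET_KEY_HINT.search(key) and value and not PLACEHOLDER.match(value):
                findings.append(Finding(line_no, instr, key, value))
    return findings


# Constructed Dockerfile: three leaks, one safe build-arg reference and one
# BuildKit secret mount that correctly keeps the token out of the image.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM python:3.12-slim",
    "ARG BUILD_TOKEN=${BUILD_TOKEN}",
    'ENV DB_PASSWORD="hunter2-constructed"',
    "ENV APP_ENV=production",
    "ENV LEGACY_API_KEY legacy-example-key-0001",
    "RUN export NPM_TOKEN=npm_ConstructedExampleToken \\",
    "    && npm ci",
    "RUN --mount=type=secret,id=pypi_token pip install .",
])

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line_no}: {f.instruction} {f.key}={f.value}")
```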
Check out our Blog Post to learn more and our documentation to enable the feature now:
New Checkers
These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:
Laravel Encryption Key with Host
GitLab Feature Flags Client Token with Project ID
Kubernetes JWT with Host
Brave Search API Key
Firecrawl API Key
Dify API Key
GitLab Runner Authentication Token
Detector Improvements
Ubidots Token – Now includes new secret prefixes and improved checker responses for tokens from disabled accounts.
AMQP Credentials – Detector Upgrade: Enhanced multimatch selection to reduce false positive combinations, vital for secure message queuing in distributed systems.
Confluent Keys – Detector Upgrade: Improved multimatch selection for better accuracy and fewer false positives, essential for managing access to Kafka clusters.
Generic High Entropy Secret – Detector Upgrade: Excludes secrets ending with '.certificate' from being reported, reducing noise by ignoring non-sensitive certificates.
Artifactory Token – Analyzer Upgrade: Improved stability by preventing crashes when analyzing secrets with multiple scopes, key for managing and securing software artifacts.
Microsoft Azure Storage Connection String – Checker Upgrade: Enhanced to accept additional fields, crucial for accessing and managing Azure storage resources securely.
Microsoft Azure Storage Account Key – Detector Upgrade: Increased precision, reducing false positives, critical for safeguarding data in cloud storage.
Engine Enhancements
Established a priority rule favoring the confluent_api_keys detector over amqp_assignment and amqp_assignment_attached_port detectors.
Expanded detection pattern list for encrypted strings to increase precision.
Enhanced AssignmentRegexMatcher to handle N-prefixed (Unicode) string literals in SQL, adding support for Microsoft SQL Server.
Teams: Optimized the /teams API endpoint to reduce loading times for workspaces with large team structures.
Self-Hosted:
Improved ML Secret Engine Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
Improved Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
Improved handling of failed index creation migrations to allow safe re-execution of database updates.
Added the ability to constrain Kubernetes deployments to one worker per node to optimize resource allocation. Learn more about scaling.
Emails: Resolved an issue where email alerts were being sent to inactive workspace members.
Custom Tags: Resolved pagination issues in the custom_tags endpoint that were causing incorrect next page URLs.
GitLab: Improved permission checking for GitLab group integrations to properly handle permissions inherited from parent groups.
Severity rules: Corrected an issue preventing Self-Hosted customers from adding or editing custom severity rule sets.
Secret analyzer: Improved behavior to ensure secret analyzer is properly disabled when validity checking is turned off.
Self-Hosted Deployment on GCP and Azure: Fixed an issue with ACL limitations on GCP and Azure cloud platforms where Redis deployments disable the ACL command, causing pre-deployment checks for the FLUSHDB command to fail. The system now gracefully handles scenarios where ACL commands are unavailable.
Air gap deployment? We've renamed images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry.
FIPS: This release uses Chainguard images without FIPS-approved cryptographic modules. If you would like to use Chainguard images with FIPS, please contact our support team.
ServiceNow is now supported for secrets detection and honeytoken detection, enabling automated tracking of security incidents. Learn more
Customize Your Incidents View for Enhanced Context Exploration
With this new feature, users can create fully customized views of their incidents, displaying specific properties and exploring their security data in an entirely new way.
This customization capability offers two key advantages:
Leverage the Generic Secret Enricher model (read 2025.3 release page) - You can now explore and prioritize generic incidents more effectively by visualizing the AI-classified secret categories and providers
Harness extensive incident context - Access the rich contextual data we provide for each incident, which is essential for efficient prioritization efforts
Context is critical for effective remediation. Cybersecurity is fundamentally a data business, and by collecting and presenting the richest, most structured context possible, we enable you to filter, sort, and prioritize incidents effectively and make informed decisions.
SCIM (System for Cross-domain Identity Management) integration now supports both automatic user provisioning and deprovisioning in GitGuardian. When users are added or removed from your Identity Provider (IdP)—such as Okta or Microsoft Entra ID—they are automatically created or deactivated in your GitGuardian workspace.
Now, all your developers can be automatically onboarded to GitGuardian and are ready to handle security incidents as soon as they are added to your IdP. This means you can fully automate the onboarding and offboarding of users, directly from your IdP, ensuring your entire development team is always prepared to respond to incidents.
Why is this important?
Streamlined onboarding: New users are automatically provisioned in GitGuardian as soon as they are added to your IdP—no more manual invites or user creation.
Automated offboarding: When a user is removed or deactivated in your IdP, their access to GitGuardian is automatically revoked, reducing security risks.
Real-time synchronization: User changes in your IdP are reflected in GitGuardian almost instantly, ensuring your workspace always stays up to date.
Improved compliance: Automated user lifecycle management helps you meet security and compliance requirements by ensuring only authorized users have access.
Reduced manual work: Save time and reduce errors by eliminating manual user management tasks.
Note: Team provisioning via SCIM is not yet available, but is planned for a future update.
How to get started?
SCIM is available for workspaces using Okta or Microsoft Entra ID as their IdP.
To enable SCIM, go to your workspace Settings > Authentication and follow the setup instructions for your IdP.
For detailed configuration steps and best practices, check out our product documentation.
This release brings major enhancements to the Secrets Detection Engine, with a strong focus on expanding coverage for Artifactory and Azure services. New detectors have been added for a wide range of secrets—including Perplexity AI, Azure Entra ID, Communication Services, App Configuration, and more—helping organizations better protect sensitive credentials across their software supply chain and cloud infrastructure.
Key improvements include:
Expanded Azure Coverage: New detectors for Entra ID tokens, Communication Services, App Configuration, DevOps PATs, and SignalR, strengthening security for Azure environments.
Broader Secret Detection: Added support for Perplexity AI, Anthropic admin keys, Laravel encryption keys, X AI API keys, and GitGuardian Platform Magic Links.
Enhanced Accuracy: Upgrades to existing detectors (LDAP, JWT, Cloudinary, Auth0, Claude, Jira, SMB, ODBC, Octopus, and more) improve precision, recall, and reduce false positives.
For full details on new detectors and improvements, see the list below.
Azure Event Grid Access Key – Added new detectors for Azure Event Grid Access Keys and a New Checker for the azure_event_grid_access_key_with_host detector.
Anthropic Admin Keys – Introduced a new detector and New Checker for Anthropic admin keys.
X AI API Keys – Detects API keys for accessing X AI's artificial intelligence services.
Detector Improvements
LDAP Credentials – Checker Upgrade: Improved the LDAP checker to better distinguish between connection errors and invalid credentials. Updated ldap_credentials_assignment_with_dn to remove false positives.
JSON Web Token – Detector Upgrade: The detector will now detect all JWTs regardless of their contents.
Cloudinary API Keys – Detector Upgrade: Extended charset of cloudinary_api_key_config to improve recall.
Auth0 Keys – Detector Upgrade: Improved recall of the detector to detect more domains.
Claude API Key – Detector Upgrade: Refined regex for Claude API keys.
Emails: Included the number of incidents in the subject line of both weekly digest and historical scan emails.
Jira Data Center Issue Tracking Integration: Creating Jira tickets now only requires regular user permissions. Administrator privileges on the Jira Data Center site are only needed when setting up the two-way synchronization (Auto-resolve feature).
Self-Hosted:
Ensured that the Redis FLUSHDB command is available for use before installing or upgrading GitGuardian. Learn more.
Added support for configuring proxy username and password using Kubernetes secrets. Learn more.
GitGuardian Chainguard images are now used by default and include a shell for troubleshooting and maintenance.
Security: Implemented a Content Security Policy in response headers to better control which resources can be loaded, strengthening overall security.
⚠️ Important: This is a required release and cannot be skipped.
Upgrading to 2025.4
Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.
Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.
We're proud to introduce our brand new NHI Governance product! This solution is designed to help you manage and secure your Non-Human Identities (NHIs) and related secrets.
As organizations face exponential growth in machine identities, NHI Governance delivers comprehensive observability and lifecycle management across all your environments. Integrating with leading secrets managers and other sources from your infrastructure, it centralizes inventory, helps you assess your posture, and enforces security policies.
The solution includes:
Deep contextual insights, mapping relationships between secrets, their consumers, and resources, drastically reducing incident response times.
Advanced analytics helps you identify risks like overprivileged NHIs and track hygiene metrics.
Policy enforcement aligns your posture with standards such as the OWASP NHI Top 10.
NHI Governance empowers you to regain control over your NHIs and tied secrets, reduce risk, accelerate compliance tasks, and improve hygiene by addressing orphaned, untracked, or overprivileged credentials.
Ready to start your journey towards safer secrets management? Request access to GitGuardian NHI Governance by contacting your sales representative.
We're excited to announce Secrets Analyzer, a new enhancement to our secrets detection capabilities.
Secrets Analyzer automatically gathers additional context for detected secrets, including their associated scopes, permissions, ownership, and relevant perimeter information where available.
This added intelligence helps security teams:
Evaluate the potential impact of a secret incident more accurately.
Prioritize remediation efforts based on risk level.
Streamline the overall incident response process.
For details on how each analyzer works, including metadata collected and validation calls:
Take control of incident management with custom tags. This feature allows you to categorize, filter, and search incidents using customized labels, offering greater flexibility in tracking and prioritizing incidents, and improving remediation workflows.
For developers, you can interact with custom tags via the API. For more information, visit the API documentation.
For more details on how to use custom tags within the GitGuardian platform, check out our detailed guide.
You now have two options for receiving incident email notifications: "All incidents" (default) or "Only incidents involving yourself (based on your Git commit email)", learn more about email preferences.
Our self-hosted deployments now include a seamless log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This enhancement ensures that relevant logs are efficiently gathered and stored, supporting faster troubleshooting and support—without requiring any manual setup from users.
Incidents: Added a new filter to improve incident categorization based on the presence or absence of Jira Data Center tickets.
Custom Tags: Users can now create custom tags directly from search queries in the dashboard.
Custom webhook: Added the team name and webhook name to the custom webhook payload for incidents and occurrences. Learn more.
Jira Configuration: Introduced a new layout for the Jira Configuration form to enhance user experience and streamline configuration tasks.
Navigation Improvements:
Added persistent section state to remember your navigation preferences and updated browser tab titles for better identification when managing multiple tabs.
Added a "Skip to Main Content" button for better accessibility. When using keyboard navigation, pressing the Tab key reveals the button, which allows users to bypass navigation menus and jump directly to the main content area.
Invitation: Added GET /v1/invitations/{invitation_id} endpoint to retrieve invitation details through the Public API.
Self-Hosted:
Email Configuration: Improved error messages to provide clearer guidance when setting up email configurations.
Troubleshooting: Enhanced debug capabilities by adding network diagnostic tools (netcat, openssl) to the debug image. Learn more.
Helm:
Extended the readiness probe timeout on public-api to enhance stability and prevent premature failures.
Resolved an issue where the host was not specified in the health ingress configuration.
Added global.compatibility.openshift.adaptSecurityContext configuration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values include auto (default), force, and disabled for flexible security context adaptation. Learn more.
Added default support-bundle Role and optional ClusterRole creation (configurable via replicated.supportBundle.rbac.clusterRole.create).
The PostgreSQL pgvector extension is now required by default (postgresql.plugins.pgvector.enabled). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
Ingress:
Improved response times for issue occurrence queries through optimized request routing. Particularly useful when autoscaling webapp-public_api.
Standardized health check endpoint routing by removing the wildcard host configuration from gim-ingress-health and consolidating /api/v1/health under the main API hostname.
Jira Cloud Issue Tracking Integration: Fixed an issue where Jira project keys were incorrectly changed during synchronization.
GitLab Integration:
Fixed an issue where multiple emails were sent for failures in multiple group hooks on the same GitLab instance, ensuring only one email is sent per instance.
We improved the process for read-only token installations by automatically detecting and updating the webhook ID if the webhook was created manually.
Resolved an issue where system hook checks returned a 403 forbidden error when using a read-only token.
Fixed unnecessary scans triggered by webhooks related to unmonitored repositories.
Incidents: Fixed a bug that could cause unnecessary data refresh on the incidents list when switching browser tabs.
Self-Hosted:
Licensing: Updated the notification message for license expiration on self-hosted environments to provide clearer guidance.
Security: Added Content Security Policy (CSP) headers to HTTP responses to strengthen browser security controls.
We've updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.
We are excited to unveil the "Generic Secret Enricher V1", a machine learning model designed to enhance our capabilities in generic secret detection. This innovative model analyzes the entire context of a document, identifying the company and category associated with a secret, thereby providing meaningful insights to help users understand the origin and type of a discovered secret.
Contextual Analysis: Upon detection of a generic secret, our platform analyzes the full document context to determine the associated provider or category of a secret.
Efficient Classification: This feature reduces the need for manual classification, enabling users to quickly comprehend the source and nature of a discovered generic secret.
New Filters: We've introduced three new filters - Provider, Category, Family - to help identify critical generic incidents. To use these, filter your incidents by the "Generic" type, then apply a combination of these filters.
To use the new filters, simply filter your incidents by the "Generic" type, then apply a combination of the Provider, Category, and Family filters. This will help you identify the most significant or critical generic incidents, such as those classified under "Data Storage" or linked to the provider "Postgresql".
GitGuardian now integrates with AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager, Delinea, and Akeyless through ggscout, letting you sync secret incidents with your Secrets Managers—without exposing sensitive data.
What’s in it for you?
Prioritize Faster – Instantly see which secrets are already vaulted and focus on real risks.
Remediate Quicker – Vault unprotected secrets in a click and speed up fixes.
Streamline Workflows – Leverage vaulted secrets insights directly in GitGuardian.
Improve Secrets Hygiene – Spot duplicate, weak, or mismanaged secrets with ggscout.
FCM API Key – Validity check is no longer available since the API has been removed. While we can no longer retrieve the validity status for FCM secrets, we still detect the keys.
License: GitGuardian will now automatically synchronize license information for non-air-gap environments, eliminating the need for manual license syncs after installation or upgrades.
Helm: Added support for nodeSelector in Helm jobs to enhance node scheduling flexibility.
GitGuardian allows you to monitor secret leaks across thousands of your repositories and over 30 different types of sources. It is reassuring to know that this critical secret, which provides access to your corporate LDAP, has not been detected anywhere.
Improve incident organization and tracking with Custom Tags, allowing users to filter, sort, and categorize incidents more effectively. For now, custom tag management (CRUD) and tag assignments to incidents can only be done via the API (API documentation), with UI support coming soon.
To activate this feature, enable custom_tags_enabled in the Preferences page.
HPA now supports web applications (e.g., webapp-public_api), allowing automatic scaling based on demand for improved performance and resource efficiency. Learn more on the autoscaling page.
Scan Only Addition Lines in Commits: Now, when using ggshield or our check runs integration, we only scan for added lines in commits. Developers will no longer be blocked while remediating incidents.
Jira Issue Tracking Integration: Added support for "Numbers (or float)" and "Group Pickers (single group)" custom fields in Jira templates, allowing more customization in notifications and issue tracking.
Enhanced Email Incident Alerting Controls for Members: You can now manage email notification settings more effectively with an option that allows updates through the API, and customize account-level defaults, ensuring a more tailored communication experience for all members. Learn more
Azure Repos Integration: Fixed an issue where organization deletions were not properly synced when using ADO installations in Organization-mode.
GitLab Integration: Resolved an issue where GitLab installations were incorrectly revoked due to temporary plan downgrades or admin status changes.
Users & Teams:
Incidents: Resolved an issue where restricted users could not view the Vulnerable Sources block.
Users: Resolved an issue where user deletion was prevented due to the presence of saved views associated with the user.
Teams Management: Resolved an issue where action menus were not displayed in the teammates table for non-admin users in certain cases.
Alerting:
Confluence Cloud Integration: Fixed an issue where some Confluence Cloud events without a spaceKey were incorrectly ignored.
PagerDuty Alerts for Security Incidents: Fixed an issue where the integration was not sending alerts for real-time incidents.
Email Notifications: Fixed an issue where emails for ignored and valid incidents were sent to all teams a user belongs to, instead of only the teams managing the affected repository.
Self-Hosted:
Helm: Fixed an issue where connecting to Redis Sentinel failed when using a password with special characters.
KOTS: Restored the left navigation menu in the KOTS admin console for embedded cluster installations.
⚠️ Important: This is a required release and cannot be skipped.
Upgrading to 2025.1
Database Deprecation Notice: PostgreSQL 13 & 14 are no longer supported. Learn why upgrading to PostgreSQL 16 is recommended in our engineering blog.
Upgrade Considerations: This release includes a background migration that may take up to 1 hour post-upgrade. It improves query execution speed and search performance. If upgrading from an older version, multiple upgrades may trigger a retry message—wait 1 hour before retrying.
Our first internal machine learning model halves false positives, ensuring data security and privacy without third-party dependencies. This in-house capability is now available for Self-Hosted. More information is available in the documentation.
Enhanced the secrets remediation workflow with precise location details for code fixes and real-time tracking of remediation progress. Learn more here.
⚠️ You can adjust the scan rate limit for the file tracking engine via the scan_after_push_force_rate_limit preference on the Preferences page. Historical scans are recommended to ensure incidents requiring fixes are available in the dashboard.
SCIM integration now supports automatic user deprovisioning in GitGuardian when users are removed from your Identity Provider (IdP). Provisioning for users and teams will be included in a future update. Setup details are available in our documentation.
Navigation: The menu has been redesigned with a collapsible left sidebar for a cleaner, more organized experience.
Jira Data Center integration: Added support for the "User Picker (single user)" custom field in Jira templates. More information is available here.
GitHub integration:
Improved handling of real-time events to retrieve more than 100 commits when necessary, ensuring complete coverage.
Enhanced processing of large patches by making additional API calls to retrieve missing files, up to the policy__maximum_scan_size limit defined in the Preferences page.
Commit length configuration: Admins can configure the maximum total length of commits to scan, with larger commits truncated. This can be set via the repo_scan_max_commit_length preference on the Preferences page.
Helm: The ReplicatedSDK image is now pulled from the Replicated registry instead of Docker Hub. For airgap installations, ensure you update your automation processes for pulling and pushing images to your private registry. For more information, refer to the Airgap Installation page.
Installation and upgrade: Improved error messages for partially initialized databases, providing clear instructions to check logs and ensure the PostgreSQL database is empty before retrying.
Admin Area: Introduced a Periodic Tasks page to adjust schedules and fine-tune periodic task execution.
Queues: Merged the secrets_checks queue with the background validity checks queue to optimize performance.
Secret pattern exclusion: This feature lets users define patterns and hide any secret matching a defined pattern. A secret pattern can be applied to all repositories or to a defined set of repositories. It provides greater control over exclusion rules, allowing more precise management of incidents. Learn more.
Jira Data Center integration: Jira Data Center integration is now supported for real-time secret detection and honeytoken detection. For more details, refer to the documentation here.
Jira Data Center issue tracking integration: We now support Jira Data Center integration for issue tracking. This feature includes:
automatic creation of a Jira issue as soon as a new incident is triggered,
management of Jira custom fields,
and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira.
More information available in the documentation.
GitLab integration: Added the ability to configure an instance-level GitLab integration using a read-only admin token. However, since the token lacks permissions for creating system hooks, manual setup is required. Learn more.
Check runs: Added the option to improve your code security by enabling GitGuardian check runs on their GitHub forked repositories. Learn more here.
VCS integration: Workspace Managers can now disable automatic repository monitoring in GitGuardian, giving you more control when adding new repositories to your perimeter. For an example, see GitHub integration.
Helm: front.ingress has been renamed ingress to improve consistency and standardize the ingress object across the Helm chart. ⚠️ This release includes breaking changes. Upgrade to 2024.12.0 using the upgrade notes.
Cluster management: Replaced the nginx container with Ingress support, compatible with several controllers (ingress-nginx, traefik, contour, aws_alb, openshift, istio). This feature is optional and disabled by default. For more details, refer to the ingress page.
Admin Area: Added a Worker Tasks page for monitoring task activity and worker usage to help optimize scaling and performance.
Applicative Metrics: Added the following metrics: gim_periodic_task_period_seconds, gim_periodic_task_not_run_for_seconds, gim_check_runs_long_running, gim_health_check_result_count, and gim_outdated_health_check_count for better monitoring and insight. For more details, refer to the Applicative metrics page.
Support Bundle: Enhanced diagnose_instance to include celery worker data.
KOTS: Minor UI updates to the KOTS Admin Console, replacing radio buttons with dropdowns in some cases.
Historical Scan: Added minutes_between_scans_per_source in the preference table.
License: The license check is now managed by the ReplicatedSDK for all installation types, replacing the previous reliance on KOTS for this function in KOTS installations.
Policy breaks: Starting with the 2024.12 version, the Policy Breaks module will be removed from your dashboard as we enhance our focus on our core Secrets Security offering.
Deprecating the Policy Breaks module will not affect your overall security coverage; it will only reduce the number of alerts you receive. Previously, alerts for Policy Breaks incidents (such as an exposed .env file) required manual investigation to determine if they contained secrets. Our “Secrets detection” module already handles the detection, incident creation, and alerting for these secrets.
Performance: Fixed an issue when retrieving memberships that sometimes led to "504 Gateway Time-out" errors.
Tasks Management: Fixed an issue in Celery where database connection errors were not properly handled, leading to errors while handling tasks in rare cases.
Confluence Data Center integration: Confluence Data Center integration is now supported for real-time secret detection and honeytoken detection. For more details, refer to the documentation here.
ServiceNow integration: This new issue tracking integration lets you create ServiceNow issues from GitGuardian incidents. The feature includes the following:
possibility to create a ServiceNow issue directly from a GitGuardian incident;
possibility to automate the creation of a ServiceNow issue for any new GitGuardian incident;
auto-resolve setting to mark the incident as resolved in your dashboard when the issue is closed in ServiceNow.
Check runs: GitHub's custom properties can now be leveraged to override the GitGuardian global configuration of check runs. This allows customization at both the repository and organization levels. For more details, please refer to our dedicated documentation.
Historical Scan: New "Bulk Historical Scans Management" page for easy tracking, filtering, and detailed insights on all scans.
Members: You now have the option to deactivate a member instead of deleting them. For more details, refer to our documentation.
API:
All Sources endpoints now require specific scopes for access. The new sources:read scope is required for all GET endpoints to retrieve source information, while the sources:write scope is required for the PATCH endpoint to update a source's attributes, monitoring status, and business criticality.
A new parameter, send_email: true|false, is now available on endpoints that trigger an email notification, such as when an invitation is created. This allows you to determine whether an email should be sent when using these endpoints. By default, if the parameter is not specified, the email will be sent.
Replace the legacy parameter replicated.images.replicated-sdk with the new parameters replicated.image.repository and replicated.image.tag. ⚠️ This release includes breaking changes. Upgrade to 2024.11.0 using the upgrade notes.
Added replicated.privateCASecret parameter to specify a custom CA when using a proxy. Learn more.
Health Check: Distribute health checks over time rather than executing them simultaneously. This reduces system load, avoids bottlenecks, and enhances monitoring accuracy.
⚠️ The settings.healthCheck.periodicInterval in the Helm chart is now deprecated and replaced by spread_periodic_range_minutes in the admin area.
Applicative Metrics: If you are using Prometheus to export GitGuardian metrics or to leverage our autoscaling capabilities, and your installation type is KOTS, ensure that you update the Kubernetes Application RBAC by adding the patch permission to the servicemonitors resource.
Incidents: Notify team leaders only when a valid secret is intentionally ignored.
Perimeter: Fixed inaccurate historical scanning statistics displayed on the side panel of the perimeter page.
Historical Scans:
Fixed UI count on the perimeter page so that "sources successful" now shows the total count of monitored sources, regardless of failed or unscanned sources.
Standardized the date format for start and end dates in the status tooltip.
Corrected the repo size display in the status tooltip.
API: Resolved an issue where an error was raised if the IP address could not be found, even when the IP allowlist setting was disabled. This occurred in an on-premises instance, causing the PAT endpoint of the public API to become non-functional.
Proxy: Support HTTP proxy when customCA is used for the Replicated SDK (used for license management and telemetry collection). Nothing to do if you are using KOTS; if you are using Helm, set isAirgap to false and configure your HTTP proxy following the example.
Secrets detection engine upgrade to version 2.122.1: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
VSCode extension: We are excited to announce the release of GitGuardian CLI (ggshield) as a VS Code extension! Files are now automatically scanned upon saving, with detected secrets highlighted in your code and listed as warnings. Additionally, custom remediation messages are provided within your IDE to guide you in resolving any issues efficiently. Download from the marketplace
Occurrence grouping: Added ability to group secret occurrences per secret x source, allowing separate secret incidents for the same secret found in different sources. This enhances remediation processes tailored to your company's data privacy policies. Learn more.
Filepath exclusion: File path exclusions are now applicable to one or more repositories. By targeting file path exclusions to specific repositories, users can significantly reduce the number of irrelevant incidents, enabling more accurate incident management. Learn more.
Saved views: Saved views can now be created in the Honeytoken module.
Certificate-based authentication: Introduced support for multi-authentication alongside certificate-based authentication and Certificate Revocation List (CRL). For more details, see the documentation here.
New Embedded Cluster Install (Early Access): Installation is now 4x faster, improving the proof-of-concept experience. Simplified management of Kubernetes, KOTS, and app updates streamlines maintenance. More information in the Embedded cluster V2 page.
Cluster Management:
⚠️ Before upgrading GitGuardian, you must upgrade to KOTS version 1.117.3 or later for optimal performance and compatibility.
Removed resources limits for Postgres and Redis on the Embedded cluster installation.
Added two new worker types long-ods (Productivity tools such as Slack, Jira Cloud, Confluence, ...) and long-ods-io (long tasks specialized in Input/Output).
Historical Scan: Added minutes_between_scans_per_source in the preference table.
Personal access token: Resolved a bug to ensure the lifetime of a newly generated personal access token is strictly less than the maximum permissible duration.
Validity check: Fixed GitLab checker wrongly marking some secrets as valid by improving token validation (impacting custom host validity checks).
Note concerning the reCAPTCHA Key detector: Due to changes in the behavior of some Google APIs, we are no longer able to ensure the validity of reCAPTCHA keys. Because this detector can be quite "noisy", confirming the validity of the keys was a mandatory prerequisite in the detection flow, and this can no longer be the case. We have however improved this detector to be as efficient as possible.
Validity check: Specify the host of your own provider instances for GitGuardian to perform validity checks and obtain the exact validity information. For example you can perform a validity check for a GitLab token secret against your own GitLab instance. For more details, refer to our dedicated documentation.
GitGuardian CLI (ggshield) custom remediation message: Admins can now customize remediation messages at the pre-commit, pre-push or pre-receive stages and give developers useful guidance, such as how to use internal vaults. See documentation here.
Historical Scan: Streamline source management with new filters for failure reasons, instances (e.g. prod/staging), and last scan date.
Horizontal Pod Autoscaling (HPA): Dynamically scale worker pods based on application load, reducing infrastructure costs and optimizing resource usage. Learn more in the Scaling page. Exclusive to the new architecture.
Kubernetes Version Support: GitGuardian now supports Kubernetes version 1.30. More information in the System requirements page.
Historical Scan: Removed is_repo_size_controlled (redundant with repo_scan_size_limit) in the preference table.
Support Bundle: Improve troubleshooting by adding an option to customize the maximum amount of logs captured for Helm and KOTS installations.
Jira Cloud Alerting: Fixed an issue where the assignee dropdown in Jira template creation was incomplete for projects with a large number of assignees due to pagination limits.
Historical Scan: Improved handling of pending states and fixed an issue where sources were reaching the timeout limit.
API: Corrected the pagination link in the header to use HTTPS instead of HTTP when querying the API.
Helm preflights: Fixed an issue with Redis and PostgreSQL preflight checks where passwords containing special characters were not functioning correctly.
Cluster Management: Resolved an issue where the Scanner pod was spawning zombie processes (new architecture).
Historical Scan: Resolved an issue with the formatting of days in the last scan duration on the perimeter page.
Secrets detection engine: Due to changes in the google reCAPTCHA API, the checker for reCAPTCHA key detector has been removed and the detector has been updated to remove false positives.
Helm preflights: Resolved an issue with Redis preflights where passwords containing special characters were not properly URL encoded.
Secrets detection engine upgrade to version 2.117: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
API Enhancements: User feedback on secret incidents is now accessible via the API, providing better incident management and insights. This information is included in the feedback_list field within the secret incidents' payload.
Incident Notifications: Team managers will receive email notifications when incidents with valid secrets are ignored, ensuring critical issues are not overlooked.
Weekly Email Recap: New section displaying ignored incidents with valid secrets, improving visibility and actionability for security teams.
Saved views: You can now save your most frequently used filters as views for quicker access. Learn more about saved views here.
Historical Scan Enhancements: These enhancements provide better visibility and management of the scanning process. They include progress estimation for both individual and bulk scans, along with comprehensive scan status details such as size, duration, start/end dates, number of commits, branches, queue duration, and more.
Health Check: Let managers manually start health checks from the GitGuardian dashboard so they can address any failed checks immediately without waiting for the next scheduled run.
GitLab integration: Upon installing a new integration for GitLab Community Edition, it is now possible to skip the historical scan (to launch it manually later).
Teams: Simplified team management with a clear designation of team leaders. The "can_manage|cannot_manage" team permissions have been replaced by a "team leader" boolean attribute that designates the team owner.
⚠️ The team_permissions field has been deprecated and replaced by the is_team_leader field in our API for the endpoints /v1/teams/{team_id}/team_memberships and /v1/teams/{team_id}/team_invitations.
Certificate-based authentication: Support for CAC or PIV cards, enhancing security for organizations with strict authentication requirements. For more information, see the documentation here. This feature is available upon request and is exclusive to the new architecture.
Helm: You can now customize the rolling upgrade strategy with the updateStrategy parameter, providing greater control over deployments. More info on the upgrade page.
Cluster Management:
Productivity tools (such as Slack, Jira Cloud, Confluence, ...) tasks are now defaulted to the worker-worker node in KOTS installations, with the option to scale using dedicated workers. More info on the Scaling page.
Added user input validation in KOTS configurations to prevent errors and improve user experience.
Confluence Cloud integration: Now supports real-time secret and honeytoken detection for seamless security.
Secrets detection engine upgrade to version 2.115: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
Incident details: Added a 'per page' selector on the occurrences table for improved navigation.
Historical Scan:
Skip historical scan of unchanged repositories since the last scan to save time and resources.
Filter and sort repositories by scan duration on the Perimeter page for better management.
Introduced pending_timeout status in the API to differentiate between scans failing due to timeouts (timeout) and those in the queue (pending_timeout).
Members: Renamed 'role' to 'access level' for clarity.
⚠️ The role field has been deprecated and replaced by the access_level field in our API for the endpoints /v1/members and /v1/invitations.
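Both of the API deprecations in these notes (team_permissions replaced by is_team_leader on the team membership and team invitation endpoints, and role replaced by access_level on /v1/members and /v1/invitations) can break automation that reads the old field after an upgrade. The following added example (not GitGuardian's own code) shows a small normalisation layer that accepts records in either shape. The endpoint paths and field names come from the notes above; the sample payloads and access level values are constructed, and mapping "can_manage" to the leader flag is an assumption of this example.

```python
# Added example (not GitGuardian code): normalise member and team-membership
# records returned by the GitGuardian public API across the field renames:
#   - `role` -> `access_level` on /v1/members and /v1/invitations
#   - `team_permissions` -> `is_team_leader` on
#     /v1/teams/{team_id}/team_memberships and /v1/teams/{team_id}/team_invitations
# Field names come from the release notes; the sample payloads below are
# constructed, and treating "can_manage" as the leader flag is an assumption.
from typing import Any


def normalize_member(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a /v1/members record that always carries `access_level`.

    Newer instances return `access_level`; older ones return the deprecated `role`.
    The deprecated key is left in place so callers that still read it keep working.
    """
    out = dict(record)
    if "access_level" not in out:
        if "role" not in out:
            raise KeyError("member record has neither 'access_level' nor 'role'")
        out["access_level"] = out["role"]
    return out


def normalize_team_membership(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a team membership record that always carries `is_team_leader`.

    Older instances return `team_permissions` as "can_manage" / "cannot_manage";
    mapping "can_manage" to True is an assumption of this example.
    """
    out = dict(record)
    if "is_team_leader" not in out:
        perms = out.get("team_permissions")
        if perms not in ("can_manage", "cannot_manage"):
            raise KeyError(
                "team membership record has neither 'is_team_leader' "
                "nor a recognised 'team_permissions' value"
            )
        out["is_team_leader"] = perms == "can_manage"
    return out


def team_leader_member_ids(memberships: list[dict[str, Any]]) -> list[int]:
    """Member ids of team leaders, whichever API version produced the records."""
    normalised = (normalize_team_membership(m) for m in memberships)
    return [m["member_id"] for m in normalised if m["is_team_leader"]]


# Constructed sample payloads: deprecated shape and new shape side by side.
SAMPLE_MEMBERS = [
    {"id": 1, "email": "alice@example.com", "role": "manager"},
    {"id": 2, "email": "bob@example.com", "access_level": "member"},
]
SAMPLE_TEAM_MEMBERSHIPS = [
    {"id": 10, "member_id": 1, "team_id": 7, "team_permissions": "can_manage"},
    {"id": 11, "member_id": 2, "team_id": 7, "is_team_leader": False},
    {"id": 12, "member_id": 3, "team_id": 7, "is_team_leader": True},
]

if __name__ == "__main__":
    for member in SAMPLE_MEMBERS:
        print(normalize_member(member))
    print("team leaders:", team_leader_member_ids(SAMPLE_TEAM_MEMBERSHIPS))
```

Routing every API response through these helpers before the rest of a script touches it means the script keeps working on instances before and after the rename, and the explicit KeyError surfaces unexpected payloads instead of silently treating everyone as a non-leader.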
Helm: Standardize existingSecret across the Helm chart to ensure uniform configuration for Redis Sentinel, Ingress, and CustomCA. ⚠️ This release includes breaking changes. Upgrade to 2024.7.0 using the upgrade notes.
Cluster Management:
New embedded cluster installations now use PostgreSQL 16 for better performance and security. Follow the migration guide to migrate your existing embedded cluster to PostgreSQL 16.
Reorganized KOTS Admin Console configuration for better clarity, including moving the TLS certificate configuration to its own section.
Added a pre-deploy job check to ensure asynchronous migrations are complete before upgrading to a new version.
Included missing scaling parameters webapp-internal_api and webapp-public_api in KOTS Admin for the new architecture.
API: Removed monthly sliding quotas for API calls in the preference table.
Applicative Metrics: Removed gim_version_info and added the following metrics: gim_celery_queue_length, gim_celery_active_consumer_count, gim_repo_scan_active_statuses_total, gim_http_request_started_total, gim_http_request_success_total, and gim_http_request_failure_total for better monitoring and insight. For more details, refer to the Applicative metrics page.
Secrets detection engine upgrade to version 2.114: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
Incidents details: merge commit authors from GitHub are now identified. It is not retroactive.
Incidents: periodic secret validity checks are now enabled for ignored incidents. See documentation here.
GitLab integration: when a GitLab webhook is found disabled, GitGuardian now attempts to reactivate it automatically (by sending a test payload) before triggering an error message.
API: new endpoint to query the secret incidents of a source.
Filepath exclusions: when adding a new rule, show how many new secret incidents will be hidden by the new filepath exclusion, without recalculating existing hidden incidents.
implement periodic health checks on all integration types (VCS, Messaging, Ticketing, Documentation), running every hour, with the frequency configurable in the Admin Area.
send email notifications when an integration health check fails. For further details, refer to the Configure email preferences page. Note that the notification is not enabled by default for existing accounts and must be turned on manually.
Audit Logs:
introduce audit logs for actions in the Admin Area visible only for promoted-admin users.
Jira Cloud Alerting: fix an issue where Jira automatic configurations remained invisible to 'member' role users within the 'All Incidents' team, ensuring uniform visibility across teams.
API:
fix a problem causing conflicting information between the UI and the API regarding team permissions.
fix an incorrect self-hosted instance URL in the API documentation.
Historical scan: attribute automatic historical scans of new repositories to "GitGuardian Bot" in audit logs.
Cluster management:
add missing readiness/liveness probes in gitguardian-app pods in the legacy architecture.
fixed issue preventing bundle generation in Openshift environments.
We strongly recommend that all our customers currently using the legacy architecture transition to our new architecture, which offers numerous advantages! For a detailed overview of the new architecture and guidance on determining whether you're using the New or Legacy GitGuardian architecture, please visit the New GitGuardian Architecture page.
⚠️ Check the Helm values file changes from the previous version here.
Jira Cloud Issue tracking integration: introduction of a new version of our Jira Cloud integration for issue tracking. It now offers:
automatic creation of a Jira issue as soon as a new incident is triggered,
management of Jira custom fields,
and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira Cloud.
More information available in the documentation.
Check runs: a comment is posted on the pull request when a secret is uncovered.
Historical scan: improve historical scan status overview on the perimeter page side bar.
Argo CD: we officially support Argo CD, please refer to the Argo CD specifics page to learn more.
Helm:
⚠️ This release includes breaking changes. Upgrade to 2024.5.0 using the upgrade notes.
add istio.gateway.enabled parameter to be able to disable Istio Gateway handling when Istio is enabled.
give the ability to specify dedicated labels and podLabels for migrations resources.
give the ability to customize the RefreshInterval parameter for externalSecrets.
it is now possible to set the initial admin password in an existing secret.
Cluster management:
GitGuardian currently supports PostgreSQL 13 to 16 (previously, versions 15 and 16 were experimental).
Check CA validity during preflight for both KOTS and Helm installations. If you previously installed GitGuardian on an existing cluster and are planning to upgrade to 2024.5.0, you must modify the rule for the core api group in your configuration by adding:
fix an issue where uninstalling a Bitbucket project inadvertently occurred when a token was removed, despite other valid tokens being present.
enhance logging mechanisms surrounding Bitbucket token operations for better troubleshooting.
Azure repos integration: fix a problem with updating a repository when the token is either invalid or missing.
Cluster management:
fix an issue where the no-proxy list wasn't correctly applied for KOTS installation.
add missing debug image to the KOTS airgap bundle.
Migration new architecture: fix an issue occurring when the KOTS admin password contains special characters.
Prometheus exporter:
fix error 500 from the /metrics path of the exporter when using AWS Elasticache Redis.
fix RBAC error occurring when activating GitGuardian Prometheus exporter in the new architecture with KOTS. If you previously installed GitGuardian on an existing cluster you must modify the rule for monitoring.coreos.com in your configuration. Refer to the Kubernetes Application RBAC page.
Incidents: it is now possible to filter on Occurrences count.
Incidents details: introduction of a secret identity card on each secret incident detail page.
Check runs: skip actions are now aligned with the ignored reasons (false positive, test credential, low risk). Tags (Tagged as [false positive|test credential|low risk] in check runs) are added to the corresponding secret incident when this action is taken.
API: the breakdown of secret incidents by severity is displayed in the payload of the sources.
Honeytoken deployment jobs: automate the deployment of honeytokens in your code repositories from GitLab, GitHub and GitHub Enterprise Server! This is a business-only feature. Read more about Deployment jobs in our documentation.
to ensure your existing cluster meets GitGuardian's requirements, you can run our new preflight script.
add version check before Helm upgrade to ensure no required versions are skipped. If using a private registry for deployment, make sure to download the new image helm-tooling.
Helm Chart:
add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster. Refer to commonLabels in Helm Chart Values. Example:
commonLabels:
  env: staging
add an option to use Generic Ephemeral Inline Volumes for all worker pods. For further details, refer to the Scaling page.
Scaling: a new pod called worker-realtime-ods was added in the new architecture. If Slack or Jira Cloud scanning isn't needed, set its replicas to 0 to save resources via your Helm value file or the KOTS Admin Console.
Health Check: remove VCS health checks from the Admin Area, now available under Settings > Workspace > Integrations.
Jira integration: fix an issue that was preventing assignment on Jira tickets upon creation.
Audit log: correct the logs related to the creation and removal of teammates through the API.
Cluster management:
add missing links to KOTS Admin Console for embedded cluster in the Admin Area.
fix an issue with the KOTS preflights in the legacy architecture for embedded installation when an ElastiCache Redis instance is configured with TLS enabled.
set default number of replicas for scanner_ods pod to 0 for legacy architecture running on openshift.
enable AI filter via the ai_filters_enabled option in the preferences.
Check runs: add check_runs_overrides_labels_ghe option in the preferences to enable overriding the check run settings with repository labels on GitHub Enterprise Server.
Images: GitGuardian images are now signed with Cosign, exclusive to the new architecture.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.28 and 1.29 (experimental). More information in the System requirements page.
Incident details: fix an issue on the git patch restricted visibility feature that was preventing members from seeing the patch they were involved in based on email matching.
GitHub integration: performance improvement when a lot of repositories are added at the same time.
GitLab integration:
fix an issue where the GitLab instance URL was incorrectly displayed instead of the GitLab token name.
remove the "Check Again" button from the health check for users on the Free plan.
Bitbucket integration: improve handling of token revocation to prevent issues when a repository changes ownership.
Cluster management:
preflight checks now confirm support for Redis version 7.
remove the link to the KOTS Admin Console from the Admin Area for existing cluster installations (both Helm and KOTS). For further details, refer to the Access to the Admin Area page.
set default number of replicas for scanner_ods pod to 0 for new architecture.
fix an issue with the periodic task related to the database encryption key rotation.
Helm Chart: add missing podAnnotations in webapp object definition.
Incident: fix an issue with validity check failure hitting a timeout in some specific cases.
Cluster management: fix an issue with KOTS preflights failing with PostgreSQL or Redis with TLS enabled.
SMTP configuration: make the option to support SMTP servers using a self-signed certificate permanent. More details in the Configure the email system page.
Incidents: exporting CSV secret incidents now allows changing the separator used, comma (default) or tab. More details in the Export data section of the documentation.
Incident details: update of the default remediation workflow.
Check runs:
the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
the incident status is displayed in the GitHub check run details.
improve transparency about error causes and timeouts in the check run summary.
the is_actionable_checkrun_enabled preference in the Admin area is deprecated. Action buttons on check runs are now enabled by default.
Custom detectors: improve error messages for invalid regex when requesting a custom detector.
GitHub integration: add commit_collector_max_workers option in the preferences to use more workers to collect commits.
GitLab integration: we now detect and notify by email and raise a health check error when a GitLab group hook was disabled by GitLab, causing the monitoring not to work anymore.
Azure repos integration: improvement of the billing metrics. You now must check the Graph:Read scope in your Personal Access Token. More information in our VCS integrations documentation.
add support for Redis Sentinel in KOTS and Helm installs in the new architecture.
add support of multiple CA certificates concatenated in KOTS install in the new architecture.
Helm Chart: replace deprecated v1alpha1 API version of External Secret Manager with the latest version v0.9.11.
Applicative Metrics: rename appExporter to webAppExporter and celeryExporter to statefulAppExporter in the Helm-based Prometheus activation. More details in the Applicative metrics page.
SMTP configuration: provide an option to support SMTP servers using a self-signed certificate. More details in the Configure the email system page.
Ensure the btree_gin PostgreSQL extension is installed for optimized text search performance. Either install it manually or give the database user used by GitGuardian sufficient privileges to do so. If the extension is not installed manually and the privileges are insufficient, the upgrade may fail with an error indicating that the CREATE privilege on the current database is required to install the extension. More details in the System requirements page.
⚠️ Check the Helm values file changes from the previous version here.
Chainguard: Chainguard-based GitGuardian images are now used by default, enhancing security by reducing CVE exposure. Available only on the new GitGuardian architecture. Additionally, both KOTS admin version 1.104.4 and Replicated SDK version 1.0.0-beta.12 are built using a distroless base image from Chainguard.
SMTP configuration: the system now supports unauthenticated SMTP servers, allowing for more flexible email service integration.
KOTS preflights: update preflights to support TLS for Redis and PostgreSQL.
Helm Chart:
Private registries: introduce support for the Replicated SDK image and offer an option to include a custom nginx image for private CA insertion. For detailed information, refer to the Install on Airgap page.
RBAC: add Kubernetes Roles and RoleBindings required for the app in the Helm Chart (optional but enabled by default). Refer to rbac in Helm Chart Values.
Cluster management: update Kubernetes version to 1.27 for embedded cluster. For further details, refer to the Upgrade page.
Before upgrading GitGuardian, you must upgrade to KOTS version 1.104 or later for optimal performance and compatibility.
If you previously installed GitGuardian on an existing cluster using KOTS and either lack cluster-admin rights in your Kubernetes cluster or wish to limit permissions for the KOTS Admin Console, you must modify the rule for apps in your configuration by adding the replicasets resource. Refer to the Kubernetes Application RBAC documentation page.
IP allow-listing for Honeytoken: it's now possible to add IP ranges to an allow-list, ensuring events from these IPs won’t trigger the honeytokens. Learn more about IP rules.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.27 and 1.28 (experimental). More information in the System requirements page.
Helm and KOTS installation: introduce a new Replicated SDK pod for license management and telemetry collection. More information in the Replicated documentation.
Helm Chart:
Private registries: support specifying existing Docker secrets and custom registries, enabling image pulls from private registries. Refer to the documentation for more details.
Kubernetes resource: add missing Kubernetes resources properties for Pre/Post deploy jobs and nginx init containers.
Pod security context: implement enhanced pod security context configurations in line with the Pod Security Admission feature of Kubernetes v1.25, now customizable via Helm values for improved security compliance. Refer to containerSecurityContext in Helm Chart Values.
Custom Telemetry: gather product usage metrics, such as the number of VCS integrations and incidents, and API call statistics. We prioritize your privacy and assure you that no personal data is collected through this process. It can be easily deactivated by adjusting the custom_telemetry_active setting found in the preferences section of the Admin area.
GitHub integration: handling of GitHub app ownership transfer: it is now possible to change ownership without deleting the self-hosted application.
Incidents: filtered results in CSV export: the CSV export now keeps the filters applied.
API: fix the /secret_detectors endpoint to filter out detectors that have been administratively disabled by GitGuardian.
User Preferences: fix an issue where the "email not configured" banner incorrectly persists in private browsing mode due to a failure in loading user preferences.
Historical scan: ensure UTF-8 character encoding compatibility for filenames in repositories.
Incident details: git patches of occurrences can now have restricted visibility to only the teams and developers involved with the occurrence, thanks to a workspace setting. If the git patch of an occurrence is too large, a link to the Version Control System is displayed instead.
Historical scan: addition of some details in the status tooltip, including scan duration and number of commits and branches scanned. For failed scans, the tooltip now also displays the reason for the failure.
API: New endpoint to retrieve secret incidents of a team.
ggshield: the ggshield auth login flow now asks you to confirm scopes.
Teams: users can now filter the incidents and the perimeter pages based on their teams. Managers have the flexibility to filter any team, while Members can only filter their own teams.
Alerting integrations: alerting integrations are now available at team level. More information in our teams documentation.
Chainguard: introducing an experimental.chainguard flag in Helm chart values for enabling Chainguard-based GitGuardian images, enhancing security by reducing CVE exposure. Default is false, available only in Helm-based install on the new GitGuardian architecture.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.25, 1.26, and offers experimental support for version 1.27 for Existing Cluster installations. More information in the System requirements page.
Azure repos integration: the installation status persists on all pages until the installation is complete. Removing a token no longer causes a crash in other installations.
Bitbucket integration: prevents connection errors from revoking a Bitbucket token, letting instances go through maintenance without needing to re-enter their token afterwards.
Teams: fix a bug that caused incidents belonging to an unmonitored repository to still be visible to the team.
Historical scan: support for special UTF-8 characters, like Kanji, in filenames during historical scans. Improve handling of commits without dates.
Incidents: addition of the Default branch tag to secret incidents that occurred on the default git branch of a repository.
Incident details: filters have been added to the occurrences table.
Incident details: the public sharing toggle has been moved to the "Grant access" modal, which has been renamed to the "Share" modal. For a more detailed explanation, please refer to our collaboration and sharing documentation.
Integrations: modification of the Integrations and Settings/Integrations pages.
Secrets detection engine: upgrade to version 2.94 with the addition of four new detectors:
Custom webhook: fix notifications when a bulk action is performed. Previously, only one notification was sent, for the first incident affected by the bulk action; notifications are now sent for each incident modified by the bulk action.
Automated severity scoring: managers and workspace owners can now activate the automated severity scoring feature for Self-Hosted environments in order to automatically score incidents with a severity.
Custom severity rules: the severity ruleset used by the automated severity scoring is now customizable to maximize the coverage of automatically scored incidents.
Incident details: feedback about the incident can now be submitted in a standardized way through a form that is available on the incident's page.
Refer to this page for more information on how to use this form effectively and involve your developer population during the remediation process.
Incidents: addition of new filter to select the incidents that are publicly shared.
Teams: team owners with the Member role can now invite brand new users to the workspace when adding teammates to their team. This feature can be deactivated.
For more details, please refer to this page.
Grant access: users with Full access incident permissions can now invite brand new users to the workspace when granting access to an incident.
For more details, please refer to this page.
Secrets detection engine: upgrade to version 2.93 with the addition of four new detectors:
Cluster management: you can now install GitGuardian Self-Hosted using Helm
Charts. This feature is currently in Beta. More information is available in
the installation documentation.
Cluster management: allow self-hosted instances to use a specific Redis
instance for the commit cache. More information is available in
our documentation.
Jira integration: Jira ticket creation CTAs are hidden for workspaces
without a single Jira site installed.
Jira integration: fix permission issues by disabling the configure button
for users without a Manager role and allowing users with the Restricted role
and Can edit permissions to create a Jira ticket.
Detectors list: when the validity checks are disabled, the detectors are
sorted by status.
Notifications: fix empty emails being sent after an occurrence was found
during a real-time scan.
Personal access tokens: Restricted users now only see the scan scope in
the personal access token form.
Cluster management: fix password issue that was blocking application
initialization during GitGuardian installation.
Teams: addition of a description field for your teams.
Teams: the "all-incidents" team is now visible in the Members table.
Perimeter: improve the display of the historical scan's last status
information.
Playbooks: new Auto-resolution playbook to automatically close incidents
that were once valid and have since become invalid.
Secret incident: prevent valid secrets from being "marked as revoked".
Cluster management: Self-hosted GitGuardian environments now support
PostgreSQL version 13. Support for PostgreSQL version 12 is deprecated as of this
release.
Incident detail: fix misplaced secret in the commit patch when detected by a historical scan and in real-time. Please
contact the Support team if you have occurrences impacted in your environment.
Teams: introducing team management within a workspace and granular
incident permissions (can view, can edit, full access). You can activate
the feature on the Admin Area's preference page.
Custom webhooks: update the action field with more user-friendly
messages.
Perimeter page: update the information displayed in the Protection
section.
Analytics: add all ggshield modes to the Analytics section.
Custom Certificates for Cluster Management: integrate custom
Certificate Authorities for integrations. This feature was in beta and is
now stabilized. More information is available in the
dedicated documentation.
API: add the API URL to the dashboard, in the
section API >> Quota. The URL is also updated in the API documentation of
those environments.
Bitbucket Integration: when you create a branch on a monitored repository,
the event now triggers a scan of the branch commits only, and not of the whole
repository.
Applicative Metrics: applicative metrics are added to help you monitor
your self-hosted instance. More information is available in the
dedicated documentation.
API: move the Personal access tokens to the API section.
Check runs: improve success message in GitHub UI.
GitHub: expose the base/head branch of GitHub pull requests.
Incident: mark the third remediation step "rewrite git history" as
optional.
Health checks: health checks are displayed in the VCS integration settings.
ggshield: since ggshield v1.12, the ggshield scan and ggshield ignore
commands are deprecated; use ggshield secret scan and ggshield secret ignore
instead.
Health checks: we add VCS troubleshooting tools in the Admin
Area. You can check the status of your integrations and gather error information
on this page.
More information is available in the
dedicated documentation.
Personal access tokens and service accounts: we now distinguish two types
of API keys: Personal Access Tokens and Service accounts.
More information is available in the
dedicated documentation.
GitHub check runs now handle the regression mode. If an already resolved
secret incident is detected by a check run AND the regression mode is OFF, the
check run won’t raise the secret.
GitHub: a comment can be posted directly to the GitHub pull request timeline
when a check run detects a secret. This can be deactivated in Settings by a
Manager.
API: we add an API endpoint to list the members who have access to an incident.
More information is available in the
dedicated documentation.
PostgreSQL: Secrets are now encrypted in the database.
Incident: Restricted users are no longer able to generate incident-sharing
links.
caution
This release integrates secret encryption in the database. Please be careful
while updating, and do not hesitate to make a complete backup of your database before
upgrading.
TLS Support for PostgreSQL: Transport Layer Security (TLS) is an
encryption protocol intended to keep data secure when being transferred over a
network. When installing GitGuardian Self-Hosted, users can now activate the
option for PostgreSQL.
API: members are now exposed in the API, and new fields were added
to the source payload.
Incident detail: From an incident detail page, you can grant access to a
selection of Restricted users.
TLS Support for Redis: Transport Layer Security (TLS) is an encryption
protocol intended to keep data secure when being transferred over a network.
When installing GitGuardian Self-Hosted, users can now activate the option for
Redis. You can find more information about the configuration on
our official documentation
API: new incident::share scope for granting access to incidents, documented
here.
Regression: added a workspace setting giving the option to control the
behavior of GitGuardian when a new occurrence of an already-resolved incident is
detected.
Custom webhooks: added validity and severity to the payload.
Synchronization between ggshield and the dashboard: secrets ignored on
the dashboard will also be ignored by ggshield. Detectors deactivated in the
dashboard will be deactivated for ggshield too.