January 2025

This release introduces several significant updates, including False Positive Remover v1, which reduces false positives by 50% using machine learning, Remediation Tracking for real-time progress monitoring with precise fix locations, and Slack historical scans to detect leaked secrets. The self-hosted platform now includes support for SCIM user deprovisioning and Microsoft Teams alerts. Explore all updates in the release notes below.

As always, we encourage you to update to the latest version to take full advantage of these enhancements. Detailed instructions for the update process are available in our documentation.

                     Minimum    Recommended
KOTS Version         1.117.3    latest
Kubernetes Version   1.25       1.30
PostgreSQL Version   15 ⚠️      16
Redis Version        6          7

📋 Check out the Helm values file changes from the previous version.

Important: This is a required release and cannot be skipped

2025.1.0

Release Date: January 20, 2025

Secrets Detection

  • Expanded Secrets Detection Engine
    The detection engine has been upgraded to version 2.129.1, introducing 5 new detectors and enhancing 5 existing detectors to provide broader and more precise coverage for sensitive information.

  • False Positive Remover v1: Our first internal machine learning model halves false positives, ensuring data security and privacy without third-party dependencies. This in-house capability is now available for Self-Hosted. More information is available in the documentation.

  • Slack integration: Slack integration is now supported for scanning the full history of your public and private Slack channels to detect leaked secrets.

  • Remediation tracking: Enhanced the secrets remediation workflow with precise location details for code fixes and real-time tracking of remediation progress. Learn more here.
    ⚠️ You can adjust the scan rate limit for the file tracking engine via the scan_after_push_force_rate_limit preference on the Preferences page. Historical scans are recommended to ensure incidents requiring fixes are available in the dashboard.

  • GitHub integration:

    • Improved handling of real-time events to retrieve more than 100 commits when necessary, ensuring complete coverage.
    • Enhanced processing of large patches by making additional API calls to retrieve missing files, up to the policy__maximum_scan_size limit defined in the Preferences page.

Platform

  • Navigation: The menu has been redesigned with a collapsible left sidebar for a cleaner, more organized experience.
  • Microsoft Teams Alerts for Security Incidents: We now support real-time GitGuardian notifications in Microsoft Teams. This feature includes:
    • automatic alerts sent directly to your chosen Teams channels whenever a security incident is detected,
    • secure notifications without exposing sensitive data, linking to the GitGuardian dashboard for full details. More information is available in the documentation.
  • Jira Data Center integration: Added support for the "User Picker (single user)" custom field in Jira templates. More information is available here.
  • User management: SCIM integration now supports automatic user deprovisioning in GitGuardian when users are removed from your Identity Provider (IdP). Provisioning for users and teams will be included in a future update. Setup details are available in our documentation.
  • Commit length configuration: Admins can configure the maximum total length of commits to scan, with larger commits truncated. This can be set via the repo_scan_max_commit_length preference on the Preferences page.

Self-Hosted

  • Upgrade: ⚠️ This version includes a lengthy database migration that runs in the background post-upgrade and may take up to 1 hour. If upgrading from an older version, multiple upgrades may result in a retry message. Please wait 1 hour before retrying. This migration will accelerate some queries and improve search performance.
  • Database: ⚠️ PostgreSQL 13 and 14 are no longer supported. Learn more about reasons to upgrade to PostgreSQL 16 in our engineering blog.
  • Helm: ⚠️
    • The ReplicatedSDK image is now pulled from the Replicated registry instead of Docker Hub. For airgap installations, ensure you update your automation processes for pulling and pushing images to your private registry. For more information, refer to the Airgap Installation page.
    • External secrets handling will be deprecated starting with the 2024.3.0 release.
  • Installation and upgrade: Improved error messages for partially initialized databases, providing clear instructions to check logs and ensure the PostgreSQL database is empty before retrying.
  • Admin Area: Introduced a Periodic Tasks page to adjust schedules and fine-tune periodic task execution.
  • Queues: Merged the secrets_checks queue with the background validity checks queue to optimize performance.

Fixes

  • GitLab: Enabled viewing of more than 50,000 GitLab projects in the integration settings.
  • Check runs: Updated messages to note that flagged secrets lack commit references and remain compromised once leaked.
  • Validity check: Fixed an issue where the tooltip incorrectly indicated a token was valid for all endpoints when it was valid for only one.
  • Jira issue tracking: Fixed an issue where line feeds (\n) were not properly translated to hardBreak nodes, ensuring correct spacing in Jira tickets.
  • Admin area: Corrected sorting and filters on the Worker Tasks page for improved usability.

Security fixes


2025.1.1 - Required

Release Date: January 23, 2025

Fixes

  • Embedded cluster installation:
    • Fixed an issue where the GitGuardian dashboard returned a 404 error. Note that this fix does not apply to legacy embedded clusters using Kurl.
    • Resolved the inability to deploy an embedded cluster with a custom CA.
  • Helm:
    • Fixed a 404 error on the /metrics endpoint for fetching GitGuardian applicative metrics on Webapp pods and Celery workers.
    • Fixed Replicated RBAC resources being created despite rbac.enabled: false in Helm values, causing issues in RBAC-restricted environments.
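
One way to confirm the rbac.enabled: false fix in an RBAC-restricted environment is to scan the rendered chart manifests for RBAC objects before applying them. The following is an added example, not GitGuardian's own code; the function name, the chart path and every resource name in the sample are assumptions made up for illustration.

```python
import re

# Kinds served by the rbac.authorization.k8s.io API group.
RBAC_KINDS = {"Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding"}

def rbac_resources(rendered):
    """Return (kind, name) for each RBAC object in multi-document YAML."""
    found = []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        top, name, in_meta, meta_indent = {}, None, False, None
        for line in doc.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or "# Source: ..." comment
            indent = len(line) - len(line.lstrip())
            key, _, val = line.strip().partition(":")
            val = val.strip().strip("\"'")
            if indent == 0:
                top[key] = val
                in_meta, meta_indent = key == "metadata", None
            elif in_meta:
                if meta_indent is None:
                    meta_indent = indent  # indentation of metadata's direct children
                if indent == meta_indent and key == "name":
                    name = val
        api = top.get("apiVersion", "")
        if top.get("kind") in RBAC_KINDS and api.startswith("rbac.authorization.k8s.io/"):
            found.append((top["kind"], name))
    return found

# Constructed sample standing in for rendered chart output; all names are made up.
SAMPLE = """\
# Source: example-chart/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-sdk
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    name: decoy-label
  name: example-sdk-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-sdk-rolebinding
"""
```

Pass it the output of helm template rendered with your own values file; any entry returned is an RBAC object your cluster policy would have to allow.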