2025.4.0 - Required
Release Date: April 25, 2025
System Requirements Update
Ensure your infrastructure meets the latest requirements for optimal performance and security:
| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.25 | 1.31 |
| PostgreSQL | 15 | 16 |
| Redis | 6 | |
| helm | 3.13 | Latest |
⚠️ Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.
Helm & Upgrade Considerations
⚠️ Important: This is a required release and cannot be skipped.
To ensure compatibility, please review Helm values updates from the previous version.
Air gap deployment? We’ve added new images in this release. Find all image and tag names on the Air Gap Install page.
Get full control of your Non-Human Identities
We're proud to introduce our brand new NHI Governance product! This solution is designed to help you manage and secure your Non-Human Identities (NHIs) and related secrets.
As organizations face exponential growth in machine identities, NHI Governance delivers a comprehensive observability and lifecycle management across all your environments. Integrating with leading secrets managers and other sources from your infrastructure, it centralizes inventory, helps you assess your posture, and enforces security policies. The solution includes:
- Deep contextual insights, mapping relationships between secrets, their consumers, and resources, drastically reducing incident response times.
- Advanced analytics helps you identify risks like overprivileged NHIs and track hygiene metrics.
- Policy enforcement aligns your posture with standards such as the OWASP NHI Top 10.
NHI Governance empowers you to regain control over your NHIs and tied secrets, reduce risk, accelerate compliance tasks, and improve hygiene by addressing orphaned, untracked, or overprivileged credentials.
Ready to start your journey towards safer secrets management? Request access to GitGuardian NHI Governance by contacting your sales representative.
Prioritize faster with Secrets Analyzer
We're excited to announce Secrets Analyzer, a new enhancement to our secrets detection capabilities.
Secrets Analyzer automatically gathers additional context for detected secrets, including their associated scopes, permissions, ownership, and relevant perimeter information where available.
This added intelligence helps security teams:
- Evaluate the potential impact of a secret incident more accurately.
- Prioritize remediation efforts based on risk level.
- Streamline the overall incident response process.
For details on how each analyzer works, including metadata collected and validation calls:
- Explore the Secret Analyzers documentation.
- View the full list of Available Analyzers.
- See a specific example for the Jira Token Secret Analyzer.
Improve incident remediation with custom tags
Take control of incident management with custom tags. This feature allows you to categorize, filter, and search incidents using customized labels, offering greater flexibility in tracking and prioritizing incidents, and improving remediation workflows.
For developers, you can interact with custom tags via the API. For more information, visit the API documentation.
For more details on how to use custom tags within the GitGuardian platform, check out our detailed guide.
Email notifications enhancement
You now have two options for receiving incident email notifications: "All incidents" (default) or "Only incidents involving yourself (based on your Git commit email)". Learn more about email preferences.
Log collector for Self-Hosted
Our self-hosted deployments now include a seamless log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This enhancement ensures that relevant logs are efficiently gathered and stored, supporting faster troubleshooting and support—without requiring any manual setup from users.
This log collection system is now enabled by default for all installation types (Helm or KOTS).
Learn more about the log collector.
Secrets Detection Engine (v2.135)
Improved accuracy and broader coverage in this latest release:
New Detectors
- Azure Logic App Shared Access Signature – New detector for Azure Logic App Shared Access Signature.
- Multiple new detectors have been added for Artifactory:
Detector Improvements
- Snowflake Credentials – The Snowpark API credentials detector has been enhanced to identify more patterns.
- IBM Cloud Key – We reduced false positives in the IBM Platform API key detector.
- PlanetScale Database Password – Expanded detection to cover more host names for the PlanetScale database password detector.
- Artifactory Token With Host – Improved precision for host names.
- LINE Messaging OAuth2 – Removed false positives from the LINE Messaging OAuth2 detector.
- OpenAI API Key – Fixed a bug in the analyzer for OpenAI API Key that prevented it from reporting `threads:*` scopes.
Detector changes
- FCM API Key – Removed FCM API Key checker since its API was removed.
Miscellaneous
- Add User Agent `GitGuardian` in the HTTPClient class used by analyzers.
Enhancements
- Incidents: Added a new filter to improve incident categorization based on the presence or absence of Jira Data Center tickets.
- Custom Tags: Users can now create custom tags directly from search queries in the dashboard.
- Custom webhook: Add the team name and webhook name to the custom webhook payload for incidents and occurrences. Learn more.
- Jira Configuration: Introduced a new layout for the Jira Configuration form to enhance user experience and streamline configuration tasks.
- Navigation Improvements:
- Added persistent section state to remember your navigation preferences and updated browser tab titles for better identification when managing multiple tabs.
- Added a "Skip to Main Content" button for better accessibility. When using keyboard navigation, pressing the `Tab` key reveals the button, which allows users to bypass navigation menus and jump directly to the main content area.
- Invitation: Added `GET /v1/invitations/{invitation_id}` endpoint to retrieve invitation details through the Public API.
- Self-Hosted:
- Email Configuration: Improved error messages to provide clearer guidance when setting up email configurations.
- Troubleshooting: Enhanced debug capabilities by adding network diagnostic tools (netcat, openssl) to the debug image. Learn more.
- Helm:
- Extended the readiness probe timeout on public-api to enhance stability and prevent premature failures.
- Resolved an issue where the host was not specified in the health ingress configuration.
- Added `global.compatibility.openshift.adaptSecurityContext` configuration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values include `auto` (default), `force`, and `disabled` for flexible security context adaptation. Learn more.
- Added default `support-bundle` Role and optional ClusterRole creation (configurable via `replicated.supportBundle.rbac.clusterRole.create`).
- The PostgreSQL `pgvector` extension is now required by default (`postgresql.plugins.pgvector.enabled`). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
- Ingress:
- Improved response times for issue occurrence queries through optimized request routing. Particularly useful when autoscaling `webapp-public_api`.
- Standardized health check endpoint routing by removing the wildcard host configuration from `gim-ingress-health` and consolidating `/api/v1/health` under the main API hostname.
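A Helm values override, added here as an illustration and not taken from the GitGuardian chart or its documentation, that sets the three Helm settings this release introduces or changes at the key paths named above; the YAML nesting is assumed from the dotted key names, the default values shown are assumptions, and every other chart value is left at its default.

```yaml
# Added example (not the GitGuardian chart's own values file).
# Key paths come from the 2025.4.0 release notes; nesting is assumed from the dotted names.
# Apply with: helm upgrade <release> <chart> -f values-2025.4.0.yaml

global:
  compatibility:
    openshift:
      # Allowed values per the release notes: auto (default), force, disabled.
      # Set to force on OpenShift clusters enforcing the restricted-v2 SCC
      # if auto-detection does not trigger; disabled keeps the stock
      # security contexts (assumed semantics).
      adaptSecurityContext: auto

replicated:
  supportBundle:
    rbac:
      clusterRole:
        # A namespaced support-bundle Role is created by default; the
        # ClusterRole is optional. false is the least-privilege choice
        # unless the support bundle needs cluster-wide read access (assumed default).
        create: false

postgresql:
  plugins:
    pgvector:
      # Required by default from this release. The extension must also be
      # installed on the PostgreSQL server itself (see the installation instructions).
      enabled: true
```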
Fixes
- Jira Cloud Issue Tracking Integration: Fixed an issue where Jira project keys were incorrectly changed during synchronization.
- GitLab Integration:
- Fixed an issue where multiple emails were sent for failures in multiple group hooks on the same GitLab instance, ensuring only one email is sent per instance.
- We improved the process for read-only token installations by automatically detecting and updating the webhook ID if the webhook was created manually.
- Resolved an issue where system hook checks returned a 403 forbidden error when using a read-only token.
- Fixed unnecessary scans triggered by webhooks related to unmonitored repositories.
- Incidents: Fixed a bug that could cause unnecessary data refresh on the incidents list when switching browser tabs.
- Self-Hosted:
- Licensing: Updated the notification message for license expiration on self-hosted environments to provide clearer guidance.
- Security: Added Content Security Policy (CSP) headers to HTTP responses to strengthen browser security controls.