2025.10 - Required
| Version | Release date |
|---|---|
| 2025.10.0 | October 27, 2025 |
System Requirements Update
Ensure your infrastructure meets the latest requirements for optimal performance and security:
| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.28 | 1.32 |
| PostgreSQL | 15 | 16 |
| Redis | 6 | 7 |
| ggscout | 0.19.0 | Latest |
Helm & Upgrade Considerations
To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.
⚠️ Important: This is a required release and cannot be skipped.
Helm installations: This release changes the MinIO image used in the log collector and requires updates to your Helm values file. See Upgrade Helm > Upgrading to 2025.10.
Seal the Leak - Instantly Revoke Secrets with GitGuardian!
We're thrilled to introduce Secret Revocation directly from the GitGuardian platform for supported providers, including GitHub, GitLab, and OpenAI. This enhancement is designed to accelerate your incident response process, reducing manual efforts and enabling you to quickly prevent attackers from leveraging your compromised secrets.
How it works:
- Quickly identify revocable secrets: Using the newly introduced `Revocable by GitGuardian` tag.
- Access Controls: Requires full-access permissions on the incidents.
- Instant Revocation: Revoke secrets immediately using the call-to-action from the incident detail view.
- Safety First: Includes a confirmation step to prevent accidental revocations.
- Closing the incident loop: Automatically resolves incidents when valid secrets are revoked.
- Comprehensive Audit Trail: Every revocation activity is tracked and logged within the incident timeline for compliance and auditing purposes.
Assess the impact first:
To prevent operational disruption, always assess the impact of a revocation first. GitGuardian provides the context you need to evaluate the risk, including identifying which workloads depend on the credential, so you can act confidently.
Why it matters:
Manual secret revocation is traditionally slow and complex, as it often involves different teams. This delays the incident response and increases the security risk that compromised secrets pose. This integrated revocation feature significantly shortens secret exposure times and expedites incident response workflows, especially once the investigation confirms that the secret should be revoked.
Context Preview for non-VCS Secret Leaks!
We're thrilled to announce a feature that will significantly enhance your investigation: Context Previews are now available for Secret Leaks in non-VCS sources like SharePoint, OneDrive, Slack, and Confluence!
What does this mean for you?
- Immediate Context Visibility: Instantly view the surrounding content where secrets were detected, directly within GitGuardian incidents. No more switching between systems!
- Accelerated Investigation: Reduce investigation time by up to 75% with quick access to contextual information, enabling faster, more informed remediation decisions.
Why is this important?
In today's fast-paced digital landscape, efficient incident response is crucial. By providing immediate context, this feature empowers you to act swiftly and accurately, minimizing potential risks and enhancing your organization's security posture.
Get Started Today!
Context previews are now automatically available by default for all non-VCS incidents on your workspace.
Get in touch with our Support team if you want this feature disabled.
MS Teams attachment scanning is here!
We're thrilled to expand our detection coverage with Microsoft Teams Attachment Scanning!
Now, you can ensure comprehensive security by detecting secrets hidden in file attachments shared within Microsoft Teams.
Why This Matters?
- Enhanced Security: Automatically scan attachments for secrets, closing critical security gaps.
- Seamless Integration: No extra setup required, works effortlessly with your existing GitGuardian setup.
- No Extra Cost: Included in your current GitGuardian subscription.
Historical Scanning Consideration:
To cover your debt in file attachments shared in past messages, access your perimeter, manually select sources you want to cover, and scan them.
Get Started Today: Secure your Teams environment and protect your sensitive data now!
Check out our documentation to learn more.
ggshield - Show vault information for vaulted secrets
We're excited to announce an enhancement to ggshield that will streamline your remediation workflow: secret managers’ information is now available for secrets detected in integrated secrets managers!
What does this mean for you?
Enhanced Remediation Context: Previously, ggshield only indicated whether a secret was present in an integrated vault. Now you get the complete picture with specific vault names and exact paths, enabling faster and more precise remediation decisions.
Streamlined Developer Experience: Developers now receive detailed guidance directly in their CI pipelines and local environments, reducing the time spent investigating where secrets are stored and how to properly remediate them.
Why is this important?
In today's complex infrastructure landscape, secrets are often distributed across multiple vault systems. By providing precise vault location information, we empower development teams to act swiftly and accurately, significantly reducing investigation time and improving security posture across your organization.
Get Started Today!
This enhancement is automatically available in the latest version of ggshield. Update ggshield to 1.42+ to start benefiting from enhanced vault information display in your scanning workflows.
Check out our documentation to learn more.
Expand NHI graph
We’re pleased to introduce a major enhancement to GitGuardian's identity graph with an improved visualization experience that enhances how you investigate secret incidents across your security perimeter.
What’s new?
- Unified all graph views into a single, context-rich interface.
- Key details like severity, source, and occurrences are shown directly in the graph, enabling faster incident understanding without page switching.
- Supports consolidated investigation across private monitoring and NHI inventory in one view.
Why it matters:
Having a unified and enriched graph view is critical for modern security teams to efficiently understand and remediate secret exposures. It simplifies the complexity of correlating incidents appearing across internal monitoring and NHI and helps prioritize response actions.
Availability:
These enhanced graph views are now live across the Internal Monitoring and NHI Governance modules. Experience the new unified visualization by visiting any incident in your dashboard.
Secrets Detection Engine (v2.149)
New Detectors
- Weaviate Token with Hostname – Detects Weaviate tokens associated with specific hostnames.
- Cursor API Key – Adds detection for Cursor Admin & User API keys.
- Virustotal API Key – New detector for VirusTotal API keys.
- Cloudflare Turnstile Secret Key – Added a new detector for Cloudflare Turnstile secret keys.
- Stability AI API Key – Add a detector for Stability AI API Key.
- Azure Cognito OAuth Credentials – Added a new detector for AWS Cognito OAuth credentials.
- Azure Cognito OAuth Credentials with Host – Added detector with host-specific checks and checker.
- Artifactory Access Token – Allow for dashes in JFrog Artifactory hostnames.
- Artifactory Basic Auth Credentials – Allow for dashes in JFrog Artifactory hostnames.
- Artifactory Reference Token with Host – Allow for dashes in JFrog Artifactory hostnames.
- Artifactory Token with Host – Allow for dashes in JFrog Artifactory hostnames.
- GitLab Feature Flags Client Token with Project ID – Detects GitLab feature flags tokens and the associated project ID.
- Kubernetes JWT with Host – New detector for Kubernetes JWT with host.
- GitLab Trigger Token – Add detector for GitLab Trigger Tokens.
- Brave Search API Key – Brave Search API keys.
- GitLab Deploy Token – GitLab deploy tokens.
- Firecrawl API Key – Firecrawl API keys.
- Dify API Key – Dify API keys.
- GitLab Runner Authentication Token – GitLab runner authentication tokens.
- Ubidots API Key – Ubidots API keys.
- Vapi API Key – Vapi API keys.
- Llama Cloud API Key – Llama Cloud API keys.
- Azure Cosmos DB Credentials – Extend host pattern to improve recall.
- GitLab Token – Restrict detector pattern to reduce false positives.
- ODBC Connection String – Improve ODBC connection string precision.
- Comet API Key: Added a detector and checker for Comet API keys.
- Langfuse Credentials: Added a new detector and checker for Langfuse Credentials.
- Okta OAuth Credentials with Host: Added a new detector and checker for Okta OAuth credentials with host.
- Okta API Token with Host: Added a new detector and checker for Okta API token with host.
Detector Improvements
- Company Email + Password – Improved to exclude Zoom meeting details as false positives.
- Generic High Entropy Secret – Now ignores JSON Web Tokens; JWTs are handled by the dedicated `json_web_token` detector.
- Google API Key – Checker upgrade: Updated `googleaiza` checker to avoid reporting all secrets as valid.
- Jira Basic Auth – Fixed false positives.
- Generic Password: Detector upgrade to remove false positives in lock files.
- MySQL Credentials: The `mysql_credentials` secret-analyzer now uses `pymysql` instead of `mysql-connector-python`. `pymysql` is lighter and is already used by the checker.
- PostgreSQL Credentials: Fixed failure in `postgresql_credentials` analyzer when roles have quotes around them.
New or Updated Checkers
- Weaviate Token with Hostname – Validity checker for identified tokens.
- Cursor API Key – Validity checker supporting Cursor Admin & User API keys.
- Snowflake Credentials
- New validity checker for `snowflake_uri` detector.
- New validity checker for `snowpark_api_credentials` detector.
- New validity checker for
- Various new and updated checkers accompany the new detectors, including host-specific and project-id aware checkers, improving verification and reducing false positives. See each detector for the exact checker entries.
Revoker Upgrades
- OpenAI API Key: Added revoker for OpenAI API keys.
- OpenAI Project API Key V2: Added revoker for OpenAI Project API Key V2.
Enhancements
- Generic Secret Enricher, GitGuardian's machine learning model for secret categorization, has reached version 2. This update introduces 50 new providers and enhances enrichment by 75% for public data and 50% for internal data, resulting in a 30% increase in categorized incidents. Learn more about Generic Secret Enricher.
- Jira ticketing integrations: Added automatic ticket assignment to incident authors via email matching, improving accountability and faster resolution. Available for both Jira Cloud and Data Center. Learn more
- Secret detail: Base64 Basic Authentication token incidents now show the decoded username and password in the secret information.
- New Ignore reason: Added "Invalid Secret" as a reason when ignoring incidents where the secret was already invalid at detection time and requires no remediation.
- Pattern Exclusion: Improved performance and memory usage when checking the impact of secret pattern exclusions.
- Incidents: Added developer identity display for skipped secrets in GitHub Pull Request security checks, enabling SecOps to track accountability and follow up on security decisions during incident reviews.
- Playbooks: Updated the Playbooks settings page with a refreshed, modern interface design.
- GitLab Integration: Improved performance of the GitLab source selection interface to prevent browser unresponsiveness when searching through large numbers of namespaces, groups, and repositories.
- Public API: Enabled editing of Custom Monitored Perimeter via Public API for all sources (except for custom sources).
- Self-Hosted:
- All GitGuardian images are now multi-arch. Helm deployments now support ARM64 clusters in addition to AMD64. KOTS and Embedded Cluster installations remain AMD64-only. See system requirements.
- Added support for read-only root filesystem constraint to meet security compliance requirements and enhance container runtime protection.
Fixes
- Weekly Summary Email: Fixed incorrect date ranges displayed in weekly summary emails.
- Jira Integration: Fixed admin permission detection for Jira Data Center.
- Historical Scans: Fixed duplicate information appearing in the historical scan elements column.
- Container Registries Integrations: Fixed authentication error with Google Artifact Registry that was causing scan failures.
- Incidents search: Resolved a bug where search filters persisted without visible search text after page navigation, causing user confusion.
- Link to secret in internal source: Fixed an issue where some "View secret" links from historical scan occurrences did not navigate to the exact line in the commit.
- Incidents: Fixed an issue where occurrences displayed incorrect commit and file information, ensuring accurate incident tracking data.
- Perimeter: Fixed an issue where the scan button was not visible for members who are not in the all incidents team.
- Self-Hosted:
- Updated KOTS embedded cluster installation requirements to match documented system requirements.
- Added missing toleration configuration for secretEngine deployment.
- Fixed license verification when using a proxy by adding the `NO_PROXY` to `replicated.extraEnv` default values.