
2 posts tagged with "incident-management"


2025.5

Version: 2025.5.0
Release Date: May 22, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component     Minimum Version    Recommended Version
KOTS          1.117.3            Latest
Kubernetes    1.25               1.32
PostgreSQL    15                 16
Redis         6                  7
ggscout       0.16.6             Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version.

Upgrading to 2025.5 Air gap deployments

Air gap deployment? We've renamed images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry.

FIPS: This release uses Chainguard images without FIPS-approved cryptographic modules. If you would like to use Chainguard images with FIPS, please contact our support team.

ServiceNow secret scanning


ServiceNow is now supported for secrets detection and honeytoken detection, enabling automated tracking of security incidents. Learn more

Customize Your Incidents View for Enhanced Context Exploration

With this new feature, users can create fully customized views of their incidents, displaying specific properties and exploring their security data in an entirely new way.


This customization capability offers two key advantages:

  1. Leverage the Generic Secret Enricher model (read 2025.3 release page) - You can now explore and prioritize generic incidents more effectively by visualizing the AI-classified secret categories and providers.
  2. Harness extensive incident context - Access the rich contextual data we provide for each incident, which is essential for efficient prioritization efforts

Context is critical for effective remediation. Cybersecurity is fundamentally a data business, and by collecting and presenting the richest, most structured context possible, we enable you to filter, sort, and prioritize incidents effectively and make informed decisions.

Read more in the documentation

Automate User Onboarding & Offboarding with SCIM


SCIM (System for Cross-domain Identity Management) integration now supports both automatic user provisioning and deprovisioning in GitGuardian. When users are added or removed from your Identity Provider (IdP)—such as Okta or Microsoft Entra ID—they are automatically created or deactivated in your GitGuardian workspace.

Now, all your developers can be automatically onboarded to GitGuardian and are ready to handle security incidents as soon as they are added to your IdP. This means you can fully automate the onboarding and offboarding of users, directly from your IdP, ensuring your entire development team is always prepared to respond to incidents.

Why is this important?

  • Streamlined onboarding: New users are automatically provisioned in GitGuardian as soon as they are added to your IdP—no more manual invites or user creation.
  • Automated offboarding: When a user is removed or deactivated in your IdP, their access to GitGuardian is automatically revoked, reducing security risks.
  • Real-time synchronization: User changes in your IdP are reflected in GitGuardian almost instantly, ensuring your workspace always stays up to date.
  • Improved compliance: Automated user lifecycle management helps you meet security and compliance requirements by ensuring only authorized users have access.
  • Reduced manual work: Save time and reduce errors by eliminating manual user management tasks.

Note: Team provisioning via SCIM is not yet available, but is planned for a future update.

How to get started?

  • SCIM is available for workspaces using Okta or Microsoft Entra ID as their IdP.
  • To enable SCIM, go to your workspace Settings > Authentication and follow the setup instructions for your IdP.
  • For detailed configuration steps and best practices, check out our product documentation.

NHI Policies improvements


Identify quick wins and areas of improvement thanks to improved policy breach visibility and management, including the ability to:

  • Filter breaches by type on the inventory page,
  • View detailed analytics on NHI breaches over time,
  • Benefit from Secret Reuse policy for better secret management and security across environments.

Want to discover more about NHI Governance? Check out our public materials:


Secrets Detection Engine (v2.138)

This release brings major enhancements to the Secrets Detection Engine, with a strong focus on expanding coverage for Artifactory and Azure services. New detectors have been added for a wide range of secrets—including Perplexity AI, Azure Entra ID, Communication Services, App Configuration, and more—helping organizations better protect sensitive credentials across their software supply chain and cloud infrastructure.

Key improvements include:

  • Expanded Azure Coverage: New detectors for Entra ID tokens, Communication Services, App Configuration, DevOps PATs, and SignalR, strengthening security for Azure environments.
  • Broader Secret Detection: Added support for Perplexity AI, Anthropic admin keys, Laravel encryption keys, X AI API keys, and GitGuardian Platform Magic Links.
  • Enhanced Accuracy: Upgrades to existing detectors (LDAP, JWT, Cloudinary, Auth0, Claude, Jira, SMB, ODBC, Octopus, and more) improve precision and recall and reduce false positives.

For full details on new detectors and improvements, see the list below.

New Detectors

Detector Improvements

  • LDAP Credentials (Checker Upgrade): Improved the LDAP checker to better distinguish between connection errors and invalid credentials. Updated ldap_credentials_assignment_with_dn to remove false positives.
  • JSON Web Token (Detector Upgrade): The detector will now detect all JWTs regardless of their contents.
  • Cloudinary API Keys (Detector Upgrade): Extended charset of cloudinary_api_key_config to improve recall.
  • Auth0 Keys (Detector Upgrade): Improved recall of the detector to detect more domains.
  • Claude API Key (Detector Upgrade): Refined regex for Claude API keys.
  • Riot Games API Key (Checker Updated): Banlist checker will be deleted.
  • LINE Notify Token (Checker Updated): Banlist checker as the service has been discontinued.
  • Microsoft Azure Storage Connection String (Detector Upgrade): Improved regex precision for more accurate detection.
  • ODBC Connection String (Detector Upgrade): Enhanced regex precision to better identify ODBC connection strings.
  • Jira Token (Detector Upgrade): Corrected host regex to accurately match ports.
  • SMB Credentials (Detector Upgrade): Now allows percent sign as a separator between username and password in host matches.
  • Octopus API Key (Checker Upgrade): Updated to use the correct API endpoint, resolving issues with secret validity checks.

Enhancements

  • Emails: Included the number of incidents in the subject line of both weekly digest and historical scan emails.
  • Jira Data Center Issue Tracking Integration: Creating Jira tickets now only requires regular user permissions. Administrator privileges on the Jira Data Center site are only needed when setting up the two-way synchronization (Auto-resolve feature).
  • Self-Hosted:
    • Ensured that the Redis FLUSHDB command is available for use before installing or upgrading GitGuardian. Learn more.
    • Added support for configuring proxy username and password using Kubernetes secrets. Learn more.
    • GitGuardian Chainguard images are now used by default and include a shell for troubleshooting and maintenance.
  • Security: Implemented a Content Security Policy in response headers to better control which resources can be loaded, strengthening overall security.

Fixes

  • GitLab Integrations: Resolved a problem where system hook checks returned a 403 forbidden error when using a read-only token.
  • Dashboard: Resolved an issue where a toast message displayed "unknown error" in certain situations.
  • Historical Scan: Resolved an issue where scans of empty GitHub repositories were incorrectly marked as failed.
  • API: Resolved an issue where deleted sources were incorrectly displayed as monitored.
  • Self-Hosted:
    • Resolved an issue where deployment failed when using Kustomize.
    • Increased the readiness probe timeout for public-api to enhance stability and prevent failures.

2025.2

Release Date: February 20, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component     Minimum Version    Recommended Version
KOTS          1.117.3            Latest
Kubernetes    1.25               1.30
PostgreSQL    15                 16
Redis         6                  7
helm          3.13               Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Search Incidents by Secret Value

GitGuardian allows you to monitor secret leaks across thousands of your repositories and over 30 different types of sources. It is reassuring to know that this critical secret, which provides access to your corporate LDAP, has not been detected anywhere.

Bitbucket Cloud Scanning

Secure your Bitbucket Cloud repositories with secrets detection powered by GitGuardian.

  • Detect exposed credentials and secrets in real-time.
  • Gain visibility into security incidents directly in your dashboard.
    Learn more

Custom Tags Early Access

Improve incident organization and tracking with Custom Tags, allowing users to filter, sort, and categorize incidents more effectively. For now, custom tag management (CRUD) and tag assignments to incidents can only be done via the API (API documentation), with UI support coming soon.

To activate this feature, enable custom_tags_enabled in the Preferences page.

Autoscaling

HPA now supports web applications (e.g., webapp-public_api), allowing automatic scaling based on demand for improved performance and resource efficiency. Learn more on the autoscaling page.


Secrets Detection Engine (v2.131)

Bringing enhanced accuracy and broader coverage:

Enhancements

  • Scan Only Added Lines in Commits: Now, when using ggshield or our check runs integration, we only scan added lines in commits. Developers will no longer be blocked while remediating incidents.
  • Jira Issue Tracking Integration: Added support for "Numbers (or float)" and "Group Pickers (single group)" custom fields in Jira templates, allowing more customization in notifications and issue tracking.
  • Enhanced Email Incident Alerting Controls for Members: You can now manage email notification settings more effectively with an option that allows updates through the API, and customize account-level defaults, ensuring a more tailored communication experience for all members. Learn more
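
The effect of scanning only added lines, shown as an added example (this is not ggshield or GitGuardian code): a commit that removes a hardcoded key still carries the key on a "-" line, so a scanner that matches every diff line would flag the fix itself. The sample diff, the DEMOKEY_ pattern and the function names are constructed for illustration, and git-format unified diffs are assumed.

```python
import re

# Constructed remediation commit: a hardcoded key is removed and replaced by an
# environment lookup. The key is a made-up placeholder, not a real credential.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
+import os
 DEBUG = False
-API_KEY = "DEMOKEY_0123456789ABCDEFGHIJ"
+API_KEY = os.environ["API_KEY"]
 TIMEOUT = 30
"""

# Toy pattern standing in for a real detector (assumption, illustration only).
TOY_SECRET = re.compile(r"DEMOKEY_[A-Z0-9]{20}")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for each added line of a git diff."""
    path, new_no, in_hunk = None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False  # next file: header lines follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            new_no, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):
            yield path, new_no, line[1:]
            new_no += 1
        elif in_hunk and line.startswith(" "):
            new_no += 1  # context line also exists in the new file
        # "-" lines exist only in the old file: skipped, counter unchanged


def scan_added(diff_text):
    """Findings as (path, line) on added lines only."""
    return [(p, n) for p, n, t in added_lines(diff_text) if TOY_SECRET.search(t)]


def scan_all(diff_text):
    """Naive baseline: flags any matching diff line, removed ones included."""
    return [l for l in diff_text.splitlines() if TOY_SECRET.search(l)]
```

The removed key remains in the repository history, so the existing incident still needs rotation; skipping "-" lines only keeps the remediation commit from being blocked.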

Fixes

  • Sources:
    • Azure Repos Integration: Fixed an issue where organization deletions were not properly synced when using ADO installations in Organization-mode.
    • GitLab Integration: Resolved an issue where GitLab installations were incorrectly revoked due to temporary plan downgrades or admin status changes.
  • Users & Teams:
    • Incidents: Resolved an issue where restricted users could not view the Vulnerable Sources block.
    • Users: Resolved an issue where user deletion was prevented due to the presence of saved views associated with the user.
    • Teams Management: Resolved an issue where action menus were not displayed in the teammates table for non-admin users in certain cases.
  • Alerting:
    • Confluence Cloud Integration: Fixed an issue where some Confluence Cloud events without a spaceKey were incorrectly ignored.
    • PagerDuty Alerts for Security Incidents: Fixed an issue where the integration was not sending alerts for real-time incidents.
    • Email Notifications: Fixed an issue where emails for ignored and valid incidents were sent to all teams a user belongs to, instead of only the teams managing the affected repository.
  • Self-Hosted:
    • Helm: Fixed an issue where connecting to Redis Sentinel failed when using a password with special characters.
    • KOTS: Restored the left navigation menu in the KOTS admin console for embedded cluster installations.