
5 posts tagged with "nhi-governance"


2026.5

Version | Release Date
2026.5.0 | May 21, 2026
2026.5.1 | May 28, 2026

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component | Minimum Version | Recommended Version
KOTS | 1.117.3 | Latest
Kubernetes | 1.30 | 1.35
PostgreSQL | 15 | 17
Redis | 6 | 7
ggscout | 0.19.0 | Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Upgrading with Argo CD

If you deploy GitGuardian through Argo CD with ServerSideApply=true, review the known issue "Hook Jobs may not be re-triggered on chart upgrade" before upgrading. Affected hook Jobs (pre-deploy migrations, post-deploy, upgrade-path-check, data-access-deploy) may be skipped silently; run argocd app sync gitguardian as a workaround.

Feature highlights

  • Advanced Analytics enabled by default for Helm installation — actionable dashboards for detection, remediation, and prevention of secret leaks are now activated by default on all instances, including the new Analytics Overview page, previously available in early access, that aggregates KPIs across Protect, Detect, Remediate, and Govern in a single dashboard. Learn more.

    Requires ~12 GB extra memory and increases database usage by 15-20% (min. 5-6 GB). Data refreshes once a day. KOTS installations must enable the new analytics in the KOTS Admin Console.

  • New AI workspace setting — workspace owners now have a self-service Settings → Workspace → AI page to enable or disable external LLM calls and configure Bring Your Own Cloud (BYOC) providers, with AWS Bedrock supported at launch. External LLM features are disabled by default on self-hosted instances. Once the integration is up and running, the selected Anthropic model powers every LLM-driven feature in the app. See AI settings and the AWS Bedrock setup guide.
  • NHI admin and overprivileged flags — NHI Governance now flags admin-level and overprivileged non-human identities across AWS IAM, Microsoft Entra, and Okta, and automatically bumps the severity of any policy breach landing on an admin NHI. Learn more.
  • Attachment scanning across Atlassian — secret detection now covers file attachments on Jira Cloud, Jira Data Center, Confluence Cloud, and Confluence Data Center. Reinstall your Atlassian integrations to grant the new attachment scopes. Learn more.
  • New Slack capabilities — file attachment scanning, interactive thread responses (beta), and private channel name redaction. To enable them, add the latest Bot Token Scopes to your existing Slack app (no reinstall required). See the updated permissions list. Learn more.

Secrets Detection Engine

  • v2.161 — 7 new detectors (Payhere App Credentials, HubSpot API Key, Birdeye API Key, Datadog API Credentials, Payhere Merchant Secret, GitGuardian Personal Access Token, GitGuardian Service Access Token), 1 new checker (Azure SignalR Connection String), 4 detector precision improvements (Jira Basic Auth, Atlassian OAuth2, npm Token, OpenWeatherMap Token), 5 new analyzers (Intercom Access Token, GitGuardian PAT/SAT, Notion Integration Token, Azure Cosmos DB Credentials).
  • v2.162 — 16 new detectors (Aikido CI Scanning Token, Baidu AI API Key, Baidu Cloud API Keys, Bitrise Personal/Workspace Access Tokens, Canva Integration OAuth2, Cloudflare API Token V2, CockroachDB API Key, Coder Session Token, Datadog Application Key, ElevenLabs API Key, HashiCorp Consul ACL Token, MaxMind License Key, QQ Robot API Keys, Snyk Key V2, Volcengine API Key), 6 detector updates (Azure OpenAI, GitLab Token, Google Cloud Keys, Grafbase, PayPal Braintree, Slack Bot Token), 2 new analyzers (Azure AI Search Key, Azure OpenAI), 3 analyzer updates (Anthropic Admin Key, GitLab Token, PostgreSQL Credentials).

Enhancements

  • Accessibility: Ctrl+Enter to submit forms; dynamic variables (e.g., {secretType}, {sourceName}, {sourceType}) now supported across all Jira integration fields. Learn more.
  • Deprecated Honeytoken Labels Public API removed (use Custom Tags), Jira templates flag unsupported required fields, GitHub Check runs reliability during partial outages. Learn more.
  • Microsoft Teams notifications expanded to full incident lifecycle; new Public API Health Checks endpoints; archived-source filters on Sources and Incidents endpoints. Learn more.
  • Microsoft Teams Issue Regression event backfilled for existing notifiers, leak author now captured on JFrog Artifactory incidents. Learn more.
  • Self-Hosted:
    • Improved the support bundle upload with a more descriptive filename (including hostname, date, and ticket ID) and added an instance ID display.
    • Added logCollector.supportBundle.logLevel to filter Loki queries when generating a support bundle.
    • Added dedicated celeryWorkers.automatic-severities worker — moves the automatic_severities queue out of the long worker into its own scalable worker. See the updated application topology.
    • Helm upgrades no longer fail when the chart is configured with a third-party cert-manager issuer plugin. The certManager values schema now accepts plugin issuer kinds in addition to the built-in Issuer and ClusterIssuer.

Fixes

  • PAT source scopes not applied correctly, Bitbucket Cloud workspace-scoped APIs. Learn more.
  • Dashboard unresponsive when filtering PATs, Bitbucket Cloud cross-workspace API deprecation handled. Learn more.
  • SendGrid revocation error, JFrog Artifactory bulk select-all in team perimeters, GitHub Enterprise health check on GHES 3.19.4, GitHub Enterprise PR Check runs analytics dashboards, perimeter page rendering on workspaces with 200k+ sources. Learn more.

Hotfixes

2026.5.1

Release Date: May 28, 2026

Fixes

  • Security: Fixed an XSS / open-redirect vulnerability via a crafted redirect_url query parameter in the login and bulk-scan flows.
  • Jira Data Center: Fixed scan timeouts on large instances and improved handling of missing or null fields during scans.
  • Machine Learning: Removed a test artifact from the ML Secret Engine image that was being flagged as a private key by container scanners.
  • Self-Hosted: Bundled component bumps — Replicated SDK, MinIO (log collector), ML Secret Engine. See the air gap install page for the updated tags.
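The redirect_url hotfix above is the kind of bug an allow-list on the redirect parameter prevents. As an added example that is not GitGuardian's code, the check below accepts only same-application paths or absolute URLs to an assumed allow-listed host (the host name and the default target are constructed), and rejects the protocol-relative, backslash, control-character and non-http scheme forms that turn such a parameter into an open redirect or a script-scheme XSS.

```python
# Added example: validating a redirect_url-style parameter before issuing a redirect.
# Not GitGuardian's code; the allow-listed host and default target are constructed.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.internal"}  # constructed: hosts the app may redirect to
DEFAULT_TARGET = "/dashboard"             # constructed: fallback after login


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for redirect targets that stay within the application."""
    if not url or url != url.strip():
        return False
    # Control characters (tab, CR, LF, NUL) are stripped or mis-parsed by browsers,
    # and backslashes are treated as slashes, so "/\evil.com" becomes "//evil.com".
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http(s) to an allow-listed host. Compare hostname, not
        # netloc, so "https://app.example.internal@evil.com/" resolves to evil.com.
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript: and similar schemes
        return bool(parts.hostname) and parts.hostname.lower() in allowed_hosts
    if parts.netloc:
        return False  # protocol-relative "//evil.com" inherits the current scheme
    # Scheme-less and host-less: must be an absolute path inside the app.
    return url.startswith("/") and not url.startswith("//")


def resolve_redirect(url, default=DEFAULT_TARGET) -> str:
    """Pick the post-login target: the validated parameter or the safe default."""
    return url if is_safe_redirect(url or "") else default
```

Validation alone covers the redirect; if the parameter is also reflected into HTML, it still needs output encoding in that context.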

2026.3

Version | Release Date
2026.3.0 | March 16, 2026
2026.3.1 | March 23, 2026
2026.3.2 | March 26, 2026
2026.3.3 | April 2, 2026

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component | Minimum Version | Recommended Version
KOTS | 1.117.3 | Latest
Kubernetes | 1.30 | 1.35
PostgreSQL | 15 | 17
Redis | 6 | 7
ggscout | 0.19.0 | Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Using Argo CD? A pre-created encryption secret is required before deploying — see the Argo CD installation guide.

Upgrading to 2026.3

Embedded cluster installations running 2026.2.0: You must manually delete the replicated PodDisruptionBudget before upgrading. Older versions are not affected. See Upgrade KOTS > Upgrading to 2026.3.

Feature highlights

  • JFrog Artifactory Package Registries — scan Maven, npm, PyPI, NuGet, Go, and 7 more package ecosystems for secrets hiding in your software supply chain, with historical and incremental scanning support. Currently in beta. Learn more.
  • Red Hat Quay Integration — detect secrets in container images across quay.io and self-hosted Quay deployments, with full image layer analysis and OAuth2 authentication. Currently in beta. Learn more.
  • Okta Integration Network — GitGuardian is now an Okta-verified app with one-click SAML SSO, SCIM provisioning, and Group Push for streamlined identity management. Learn more.

Secrets Detection Engine

  • v2.157 — 26 new detectors (WooCommerce, Iyzico, Mercado Pago, Bitbucket HTTP Access Token, PostgreSQL, MariaDB, Azure Event Hub, Azure Container Registry, Coralogix, Azure Web PubSub, Azure Batch, Azure APIM Gateway, Azure IoT Provisioning, Azure AI Search, GitLab CI/CD Job Token, PostHog, and more), 13 improved, 4 analyzer upgrades, 4 new revokers (SendGrid, Slack User Token, Slackbot, Heroku), scanning throughput nearly doubled.
  • v2.158 — 4 new detectors (MiniMax, Retell, Azure Storage Account Key, Curl Username Password), 2 improved (Azure Container Registry, MongoDB), scanning speed improved by 12%.

Enhancements

  • Improved scanning for SharePoint Online and OneDrive integrations. Self-hosted customers using these integrations should ensure all required pods are active and properly scaled. See the scaling documentation and non-VCS sources configuration for details.
  • Audit logs now display scope information for PAT and SAT creation events. Learn more.
  • Workspace managers can restrict Personal Access Token scopes for members. Learn more.
  • Customizable session duration for dashboard sessions. Learn more.
  • Slack and Webhook alerts now include feedback content (remarks) for incidents. Learn more.
  • Enhanced Slack incident notification messages with improved formatting and additional context. Learn more.
  • Jira templates now support filename and line number fields. Learn more.
  • "System" theme mode option that follows OS light/dark preference. Learn more.
  • Public API endpoint for retrieving GitGuardian egress IP addresses. Learn more.
  • Custom perimeter support for Microsoft Teams, Confluence Cloud, Confluence Data Center, Jira Cloud, and Jira Data Center. Learn more.
  • Self-Hosted:
    • Allow fixed tags for the Custom CA image, to support environments that enforce fixed tags.
    • Added ALB ingress support for autoscaling and improved templating of custom autoscaling metrics in Helm charts.
    • Added missing queues to KEDA ScaledObjects configuration for improved autoscaling coverage.

Fixes

  • Jira Cloud installations unexpectedly soft-deleted. Learn more.
  • API schema validation error for response path 'id'. Learn more.
  • Timeout issues when bulk-updating incident custom tags. Learn more.
  • Authorization issue allowing Team Leaders to delete "All Incidents" team notification settings. Learn more.
  • Self-Hosted:
    • Fixed Redis password handling issue when using existing secrets in ArgoCD environments.

Hotfixes

2026.3.1

Release Date: March 24, 2026

Fixes

  • GitHub Enterprise integration: Fixed issue where repositories appeared as "Unmonitored" after upgrading to 2026.3 despite being correctly selected in Integration settings.
  • JFrog Package Registries: Fixed payload mismatch error during JFrog Artifactory package registry scans.
  • API documentation link: Fixed incorrect API documentation link in the self-hosted help menu.
  • Audit logs: Fixed actor filter in audit logs where selected users were lost after using and clearing the search field.

2026.3.2

Release Date: March 26, 2026

Fixes

  • Database migration on upgrade: Fixed a pre-deploy migration failure blocking upgrades to 2026.3 on instances originally installed before version 2025.7.

2026.3.3

Release Date: April 2, 2026

Fixes

  • In-app analytics optimization: Fixed excessive data footprint from inAppAnalytics, reducing storage and memory usage.

2026.1 - Required

Version | Release Date
2026.1.0 | January 28, 2026

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component | Minimum Version | Recommended Version
KOTS | 1.117.3 | Latest
Kubernetes | 1.28 | 1.34
PostgreSQL | 15 | 17
Redis | 6 | 7
ggscout | 0.19.0 | Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2026.1

Feature highlights

  • Secret Enricher — generic incidents now display enriched secret names powered by our ML model, transforming vague findings into precise, actionable insights. Learn more.
  • More NHI Integrations — discover and secure non-human identities across Datadog, Snowflake, Okta, and Auth0. Learn more.
  • Unified Identity Governance for Entra & AWS IAM — unified visibility and risk-based prioritization for Microsoft Entra ID and AWS IAM with secret-less OIDC authentication. Learn more.
  • GCP Marketplace — GitGuardian is now available on Google Cloud Marketplace, enabling deployment on GKE with consolidated billing through your GCP account. Learn more.

Secrets Detection Engine

  • v2.153 — 6 new detectors (HighLevel, Elastic, Google Cloud Keys, Socket Dev, Upstash Redis, Vapid Key), 8 improved (Cloudflare, MySQL, GitLab Token, Fireworks AI, JSON Web Token, SSH, Duo, Azure Event Grid), 1 new checker (Oracle), 883 new secret providers.
  • v2.154 — 3 new detectors (Cloudflare R2, Azure SAS URL, MySQL), 1 new checker (Tailscale SCIM), 10 improved (SendGrid, Dwolla, PubNub, Google OAuth2, Azure Cosmos DB, Generic High Entropy, HashiCorp Vault, Discord Webhook, Alchemy, Fireworks AI), 378 new secret providers.
  • v2.155 — 18 new detectors (Oracle, Azure Entra App Secret, Azure Entra Access Token, GitLab SCIM, GitLab Agent Kubernetes, ASI:One, Azure IoT Device, Xendit, Supabase, Neoload, MongoDB, Azure Cache for Redis, GitLab Feed, Clerk Webhook, Better Auth, Elastic Search, Redis, Azure Relay), 8 improved (Doppler, Databricks, TeamCity, Scraper API, Slack Webhook, MongoDB, Okta, Tailscale), 3 analyzer upgrades.

Enhancements

  • Incident API enhanced to include enriched secret names, CSV/JSON exports now include both original detector name and enriched secret name. Learn more.
  • Some detectors are now flagged as non-business and disabled by default for business accounts to reduce noise. Use the new "Recommended for business" filter in detector settings to identify and re-enable them if needed. Learn more.
  • Improved token refresh reliability for Slack and Atlassian Cloud integrations with automatic retry on transient failures. Learn more.
  • GitHub Check Runs message updated for merge queues. Learn more.

Fixes

  • Docker Hub Integration configuration error. Learn more.
  • GitHub Check runs blocking pull requests when disabled. Learn more.
  • Playbooks auto-ignore reactivation issue, Historical Scans queueing for bulk operations. Learn more.
  • Google Cloud Keys validation, detector validity check filter, GitLab health check link, Health Check email notifications, JFrog Container Registry compatibility. Learn more.

2025.12

Version | Release Date
2025.12.0 | December 15, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component | Minimum Version | Recommended Version
KOTS | 1.117.3 | Latest
Kubernetes | 1.28 | 1.33
PostgreSQL | 15 | 17
Redis | 6 | 7
ggscout | 0.19.0 | Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights

  • Advanced Analytics for Internal Monitoring — track the detection, remediation and prevention of secret leaks with actionable dashboards. Learn more.

    ⚠️ This feature is in beta. It is disabled by default and requires additional resources (12 GB memory). Enabling Analytics also increases database usage by 15-20% (minimum 5-6 GB). Analytics are computed once a day, so data may take up to 24 hours to appear after activation. To enable: set inAppAnalytics.enabled: true in Helm values, or enable "In-App Analytics" in the KOTS Admin Console.

  • SCIM team provisioning — automate team creation and sync from Okta and Microsoft Entra ID. Learn more.
  • Enhanced Slack notifications — complete incident lifecycle coverage for internal monitoring and honeytoken alerting. Learn more.
  • CyberArk Secrets Manager Self Hosted integration — discover and enumerate non-human identities stored in your self-hosted CyberArk (Conjur) vault. Learn more.

Secrets Detection Engine

  • v2.151 — 13 new detectors (Hume AI, Azure AI Face, Neon, E2B, MailerSend, Scraper API, AIProxy, Cloudsmith, AWS Bedrock, Harness, Grafbase, AssemblyAI), 8 improved (Generic Password, Pinecone, Keycloak, Discord, Kubernetes JWT, Tableau, Sendinblue), 3 analyzer upgrades.
  • v2.152 — 1 new detector (Google Cloud Access Token), 3 improved (Hashicorp Vault Token, PagerDuty, Google Cloud Access Token), 2 analyzer upgrades.

Enhancements

  • New "Valid" saved view for incidents, API filtering by triggered date, GitLab validation and health checks, Docker Hub organization namespaces, Custom Monitored Perimeter for Container Registries, SharePoint, OneDrive, ServiceNow, and Slack, GitLab empty namespaces hidden by default. Learn more.
  • Self-Hosted:
    • Added multiple hostname support via extra_hostnames parameter, enabling access through additional domain names. Learn more.
    • Added global podDisruptionBudget.enabled parameter to disable automatic PDB creation for restricted Kubernetes environments that prohibit PodDisruptionBudget resources. Learn more.
    • Added official support for Helm v4.
    • Added IPv6 support via network.ipFamily parameter for Service resources. Learn more.

Fixes

  • Jira Data Center historical scans for large projects, incident details "First detected" date display, Slack notifications user association, Health Check error differentiation. Learn more.
  • Bulk action filters, Jira ticketing issues, Perimeter scan behavior, GitLab namespace display and search, Container Registry URLs and caching. Learn more.
  • Self-Hosted: Resolved NHI Governance access for manager roles.

2025.4 - Required

Version | Release Date
2025.4.0 | April 25, 2025
2025.4.1 | April 30, 2025
2025.4.2 | August 8, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component | Minimum Version | Recommended Version
KOTS | 1.117.3 | Latest
Kubernetes | 1.25 | 1.31
PostgreSQL | 15 | 16
Redis | 6 | 7
helm | 3.13 | Latest
ggscout | 0.16.4 | 0.16.4 is the only supported version

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.4

Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.

Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.

Feature highlights

  • NHI Governance — manage and secure Non-Human Identities with comprehensive observability and lifecycle management. Learn more.
  • Secrets Analyzer — enrich detected secrets with scope, permission, and ownership details for faster risk assessment. Learn more.
  • Custom tags — categorize and filter incidents with customized labels for improved remediation workflows. Learn more.
  • Log collector for Self-Hosted — seamless log collection system with Loki, MinIO, and Fluent Bit for faster troubleshooting. Learn more.

Secrets Detection Engine

  • v2.134 — 1 new detector (Azure Logic App), 2 improved (LINE Messaging, OpenAI), 1 analyzer enhancement.
  • v2.135 — 4 new detectors (Artifactory Reference Token, Artifactory Master Key, Artifactory Basic Auth), 4 improved (Snowflake, IBM Cloud, PlanetScale, Artifactory).

Enhancements

  • Jira DC incident filter, custom tags from search, custom webhook payload. Learn more.
  • Jira configuration layout, navigation improvements, invitations API. Learn more.
  • Self-Hosted:
    • Improved error messages for email configuration setup.
    • Enhanced debug capabilities with network diagnostic tools (netcat, openssl) in debug image. Learn more.
    • Extended readiness probe timeout on public-api for enhanced stability.
    • Added OpenShift restricted-v2 SCC support via global.compatibility.openshift.adaptSecurityContext. Learn more.
    • Added default support-bundle Role and optional ClusterRole creation.
    • PostgreSQL pgvector extension now required by default for upcoming ML features. Learn more.
    • Improved response times for issue occurrence queries through optimized request routing.
    • Standardized health check endpoint routing under main API hostname.

Fixes

  • Jira Cloud project key synchronization. Learn more.
  • GitLab multiple group hook emails, read-only token webhook detection, system hook 403 errors, unnecessary webhook scans, incidents list refresh. Learn more.
  • GitLab system hook 403 errors. Learn more.
  • Self-Hosted:
    • Updated license expiration notification message for clearer guidance.
    • Added Content Security Policy (CSP) headers to HTTP responses for enhanced browser security.

Hotfixes

2025.4.1

Release Date: April 30, 2025

Fixes

  • Self-Hosted:
    • Support Bundle Role creation disabled by default to accommodate customers with high security requirements (Helm).

2025.4.2

Release Date: August 8, 2025

Fixes

  • Self-Hosted: