3 posts tagged with "nhi-governance"

2026.1 - Required

Version     Release Date
2026.1.0    January 28, 2026

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component     Minimum Version    Recommended Version
KOTS          1.117.3            Latest
Kubernetes    1.28               1.34
PostgreSQL    15                 17
Redis         6                  7
ggscout       0.19.0             Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2026.1

Feature highlights

  • Secret Enricher — generic incidents now display enriched secret names powered by our ML model, transforming vague findings into precise, actionable insights. Learn more.
  • More NHI Integrations — discover and secure non-human identities across Datadog, Snowflake, Okta, and Auth0. Learn more.
  • Unified Identity Governance for Entra & AWS IAM — unified visibility and risk-based prioritization for Microsoft Entra ID and AWS IAM with secret-less OIDC authentication. Learn more.
  • GCP Marketplace — GitGuardian is now available on Google Cloud Marketplace, enabling deployment on GKE with consolidated billing through your GCP account. Learn more.

Secrets Detection Engine

  • v2.153 — 6 new detectors (HighLevel, Elastic, Google Cloud Keys, Socket Dev, Upstash Redis, Vapid Key), 8 improved (Cloudflare, MySQL, GitLab Token, Fireworks AI, JSON Web Token, SSH, Duo, Azure Event Grid), 1 new checker (Oracle), 883 new secret providers.
  • v2.154 — 3 new detectors (Cloudflare R2, Azure SAS URL, MySQL), 1 new checker (Tailscale SCIM), 10 improved (SendGrid, Dwolla, PubNub, Google OAuth2, Azure Cosmos DB, Generic High Entropy, HashiCorp Vault, Discord Webhook, Alchemy, Fireworks AI), 378 new secret providers.
  • v2.155 — 18 new detectors (Oracle, Azure Entra App Secret, Azure Entra Access Token, GitLab SCIM, GitLab Agent Kubernetes, ASI:One, Azure IoT Device, Xendit, Supabase, Neoload, MongoDB, Azure Cache for Redis, GitLab Feed, Clerk Webhook, Better Auth, Elastic Search, Redis, Azure Relay), 8 improved (Doppler, Databricks, TeamCity, Scraper API, Slack Webhook, MongoDB, Okta, Tailscale), 3 analyzer upgrades.

Enhancements

  • Incident API enhanced to include enriched secret names; CSV/JSON exports now include both the original detector name and the enriched secret name. Learn more.
  • Detectors: Some detectors are now flagged as non-business and disabled by default for business accounts to reduce noise. Use the new "Recommended for business" filter in detector settings to identify and re-enable them if needed. Learn more.
  • GitHub Check Runs message updated for merge queues. Learn more.

Fixes

  • Docker Hub Integration configuration error. Learn more.
  • GitHub Check runs blocking pull requests when disabled. Learn more.
  • Playbooks auto-ignore reactivation issue, Historical Scans queueing for bulk operations. Learn more.
  • Google Cloud Keys validation, detector validity check filter, GitLab health check link, Health Check email notifications, JFrog Container Registry compatibility. Learn more.

2025.12

Version      Release Date
2025.12.0    December 15, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component     Minimum Version    Recommended Version
KOTS          1.117.3            Latest
Kubernetes    1.28               1.33
PostgreSQL    15                 17
Redis         6                  7
ggscout       0.19.0             Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Feature highlights

  • Advanced Analytics for Internal Monitoring — track the detection, remediation and prevention of secret leaks with actionable dashboards. Learn more.

    ⚠️ This feature is in beta. It is disabled by default and requires additional resources (12 GB memory). Enabling Analytics also increases database usage by 15-20% (minimum 5-6 GB). Analytics are computed once a day, so data may take up to 24 hours to appear after activation. To enable: set inAppAnalytics.enabled: true in Helm values, or enable "In-App Analytics" in the KOTS Admin Console.

  • SCIM team provisioning — automate team creation and sync from Okta and Microsoft Entra ID. Learn more
  • Enhanced Slack notifications — complete incident lifecycle coverage for internal monitoring and honeytoken alerting. Learn more.
  • CyberArk Secrets Manager Self Hosted integration — discover and enumerate non-human identities stored in your self-hosted CyberArk (Conjur) vault. Learn more.

Secrets Detection Engine

  • v2.151 — 13 new detectors (Hume AI, Azure AI Face, Neon, E2B, MailerSend, Scraper API, AIProxy, Cloudsmith, AWS Bedrock, Harness, Grafbase, AssemblyAI), 8 improved (Generic Password, Pinecone, Keycloak, Discord, Kubernetes JWT, Tableau, Sendinblue), 3 analyzer upgrades.
  • v2.152 — 1 new detector (Google Cloud Access Token), 3 improved (Hashicorp Vault Token, PagerDuty, Google Cloud Access Token), 2 analyzer upgrades.

Enhancements

  • New "Valid" saved view for incidents, API filtering by triggered date, GitLab validation and health checks, Docker Hub organization namespaces, Custom Monitored Perimeter improvements, GitLab empty namespaces hidden by default. Learn more.
  • Self-Hosted:
    • Added multiple hostname support via extra_hostnames parameter, enabling access through additional domain names. Learn more.
    • Added global podDisruptionBudget.enabled parameter to disable automatic PDB creation for restricted Kubernetes environments that prohibit PodDisruptionBudget resources. Learn more.
    • Added official support for Helm v4.
    • Added IPv6 support via network.ipFamily parameter for Service resources. Learn more.

Fixes

  • Jira Data Center historical scans for large projects, incident details "First detected" date display, Slack notifications user association, Health Check error differentiation. Learn more.
  • Bulk action filters, Jira ticketing issues, Perimeter scan behavior, GitLab namespace display and search, Container Registry URLs and caching. Learn more.
  • Self-Hosted: Resolved NHI Governance access for manager roles.

2025.4 - Required

Version     Release Date
2025.4.0    April 25, 2025
2025.4.1    April 30, 2025
2025.4.2    August 8, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

Component     Minimum Version    Recommended Version
KOTS          1.117.3            Latest
Kubernetes    1.25               1.31
PostgreSQL    15                 16
Redis         6                  7
helm          3.13               Latest
ggscout       0.16.4             0.16.4 is the only supported version

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.4

Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.

Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.

Feature highlights

  • NHI Governance — manage and secure Non-Human Identities with comprehensive observability and lifecycle management. Learn more
  • Secrets Analyzer — enrich detected secrets with scope, permission, and ownership details for faster risk assessment. Learn more
  • Custom tags — categorize and filter incidents with customized labels for improved remediation workflows. Learn more
  • Log collector for Self-Hosted — seamless log collection system with Loki, MinIO, and Fluent Bit for faster troubleshooting. Learn more

Secrets Detection Engine

  • v2.134 — 1 new detector (Azure Logic App), 2 improved (LINE Messaging, OpenAI), 1 analyzer enhancement.
  • v2.135 — 4 new detectors (Artifactory Reference Token, Artifactory Master Key, Artifactory Basic Auth), 4 improved (Snowflake, IBM Cloud, PlanetScale, Artifactory).

Enhancements

  • Jira DC incident filter, custom tags from search, custom webhook payload. Learn more.
  • Jira configuration layout, navigation improvements, invitations API. Learn more.
  • Self-Hosted:
    • Improved error messages for email configuration setup.
    • Enhanced debug capabilities with network diagnostic tools (netcat, openssl) in debug image. Learn more.
    • Extended readiness probe timeout on public-api for enhanced stability.
    • Added OpenShift restricted-v2 SCC support via global.compatibility.openshift.adaptSecurityContext. Learn more.
    • Added default support-bundle Role and optional ClusterRole creation.
    • PostgreSQL pgvector extension now required by default for upcoming ML features. Learn more.
    • Improved response times for issue occurrence queries through optimized request routing.
    • Standardized health check endpoint routing under main API hostname.

Fixes

  • Jira Cloud project key synchronization. Learn more.
  • GitLab multiple group hook emails, read-only token webhook detection, system hook 403 errors, unnecessary webhook scans, incidents list refresh. Learn more.
  • GitLab system hook 403 errors. Learn more.
  • Self-Hosted:
    • Updated license expiration notification message for clearer guidance.
    • Added Content Security Policy (CSP) headers to HTTP responses for enhanced browser security.

Hotfixes

2025.4.1

Release Date: April 30, 2025

Fixes

  • Self-Hosted:
    • Support Bundle Role creation disabled by default to accommodate customers with high security requirements (Helm).

2025.4.2

Release Date: August 8, 2025

Fixes

  • Self-Hosted: