Air gap deployment? This release introduces a new image.registry parameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the main imageRegistry parameter. Follow the upgrade instructions to update your helm values file.
Detect hardcoded secrets in your AWS ECR Container Registry
We are excited to introduce Secret detection for Amazon Elastic Container Registry (ECR).
Secrets often end up in container images due to common mistakes during development and image creation, mainly:
Hardcoding Secrets in Code: Developers may directly embed sensitive credentials, such as API keys or passwords, into application code, which gets packaged into container images.
Misconfigured Dockerfiles: Commands like ENV or RUN in Dockerfiles can inadvertently expose sensitive data during the build process.
By identifying and addressing hardcoded credentials in your AWS ECR repositories early in the development pipeline, this feature significantly minimizes the risk of security breaches, helping you prevent the unintended exposure of sensitive information before it even reaches production.
We're excited to announce support for Valkey, a Redis-compatible database forked from Redis 7.2. This gives users an alternative to Redis while maintaining full compatibility with GitGuardian Self-Hosted.
New Checkers
These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:
Custom webhooks: Enhanced webhook configuration with more granular event selection. See the updated documentation.
VCS Integrations: Added the ability to disable Automatic Repository Monitoring when setting up a VCS integration. The toggles controlling this setting were also moved above the list of discovered sources for better visibility.
Bitbucket Cloud Integration: Updated authentication to support API tokens as Atlassian discontinues app passwords, ensuring continued integration functionality.
GitGuardian 2025.6 now requires Kubernetes 1.28 as the minimum supported version. However, Kubernetes 1.28 is no longer receiving active or maintenance support from the Kubernetes project (see end-of-life schedule).
We strongly recommend upgrading to Kubernetes 1.32 for optimal security and stability. See our system requirements for more details.
Securely Access Secret Values via API with GitGuardian's New “Secrets” Endpoint
GitGuardian is excited to announce a new API endpoint /v1/secrets/{secret_id}, allowing users to securely access secret values directly through our API.
This feature introduces several key benefits:
Enhanced Security Automation - Integrate secret remediation into existing security workflows and tools with secure API access to secret values.
Reduced Manual Intervention - Eliminate the need to manually copy secrets from the UI, saving time and reducing human error.
Comprehensive Security Controls - Multiple security layers (PAT permissions, workspace settings) ensure secrets are accessed only by authorized users.
Complete Secret Context - Receive both the secret value and detector information in a single API call for efficient remediation.
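The workflow described above, as an added example that is not GitGuardian's client or SDK: a Python script that fetches a secret value through /v1/secrets/{secret_id}, hands it to a rotation handler and logs only a redacted form, so the automation never re-exposes the value it is remediating. The endpoint path is the one announced here; the default base URL, the `Authorization: Token` header form, the response field names `secret` and `detector`, and the `GITGUARDIAN_API_KEY` environment variable are assumptions made for this example.

```python
"""Fetch a secret value through /v1/secrets/{secret_id} and hand it to a
rotation step without writing it to logs.

Added example, not GitGuardian's SDK or client. The endpoint path is the one
announced in the release notes; the default base URL, the "Authorization:
Token" header form and the response field names ("secret", "detector") are
assumptions made for this example.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional

DEFAULT_BASE_URL = "https://api.gitguardian.com"  # assumed; self-hosted deployments use their own host

Transport = Callable[[str, dict], tuple[int, bytes]]


class SecretAccessError(RuntimeError):
    """The API refused the request or returned something unexpected."""


def http_get(url: str, headers: dict) -> tuple[int, bytes]:
    """Live transport. Returns (status, body) for both 2xx and error replies."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def canned_transport(status: int, payload: dict) -> Transport:
    """Offline stand-in for http_get, used for dry runs and tests."""
    def transport(url: str, headers: dict) -> tuple[int, bytes]:
        if not headers.get("Authorization", "").startswith("Token "):
            return 401, b'{"detail": "missing token"}'
        return status, json.dumps(payload).encode()
    return transport


def fetch_secret(secret_id: str, token: str, transport: Transport = http_get,
                 base_url: str = DEFAULT_BASE_URL) -> dict:
    status, body = transport(
        f"{base_url}/v1/secrets/{secret_id}",
        {"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    # The access layers named in the announcement surface as HTTP errors:
    # an invalid PAT (401) and a PAT or workspace lacking the permission (403).
    if status == 401:
        raise SecretAccessError("personal access token rejected")
    if status == 403:
        raise SecretAccessError("PAT permission or workspace setting does not allow reading secret values")
    if status == 404:
        raise SecretAccessError(f"secret {secret_id} not found")
    if status != 200:
        raise SecretAccessError(f"unexpected HTTP {status}")
    data = json.loads(body)
    if "secret" not in data:
        raise SecretAccessError("response has no 'secret' field (assumed name)")
    return data


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 4)


def remediate(secret_id: str, rotate: Callable[[str], bool],
              transport: Transport = http_get, token: Optional[str] = None) -> str:
    """Fetch the secret, pass it to `rotate`, return a log-safe summary.
    The PAT is read from the environment so it never sits in source."""
    token = token or os.environ.get("GITGUARDIAN_API_KEY")
    if not token:
        raise SecretAccessError("GITGUARDIAN_API_KEY is not set")
    data = fetch_secret(secret_id, token, transport)
    rotated = rotate(data["secret"])
    detector = data.get("detector", {}).get("name", "unknown")  # assumed shape
    return f"secret {secret_id} ({detector}) {redact(data['secret'])}: rotated={rotated}"
```

The `rotate` callable is where the secret goes (a vault write, a cloud provider key-rotation call); everything that is printed or logged passes through `redact`, and a 403 is reported as a permission problem rather than retried.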
We’re pleased to introduce hardcoded secret detection for Microsoft Teams!
What’s new?
Our platform now scans Microsoft Teams messages for hardcoded secrets—such as API keys, credentials, and tokens—across both new activity and historical content. This means you can instantly identify and remediate exposed secrets, whether they were just shared or left unnoticed in your Teams environment.
Why is this important?
Once a secret is leaked, it remains a security risk until addressed—regardless of when it was exposed. By providing both real-time and historical scanning, we offer:
Comprehensive coverage: Instantly detect newly introduced secrets and uncover old leaks hiding in past conversations or shared files.
Proactive risk management: Take swift action to rotate, revoke, or investigate secrets, minimizing the window of exposure.
Complete peace of mind: Ensure your Teams environment is continuously monitored and secured against secret sprawl.
Secure your collaboration. Protect your business.
Simply connect your Microsoft Teams instance and let our enhanced detection engine do the rest. Our solution will automatically scan both ongoing and historical Teams content, surfacing any hardcoded secrets for prompt remediation.
Check out our documentation to start protecting your MS Teams communications!
Historical Scanning now available for Jira and Confluence Cloud sources.
We’re excited to announce a significant enhancement to our secret detection capabilities for Jira and Confluence Cloud: historical scanning is now available!
What's new?
Previously, our integration would surface hardcoded secrets in real-time, alerting you to newly introduced risks as soon as they appeared. With this update, we’re extending our detection to include secrets that were leaked in the past—not just those introduced going forward.
Why does this matter?
Once a secret is leaked, it should always be considered compromised, regardless of when the leak occurred. By surfacing historical secrets, you can now:
Identify and remediate old, forgotten leaks that may still pose a security risk.
Reach a comprehensive security posture by ensuring that no secrets—past or present—slip through the cracks.
Take proactive action to rotate or revoke secrets that may have been exposed long ago.
Check out our documentation to enable the feature now.
Detect hardcoded secrets in your Container Registries
We are excited to introduce Secret detection for Container Registries, including:
Azure Container Registry
Google Artifact Registry
JFrog Container Registry
DockerHub
Secrets often end up in container images due to common mistakes during development and image creation, mainly:
Hardcoding Secrets in Code: Developers may directly embed sensitive credentials, such as API keys or passwords, into application code, which gets packaged into container images.
Misconfigured Dockerfiles: Commands like ENV or RUN in Dockerfiles can inadvertently expose sensitive data during the build process.
By identifying and addressing hardcoded credentials early in the development pipeline, this feature significantly minimizes the risk of security breaches, helping you prevent the unintended exposure of sensitive information before it even reaches production.
Check out our Blog Post to learn more and our documentation to enable the feature now.
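The two leak paths listed above (secrets baked into application code, and ENV or RUN instructions leaving them in the image) can be checked for locally. The following is an added example, not GitGuardian's scanner: it reads a `docker save` style tarball, scans the image config's ENV entries, the build history and every text file in every layer, and reports matches with the value redacted so the report is not a second leak. The regex patterns, the `Finding` record and the in-memory sample image are constructed for this example; the AWS key in it is the AWS documentation placeholder, not a credential.

```python
"""Scan a `docker save` style image tarball for hardcoded secrets.

Added example, not GitGuardian's scanner. It inspects the places the release
notes call out: ENV entries in the image config, the build history (the
ENV/RUN/ARG lines a Dockerfile leaves behind) and the files inside every
layer. Values are reported redacted. Patterns and sample image are constructed.
"""
import io
import json
import re
import tarfile
from dataclasses import dataclass

# Constructed patterns: the AWS access key id shape plus a generic
# "name = value" assignment; a real engine carries hundreds of detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^'\"\s]{8,})"
    ),
}


@dataclass
class Finding:
    location: str   # "env", "history" or "layer:<layer>:<path>"
    detector: str
    redacted: str   # first four characters, rest masked


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_text(text: str, location: str) -> list[Finding]:
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(match.lastindex or 0)  # capture group if any, else whole match
            findings.append(Finding(location, name, redact(value)))
    return findings


def scan_image(tar_bytes: bytes, max_file_size: int = 1 << 20) -> list[Finding]:
    """Walk manifest.json -> image config -> layers and scan each text file."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            config = json.load(image.extractfile(entry["Config"]))
            for env in config.get("config", {}).get("Env", []):
                findings += scan_text(env, "env")
            for step in config.get("history", []):
                findings += scan_text(step.get("created_by", ""), "history")
            for layer_name in entry["Layers"]:
                layer_bytes = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if not member.isfile() or member.size > max_file_size:
                            continue
                        data = layer.extractfile(member).read()
                        try:
                            text = data.decode("utf-8")
                        except UnicodeDecodeError:
                            continue  # binaries are skipped in this example
                        findings += scan_text(text, f"layer:{layer_name}:{member.name}")
    return findings


def _add_bytes(tar: tarfile.TarFile, name: str, payload: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_sample_image() -> bytes:
    """Constructed image: one layer holding an app config file, plus an ENV
    entry and an ARG in the build history. AKIAIOSFODNN7EXAMPLE is the AWS
    documentation placeholder key, not a real credential."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_bytes(layer, "app/config.py", b"DB_PASSWORD = 'hunter2hunter2'\nDEBUG = True\n")
        _add_bytes(layer, "app/main.py", b"print('hello')\n")
    config = {
        "config": {"Env": ["PATH=/usr/bin", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ENV PATH=/usr/bin"},
            {"created_by": "/bin/sh -c #(nop) ARG NPM_TOKEN=npm_1234567890abcdef"},
        ],
    }
    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w") as image:
        _add_bytes(image, "config.json", json.dumps(config).encode())
        _add_bytes(image, "layer1/layer.tar", layer_buf.getvalue())
        manifest = [{"Config": "config.json", "Layers": ["layer1/layer.tar"]}]
        _add_bytes(image, "manifest.json", json.dumps(manifest).encode())
    return image_buf.getvalue()


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"{f.location}: {f.detector} -> {f.redacted}")
```

Run against a real image with `docker save myimage -o image.tar` and pass the file's bytes to `scan_image`. Note that the history scan catches an `ARG`/`ENV` leak even when the file that used it was deleted in a later layer, which is exactly the case a file-only scan misses.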
New Checkers
These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:
Laravel Encryption Key with Host
GitLab Feature Flags Client Token with Project ID
Kubernetes JWT with Host
Brave Search API Key
Firecrawl API Key
Dify API Key
GitLab Runner Authentication Token
Detector Improvements
Ubidots Token – Now includes new secret prefixes and improved checker responses for tokens from disabled accounts.
AMQP Credentials – Detector Upgrade: Enhanced multimatch selection to reduce false positive combinations, vital for secure message queuing in distributed systems.
Confluent Keys – Detector Upgrade: Improved multimatch selection for better accuracy and fewer false positives, essential for managing access to Kafka clusters.
Generic High Entropy Secret – Detector Upgrade: Excludes secrets ending with '.certificate' from being reported, reducing noise by ignoring non-sensitive certificates.
Artifactory Token – Analyzer Upgrade: Improved stability by preventing crashes when analyzing secrets with multiple scopes, key for managing and securing software artifacts.
Microsoft Azure Storage Connection String – Checker Upgrade: Enhanced to accept additional fields, crucial for accessing and managing Azure storage resources securely.
Microsoft Azure Storage Account Key – Detector Upgrade: Increased precision, reducing false positives, critical for safeguarding data in cloud storage.
Engine Enhancements
Established a priority rule favoring the confluent_api_keys detector over amqp_assignment and amqp_assignment_attached_port detectors.
Expanded detection pattern list for encrypted strings to increase precision.
Enhanced AssignmentRegexMatcher to handle N-prefixed string literals in SQL, adding support for Microsoft SQL Server.
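Two of the engine behaviours above (an assignment matcher that understands T-SQL `N'...'` literals, and a high-entropy detector that drops values ending in `.certificate`) can be illustrated together. This is an added example and not GitGuardian's engine: the regex, the entropy threshold of 3.5 bits per character, the result record and the sample text are all constructed for it.

```python
"""Generic high-entropy secret detection driven by an assignment matcher.

Added example, not GitGuardian's engine. It shows two behaviours from the
engine enhancements: the assignment matcher also accepts T-SQL N'...'
string literals (Microsoft SQL Server), and values ending in '.certificate'
are dropped before reporting. The regex, the entropy threshold and the
sample text are this example's own assumptions.
"""
import math
import re

# Matches key = 'value', key: "value" and SET @key = N'value'. The (?-i:N)
# keeps the T-SQL Unicode-literal prefix case-sensitive even though the
# key name is matched case-insensitively.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[a-z0-9_.-]*(?:secret|password|passwd|token|key))\b"
    r"\s*[=:]\s*(?-i:N)?(?P<quote>['\"])(?P<value>[^'\"]{12,})(?P=quote)"
)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off, in bits per character
EXCLUDED_SUFFIXES = (".certificate",)


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_generic_secrets(text: str) -> list[dict]:
    """Return one record per high-entropy assignment. The raw value is left
    out of the record so the result can be logged safely."""
    results = []
    for m in ASSIGNMENT.finditer(text):
        value = m.group("value")
        if value.endswith(EXCLUDED_SUFFIXES):
            continue  # certificate references are noise, not secrets
        entropy = shannon_entropy(value)
        if entropy < ENTROPY_THRESHOLD:
            continue  # words and placeholders have low entropy
        results.append({
            "key": m.group("key"),
            "entropy": round(entropy, 2),
            "line": text.count("\n", 0, m.start()) + 1,
            "sql_n_prefix": text[m.start("quote") - 1] == "N",
        })
    return results


# Constructed sample; every value is made up.
SAMPLE = """\
password = 'changeme_changeme'
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a"
SET @api_token = N'Zx9!kLm2#Qw8$Rt4&Vb7^Np1'
cert_key = 'prod-ingress.certificate'
token: "aaaaaaaaaaaaaaaaaaaa"
"""


if __name__ == "__main__":
    for record in find_generic_secrets(SAMPLE):
        print(record)
```

On the sample, the low-entropy placeholder on line 1, the certificate reference on line 4 and the repeated-character value on line 5 are all dropped; only the `api_key` literal and the `N'...'` T-SQL assignment are reported, the latter flagged with `sql_n_prefix`.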
Teams: Optimized the /teams API endpoint to reduce loading times for workspaces with large team structures.
Self-Hosted:
Improved ML Secret Engine Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
Improved Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
Improved handling of failed index creation migrations to allow safe re-execution of database updates.
Added capability to specify constraint of only one worker per node in Kubernetes deployments to optimize resource allocation. Learn more about scaling.
Emails: Resolved an issue where email alerts were being sent to inactive workspace members.
Custom Tags: Resolved pagination issues in the custom_tags endpoint that were causing incorrect next page URLs.
GitLab: Improved permission checking for GitLab group integrations to properly handle permissions inherited from parent groups.
Severity rules: Corrected an issue preventing Self-Hosted customers from adding or editing custom severity rule sets.
Secret analyzer: Improved behavior to ensure secret analyzer is properly disabled when validity checking is turned off.
Self-Hosted Deployment on GCP and Azure: Fixed an issue with ACL limitations on GCP and Azure cloud platforms where Redis deployments disable the ACL command, causing pre-deployment checks for the FLUSHDB command to fail. The system now gracefully handles scenarios where ACL commands are unavailable.
⚠️ Important: This is a required release and cannot be skipped.
Upgrading to 2025.4
Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.
Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.
We're proud to introduce our brand new NHI Governance product! This solution is designed to help you manage and secure your Non-Human Identities (NHIs) and related secrets.
As organizations face exponential growth in machine identities, NHI Governance delivers a comprehensive observability and lifecycle management across all your environments. Integrating with leading secrets managers and other sources from your infrastructure, it centralizes inventory, helps you assess your posture, and enforces security policies.
The solution includes:
Deep contextual insights, mapping relationships between secrets, their consumers, and resources, drastically reducing incident response times.
Advanced analytics help you identify risks such as overprivileged NHIs and track hygiene metrics.
Policy enforcement aligns your posture with standards such as the OWASP NHI Top 10.
NHI Governance empowers you to regain control over your NHIs and tied secrets, reduce risk, accelerate compliance tasks, and improve hygiene by addressing orphaned, untracked, or overprivileged credentials.
Ready to start your journey towards safer secrets management? Request access to GitGuardian NHI Governance by contacting your sales representative.
We're excited to announce Secrets Analyzer, a new enhancement to our secrets detection capabilities.
Secrets Analyzer automatically gathers additional context for detected secrets, including their associated scopes, permissions, ownership, and relevant perimeter information where available.
This added intelligence helps security teams:
Evaluate the potential impact of a secret incident more accurately.
Prioritize remediation efforts based on risk level.
Streamline the overall incident response process.
For details on how each analyzer works, including the metadata collected and the validation calls it makes, see the documentation.
Take control of incident management with custom tags. This feature allows you to categorize, filter, and search incidents using customized labels, offering greater flexibility in tracking and prioritizing incidents, and improving remediation workflows.
For developers, you can interact with custom tags via the API. For more information, visit the API documentation.
For more details on how to use custom tags within the GitGuardian platform, check out our detailed guide.
You now have two options for receiving incident email notifications: "All incidents" (default) or "Only incidents involving yourself (based on your Git commit email)". Learn more about email preferences.
Our self-hosted deployments now include a seamless log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This enhancement ensures that relevant logs are efficiently gathered and stored, supporting faster troubleshooting and support—without requiring any manual setup from users.
Incidents: Added a new filter to improve incident categorization based on the presence or absence of Jira Data Center tickets.
Custom Tags: Users can now create custom tags directly from search queries in the dashboard.
Custom webhook: Added the team name and webhook name to the custom webhook payload for incidents and occurrences. Learn more.
Jira Configuration: Introduced a new layout for the Jira Configuration form to enhance user experience and streamline configuration tasks.
Navigation Improvements:
Added persistent section state to remember your navigation preferences and updated browser tab titles for better identification when managing multiple tabs.
Added a "Skip to Main Content" button for better accessibility. When using keyboard navigation, pressing the Tab key reveals the button, which allows users to bypass navigation menus and jump directly to the main content area.
Invitation: Added GET /v1/invitations/{invitation_id} endpoint to retrieve invitation details through the Public API.
Self-Hosted:
Email Configuration: Improved error messages to provide clearer guidance when setting up email configurations.
Troubleshooting: Enhanced debug capabilities by adding network diagnostic tools (netcat, openssl) to the debug image. Learn more.
Helm:
Extended the readiness probe timeout on public-api to enhance stability and prevent premature failures.
Resolved an issue where the host was not specified in the health ingress configuration.
Added global.compatibility.openshift.adaptSecurityContext configuration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values include auto (default), force, and disabled for flexible security context adaptation. Learn more.
Added default support-bundle Role and optional ClusterRole creation (configurable via replicated.supportBundle.rbac.clusterRole.create).
The PostgreSQL pgvector extension is now required by default (postgresql.plugins.pgvector.enabled). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
Ingress:
Improved response times for issue occurrence queries through optimized request routing. Particularly useful when autoscaling webapp-public_api.
Standardized health check endpoint routing by removing the wildcard host configuration from gim-ingress-health and consolidating /api/v1/health under the main API hostname.
Jira Cloud Issue Tracking Integration: Fixed an issue where Jira project keys were incorrectly changed during synchronization.
GitLab Integration:
Fixed an issue where multiple emails were sent for failures in multiple group hooks on the same GitLab instance, ensuring only one email is sent per instance.
We improved the process for read-only token installations by automatically detecting and updating the webhook ID if the webhook was created manually.
Resolved an issue where system hook checks returned a 403 forbidden error when using a read-only token.
Fixed unnecessary scans triggered by webhooks related to unmonitored repositories.
Incidents: Fixed a bug that could cause unnecessary data refresh on the incidents list when switching browser tabs.
Self-Hosted:
Licensing: Updated the notification message for license expiration on self-hosted environments to provide clearer guidance.
Security: Added Content Security Policy (CSP) headers to HTTP responses to strengthen browser security controls.
We've updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.
We are excited to unveil the "Generic Secret Enricher V1", a machine learning model designed to enhance our capabilities in generic secret detection. This innovative model analyzes the entire context of a document, identifying the company and category associated with a secret, thereby providing meaningful insights to help users understand the origin and type of a discovered secret.
Contextual Analysis: Upon detection of a generic secret, our platform analyzes the full document context to determine the associated provider or category of a secret.
Efficient Classification: This feature reduces the need for manual classification, enabling users to quickly comprehend the source and nature of a discovered generic secret.
New Filters: We've introduced three new filters - Provider, Category, Family - to help identify critical generic incidents.
To use them, filter your incidents by the "Generic" type, then apply a combination of the Provider, Category, and Family filters. This helps you identify the most significant or critical generic incidents, such as those classified under "Data Storage" or linked to the provider "Postgresql".
GitGuardian now integrates with AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager, Delinea, and Akeyless through ggscout, letting you sync secret incidents with your Secrets Managers—without exposing sensitive data.
What’s in it for you?
Prioritize Faster – Instantly see which secrets are already vaulted and focus on real risks.
Remediate Quicker – Vault unprotected secrets in a click and speed up fixes.
Streamline Workflows – Leverage vaulted secrets insights directly in GitGuardian.
Improve Secrets Hygiene – Spot duplicate, weak, or mismanaged secrets with ggscout.
FCM API Key – Validity check is no longer available since the API has been removed. While we can no longer retrieve the validity status for FCM secrets, we still detect the keys.
License: GitGuardian will now automatically synchronize license information for non-air-gap environments, eliminating the need for manual license syncs after installation or upgrades.
Helm: Added support for nodeSelector in Helm jobs to enhance node scheduling flexibility.