Skip to main content

6 posts tagged with "secrets-detection"

View All Tags

2025.7 - Required

Versioncalendar icon Release Date
2025.7.0July 25, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.28 ⚠️1.32
PostgreSQL1516
Redis67
ggscout0.16.6Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.7

Machine Learning engine is now enabled by default. Ensure your infrastructure meets the ML requirements.

If you're concerned about resource usage, you can lower the priority of ML pods to ensure other critical services are scheduled first.

Historical Scanning now available for Jira and Confluence Data Center

Jira Confluence DC HScan Thumbnail

We’re excited to announce a significant enhancement to our secret detection capabilities for both Jira and Confluence Data Center: historical scanning is now available!

What's new?

Previously, our integrations would surface hardcoded secrets in real-time, alerting you to newly introduced risks as soon as they appeared. With this update, we’re extending our detection to include secrets that were leaked in the past—not just those introduced going forward.

Why does this matter?

Once a secret is leaked, it should always be considered compromised, regardless of when the leak occurred. By surfacing historical secrets, you can now:

  • Identify and remediate old, forgotten leaks that may still pose a security risk.
  • Reach a comprehensive security posture by ensuring that no secrets—past or present—slip through the cracks.
  • Take proactive action to rotate or revoke secrets that may have been exposed long ago.

Check out our documentation to enable historical scanning now:

Automatically Ignore Invalid Incidents with New Playbook

Incident Playbook Thumbnail

We’re excited to announce a powerful enhancement to your incident management experience, designed to help you focus on what matters: we are introducing a new playbook: Automatically Ignore Invalid Incidents.

What's new?

This new playbook will automatically ignore incidents where the detected secret has been confirmed invalid and revoked, even for those that have never been valid. With this new capability, your team can immediately focus on genuine, actionable threats without being distracted by unnecessary noise from already-resolved issues.

Why This Matters?

By automatically clearing these known invalid incidents, you'll save valuable time, reduce alert fatigue, and maintain a clear focus on critical security issues that require your attention.

Important Note

This playbook is designed for incidents from standard detectors and will not impact those related to detectors with a custom host.

You Stay in Control

The playbook will be enabled by default, but you can opt out at any time if it doesn’t fit your needs. All incidents will remain accessible in your workspace for review.

Documentation

Secrets Detection Engine (v2.143)

New Detectors

New Checkers These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

  • Coze Personal Access Token
  • Tavus API Key
  • Heroku Platform Key
  • Tableau Cloud PAT
  • Notion Integration Token v2
  • Salesforce OAuth2
  • AI71 API Key
  • AMP API Token
  • Kubernetes User Certificate with Port
  • Alchemy API Key v2
  • OpenRouter API Key
  • Duffel API Key
  • Apify Token
  • Jina API Key
  • Deno Account Token
  • Resend API Key
  • VKontakte Access Token
  • Fireworks AI API Key

Detector Improvements

  • Google OAuth2 Keys – Improved precision for Google OAuth2 detector and enhanced regex for better detection accuracy.
  • Zendesk Token – ZendeskTokenAnalyzer has been rewritten in Rust for improved performance.
  • Sendinblue Key – SendinblueSecretAnalyzer has been rewritten in Rust.
  • Generic High Entropy Secret – No longer considers IDs in ServiceNow migration files as secrets and removed AWS ECR images that were misclassified as secrets.
  • Algolia Keys – AlgoliaKeysSecretAnalyzer has been rewritten in Rust.
  • Fastly Personal Token – FastlySecretAnalyzer has been rewritten in Rust.
  • [Hugging Face User Access] – Migrated analyzer to Rust for improved performance.
  • Kubernetes Docker Secret – Enhanced detection for kubernetes.io/dockercfg secrets with more precise regex for JWTs.
  • MySQL Assignment – Restricted the maximum number of secrets per document to prevent combinatorial explosion.
  • Sourcegraph Token – Updated regex for sourcegraph_access_token_v3 as per customer request.
  • GitHub Access Token – GitHub classic analyzer has been rewritten in Rust for improved performance.
  • HashiCorp Vault Token – Improved precision for HashiCorp Vault token detection.
  • Confluent Keys – Updated checker for Confluent API keys.
  • GitHub Fine-Grained PAT – Analyzer now handles archived repositories.
  • Slack Tokens – SlackBot analyzer has been rewritten in Rust for improved performance and applies to Slackbot, Slack App, and Slack User tokens.
  • DigitalOcean Spaces Token – Fixed checker for tokens that do not have permission to list buckets.
  • Checkout Secret Key – Updated endpoint to avoid deprecated usage.
  • Checkout Sandbox Secret Key – Enhanced pattern and updated endpoint for improved accuracy.
  • Bunny.net API Key – Fixed checker for better validation.
  • Dify API Key – Updated checker endpoint for enhanced detection.

Engine Enhancements

  • All JWT detectors will now only catch signed JWTs, enhancing security.

Enhancements

  • Jira Data Center Integration: Enhanced Jira Data Center incident creation to include leaker email addresses for historical comments occurrences.
  • Custom Tags API: Enhanced the custom tags filter in the public API to support filtering by key/value pairs in addition to IDs, improving search flexibility for better incident management. Learn more.
  • Playbook: "Auto-resolve secrets incidents when valid secrets are revoked" playbook is officially activated for all accounts. Learn about Playbooks
  • Custom remediation: Added dynamic links to custom remediation pages, providing users with seamless access to relevant documentation and revocation support.
  • Public API: Custom Tags (custom_tags) query parameters have been documented as part of the API documentation.
  • GitLab integration: Configuration of multiple GitLab integrations using both system hooks and group hooks simultaneously is now supported.

Fixes

  • Custom Tags: Fixed an issue where assigning tags to selected filtered issues was incorrectly applying tags to all issues instead of only the selected ones.
  • Azure DevOps Integration: Improved token handling to prevent unnecessary revocation of Azure DevOps installations due to intermittent 401 errors.
  • Email Notifications: Improved email delivery logic for Microsoft Teams integrations to prevent excessive notification sending during periodic scans.
  • GitHub Integration: Fixed an issue where dangling GitHub installations were being unnecessarily checked when no installations were present.
  • User Management: Ensure SCIM user provisioning matches emails case-insensitively to prevent duplicate or mismatched user entries.
  • Incidents Management: Resolved a regression where secrets detected on deletion lines could reopen incidents. Deletion lines are no longer scanned for secrets, as per the expected "Scan only addition line" behavior.

2025.6

Versioncalendar icon Release Date
2025.6.0June 20, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.28 ⚠️1.32
PostgreSQL1516
Redis67
ggscout0.16.6Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Upgrading to 2025.6 Kubernetes Support

GitGuardian 2025.6 now requires Kubernetes 1.28 as the minimum supported version. However, Kubernetes 1.28 is no longer receiving active or maintenance support from the Kubernetes project (see end-of-life schedule).

We strongly recommend upgrading to Kubernetes 1.32 for optimal security and stability. See our system requirements for more details.

Securely Access Secret Values via API with GitGuardian's New “Secrets” Endpoint

secret API thumbnail GitGuardian is excited to announce a new API endpoint /v1/secrets/{secret_id}, allowing users to securely access secret values directly through our API.

This feature introduces several key benefits:

  1. Enhanced Security Automation - Integrate secret remediation into existing security workflows and tools with secure API access to secret values.
  2. Reduced Manual Intervention - Eliminate the need to manually copy secrets from the UI, saving time and reducing human error.
  3. Comprehensive Security Controls - Multiple security layers (PAT permissions, workspace settings) ensure secrets are accessed only by authorized users.
  4. Complete Secret Context - Receive both the secret value and detector information in a single API call for efficient remediation.

Read more in the documentation

Secrets Detection in Microsoft Teams

MS Teams historical scanning thumbnail

We’re pleased to introduce hardcoded secret detection for Microsoft Teams!

What’s new?

Our platform now scans Microsoft Teams messages for hardcoded secrets—such as API keys, credentials, and tokens—across both new activity and historical content. This means you can instantly identify and remediate exposed secrets, whether they were just shared or left unnoticed in your Teams environment.

Why is this important?

Once a secret is leaked, it remains a security risk until addressed—regardless of when it was exposed. By providing both real-time and historical scanning, we offer:

  • Comprehensive coverage: Instantly detect newly introduced secrets and uncover old leaks hiding in past conversations or shared files.
  • Proactive risk management: Take swift action to rotate, revoke, or investigate secrets, minimizing the window of exposure.
  • Complete peace of mind: Ensure your Teams environment is continuously monitored and secured against secret sprawl.

Secure your collaboration. Protect your business.

Simply connect your Microsoft Teams instance and let our enhanced detection engine do the rest. Our solution will automatically scan both ongoing and historical Teams content, surfacing any hardcoded secrets for prompt remediation.

Check out our documentation to start protecting your MS Teams communications!

Historical Scanning now available for Jira and Confluence Cloud sources.

Jira Confluence historical scan Thumbnail

We’re excited to announce a significant enhancement to our secret detection capabilities for Jira and Confluence Cloud: historical scanning is now available!

What's new?

Previously, our integration would surface hardcoded secrets in real-time, alerting you to newly introduced risks as soon as they appeared. With this update, we’re extending our detection to include secrets that were leaked in the past—not just those introduced going forward.

Why does this matter?

Once a secret is leaked, it should always be considered compromised, regardless of when the leak occurred. By surfacing historical secrets, you can now:

  • Identify and remediate old, forgotten leaks that may still pose a security risk.
  • Reach a comprehensive security posture by ensuring that no secrets—past or present—slip through the cracks.
  • Take proactive action to rotate or revoke secrets that may have been exposed long ago.

Check out our documentation to enable the feature now:

Detect hardcoded secrets in your Container Registries

Container Registries Thumbnail

We are excited to introduce Secret detection for Container Registries, including:

  • microsoft-azure-container-registry Azure Container Registry
  • google-artifact-registry Google Artifact Registry
  • jfrog JFrog Artifactory
  • dockerhub DockerHub

Secrets often end up in container images due to common mistakes during development and image creation, mainly:

  • Hardcoding Secrets in Code: Developers may directly embed sensitive credentials, such as API keys or passwords, into application code, which gets packaged into container images.
  • Misconfigured Dockerfiles: Commands like ENV or RUN in Dockerfiles can inadvertently expose sensitive data during the build process.

By identifying and addressing hardcoded credentials early in the development pipeline, this feature significantly minimizes the risk of security breaches, helping you prevent the unintended exposure of sensitive information before it even reaches production.

Container Registries Dashboard

Check out our Blog Post to learn more and our documentation to enable the feature now:

Export self-hosted GitGuardian logs to Splunk and more

You can now forward GitGuardian application logs to external log aggregation systems including Splunk, Loki, Elasticsearch, Kafka, and Datadog.

This allows you to integrate GitGuardian's logs with your existing observability infrastructure for centralized monitoring and analysis.

Check out our documentation to configure custom pipelines and start exporting your logs!

Secrets Detection Engine (v2.140)

New Detectors

New Checkers These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

  • Laravel Encryption Key with Host
  • GitLab Feature Flags Client Token with Project ID
  • Kubernetes JWT with Host
  • Brave Search API Key
  • Firecrawl API Key
  • Dify API Key
  • GitLab Runner Authentication Token

Detector Improvements

  • Ubidots Token – Now includes new secret prefixes and improved checker responses for tokens from disabled accounts.
  • Azure Cosmos DB Credentials – Enhanced host pattern to improve recall and detection accuracy.
  • GitLab Token – Refined pattern to minimize false positives.
  • ODBC Connection String – Advanced detection precision for ODBC strings.
  • AMQP CredentialsDetector Upgrade: Enhanced multimatch selection to reduce false positive combinations, vital for secure message queuing in distributed systems.
  • Confluent KeysDetector Upgrade: Improved multimatch selection for better accuracy and fewer false positives, essential for managing access to Kafka clusters.
  • Generic High Entropy SecretDetector Upgrade: Excludes secrets ending with '.certificate' from being reported, reducing noise by ignoring non-sensitive certificates.
  • Artifactory TokenAnalyzer Upgrade: Improved stability by preventing crashes when analyzing secrets with multiple scopes, key for managing and securing software artifacts.
  • Microsoft Azure Storage Connection StringChecker Upgrade: Enhanced to accept additional fields, crucial for accessing and managing Azure storage resources securely.
  • Microsoft Azure Storage Account KeyDetector Upgrade: Increased precision, reducing false positives, critical for safeguarding data in cloud storage.

Engine Enhancements

  • Established a priority rule favoring the confluent_api_keys detector over amqp_assignment and amqp_assignment_attached_port detectors.
  • Expanded detection pattern list for encrypted strings to increase precision.
  • Enhanced AssignmentRegexMatcher for N prefixed strings in SQL, supporting Microsoft SQL Server.

Enhancements

  • Teams: Optimized the /teams API endpoint to reduce loading times for workspaces with large team structures.
  • Self-Hosted:
    • Improved ML Secret Engine Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
    • Improved Docker image permissions to support running with custom user and group IDs for better Kubernetes security contexts.
    • Improved handling of failed index creation migrations to allow safe re-execution of database updates.
    • Added capability to specify constraint of only one worker per node in Kubernetes deployments to optimize resource allocation. Learn more about scaling.

Fixes

  • Emails: Resolved an issue where email alerts were being sent to inactive workspace members.
  • Custom Tags: Resolved pagination issues in the custom_tags endpoint that were causing incorrect next page URLs.
  • GitLab: Improve permission checking for GitLab group integrations to properly handle inherited permissions from parent groups.
  • Severity rules: Corrected an issue preventing Self-Hosted customers from adding or editing custom severity rule sets.
  • Secret analyzer: Improved behavior to ensure secret analyzer is properly disabled when validity checking is turned off.
  • Self-Hosted Deployment on GCP and Azure: Fixed an issue with ACL limitations on GCP and Azure cloud platforms where Redis deployments disable the ACL command, causing pre-deployment checks for the FLUSHDB command to fail. The system now gracefully handles scenarios where ACL commands are unavailable.

2025.4 - Required

Versioncalendar icon Release Date
2025.4.0April 25, 2025
2025.4.1April 30, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.251.31
PostgreSQL1516
Redis67
helm3.13Latest
ggscout0.16.40.16.4 is the only supported version

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.4

Please install the PostgreSQL pgvector extension to enable vector similarity search. This is essential for upcoming features leveraging our internal machine learning engine. Follow the installation instructions to ensure compatibility.

Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.

Get full control of your Non-Human Identities

NHI Governance Thumbnail

We're proud to introduce our brand new NHI Governance product! This solution is designed to help you manage and secure your Non-Human Identities (NHIs) and related secrets.

As organizations face exponential growth in machine identities, NHI Governance delivers a comprehensive observability and lifecycle management across all your environments. Integrating with leading secrets managers and other sources from your infrastructure, it centralizes inventory, helps you assess your posture, and enforces security policies. The solution includes:

  • Deep contextual insights, mapping relationships between secrets, their consumers, and resources, drastically reducing incident response times.
  • Advanced analytics helps you identify risks like overprivileged NHIs and track hygiene metrics.
  • Policy enforcement aligns your posture with standards such as the OWASP NHI Top 10.

NHI Governance empowers you to regain control over your NHIs and tied secrets, reduce risk, accelerate compliance tasks, and improve hygiene by addressing orphaned, untracked, or overprivileged credentials.

Ready to start your journey towards safer secrets management? Request access to GitGuardian NHI Governance by contacting your sales representative.

Learn more:

Prioritize faster with Secrets Analyzer

Secret Analyzer Thumbnail

We're excited to announce Secrets Analyzer, a new enhancement to our secrets detection capabilities.

Secrets Analyzer automatically gathers additional context for detected secrets, including their associated scopes, permissions, ownership, and relevant perimeter information where available.

This added intelligence helps security teams:

  • Evaluate the potential impact of a secret incident more accurately.
  • Prioritize remediation efforts based on risk level.
  • Streamline the overall incident response process.

For details on how each analyzer works, including metadata collected and validation calls:

Improve incident remediation with custom tags

Custom tags Thumbnail

Take control of incident management with custom tags. This feature allows you to categorize, filter, and search incidents using customized labels, offering greater flexibility in tracking and prioritizing incidents, and improving remediation workflows.

For developers, you can interact with custom tags via the API. For more information, visit the API documentation.

For more details on how to use custom tags within the GitGuardian platform, check out our detailed guide.

Custom tags example

Email notifications enhancement

You now have two options for receiving incident email notifications: "All incidents" (default) or "Only incidents involving yourself (based on your Git commit email)", learn more about email preferences.

Email notification

Log collector for Self-Hosted

log collector

Our self-hosted deployments now include a seamless log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This enhancement ensures that relevant logs are efficiently gathered and stored, supporting faster troubleshooting and support—without requiring any manual setup from users.

This log collection system is now enabled by default for all installation types (Helm or KOTS).
Learn more about the log collector.

Secrets Detection Engine (v2.135)

Improved accuracy and broader coverage in this latest release:

New Detectors

Detector Improvements

Detector changes

  • FCM API Key – Removed FCM API Key checker since its API was removed.

Miscellaneous

  • Add User Agent GitGuardian in HTTPClient class used by analyzers.

Enhancements

  • Incidents: Added a new filter to improve incident categorization based on the presence or absence of Jira Data Center tickets.
  • Custom Tags: Users can now create custom tags directly from search queries in the dashboard.
  • Custom webhook: Add the team name and webhook name to the custom webhook payload for incidents and occurrences. Learn more.
  • Jira Configuration: Introduced a new layout for the Jira Configuration form to enhance user experience and streamline configuration tasks.
  • Navigation Improvements:
    • Added persistent section state to remember your navigation preferences and updated browser tab titles for better identification when managing multiple tabs.
    • Added a "Skip to Main Content" button for better accessibility. When using keyboard navigation, pressing the Tab key reveals the button, which allows users to bypass navigation menus and jump directly to the main content area.
  • Invitation: Added GET /v1/invitations/{invitation_id} endpoint to retrieve invitation details through the Public API.
  • Self-Hosted:
    • Email Configuration: Improved error messages to provide clearer guidance when setting up email configurations.
    • Troubleshooting: Enhanced debug capabilities by adding network diagnostic tools (netcat, openssl) to the debug image. Learn more.
    • Helm:
      • Extended the readiness probe timeout on public-api to enhance stability and prevent premature failures.
      • Resolved an issue where the host was not specified in the health ingress configuration.
      • Added global.compatibility.openshift.adaptSecurityContext configuration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values include auto (default), force, and disabled for flexible security context adaptation. Learn more.
      • Added default support-bundle Role and optional ClusterRole creation (configurable via replicated.supportBundle.rbac.clusterRole.create).
      • The PostgreSQL pgvector extension is now required by default (postgresql.plugins.pgvector.enabled). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
    • Ingress:
      • Improved response times for issue occurrence queries through optimized request routing. Particularly useful when autoscaling webapp-public_api.
      • Standardized health check endpoint routing by removing the wildcard host configuration from gim-ingress-health and consolidating /api/v1/health under the main API hostname.

Fixes

  • Jira Cloud Issue Tracking Integration: Fixed an issue where Jira project keys were incorrectly changed during synchronization.
  • GitLab Integration:
    • Fixed an issue where multiple emails were sent for failures in multiple group hooks on the same GitLab instance, ensuring only one email is sent per instance.
    • We improved the process for read-only token installations by automatically detecting and updating the webhook ID if the webhook was created manually.
    • Resolved an issue where system hook checks returned a 403 forbidden error when using a read-only token.
    • Fixed unnecessary scans triggered by webhooks related to unmonitored repositories.
  • Incidents: Fixed a bug that could cause unnecessary data refresh on the incidents list when switching browser tabs.
  • Self-Hosted:
    • Licensing: Updated the notification message for license expiration on self-hosted environments to provide clearer guidance.
    • Security: Added Content Security Policy (CSP) headers to HTTP responses to strengthen browser security controls.

Hotfixes

2025.4.1

calendar icon   Release Date: April 30, 2025

Fixes

  • Helm: Disabled Support Bundle Role creation by default to accommodate customers with high security requirements.

2025.3

calendar icon   Release Date: March 20, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.251.31
PostgreSQL1516
Redis67
helm3.13Latest
ggscout0.16.00.16.0 is the only supported version

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version.

Upgrading to 2025.3 Air gap deployments

We've updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.

Explore and prioritize your Generic Incidents

GSE-filters

We are excited to unveil the "Generic Secret Enricher V1", a machine learning model designed to enhance our capabilities in generic secret detection. This innovative model analyzes the entire context of a document, identifying the company and category associated with a secret, thereby providing meaningful insights to help users understand the origin and type of a discovered secret.

New Features

  • Contextual Analysis: Upon detection of a generic secret, our platform analyzes the full document context to determine the associated provider or category of a secret.

  • Efficient Classification: This feature reduces the need for manual classification, enabling users to quickly comprehend the source and nature of a discovered generic secret.

  • New Filters: We've introduced three new filters - Provider, Category, Family - to help identify critical generic incidents. To use these, filter your incidents by the "Generic" type, then apply a combination of these filters.

Goals

Our long-term goal is to provide you with actionable insights, prioritize their generic incidents, and improve their remediation efforts.

Usage

To use the new filters, simply filter your incidents by the "Generic" type, then apply a combination of the Provider, Category, and Family filters. This will help you identify the most significant or critical generic incidents, such as those classified under "Data Storage" or linked to the provider "Postgresql".

Leverage insights from your Secrets Managers

Secrets Managers Thumbnail

GitGuardian now integrates with AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager, Delinea, and Akeyless through ggscout, letting you sync secret incidents with your Secrets Managers—without exposing sensitive data.

What’s in it for you?

  • Prioritize Faster – Instantly see which secrets are already vaulted and focus on real risks.
  • Remediate Quicker – Vault unprotected secrets in a click and speed up fixes.
  • Streamline Workflows – Leverage vaulted secrets insights directly in GitGuardian.
  • Improve Secrets Hygiene – Spot duplicate, weak, or mismanaged secrets with ggscout.
  • Simplify Vault Consolidation – Track migrations, filter secrets, and purge outdated ones effortlessly.

Secrets Managers Tag

Secrets Detection Engine (v2.133)

Bringing enhanced accuracy and broader coverage:

Enhancements

  • Jira Issue Tracking Integration:
    • Added Incident ID as an optional variable in Jira ticket templates for improved customization.
    • Enabled instant ticket creation in Jira without requiring a predefined template.
  • ggscout: Additional improvements to the integration of ggscout with self-hosted. Learn more.
    • Ensured Vault configurations are reachable via the preflight check for Helm and KOTS.
    • Hardened Helm chart (custom CA support, optional GitGuardian hostname).
    • Used Replicated Proxy to pull the ggscout image.
    • Enabled support for embedded cluster deployment (HashiCorp Vault only).
    • Included ggscout logs in the support bundle.
  • Self-Hosted:
    • Public API: Added ability to customize maximum page size for the Public API pagination. More info here.
    • Embedded cluster: Machine learning is now activated by default for embedded cluster installations.
    • License: GitGuardian will now automatically synchronize license information for non-air-gap environments, eliminating the need for manual license syncs after installation or upgrades.
    • Helm: Added support for nodeSelector in Helm jobs to enhance node scheduling flexibility.

Fixes

  • Jira Cloud Issue Tracking Integration: Resolved an issue where integration entered an invalid state after being uninstalled.
  • Microsoft Teams Alerts for Security Incidents: Resolved an issue where the wrong team was displayed during configuration.
  • Self-Hosted:
    • Machine Learning: Added support for using custom security contexts, allowing to configure security settings for the machine learning pods.
    • Preflights: Fixed an issue with Redis TLS that could cause connection errors.

2025.2

calendar icon   Release Date: February 20, 2025

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.251.30
PostgreSQL1516
Redis67
helm3.13Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

Search Incidents by Secret Value

search secret GitGuardian allows you to monitor secret leaks across thousands of your repositories and over 30 different types of sources. It is reassuring to know that this critical secret, which provides access to your corporate LDAP, has not been detected anywhere.

Bitbucket Cloud Scanning

Bitbucket Cloud Integration Secure your Bitbucket Cloud repositories with secrets detection powered by GitGuardian.

  • Detect exposed credentials and secrets in real-time.
  • Gain visibility into security incidents directly in your dashboard.
    Learn more

Custom Tags Early Access

custom tags
Improve incident organization and tracking with Custom Tags, allowing users to filter, sort, and categorize incidents more effectively. For now, custom tag management (CRUD) and tag assignments to incidents can only be done via the API (API documentation), with UI support coming soon.

To activate this feature, enable custom_tags_enabled in the Preferences page.

Autoscaling

hpa
HPA now supports web applications (e.g., webapp-public_api), allowing automatic scaling based on demand for improved performance and resource efficiency. Learn more on the autoscaling page.

Secrets Detection Engine (v2.131)

Bringing enhanced accuracy and broader coverage:

Enhancements

  • Scan Only Addition Lines in Commits: Now, when using ggshield or our check runs integration, we only scan for added lines in commits. Developers will no longer be blocked while remediating incidents.
  • Jira Issue Tracking Integration: Added support for "Numbers (or float)" and "Group Pickers (single group)" custom fields in Jira templates, allowing more customization in notifications and issue tracking.
  • Enhanced Email Incident Alerting Controls for Members: You can now manage email notification settings more effectively with an option that allows updates through the API, and customize account-level defaults, ensuring a more tailored communication experience for all members. Learn more

Fixes

  • Sources:
    • Azure Repos Integration: Fixed an issue where organization deletions were not properly synced when using ADO installations in Organization-mode.
    • GitLab Integration: Resolved an issue where GitLab installations were incorrectly revoked due to temporary plan downgrades or admin status changes.
  • Users & Teams:
    • Incidents: Resolved an issue where restricted users could not view the Vulnerable Sources block.
    • Users: Resolved an issue where user deletion was prevented due to the presence of saved views associated with the user.
    • Teams Management: Resolved an issue where action menus were not displayed in the teammates table for non-admin users in certain cases.
  • Alerting:
    • Confluence Cloud Integration: Fixed an issue where some Confluence Cloud events without a spaceKey were incorrectly ignored.
    • PagerDuty Alerts for Security Incidents: Fixed an issue where the integration was not sending alerts for real-time incidents.
    • Email Notifications: Fixed an issue where emails for ignored and valid incidents were sent to all teams a user belongs to, instead of only the teams managing the affected repository.
  • Self-Hosted:
    • Helm: Fixed an issue where connecting to Redis Sentinel failed when using a password with special characters.
    • Kots: Restore the left navigation menu in the KOTS admin console for embedded cluster installations.

2025.1 - Required

Versioncalendar icon Release Date
2025.1.0January 20, 2025
2025.1.1January 23, 20255

System Requirements Update

Ensure your infrastructure meets the latest requirements for optimal performance and security:

ComponentMinimum VersionRecommended Version
KOTS1.117.3Latest
Kubernetes1.251.30
PostgreSQL1516
Redis67
helm3.13Latest

Helm & Upgrade Considerations

To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.

⚠️ Important: This is a required release and cannot be skipped.

Upgrading to 2025.1

Database Deprecation Notice: PostgreSQL 13 & 14 are no longer supported. Learn why upgrading to PostgreSQL 16 is recommended in our engineering blog.

Upgrade Considerations: This release includes a background migration that may take up to 1 hour post-upgrade. It improves query execution speed and search performance. If upgrading from an older version, multiple upgrades may trigger a retry message—wait 1 hour before retrying.

Microsoft Teams Security Alerts

MS team alerting Never miss a critical security event with real-time GitGuardian alerts in Microsoft Teams.

  • Instant notifications when security incidents occur.
  • Direct links to investigate issues inside GitGuardian.
    Learn more

Jira Auto-Tracking for Security Incidents

jira dc alerting Streamline incident response with Jira Data Center integration.

  • Auto-create Jira issues when new incidents are detected.
  • Sync custom fields for better tracking.
  • Auto-resolve incidents when Jira issues are closed.
    Learn more

False Positive Remover v1

false positive remover Our first internal machine learning model halves false positives, ensuring data security and privacy without third-party dependencies. This in-house capability is now available for Self-Hosted. More information is available in the documentation.

Slack Secret Scanning

slack secret scanning Slack integration is now supported for scanning the full history of your public and private Slack channels to detect leaked secrets.

Remediation tracking

remediation tracking Enhanced the secrets remediation workflow with precise location details for code fixes and real-time tracking of remediation progress. Learn more here.

⚠️ You can adjust the scan rate limit for the file tracking engine via the scan_after_push_force_rate_limit preference on the Preferences page. Historical scans are recommended to ensure incidents requiring fixes are available in the dashboard.

User management with SCIM

SCIM integration now supports automatic user deprovisioning in GitGuardian when users are removed from your Identity Provider (IdP). Provisioning for users and teams will be included in a future update. Setup details are available in our documentation.

Secrets Detection Engine (v2.129)

Bringing enhanced accuracy and broader coverage:

Enhancements

  • Navigation: The menu has been redesigned with a collapsible left sidebar for a cleaner, more organized experience.
  • Jira Data Center integration: Added support for the "User Picker (single user)" custom field in Jira templates. More information is available here.
  • GitHub integration:
    • Improved handling of real-time events to retrieve more than 100 commits when necessary, ensuring complete coverage.
    • Enhanced processing of large patches by making additional API calls to retrieve missing files, up to the policy__maximum_scan_size limit defined in the Preferences page.
  • Commit length configuration: Admins can configure the maximum total length of commits to scan, with larger commits truncated. This can be set via the repo_scan_max_commit_length preference on the Preferences page.

Self-Hosted

  • Helm: The ReplicatedSDK image is now pulled from the Replicated registry instead of Docker Hub. For airgap installations, ensure you update your automation processes for pulling and pushing images to your private registry. For more information, refer to the Airgap Installation page.
  • Installation and upgrade: Improved error messages for partially initialized databases, providing clear instructions to check logs and ensure the PostgreSQL database is empty before retrying.
  • Admin Area: Introduced a Periodic Tasks page to adjust schedules and fine-tune periodic task execution.
  • Queues: Merged the secrets_checks queue with the background validity checks queue to optimize performance.

Fixes

  • Secrets:
    • Check runs: Updated messages to note flagged secrets lack commit references and remain compromised once leaked.
    • Validity check: Fixed an issue where the tooltip incorrectly indicated a token was valid for all endpoints when it was valid for only one.
  • Sources:
    • GitLab: Enable viewing of more than 50,000 GitLab projects in the integration settings.
  • Alerting:
    • Jira issue tracking: Fixed an issue where line feeds (\n) were not properly translated to hardBreak nodes, ensuring correct spacing in Jira tickets.
  • Self-Hosted:
    • Admin area: Corrected sorting and filters on the Worker Tasks page for improved usability.

Hotfixes

2025.1.1

calendar icon   Release Date: January 23, 2025

Fixes

  • Self-Hosted:
    • Embedded cluster installation:
      • Fix an issue where the GitGuardian dashboard returns a 404 error. Note this fix does not apply to legacy embedded clusters using Kurl.
      • Resolved the inability to deploy an embedded cluster with a custom CA.
    • Helm:
      • Fixed a 404 error on the /metrics endpoint for fetching GitGuardian applicative metrics on Webapp pods and Celery workers.
      • Fixed Replicated RBAC resources being created despite rbac.enabled: false in Helm values, causing issues in RBAC-restricted environments.

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status