2026.4 - Required
| Version | Release date |
|---|---|
| 2026.4.0 | April 22, 2026 |
System Requirements Update
Ensure your infrastructure meets the latest requirements for optimal performance and security:
| Component | Minimum Version | Recommended Version |
|---|---|---|
| KOTS | 1.117.3 | Latest |
| Kubernetes | 1.30 | 1.35 |
| PostgreSQL | 15 | 17 |
| Redis | 6 | 7 |
| ggscout | 0.19.0 | Latest |
Helm & Upgrade Considerations
To ensure compatibility, please review Helm values updates from the previous version. Air gap deployment? Find all the images and tag names in the air gap install page.
⚠️ Important: This is a required release and cannot be skipped.
Helm installations using External Secrets: Built-in support for externalSecrets is removed in 2026.4.0. Before upgrading, take over the management of your ExternalSecret resources and switch your Helm values to existingSecrets. See Helm secrets > External Secret.
Feature highlights
- Advanced Analytics enabled by default for Helm installation — actionable dashboards for detection, remediation, and prevention of secret leaks are now activated by default on all instances. Learn more.
  Requires ~12 GB extra memory and increases database usage by 15-20% (min. 5-6 GB). Data refreshes once a day. KOTS installations must enable the new analytics in the KOTS admin console.
- Email verification MFA — email-based verification codes are now required at login and before sensitive workspace actions for users authenticating with email and password. Learn more.
- Secret scanning for AI coding tools — ggshield now scans prompts, tool calls, and agent actions in real time to prevent secrets from leaking through Cursor, Claude Code, and GitHub Copilot. Learn more.
- Team perimeter for non-VCS sources — scope incident visibility by team across container registries, messaging, docs, tickets, package registries and custom sources. Learn more.
- In-cluster support bundle generation — Helm administrators can now generate, download, and upload support bundles directly from the Admin area > Support Bundle page, without `kubectl` access or the Krew plugin. Learn more.
  Init container memory scales with bundle size (~45 Mi/MB); large bundles may need higher limits to avoid OOMKilled. See Sizing the init container.
Secrets Detection Engine
- v2.159 — 16 new detectors and checkers (Polar Organization Access Token, Microsoft Azure Storage Account Key, Azure Language API Key, Azure IoT Hub Connection String, DeepL Free/Pro API Keys, Azure Document Intelligence Key, Azure Speech Services Key, Azure Computer Vision Key, Azure Text Translation Key, Oracle Credentials, Google Cloud Express API Key, GitGuardian Public/Internal Monitoring Keys, SAP AI Core Credentials, Odoo External API Key), 3 new detectors (K3s Token, Zoho API Key, ServiceNow Generic Password), 4 new analyzers, 5 detector upgrades, 9 checker upgrades, 2 analyzer upgrades.
- v2.160 — 2 new detectors and checkers (Paymob API Key, Paymob Secret Key), 2 new detectors (ConvertTo-SecureString Password, Paymob HMAC Secret), 5 new checkers (Kubernetes Docker Secret, Generic/OpenSSH/RSA/Elliptic Curve Private Keys with GitLab/GitHub registration checks), 4 new analyzers (Sentry, Figma, Datadog, Google Cloud Keys), 2 detector upgrades, 1 checker upgrade.
Enhancements
- Bring Your Own Sources `location.url` field, v2 format for Personal and Service Account Tokens. Learn more.
- Critical saved view as default, privacy mode in public API, historical scan trigger/cancel endpoints, severity rule ID and detector category on incidents, `/v1/severity-rules` endpoint. Learn more.
- Workspace-level privacy mode enforcement, audit log event types exposed via public API. Learn more.
- Self-Hosted:
  - New namespace-scoped NetworkPolicy support for the GIM namespace, configurable via `networkPolicy.*` Helm values with a `dryrun` → `enforce` rollout. See Network policies.
  - Manual encryption secret creation is now required for all new Helm installations (Helm, Argo CD, Flux). Existing installations are unaffected. See Mandatory secret.
  - Removed the API quota page for self-hosted instances, as quotas do not apply. The API endpoint helper banner is now displayed on the Personal Access Tokens and Service Accounts pages.
  - Added support for bundling JSON schemas into the deployment package, removing the need to fetch them at runtime in air-gapped environments.
  - Added support for `replicated.readOnlyMode`, which prevents the Replicated subchart from creating or patching Secrets, enabling deployments in environments with strict admission policies.
Fixes
- Audit log actor display, missing audit logs for Custom Sources via API, bulk filter select-all, NHI Governance timeouts on large Entra ID datasets. Learn more.
- ggshield incident URL for shared-hash secrets, analytics "All time" date range, Jira Data Center authentication drops, Honeytoken GitLab deployment encoding. Learn more.
- GitLab instance health check compatibility with GitLab.com and upcoming GitLab 19 self-hosted versions. Learn more.