Helm Chart Values Changelog
Track changes in GitGuardian's Helm chart values across releases.
Latest Version: 2025.9.0
Resources: Helm installation guide | Upgrade procedures
2025.9.0 vs 2025.8.0
New:
- Introduced
apacheTikaparameter to configure the new file scanner service for Non-VCS sources (disabled by default). - Introduced
celeryWorkers.scanners-ods-highdiskparameter to configure workers dedicated to high storage tasks like Microsoft OneDrive and SharePoint scanning (default: 0).
Learn more about Non-VCS Sources.
Updated:
- Updated
logCollector.supportBundle.sincedefault value from3dto6hto make support bundle lighter.
Removed:
postgresql.plugins.pgvector.enabledhas been removed since it is now enabled by default, pgvector is now required. Learn more about PostgreSQL requirements.
2025.8.0 vs 2025.7.0
Air gap deployment? This release introduces a new image.registry parameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the main imageRegistry parameter. Follow the upgrade instructions to update your helm values file.
New:
- Introduced a new
image.registryparameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the mainimageRegistryparameter. Follow the upgrade instructions to update your helm values file. - Introduced
celeryWorkers.scanners-slackparameter to configure workers dedicated to Slack scanning (default: 0). Learn more about Slack Scanning considerations. - Added
commonTolerationsparameter that allows you to apply consistent tolerations across all workloads in the GitGuardian deployment.
Updated:
- Updated Replicated SDK to version
1.8.0.
Removed:
beat.replicashas been removed and is now hardcoded in the chart to 1.
2025.7.0 vs 2025.6.0
New:
- Added
priorityClassNameparameter for ML Secret Engine and several priority class configuration. Learn more. This is also available for other pods and as a global parameter (global.priorityClassName).
Updated:
- Changed the default value of
celeryWorkers.ml-api-priority.replicasfrom0to1. Learn more. - Updated Replicated SDK to version
1.7.1.
2025.6.0 vs 2025.5.0
New:
- Added
global.fipsEnabledparameter to enable FIPS compliant images. Learn more about FIPS compliance. - Added pod anti-affinity configuration (
podAntiAffinityPreset) andnodeSelectorandtolerationsparameters across all components for improved workload placement control and high availability. Learn more about scaling. - Enhanced logCollector with additional configuration options (
logCollector.env,logCollector.envFrom,logCollector.pipelines). Learn more about additional pipelines. - Enhanced migration job resource configuration with separate specifications for pre-deploy, post-deploy, and upgrade path check jobs.
Updated:
- Updated Replicated SDK to version
1.6.0. - Updated log collection system components (Fluent Bit, Loki, MinIO) to latest versions.
Removed:
migration.resourceshas been replaced with job-specific resource configurations for better resource management.
2025.5.0 vs 2025.4.0
Air gap deployment? We've renamed images in this release. See below changes and find all image and tag names on the Air Gap Install page.
New:
- Added support for configuring the proxy via an existing Kubernetes secret using
proxy.existingSecretandproxy.existingSecretKeys.*.
Updated:
- FIPS: This release uses Chainguard images without FIPS-approved cryptographic modules. If you would like to use Chainguard images with FIPS, please contact our support team. This change involves renaming the following images:
gitguardian/prm-static-chainguard-fipstogitguardian/prm-static-chainguardgitguardian/prm-app-fipstogitguardian/prm-app-chainguard
- Use
proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/bash:latestimage instead ofproxy.replicated.com/proxy/gitguardian/docker.io/nginxinc/nginx-unprivileged:stablefor Custom CA injection (Seetls.customCa.image.*). - Changed the default value of
replicated.image.tagfrom1.5.1to1.5.3. - The
securityContext.enabled(bool) parameter has been replaced by a newsecurityContext(object) parameter, which now allows specifying the full Pod Security Context.
Removed:
experimental.chainguardhas been deprecated as GitGuardian images are now using Chainguard by default. Lean more about Chainguard.
2025.4.0 vs 2025.3.0
Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.
New:
- Our self-hosted deployments now include a log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This log collection system is now enabled by default for all installation types (Helm or KOTS). Learn more about the log collector.
- The PostgreSQL
pgvectorextension is now required by default (postgresql.plugins.pgvector.enabled). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
Updated:
- Added default
support-bundleRole and optional ClusterRole creation (configurable viareplicated.supportBundle.rbac.clusterRole.create). - Changed the default value of
replicated.image.tagfrom1.1.1to1.5.1. - Added
global.compatibility.openshift.adaptSecurityContextconfiguration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values includeauto(default),force, anddisabledfor flexible security context adaptation.
2025.3.0 vs 2025.2.0
We've updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.
Updated:
- Changed the default value of
replicated.image.tagfrom1.1.0to1.1.1. - Change registry URL from
proxy.replicated.com/proxy/gitguardian/513715405986.dkr.ecr.us-west-2.amazonaws.comtoproxy.replicated.com/proxy/gitguardian/docker.ioand rename paths and images name from:/prm/static-chainguardto/gitguardian/prm-static-chainguard-fips/prm/app-chainguardto/gitguardian/prm-app-chainguard-fips/prm/helm-toolingto/gitguardian/prm-helm-tooling/services/nginx-unprivilegedto/nginxinc/nginx-unprivileged/ml-detector/ml-secret-engine/app-chainguardto/gitguardian/ml-secret-engine-app-chainguard-fips
- Change registry URL from
registry.replicated.comtoproxy.replicated.com/proxy/gitguardian/docker.ioand rename paths and images name from/gitguardian/replicated-sdkto/replicated/replicated-sdk. - The
nhi-scoutparameter has been renamed toggscout. - Added
celeryWorkers.*.autoscaling.keda.idleReplicaCountparameter to allow specifying the number of replicas when there is no activity on the Celery Worker (default:0).
2025.2.0 vs 2025.1.0
New:
- Enhanced the
webapps.<all>.autoscalingsettings to support both Horizontal Pod Autoscaler (HPA) and KEDA autoscaling options, including enabling/disabling and setting triggers. Learn more. - Added
migration.podAnnotationsparameter for GitGuardian migration pods.
Updated:
nhiScout.enabledparameter has been moved tonhi-scout.enabled. Learn more.- Changed the default value of
replicated.image.tagfrom1.0.0to1.1.0.
2025.1.0 vs 2024.12.0
The ReplicatedSDK image is now pulled from the Replicated registry instead of Docker Hub. For airgap installations, ensure you update your automation processes for pulling and pushing images to your private registry. For more information, refer to the Airgap Installation page.
New:
- Introduced
secretEngineparameter to configure the new ML Secret Engine service. (Disabled by default). Learn more. - Introduced
celeryWorkers.ml-api-priorityparameter to configure ML Secret Engine dedicated worker (Disabled by default). - Introduced
nhiScout.enabledparameter to enable NHI Scout deployment (Disabled by default). Learn more - Introduced
nhi-scoutparameter to configure NHI Scout. - Added
replicated.image.registryparameter to use the Replicated registry (registry.replicated.com) instead of Docker Hub by default.
Updated:
- Changed the default value of
replicated.image.repositoryfromreplicated/replicated-sdktogitguardian/replicated-sdk. - Changed the default value of
replicated.image.tagfromv1.0.0-beta.31to1.0.0.
2024.12.0 vs 2024.11.0
This release includes breaking changes. Upgrade to 2024.12.0 using the upgrade notes.
New:
- Ability to deploy
Ingressobjects with the support of several Ingress controllers. For details, see the Ingress documentation.
Updated:
front.ingresshas been renamed toingressfor improved consistency and standardization across the Helm chart.istiohave been moved under theingress.- The default memory value for
migration.resourceshas been increased from100Mito200Mi.
2024.11.0 vs 2024.10.0
This release includes breaking changes.
New:
- Removed
settings.healthCheck.periodicIntervalparameter since health checks are now distributed over time rather than executing them simultaneously. This parameter is replaced byspread_periodic_range_minutesin the admin area. - Added
replicated.privateCASecretparameter to specify a custom CA when using a proxy. Learn more. - Replace the legacy parameter
replicated.images.replicated-sdkwith the new parametersreplicated.image.repositoryandreplicated.image.tag
Updated:
- Changed the default value of
replicated.image.tagfromv1.0.0-beta.27to1.0.0-beta.31.
2024.10.0 vs 2024.9.0
New:
- Added two new worker types
long-ods(non-VCS sources such as Slack, Jira Cloud, Confluence, ...) andlong-ods-io(long tasks specialized in Input/Output). - Added the support of CRL (instead of default OCSP) for certificate-based authentication.
Updated:
- Decreased the default value of
celeryWorkers.realtime-ods.replicasfrom2to0.
2024.9.0 vs 2024.8.0
New:
- Added a new
autoscalingobject to configure autoscaling settings. - Enhanced the
celeryWorkers.<all>.autoscalingsettings to support both Horizontal Pod Autoscaler (HPA) and KEDA autoscaling options, including enabling/disabling and setting triggers. Learn more. - Introduced a new setting
replicated.supportBundle.logs.maxLinesto specify the maximum number of lines included in support bundle logs. - Added
experimental.tini, a new option to enabletinifor terminating zombie processes on workers.
Updated:
- Changed the default value of
replicated.images.replicated-sdkfromv1.0.0-beta.26tov1.0.0-beta.27.
2024.8.0 vs 2024.7.0
New:
- Introduced
tls.clientAuthto support authentication using Common Access Card (CAC) or Personal Identity Verification (PIV). For detailed information, refer to the documentation here.
Updated:
- Updated the default version of
replicated.images.replicated-sdkfromv1.0.0-beta.23tov1.0.0-beta.26.
2024.7.0 vs 2024.6.0
This release includes breaking changes.
New:
- Added
settings.healthCheck.periodicIntervalallowing you to change the frequency of health checks.
Updated:
- Renamed
front.ingress.tls.secretNametofront.ingress.tls.existingSecret. - Renamed
tls.customCa.caCerttotls.customCa.caCrt. - Renamed
tls.customCa.existingSecretCaCertKeytotls.customCa.existingSecretKeys.caCrtand set the Default to"". - Renamed
redis.main.existingSecretKeys.sentinel.passwordtoredis.main.existingSecretKeys.sentinelPassword. - Renamed
redis.main.existingSecretKeys.sentinel.urltoredis.main.existingSecretKeys.sentinelUrl. - Updated default value
front.nginx.resourcesfrom{"requests":{"cpu":"200m","memory":"500Mi"}}to{"requests":{"cpu":"100m","memory":"200Mi"}} - Changed the default value of
replicated.images.replicated-sdkfromv1.0.0-beta.21tov1.0.0-beta.23.
2024.6.0 vs 2024.5.0
Updated:
- Added new task
background_validity_checktoceleryWorkers.long.queues. - Changed the default value of
replicated.images.replicated-sdkfromv1.0.0-beta.16tov1.0.0-beta.21.
2024.5.0 vs 2024.4.0
This release includes breaking changes.
New:
- Introduce
externalSecrets.refreshIntervaloption to give the ability to customize the refresh interval for external secrets. - Added
istio.gateway.enabledparameter to be able to disable Istio Gateway handling when Istio is enabled. - Added
redis.main.existingSecretKeys.urlandredis.main.existingSecretKeys.password. - Added
redis.commitCache.existingSecretKeys.urlandredis.commitCache.existingSecretKeys.password. - Added
migration.labelsandmigration.podLabelsfor migrations resources.
Updated:
- Replaced
postgresql.existingSecretKeys.tlswithpostgresql.tls.existingSecretKeysand set the Default to""forpasswordinstead ofPOSTGRES_PASSWORD.crtinstead of ``"pg_client.crt"`.keyinstead of"pg_client.key".caCrtinstead of"pg_server.ca_crt".
- Replaced
redis.main.existingSecretKeys.tlswithredis.main.tls.existingSecretKeysand set the Default values to""forcrtinstead of ``"redis_client.crt"`.keyinstead of"redis_client.key".caCrtinstead of"redis_server.ca_crt".
- Replaced
redis.commitCache.existingSecretKeys.tlswithredis.commitCache.tls.existingSecretKeysand set the Default values to""forcrtinstead of ``"redis_client.crt"`.keyinstead of"redis_client.key".caCrtinstead of"redis_server.ca_crt".
- Rename
celeryWorkers.realtime_odstoceleryWorkers.realtime-ods. - Set the Default for
miscEncryption.existingSecretKeysattributes to""fordjangoSecretKeyinstead of"DJANGO_SECRET_KEY".dbEncryptionKeysinstead of"ENCRYPTION_KEYS".x509Certinstead of"SP_X509_CERT".x509PrivateKeyinstead of"SP_PRIVATE_KEY".
- Added
"existingSecret":"","existingSecretKeys":{"password":""}inonPrem.adminUseroffering the option to specify the admin password in a secret. - Rename Default value for
tls.customCa.existingSecretCaCertKeyto"ca.crt"instead of"custom-ca.pem". - Added
reporttoceleryWorkers.worker.queues.
Removed:
- Removed
argoCd.enabledoriginally used to inject Argo CD phase annotations in Kubernetes resources but, since Argo CD supports Helm hooks annotations by mapping them onto its own hook annotations, it is not used anymore in 2024.5.0.
2024.4.0 vs 2024.3.0
New:
- Added
commonLabelsto add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster. - Introduce
ephemeralStorageoption for allceleryWorkersto support Generic Ephemeral Inline Volumes. - Introduced new
celeryWorkers.realtime-odsworker for Other Data Sources (ODS) real time scanning.
Updated:
- Modified
celeryWorkers.worker.queuesand movedrealtime_ods,realtime_retry_odstasks into newceleryWorkers.realtime-ods.queue.
2024.3.0 vs 2024.2.0
Updated:
- Changed the default value of
replicated.images.replicated-sdkfromv1.0.0-beta.14tov1.0.0-beta.16. - Decreased the default value of
celeryWorkers.scanners_ods.replicasfrom2to0.
2024.2.0 vs 2024.1.0
New:
- Added
redis.main.sentinelconfiguration options for managing Redis Sentinel settings. - Introduced new settings for
redis.main.existingSecretKeys.sentinel.urlandredis.main.existingSecretKeys.sentinel.password. - Added
miscEncryption.dbEncryptionKeysandmiscEncryption.existingSecretKeys.dbEncryptionKeysfor database encryption key management. - Introduced new
celeryWorkers.scanners_odsworker for Other Data Sources (ODS) scanning.
Updated:
- Changed the default value of
replicated.images.replicated-sdkfromv1.0.0-beta.12tov1.0.0-beta.14.
Removed:
- Removed
observability.exporters.celeryExporter.
2024.1.0 vs 2023.12.0
New:
- Expanded
nodeSelectorandtolerationssettings across multiple services:front.nginx,webapps.internal_api,webapps.internal_api_long,webapps.public_api,webapps.hook,webapps.app_exporter,celeryWorkers.worker,celeryWorkers.email,celeryWorkers.scanners, andceleryWorkers.long. - New
replicated.isAirgapsetting to manage air-gapped environments. - Introduced
tls.customCa.imageconfiguration for custom CA management. - Added new settings related to Kubernetes Roles and RoleBindings:
rbac.enabled,serviceAccount.create,serviceAccount.name,migration.serviceAccount.create, andmigration.serviceAccount.name.
Updated:
- Added new tasks
realtime_ods,realtime_retry_odstoceleryWorkers.worker.queuesto support additional task types. - Enabled
experimental.chainguardby default, changing fromfalsetotrue, to utilize Chainguard images for backend and frontend services.