Incident details: addition of a 'per page' selector on the occurrences table.
Members: renaming 'role' to 'access level'
Caution: the role field has been deprecated and replaced by the access_level field in our API for the /v1/members and /v1/invitations endpoints.
Historical Scan:
skip the historical scan of a repository if it has not changed since the last scan.
add the ability to filter and sort repositories on the Perimeter page by scan duration.
introduce a new pending_timeout status in the API to differentiate between scans that failed because they exceeded the time limit while running (timeout) and scans that timed out while still waiting in the queue (pending_timeout).
This release includes breaking changes. Upgrade to 2024.7.0 using the upgrade notes.
standardize existingSecret across the Helm chart to ensure uniform configuration for Redis Sentinel, Ingress, and CustomCA.
update to the latest version of the Replicated SDK 1.0.0-beta.23, used for license management and custom telemetry.
Cluster Management:
new embedded cluster installations now use PostgreSQL 16. Follow the migration guide to migrate your existing embedded cluster to PostgreSQL 16.
reorganize the KOTS Admin Console configuration page and move the TLS certificate configuration to its own section for better clarity.
add a check in the pre-deploy job to ensure previous asynchronous migrations have completed before upgrading to a new version.
add missing webapp-internal_api and webapp-public_api scaling parameters in KOTS Admin for the new architecture.
API: remove monthly sliding quotas for API calls in the preference table.
Applicative Metrics: remove gim_version_info and add the following metrics: gim_celery_queue_length, gim_celery_active_consumer_count, gim_repo_scan_active_statuses_total, gim_http_request_started_total, gim_http_request_success_total, and gim_http_request_failure_total. For more details, refer to the Applicative metrics page.
Filepath exclusion: correct a bug that causes the * character in the exclusion pattern to match at least one character when it should match zero or more characters.
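The zero-or-more versus at-least-one distinction above, as an added example that is not GitGuardian's code: a small glob-to-regex translator run over constructed sample paths, with the buggy quantifier next to the corrected one. The pattern syntax (only * as a wildcard, allowed to span directory separators) and the sample paths are assumptions made for the illustration.

```python
import re
from typing import Iterable, List

# Constructed sample repository paths (not taken from the original page).
SAMPLE_PATHS = [
    "tests/fixtures/creds.json",
    "tests/creds.json",
    "src/app/config.py",
    "docs/README",
]


def glob_to_regex(pattern: str, buggy: bool = False) -> str:
    """Translate a simple filepath exclusion glob into an anchored regex.

    Assumption (not stated on the page): '*' is the only wildcard and it may
    match across '/'. With buggy=True, '*' becomes '.+' (at least one
    character), reproducing the defect the release fixed; with buggy=False it
    becomes '.*' (zero or more characters), the intended semantics.
    """
    star = ".+" if buggy else ".*"
    parts = [star if ch == "*" else re.escape(ch) for ch in pattern]
    return "^" + "".join(parts) + "$"


def excluded(pattern: str, paths: Iterable[str], buggy: bool = False) -> List[str]:
    """Return the paths hidden by the exclusion pattern, in input order."""
    rx = re.compile(glob_to_regex(pattern, buggy))
    return [p for p in paths if rx.match(p)]


def newly_hidden_after_fix(pattern: str, paths: Iterable[str]) -> List[str]:
    """Paths an existing rule starts hiding once '*' matches zero characters.

    The fixed matcher accepts a superset of what the buggy one accepted, so
    this is the set of incidents a rule silently gains after the upgrade.
    """
    paths = list(paths)
    before = set(excluded(pattern, paths, buggy=True))
    after = set(excluded(pattern, paths, buggy=False))
    return sorted(after - before)


if __name__ == "__main__":
    rule = "tests/*creds.json"
    print("buggy:", excluded(rule, SAMPLE_PATHS, buggy=True))
    print("fixed:", excluded(rule, SAMPLE_PATHS))
    print("newly hidden:", newly_hidden_after_fix(rule, SAMPLE_PATHS))
```

Because the corrected matcher only ever matches more than the buggy one did, every pre-existing exclusion rule hides at least as many incidents after the upgrade as before. Rules whose * was effectively relied on to require at least one character (such as tests/*creds.json above, which now also hides tests/creds.json) deserve a review so that real incidents are not silently excluded.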
Check runs: addition of an optional Skip action for check runs on forked repositories that detect secrets, preventing a complete blockage for developers.
Argo CD: fix the upgrade-path-check tool to ensure that unskippable versions are not bypassed during upgrades when deploying the app with Argo CD.
API: correct the base URL in the API documentation for new architecture installations.
KOTS: fix an error with the preflights failing with "Analyzer Failed file secrets/default.json was not collected".
CVE: update packages to resolve CVE-2024-6257, CVE-2024-39689, CVE-2024-39330, CVE-2024-39329, CVE-2024-38875, CVE-2024-39614, CVE-2024-24791 with high severity; CVE-2024-24790, CVE-2024-5535 with critical severity.
Incidents details: merge commit authors from GitHub are now identified. It is not retroactive.
Incidents: periodic secret validity checks are now enabled for ignored incidents. See documentation here.
GitLab integration: when a GitLab webhook is found disabled, GitGuardian now attempts to reactivate it automatically (by sending a test payload) before triggering an error message.
API: new endpoint to query the secret incidents of a source.
Filepath exclusions: when adding a new rule, show how many new secret incidents will be hidden by the new filepath exclusion, without recalculating existing hidden incidents.
Health Check:
implement periodic health checks on all integration types (VCS, Messaging, Ticketing, Documentation), running every hour by default; the frequency is configurable in the Admin Area.
send email notifications when an integration health check fails. For further details, refer to the Configure email preferences page. Note that the notification is not enabled by default for existing accounts and must be turned on manually.
Audit Logs:
introduce audit logs for actions in the Admin Area visible only for promoted-admin users.
Jira Cloud Alerting: fix an issue where Jira automatic configurations remained invisible to 'member' role users within the 'All Incidents' team, ensuring uniform visibility across teams.
API:
fix a problem causing conflicting information between the UI and the API regarding team permissions.
fix an incorrect self-hosted instance URL in the API documentation.
Historical scan: attribute automatic historical scans of new repositories to "GitGuardian Bot" in audit logs.
Cluster management:
add missing readiness/liveness probes in gitguardian-app pods in the legacy architecture.
fix an issue preventing bundle generation in OpenShift environments.
We strongly recommend that all our customers currently using the legacy architecture transition to our new architecture, which offers numerous advantages! For a detailed overview of the new architecture and guidance on determining whether you're using the New or Legacy GitGuardian architecture, please visit the New GitGuardian Architecture page.
Find the version-to-version changes in the Helm chart values here.
Honeytoken: context creation strategies for honeytoken deployment jobs can now be restricted to dynamic contexts only.
Privacy mode: this mode obfuscates secrets and other sensitive information in the GitGuardian UI.
Jira Cloud integration: introduction of a new version of our Jira Cloud integration for issue tracking. It now offers
automatic creation of a Jira issue as soon as a new incident is triggered,
management of Jira custom fields,
and an auto-resolve feature that marks the incident as resolved in your dashboard when the issue is closed in Jira Cloud.
More information available in the documentation.
Filters: the history of AI queries can now be deleted.
add istio.gateway.enabled parameter to be able to disable Istio Gateway handling when Istio is enabled.
give the ability to specify dedicated labels and podLabels for migrations resources.
give the ability to customize the RefreshInterval parameter for externalSecrets.
it is now possible to set the initial admin password from an existing secret.
update to the latest version of the Replicated SDK 1.0.0-beta.20 used for license management and custom telemetry.
Cluster management:
GitGuardian currently supports PostgreSQL 13 to 16 (previously, versions 15 and 16 were experimental).
Check CA validity during preflight for both KOTS and Helm installations. If you previously installed GitGuardian on an existing cluster and plan to upgrade to 2024.5.0, you must modify the rule for the core API group in your configuration by adding:
fix an issue where uninstalling a Bitbucket project inadvertently occurred when a token was removed, despite other valid tokens being present.
enhance logging mechanisms surrounding Bitbucket token operations for better troubleshooting.
Azure repos integration: fix a problem with updating a repository when the token is either invalid or missing.
Cluster management:
fix an issue where the no-proxy list wasn't correctly applied for KOTS installation.
add missing debug image to the KOTS airgap bundle.
Migration new architecture: fix an issue occurring when the KOTS admin password contains special characters.
Prometheus exporter:
fix error 500 from the /metrics path of the exporter when using AWS Elasticache Redis.
fix RBAC error occurring when activating GitGuardian Prometheus exporter in the new architecture with KOTS. If you previously installed GitGuardian on an existing cluster you must modify the rule for monitoring.coreos.com in your configuration. Refer to the Kubernetes Application RBAC page.
Honeytoken deployment jobs: automate the deployment of honeytokens in your code repositories from GitLab, GitHub and GitHub Enterprise! This is a business-only feature. Read more about Deployment jobs in our documentation.
Jira Cloud integration: Jira Cloud integration is now supported for real-time secret detection and honeytoken detection.
Incidents: it is now possible to filter on Occurrences count.
Incidents details: introduction of a secret identity card on each secret incident detail page.
Check runs: skip actions are now aligned with the ignored reasons (false positive, test credential, low risk). Tags (Tagged as [false positive|test credential|low risk] in check runs) are added to the corresponding secret incident when this action is taken.
API: the breakdown of secret incidents by severity is displayed in the payload of the sources.
Helm:
to ensure your existing cluster meets GitGuardian's requirements, you can run our new preflight script.
add version check before Helm upgrade to ensure no required versions are skipped. If using a private registry for deployment, make sure to download the new image helm-tooling.
Helm Chart:
add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster. Refer to commonLabels in Helm Chart Values. Example:
commonLabels:
  env: staging
add an option to use Generic Ephemeral Inline Volumes for all worker pods. For further details, refer to the Scaling page.
Scaling: a new pod called worker-realtime-ods was added in the new architecture. If Slack or Jira Cloud scanning isn't needed, set its replicas to 0 to save resources via your Helm value file or the KOTS Admin Console.
Health Check: remove VCS health checks from the Admin Area, now available under Settings > Workspace > Integrations.
Jira integration: fix an issue that was hindering the assignment on JIRA tickets upon creation.
Audit log: correct the logs related to the creation and removal of teammates through the API.
Cluster management:
add missing links to KOTS Admin Console for embedded cluster in the Admin Area.
fix an issue with the KOTS preflights in the legacy architecture for embedded installation when an ElastiCache Redis instance is configured with TLS enabled.
set the default number of replicas for the scanner_ods pod to 0 for the legacy architecture running on OpenShift.
enable AI filter via the ai_filters_enabled option in the preferences.
Check runs: add check_runs_overrides_labels_ghe option in the preferences to enable overriding the check run settings with repository labels on GitHub Enterprise.
Health Check: introduce tracking for last execution and last success times, refine error messaging, and adopt non-HTTP status codes.
Images: GitGuardian images are now signed with Cosign, exclusive to the new architecture.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.28 and 1.29 (experimental). More information in the System requirements page.
Incident details: fix an issue on the git patch restricted visibility feature that was preventing members from seeing the patch they were involved in based on email matching.
GitHub integration: performance improvement when a lot of repositories are added at the same time.
GitLab integration:
fix an issue where the GitLab instance URL was incorrectly displayed instead of the GitLab token name.
remove the "Check Again" button from the health check for users on the Free plan.
Bitbucket integration: improve handling of token revocation to prevent issues when a repository changes ownership.
Cluster management:
preflight checks now confirm support for Redis version 7.
remove the link to the KOTS Admin Console from the Admin Area for existing cluster installations (both Helm and KOTS). For further details, refer to the Access to the Admin Area page.
set default number of replicas for scanner_ods pod to 0 for new architecture.
fix an issue with the periodic task related to the database encryption key rotation.
Helm Chart: add missing podAnnotations in webapp object definition.
Incident: fix an issue with validity checks hitting a timeout in some specific cases.
Cluster management: fix an issue with KOTS preflights failing when PostgreSQL or Redis has TLS enabled.
SMTP configuration: make the option to support SMTP servers using a self-signed certificate permanent. More details in the Configure the email system page.
SSO: the option 'Force SSO' applies to owners as well when enabled. More details in the Force SSO section of the documentation.
Incidents: exporting CSV secret incidents now allows changing the separator used, comma (default) or tab. More details in the Export data section of the documentation.
Incident details: update of the default remediation workflow.
Check runs:
the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
the incident status is displayed in the GitHub check run details.
improve causes of errors transparency and timeouts in the check run summary.
the is_actionable_checkrun_enabled preference in the Admin Area is deprecated. Action buttons on check runs are now enabled by default.
Custom detectors: improve error messages for invalid regex when requesting a custom detector.
GitHub integration: add commit_collector_max_workers option in the preferences to use more workers to collect commits.
GitLab integration: we now detect and notify by email and raise a health check error when a GitLab group hook was disabled by GitLab, causing the monitoring not to work anymore.
Azure repos integration: improvement of the billing metrics. You now must check the Graph:Read scope in your Personal Access Token. More information in our VCS integrations documentation.
add support for Redis Sentinel in KOTS and Helm installs in the new architecture.
add support for multiple CA certificates concatenated in KOTS installs in the new architecture.
Helm Chart:
replace deprecated v1alpha1 API version of External Secret Manager with the latest version v0.9.11.
update to the latest version of the Replicated SDK 1.0.0-beta.14 used for license management and custom telemetry.
Applicative Metrics: rename appExporter to webAppExporter and celeryExporter to statefulAppExporter in the Helm-based Prometheus activation. For more details, refer to the Applicative metrics page.
SMTP configuration: provide an option to support SMTP servers using a self-signed certificate. More details in the Configure the email system page.
Ensure the btree_gin PostgreSQL extension is installed for optimized text search performance. Either install it manually or grant the database user used by GitGuardian sufficient privileges to install it; otherwise the upgrade fails with an error pointing to the missing CREATE privilege on the current database, which is required to install an extension. More details in the System requirements page.
Find the version-to-version changes in the Helm chart values here.
Source criticality: a new parameter at the source level to help users prioritize their Secret, SCA, and IaC incidents. Refer to the documentation for more details.
Check runs: the preview of the "How to remediate" instructions in markdown is enhanced when you customize them.
Custom detectors: improve error messaging for invalid regex when requesting a custom detector.
Chainguard: Chainguard-based GitGuardian images are now used by default, enhancing security by reducing CVE exposure. Available only on the new GitGuardian architecture. Additionally, both KOTS admin version 1.104.4 and Replicated SDK version 1.0.0-beta.12 are built using a distroless base image from Chainguard.
SMTP configuration: the system now supports unauthenticated SMTP server, allowing for more flexible email service integration.
KOTS preflights: update preflights to support TLS for Redis and PostgreSQL.
Helm Chart:
Private registries: introduce support for the replicated SDK image and offer an option to include a custom nginx image for private CA insertion. For detailed information, refer to the Install on Airgap page.
RBAC: add Kubernetes Roles and RoleBindings required for the app in the Helm Chart (optional but enabled by default). Refer to rbac in Helm Chart Values.
Cluster management: update Kubernetes version to 1.27 for embedded cluster. For further details, refer to the Upgrade page.
Before upgrading GitGuardian, you must upgrade to KOTS version 1.104 or later for optimal performance and compatibility.
If you previously installed GitGuardian on an existing cluster using KOTS and either lack cluster-admin rights in your Kubernetes cluster or wish to limit permissions for the KOTS Admin Console, you must modify the rule for apps in your configuration by adding replicasets resource. Refer to the Kubernetes Application RBAC documentation page.
Azure Repos integration: the monitoring of your Azure Repos repositories is now done in real-time. Refer to the documentation for more details.
Filters: a new way of filtering pages, more streamlined and intuitive.
Jira Cloud integration: Jira issues can now be created without assigning them to anyone.
IP allow-listing for Honeytoken: it is now possible to add IP ranges to an allow-list, ensuring events from these IPs won't trigger the honeytokens. Learn more about IP rules.
GitHub integration: improvement of check runs to support the GitHub Merge Queue feature.
Onboarding: implementation of an onboarding to-do list to guide users in their first steps on the application.
Help Center: enrich the Help Center with additional resources.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.27 and 1.28 (experimental). More information in the System requirements page.
Helm and KOTS installation: introduce a new pod Replicated SDK for license management and telemetry collection. More information in the Replicated documentation.
Helm Chart:
Private registries: support specifying existing Docker secrets and custom registries, enabling image pulls from private registries. Refer to the documentation for more details.
Kubernetes resource: add missing Kubernetes resources properties for Pre/Post deploy jobs and nginx init containers.
Pod security context: implement enhanced pod security context configurations in line with Kubernetes v1.25's Pod Security Admission feature, now customizable via Helm values for improved security compliance. Refer to containerSecurityContext in Helm Chart Values.
Custom Telemetry: gather product usage metrics, such as the number of VCS integrations and incidents and API call statistics. No personal data is collected through this process. It can be deactivated by adjusting the custom_telemetry_active setting found in the preferences section of the Admin Area.
GitHub integration: handling of GitHub app ownership transfer: it is now possible to change ownership without deleting the self-hosted application.
Incidents: filtered results in CSV export: CSV export keeps the filters applied.
API: fix the /secret_detectors endpoint to filter out detectors that have been administratively disabled by GitGuardian.
User Preferences: fix an issue where the "email not configured" banner incorrectly persists in private browsing mode due to a failure in loading user preferences.
Historical scan: ensure UTF-8 character encoding compatibility for filenames in repositories.
Incident details: git patches of occurrences can now have restricted visibility to only the teams and developers involved with the occurrence, thanks to a workspace setting. If the git patch of an occurrence is too large, a link to the Version Control System is displayed instead.
Teams: users can now filter the incidents and the perimeter pages based on their teams. Managers have the flexibility to filter any team, while Members can only filter their own teams.
API: New endpoint to retrieve secret incidents of a team.
ggshield: ggshield auth login flow now asks you to confirm scopes.
Historical scan: addition of some details in the status tooltip, including scan duration and number of commits and branches scanned. For failed scans, the tooltip now also displays the reason for the failure.
Alerting integrations: alerting integrations are now available at team level. More information in our teams documentation.
Kubernetes Version Support: GitGuardian now supports Kubernetes versions 1.25, 1.26, and offers experimental support for version 1.27 for Existing Cluster installations. More information in the System requirements page.
Honeytoken: Honeytoken module is now available for Self-Hosted customers. This feature is available upon request.
Chainguard: introducing an experimental.chainguard flag in Helm chart values for enabling Chainguard-based GitGuardian images, enhancing security by reducing CVE exposure. Default is false, available only in Helm-based install on the new GitGuardian architecture.
Azure repos integration: installation status persists on all pages until the installation is complete. Removing a token no longer causes a crash in other installation.
Bitbucket integration: prevents connection errors from revoking a Bitbucket token, letting instances go through maintenance without needing to re-enter their token afterwards.
Teams: fix a bug that caused incidents belonging to an unmonitored repository to still be visible to the team.
Historical scan: support for special UTF-8 characters, like Kanji, in filenames during historical scans. Improve handling of commits without dates.
Incidents: addition of the Default branch tag to secret incidents that occurred on the default git branch of a repository.
Incident details: filters have been added to the occurrences table.
Incident details: the public sharing toggle has been moved to the "Grant access" modal, which has been renamed to the "Share" modal. For a more detailed explanation, please refer to our collaboration and sharing documentation.
Integrations: modification of the Integrations and Settings/Integrations pages.
Secrets detection engine: upgrade to version 2.94 with the addition of four new detectors:
Custom webhook: fix notifications for when a bulk action is performed. Previously, only one notification would be sent for the first incident affected by the bulk action. However, now notifications are sent for each incident that is modified by the bulk action.
Automated severity scoring: managers and workspace owners can now activate the automated severity scoring feature for Self-Hosted environments in order to automatically score incidents with a severity.
Custom severity rules: the severity ruleset used by the automated severity scoring is now customizable to maximize the coverage of automatically scored incidents.
Incident details: feedback about the incident can now be submitted in a standardized way through a form that is available on the incident's page.
Refer to this page for more information on how to use this form effectively and involve your developer population during the remediation process.
Incidents: addition of new filter to select the incidents that are publicly shared.
Teams: team owners with the Member role can now invite brand new users to the workspace when adding teammates to their team. This feature can be deactivated.
For more details, please refer to this page.
Grant access: users with Full access incident permissions can now invite brand new users to the workspace when granting access to an incident.
For more details, please refer to this page.
Secrets detection engine: upgrade to version 2.93 with the addition of four new detectors:
Cluster management: you can now install GitGuardian Self-Hosted using Helm Charts. This feature is currently in Beta. More information is available in the installation documentation.
Cluster management: allow self-hosted instances to use a specific Redis instance for the commit cache. More information is available in our documentation.
Jira integration: Jira ticket creation CTAs are hidden for workspaces without a single Jira site installed.
Jira integration: fix permission issues by disabling the configure button for users without a Manager role and allowing users with the Restricted role and Can edit permissions to create a Jira ticket.
Detectors list: when the validity checks are disabled, the detectors are sorted by status.
Notifications: fix empty emails being sent after an occurrence was found during real-time scan.
Personal access tokens: Restricted users now only see the scan scope in the personal access token form.
Cluster management: fix a password issue that was blocking application initialization during GitGuardian installation.
Teams: addition of a description field for your teams.
Teams: the "all-incidents" team is now visible in the Members table.
Perimeter: improve the display of the historical scan's last status information.
Playbooks: new Auto-resolution playbook to automatically close incidents that have once been valid and that become invalid.
Secret incident: prevent valid secrets from being "marked as revoked".
Cluster management: Self-hosted GitGuardian environments now support PostgreSQL version 13. Support for PostgreSQL version 12 is deprecated as of this release.
Incident detail: fix a misplaced secret in the commit patch when detected by a historical scan and in real time. Please contact the Support team if you have occurrences impacted in your environment.
Teams: introducing team management within a workspace and granular incident permissions (can view, can edit, full access). You can activate the feature on the Admin Area's preference page.
Custom webhooks: update the action field with more user-friendly messages.
Perimeter page: update the information displayed in the Protection section.
Analytics: add all ggshield modes to the Analytics section.
Custom Certificates for Cluster Management: integrate custom Certificate Authorities for integrations. This feature was in beta and is now stabilized. More information is available in the dedicated documentation.
API: add the API URL to the dashboard, in the section API >> Quota. The URL is also updated in the API documentation of those environments.
Bitbucket Integration: when you create a branch on a monitored repository, the event now triggers a scan of the branch commits only, and not of the whole repository.
Applicative Metrics: applicative metrics are added to help you monitor your self-hosted instance. More information is available in the dedicated documentation.
API: move the Personal access tokens to the API section.
Check runs: improve the success message in the GitHub UI.
GitHub: expose the base/head branch of GitHub pull requests.
Incident: mark the third remediation step "rewrite git history" as optional.
Health checks: Health checks are displayed in the VCS integration settings.
ggshield: since v1.12 of ggshield, the ggshield scan and ggshield ignore commands are deprecated; use ggshield secret scan and ggshield secret ignore instead.
Health checks: VCS troubleshooting tools are added in the Admin Area. You can check the status of your integrations and gather error information on this page. More information is available in the dedicated documentation.
Personal access tokens and service accounts: we now distinguish two types of API keys: Personal Access Tokens and Service accounts. More information is available in the dedicated documentation.
GitHub check runs now handle the regression mode. If an already resolved secret incident is detected by a check run AND the regression mode is OFF, the check run won't raise the secret.
GitHub: a comment can be posted directly to the GitHub pull request timeline when a check run detects a secret. This can be deactivated in Settings by a Manager.
API: we add an API endpoint to list members having access to an incident. More information is available in the dedicated documentation.
PostgreSQL: Secrets are now encrypted in the database.
Incident: Restricted users are no longer able to generate incident-sharing links.
Caution: this release integrates secret encryption in the database. Be careful while updating, and take a complete backup of your database before upgrading.
TLS Support for PostgreSQL: Transport Layer Security (TLS) is an encryption protocol intended to keep data secure when being transferred over a network. When installing GitGuardian Self-Hosted, users can now activate the option for PostgreSQL.
API: Members are now exposed in the API and new fields were added to the source payload.
Incident detail: From an incident detail page, you can grant access to a selection of Restricted users.
TLS Support for Redis: Transport Layer Security (TLS) is an encryption protocol intended to keep data secure when being transferred over a network. When installing GitGuardian Self-Hosted, users can now activate the option for Redis. You can find more information about the configuration in our official documentation.
API: new incident::share scope to grant access to incidents, documented here.
Regression: added a workspace setting giving the option to control the behavior of GitGuardian when a new occurrence of an already-resolved incident is detected.
Custom webhooks: added validity and severity to the payload.
Synchronization between ggshield and the dashboard: secrets ignored on the dashboard will also be ignored by ggshield. Detectors deactivated in the dashboard will be deactivated for ggshield too.