Changelog
All notable changes to Guardimesh are documented here. This includes new features, improvements, bug fixes, and breaking changes.
Versions follow Semantic Versioning. The operator Helm chart version is the primary version indicator for customers.
[Unreleased]
Added
- Customer documentation site at docs.guardimesh.com
[0.5.0] — 2026-05-XX
Added
- Obfuscation scanner sidecar with YARA rules, entropy analysis, and ML model
- Deleted shared library detection (`.so` files loaded but removed from disk)
- Advanced reporting with time-series charts and PDF export (Startup+)
- ServiceNow integration (Team+)
- Custom signature support for Team and Enterprise tiers
- Notification delivery history and rate limiting
Changed
- Signature puller now uses incremental updates (`.cdiff`) when available
- Default scan deduplication TTL increased from 60s to 300s
- Improved error messages for node limit exceeded and subscription expired states
Fixed
- Scanner crash when scanning containers with extremely long image names
- Race condition in fanotify monitor during rapid container creation/deletion
- Puller failing silently when storage service returns 503
[0.4.0] — 2026-03-XX
Added
- Fanotify real-time file monitoring (Startup+ tier)
- memfd fileless payload scanning
- Executable drift detection
- Deleted binary scanning via `/proc/[pid]/exe`
- Remote scan configuration via web console
- Jira integration (Team+)
- PagerDuty integration (Startup+)
- Slack webhook integration (Startup+)
Changed
- Scanner now polls remote config every 5 minutes (configurable via `CONFIG_POLL_INTERVAL`)
- Fanotify feature flag is enforced server-side based on subscription tier
Breaking Changes
- Helm chart `scannerImage` value renamed to `scanner.scanner.image`
- API key Secret name changed from `scanner-api-key` to `guardimesh-api-key`
[0.3.0] — 2026-01-XX
Added
- Helm-based installation via OCI registry (`oci://quay.io/guardimesh/guardimesh-operator`)
- GuardimeshScanner CRD for declarative scanner management
- Operator-managed DaemonSet lifecycle (create, update, delete)
- In-memory retry buffer for failed result sends (default: 1000 entries)
- Health endpoints (`/healthz`, `/readyz`, `/startupz`) for Kubernetes probes
Changed
- Moved from raw YAML manifests to operator-managed deployment
- Scanner now waits for ClamAV socket before starting scans
- Improved structured JSON logging
Removed
- Legacy `kubectl apply -f yaml/` installation method (manifests still available but unsupported)
[0.2.0] — 2025-11-XX
Added
- Enterprise operator for air-gapped deployments (`GuardimeshPlatform` CRD)
- Internal signature storage server for disconnected environments
- PostgreSQL backend for air-gap mode (replaces BigQuery)
- Multi-architecture support (AMD64 + ARM64)
- Scheduled scanning mode with configurable per-day schedules
Changed
- Puller sidecar now downloads from Guardimesh storage service instead of directly from ClamAV CDN
- Improved signature database management with per-database enable/disable
[0.1.0] — 2025-09-XX
Added
- Initial release
- ClamAV-based container malware scanning
- Runtime upperdir (container writable layer) scanning
- Active scanning on pod creation
- Web console for viewing scan results
- API key authentication
- DaemonSet deployment model
- BigQuery data pipeline via Pub/Sub and Cloud Functions
- Email notifications on detection
- Namespace skip lists
Version Compatibility
| Operator Chart | Scanner | Antivirus (ClamAV) | Kubernetes | OpenShift |
|---|---|---|---|---|
| 0.5.x | 0.5.x | 1.3.x | 1.24–1.30 | 4.10–4.16 |
| 0.4.x | 0.4.x | 1.2.x | 1.24–1.29 | 4.10–4.15 |
| 0.3.x | 0.3.x | 1.2.x | 1.24–1.28 | 4.10–4.14 |
Upgrade Notes
Upgrading from 0.4.x to 0.5.x
```bash
helm upgrade guardimesh-operator \
  oci://quay.io/guardimesh/guardimesh-operator \
  --namespace guardimesh-system \
  --reuse-values
```
No breaking changes. The obfuscation scanner sidecar is added automatically.
Upgrading from 0.3.x to 0.4.x
- Update Helm values: rename `scannerImage` to `scanner.scanner.image` if overridden
- Rename the API key Secret if using a non-default name
- Run `helm upgrade`; the operator handles the rolling update
Subscribing to Updates
- Watch releases on the Guardimesh container registry
- Check for new versions via the operator's version check endpoint
- The web console shows a notification when a newer operator version is available