Skip to main content

Install

helm repo add changeguard https://charts.changeguard.ai
helm repo update
helm upgrade --install changeguard changeguard/changeguard-operator \
  --namespace changeguard-system --create-namespace \
  --set agent.apiKey=YOUR_API_KEY \
  --set agent.clusterName=production \
  --set agent.provider=EKS \
  --set agent.security.enabled=true
ChangeGuard is operator-managed, and the Helm chart is the single install artifact — it deploys the operator, the read-only data collector, and all five scanners. There is no standalone agent.

Key Values

KeyDefaultDescription
agent.apiKeyrequiredChangeGuard API key
agent.clusterNamerequiredCluster display name
agent.providerKubernetesEKS, GKE, AKS, Kubernetes
agent.security.enabledtrueEnable all security scanning
agent.security.kubeBench.enabledtrueCIS benchmarks
agent.security.grype.enabledtrueCVE scanning
agent.security.falco.enabledtrueRuntime detection
agent.collector.pushInterval10sSnapshot frequency
global.imageRegistryunsetOverride the registry for every image (air-gapped installs)

GitOps, OCI, and air-gapped installs

ChangeGuard discovers GitOps state by reading it directly from the Kubernetes API inside the cluster — no ArgoCD or Flux API token is required. Turn discovery on with: 
  --set gitops.argoCD.enabled=true \
  --set gitops.flux.enabled=true
See ArgoCD Integration and Flux CD Integration for details. The chart is also published as an OCI artifact. To install from the registry — or to run fully air-gapped by mirroring the chart and images and repointing them with a single value: 
helm upgrade --install changeguard \
  oci://public.ecr.aws/m7g7b7v0/changeguard-operator \
  --namespace changeguard-system --create-namespace \
  --set global.imageRegistry=registry.internal \
  --set agent.apiKey=YOUR_API_KEY \
  --set agent.clusterName=production \
  --set agent.security.enabled=true

Verify before installing

The chart, the operator and agent images, and a CycloneDX SBOM for each are signed with cosign (backed by AWS KMS). Verify any artifact against the published key before installing: 
cosign verify --key https://charts.changeguard.ai/cosign.pub <image-or-chart>

Upgrade

helm upgrade changeguard changeguard/changeguard-operator \
  --namespace changeguard-system --reuse-values