- Support for `for_each` on resources in the Terraform loader
- Switch to `hcl_interpreter` from policy-engine (#383)
- Resource IDs for tf resources that have `count` set now use the
- FG_R00252 should support arrays for condition values (#380)
- FG_R00329 has wrong property name (#368)
- Support for .tf.json files - including those output by Terraform CDK's
- Fix panic in `EnrichResources`
- False positive for rule FG_R00031
- Panic on empty Rego file
- Bump OPA to v0.43.1
- Updated OPA to v0.43.0
- Updated alpine to v3.16 in Dockerfile
- Fix severities for passing rules
- Support for tfvars files and a corresponding `--var-file` option. See the usage section of our docs site for a description of this feature. (#343)
- Tests for FG_R00211 (#281 authored by @dkoder20)
- Support for advanced_event_selector in FG_R00237 (#336)
- Support for account level blocks to FG_R00299 (#336)
- Support for new Terraform AWS provider v4 resource in FG_R00099 (#336)
- Support for new Terraform AWS provider v4 resources in: FG_R00028, FG_R00031, FG_R00044, FG_R00101, FG_R00252, FG_R00274, FG_R00275, FG_R00277, FG_R00279 (#341)
- NACL rule handling in `nacl_library.rego` (#336)
- False negatives from FG_R00484 (#336)
- False positives from FG_R00036 for asymmetric keys (#341)
- Go version to 1.18 (#326 authored by @chenrui333)
- OPA to version 0.40.0 along with other dependency upgrades (#338)
- New TF rules: FG_R00354, FG_R00355, FG_R00357, FG_R00359, FG_R00375, FG_R00451, FG_R00452, FG_R00468
- SARIF output format (#284)
- Resource tags to JSON report (#317)
- Support for valueless tags (#319)
- Support for waivers defined in Fugue SaaS when using
- Commented-out defaults from generated config file (#320)
- Package name to match Go mod conventions for package versioning (#296) (#312)
- Nil panic in Cloudformation detector (#313)
- Bug in FG_R00068 when KMS key resource not defined in same module (#299)
- Support for `count` attribute in HCL (#321)
- Rule package names to match what's in the Fugue platform offering (#300)
- Panic from null count in some Terraform configurations (#307)
- Added support for retrieving rule bundles from Fugue
- Add families to JSON output
- Change ARM provider from "arm" to "azurerm"
- On --sync, apply only rules from synced environment
- Fix issue around module detection
- Better error for missing environment ID on --upload
- Rule `FG_R00500`, which enforces an AWS WAF configuration that mitigates the recently publicized Log4j vulnerabilities
- Panic in Terraform loader (#279)
- Azure Resource Manager (ARM) template support with 38 rules. This feature is currently in preview.
- Ability to specify remediation doc URL for custom rules (#247 authored by @darrendao)
- Support for aws_alb resource type in Terraform rules (#252)
- Remediation doc links for some newer rules
- Panic from HCL loader for variables without defaults (#245)
- Bucket policies not correctly associated with buckets in some Terraform rules (#251)
- Lambda permissions not associated with functions when values besides function name are used (#200)
- False positives from FG_R00073 for WAFv2 with Terraform HCL inputs (#249)
- Issue where some data resources would appear empty in the resource view for Terraform HCL inputs (#244)
This is a major release that contains a few breaking changes described below. Users who are upgrading from previous versions should:
- Swap any uses of the
`regula run --sync --upload` instead of
- Update any tooling that consumes Regula's JSON output to account for the newly-added field
Please see our docs site for the latest usage information.
- `--sync` flag for `regula run`. When `--sync` is specified, Regula will fetch custom rules from Fugue.
- `--upload` flag for `regula run`. When `--upload` is specified, Regula will upload rule results to Fugue.
- `--exclude` takes a rule ID or rule name and excludes that rule from the evaluation.
- `--only` takes a rule ID or rule name and excludes all other rules from the evaluation.
- `rule_raw_result` field to Regula JSON report output. This boolean field indicates the unwaived rule status: `true` if the rule passed before waivers were applied and
- `regula scan` command. The functionality of `regula scan` has been combined into
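The `rule_raw_result` field matters for anyone gating CI on Regula's JSON report: a waiver turns a failing rule into `WAIVED`, and only the raw result tells you the failure is still there. The script below is an added example (not Regula's own code) that audits a report for waived failures and computes a severity-gated exit status, optionally counting waived failures as failures. It assumes a report shaped as a top-level `rule_results` list whose entries carry `rule_id`, `resource_id`, `rule_severity`, `rule_result` (`PASS`, `FAIL` or `WAIVED`) and the boolean `rule_raw_result`; the sample report and the severity values on it are constructed for illustration.

```python
"""Audit a Regula JSON report for waived failures and gate on severity.

Added example, not Regula project code. The report layout (field names other
than rule_raw_result) and the sample below are assumptions for illustration.
"""
import json

# Constructed sample report: one pass, one medium-severity failure, and one
# high-severity failure hidden behind a waiver (rule_result is WAIVED while
# rule_raw_result, the pre-waiver status, is False). Severities are assumed.
SAMPLE_REPORT = json.dumps({
    "rule_results": [
        {"rule_id": "FG_R00031", "rule_result": "PASS", "rule_raw_result": True,
         "rule_severity": "High", "resource_id": "aws_s3_bucket.logs"},
        {"rule_id": "FG_R00068", "rule_result": "FAIL", "rule_raw_result": False,
         "rule_severity": "Medium", "resource_id": "aws_kms_key.app"},
        {"rule_id": "FG_R00073", "rule_result": "WAIVED", "rule_raw_result": False,
         "rule_severity": "High", "resource_id": "aws_wafv2_web_acl.edge"},
    ]
})

# Lowest to highest; the threshold check compares positions in this list.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]


def waived_failures(report_json):
    """Return (rule_id, resource_id) pairs that would fail without their waiver.

    rule_raw_result is the unwaived status, so a WAIVED entry whose raw result
    is False is a genuine failure that a waiver is suppressing.
    """
    report = json.loads(report_json)
    return [
        (r["rule_id"], r["resource_id"])
        for r in report["rule_results"]
        if r["rule_result"] == "WAIVED" and r["rule_raw_result"] is False
    ]


def exit_status(report_json, threshold="High", count_waived=False):
    """Return 1 if any rule at or above `threshold` failed, else 0.

    With count_waived=False the reported rule_result is used, so waivers are
    honoured. With count_waived=True the raw (pre-waiver) result is used, so
    waived failures trip the gate as well.
    """
    report = json.loads(report_json)
    floor = SEVERITY_ORDER.index(threshold)
    for r in report["rule_results"]:
        if count_waived:
            failed = not r["rule_raw_result"]
        else:
            failed = r["rule_result"] == "FAIL"
        if failed and SEVERITY_ORDER.index(r["rule_severity"]) >= floor:
            return 1
    return 0


if __name__ == "__main__":
    for rule_id, resource in waived_failures(SAMPLE_REPORT):
        print(f"waived failure: {rule_id} on {resource}")
    print("exit status, waivers honoured:", exit_status(SAMPLE_REPORT))
    print("exit status, waivers ignored: ", exit_status(SAMPLE_REPORT, count_waived=True))
```

Run against a real report with `regula run --format json ... > report.json` and feed the file contents to the two functions; the waived-failure list is the one worth surfacing in a pipeline summary, since a waiver that outlives its justification is otherwise invisible in the pass/fail counts.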
- Regula's Terraform HCL loader. We've gained support for heredoc syntax, better error handling, better function support, and more.
- Resource line numbers for Kubernetes manifests
- `k8s` input type in help text (#217)
- A tutorial on how to debug a rule
- A new rule to enforce lambda permission conditions (#200)
- Base docker image from scratch to alpine (#215)
- Add resource source code location for regula scan
- Kubernetes support and first batch of rules
- Add CIS AWS v1.4.0 and CIS Google v1.2.0
- Enhance ASG AZ rule by inspecting `vpc_zone_identifier`
- Fix trailing commas in Rego metadocs for `regula scan`
- A new 'compact' output format. See our updated usage documentation for example output.
- Option to set the output format via the
- Remediation docs URLs to JSON output format. See our updated report output documentation for more info.
- Rule documentation links in the text output format
- Bug with template strings in arguments to
- Bug that caused S3 buckets to be ignored by some rules if they had a bucket policy we could not parse (#186)
- Compatibility issue with `regula scan` and some custom Fugue SaaS rules (#185)
- Integration with Fugue's SaaS product via `regula scan`. This is a purely optional feature and `regula run` continues to operate entirely standalone. Let us know if you'd like access to the closed beta by emailing email@example.com!
- Out-of-date NIST mappings (#175)
- Errors from some Terraform configurations that use variables with nested complex types (#176)
- Bug where .terraform directory can get loaded when --no-ignore option is used (#181)
- Use consistent evaluation order for local variables in Terraform (#184)
- A configuration file for 'regula run'. See 'regula init' in our usage and configuration pages for more details (#172)
- Inconsistent filepaths when inputs are specified with a leading `./`. Now all filepaths will be normalized to remove any leading `./`.
- Confusing warning messages when `terraform init` is needed (#170)
- Default WORKDIR to `/workspace` in Docker image (#158)
- Resource line and column numbers in rule results
- Issue with `missing_resource()` rule results excluded from report output (#157)
- Values for undefined Terraform variables without defaults (#156)
- Support for `_` in flag names, e.g. `--input_type=tf_plan`
- A new text format as the default output format
- Many new Terraform rules! See the full list on our docs site.
- Unified `input_type` values in rules with `--input-type` flag
- Bug when reading .tf files from stdin
- Use specific filepath in report output for tf inputs (#128)
- `data.` prefix in data source type names (e.g. `data.aws_iam_policy_document`) for tf inputs
- Remove coloring for WAIVED status and severity in table output so that it's readable against a black background (#126)
- Improve support for conditional resources (`count = 0`) in Terraform HCL
- New `regula` CLI tool with lots of new features, including:
- Support for HCL source code
- Built-in OPA and input processing - removes the need for a separate OPA installation as well as the Python and Terraform dependencies.
- Discovery of IaC configurations
- Additional output formats (an ASCII table, JUnit XML, etc.)
- A configurable exit status based on rule severity
- `repl` commands which enhance OPA with the Regula library
For descriptions of the new features and how to use them, please see our updated documentation at https://regula.dev
- Put all Rego code in a `rego` subdirectory. Please see our Conftest documentation for the updated URLs.
- Add support for waivers.
- Add support for disabling rules.
- Always use multiple input file mode to display the file path.
- `filepath` in report output.
- Use nonzero exit code when rules are failing.
- Update regula report output format.
- Support multiple input files.
- Add support for CloudFormation templates.
- Add 23 new CIS AWS rules for CloudFormation templates.
- Reorganize rules and tests and standardize rule names.
- Update control and compliance family names to new format.
- Add a Dockerfile.
- New rule: Ensure AWS S3 Buckets are encrypted.
- New rule: Ensure AWS CloudFront uses HTTPS.
- `deny[msg]`-style simple rules.
- Enable structured output for
- Relicense under Apache 2.0 rather than AGPL.
- Add `NIST_800-53` mapping to existing rules.
- Add support for `fugue.missing_resource_with_message` to return custom messages from rules.
- Add a workaround for a bug in OPA >= 0.20 that prevented simple `deny` rules from working.
- Fix an issue where multiple terraform refs would cause an `object keys must be unique` error.
- Add conftest integration.
- Add a human-readable message to the report.
- Work around terraform issue with subdirectories & remote backends.
- Add initial set of Azure rules.
- Add initial set of GCP rules.
- Minor README.md and SECURITY.md fixes and improvements.
- Add support for terraform modules.
- Fix `mktemp` invocation on Mac.
- Various README improvements.
- Initial release.