- policy-engine to v0.18.1
- policy-engine to v0.18.0 to add support for newer Terraform syntax (#388)
- policy-engine to fix panic from null variables (#389)
- go version to 1.18
- support for_each for resources in tf loader
- switch to hcl_interpreter from policy-engine (#383)
- resources IDs for tf resources that have count set now use the
aws_s3_bucket.my_bucket[0]
format
- FG_R00252 should support arrays for condition values (#380)
- FG_R00329 has wrong property name (#368)
- Support for .tf.json files - including those output by Terraform CDK's
cdktf synth
command.
- fix panic in EnrichResources
- false positive for rule FG_R00031
- panic on empty rego file
- bump OPA to v0.43.1
- Support for remediation doc to regotools metadoc (#352 authored by @darrendao)
- Panic when using both Terraform and Regula as go libraries (#350 authored by @craigfurman)
- Updated OPA to v0.43.0
- Updated alpine to v3.16 in Dockerfile
- fix severities for passing rules
- Support for tfvars files and a corresponding
--var-file
option. See the usage section of our docs site for a description of this feature. (#343)
- Tests for FG_R00211 (#281 authored by @dkoder20)
- Support for advanced_event_selector in FG_R00237 (#336)
- Support for account level blocks to FG_R00299 (#336)
- Support for new Terraform AWS provider v4 resource in FG_R00099 (#336)
- Support for new Terraform AWS provider v4 resources in: FG_R00028, FG_R00031, FG_R00044, FG_R00101, FG_R00252, FG_R00274, FG_R00275, FG_R00277, FG_R00279 (#341)
- NACL rule handling in nacl_library.rego (#336)
- False negatives from FG_R00484 (#336)
- False positives from FG_R00036 for asymmetric keys (#341)
- Go version to 1.18 (#326 authored by @chenrui333)
- OPA to version 0.40.0 along with other dependency upgrades (#338)
regula version
output
- New TF rules: FG_R00354, FG_R00355, FG_R00357, FG_R00359, FG_R00375, FG_R00451, FG_R00452, FG_R00468
- SARIF output format (#284)
- Resource tags to JSON report (#317)
- Support for valueless tags (#319)
input_resource_types
set tofugue
library (#322)- Support for waivers defined in Fugue SaaS when using
--sync
(#316)
- Commented-out defaults from generated config file (#320)
- Package name to match Go mod conventions for package versioning (#296) (#312)
- Nil panic in Cloudformation detector (#313)
- Bug in FG_R00068 when KMS key resource not defined in same module (#299)
- Upgrade OPA from 0.34.1 to 0.37.0 (#308)
- Upgrade Alpine version in docker image (#323)
- Support for
count
attribute in HCL (#321)
- Rule package names to match what's in the Fugue platform offering (#300)
- Empty
opa.runtime()
result (#301) - Null
terraform.workspace
value (#305) - Panic from null count in some Terraform configurations (#307)
- Table output by making the result and severity columns more visible (#298 authored by @fafg)
- Added support for retrieving rule bundles from Fugue
- Add families to JSON output
- Change ARM provider from "arm" to "azurerm"
- On --sync, apply only rules from synced environment
- Fix issue around module detection
- Better error for missing environment ID on --upload
- Rule
FG_R00500
that enforces AWS WAF configuration that mitigates the recently-publicized Log4J vulnerabilities
- Panic in Terraform loader (#279)
- Azure Resource Manager (ARM) template support with 38 rules. This feature is currently in preview.
- Ability to specify remediation doc URL for custom rules (#247 authored by @darrendao)
- Support for aws_alb resource type in Terraform rules (#252)
- Remediation doc links for some newer rules
- Panic from HCL loader for variables without defaults (#245)
- Bucket policies not correctly associated with buckets in some Terraform rules (#251)
- Lambda permissions not associated with functions when values besides function name are used (#200)
- False positives from FG_R00073 for WAFv2 with Terraform HCL inputs (#249)
- Issue where some data resources would appear empty in the resource view for Terraform HCL inputs (#244)
This is a major release that contains a few breaking changes described below. Users who are upgrading from previous versions should:
- Swap any uses of the
--user-only
flag for--no-built-ins
- Use
regula run --sync --upload
instead ofregula scan
- Update any tooling that consumes Regula's JSON output to account for the newly-added field
Please see our docs site for the latest usage information.
--sync
flag toregula run
. When--sync
is specified, Regula will fetch custom rules from Fugue.--upload
flag toregula run
. When--upload
is specified, Regula will upload rule results to Fugue.--exclude
flag toregula run
.--exclude
takes a rule ID or rule name and excludes that rule from the evaluation.--only
flag toregula run
.--only
takes a rule ID or rule name and excludes all other rules from the evaluation.rule_raw_result
field to Regula JSON report output. This boolean field indicates the unwaived rule status -true
if the rule passed before waivers were applied andfalse
otherwise.
- Renamed
--user-only
flag to--no-built-ins
regula scan
command. The functionality ofregula scan
has been combined intoregula run
.
:unneeded is deprecated
warning from brew install (#239 authored by @somaritane)
- Regula's Terraform HCL loader. We've gained support for heredoc syntax, better error handling, better function support, and more.
- Resource line numbers for Kubernetes manifests
k8s
input type in help text (#217)- A tutorial on how to debug a rule
- A new rule to enforce lambda permission conditions (#200)
- Base docker image from scratch to alpine (#215)
- Incompatibility with plan files from Terraform v1.0.8 (#220) (#221) (#222)
- Add resource source code location for regula scan
- Kubernetes support and first batch of rules
- Add CIS AWS v1.4.0 and CIS Google v1.2.0
- Enhance ASG AZ rule by inspecting vpc_zone_identifier
- Fix trailing commas in rego metadocs for regula scan
- A new 'compact' output format. See our updated usage documentation for example output.
- Option to set the output format via the
REGULA_FORMAT
environment variable - Remediation docs URLs to JSON output format. See our updated report output documentation for more info.
- Rule documentation links in the text output format
- Bug with template strings in arguments to
jsonencode
in Terraform
- Bug that caused S3 buckets to be ignored by some rules if they had a bucket policy we could not parse (#186)
- Compatibility issue with
regula scan
and some custom Fugue SaaS rules (#185)
- Integration with Fugue's SaaS product via
regula scan
. This is a purely optional feature andregula run
continues to operate entirely standalone. Let us know if you'd like access to the closed beta by emailing support@fugue.co!
- Out-of-date NIST mappings (#175)
- Errors from some Terraform configurations that use variables with nested complex types (#176)
- Bug where .terraform directory can get loaded when --no-ignore option is used (#181)
- Use consistent evaluation order for local variables in Terraform (#184)
- A configuration file for 'regula run'. See 'regula init' in our usage and configuration pages for more details (#172)
- Inconsistent filepaths when inputs are specified with a leading
./
. Now all filepaths will be normalized to remove any leading./
(#169) - Confusing warning messages when
terraform init
is needed (#170)
- Default WORKDIR to
/workspace
in Docker image (#158) - Resource line and column numbers in rule results 😎
- Rule metadata updates (#148) (#153) (#166)
- Issue with
missing_resource()
rule results excluded from report output (#157) - Values for undefined Terraform variables without defaults (#156)
- Support for _ in flag names, e.g. --input_type=tf_plan
- A new text format as the default output format
- Many new Terraform rules! See the full list on our docs site.
- Unified input_type values in rules with --input-type flag
- Bug when reading .tf files from stdin
- Use specific filepath in report output for tf inputs (#128)
- Include
data.
prefix in data source type names (e.g.data.aws_iam_policy_document
) for tf inputs
- Remove coloring for WAIVED status and severity in table output so that it's readable against a black background (#126)
- Improve support for conditional resources (count = 0) in Terraform HCL
-
A
regula
CLI tool with lots of new features, including:- Support for HCL source code
- Built-in OPA and input processing - removes the need for a separate OPA installation as well as the Python and Terraform dependencies.
- Discovery of IaC configurations
- Additional output formats (an ASCII table, JUnit XML, etc.)
- A configurable exit status based on rule severity
test
andrepl
commands which enhance OPA with the Regula library
For descriptions of the new features and how to use them, please see our updated documentation at https://regula.dev
- Put all rego code in a
rego
subdirectory. Please see our Conftest documentation for the updated URLs.
- Add support for waivers.
- Add support for disabling rules.
- Always use multiple input file mode to display the file path.
- Rename
filename
tofilepath
in report out. - Use nonzero exit code when rules are failing.
- Update regula report output format.
- Support multiple input files.
- Add support for CloudFormation templates.
- Add 23 new CIS AWS rules for CloudFormation templates.
- Reorganize rules and tests and standardize rule names.
- Update control and compliance family names to new format.
- Add a Dockerfile.
- New rule: Ensure AWS S3 Buckets are encrypted.
- New rule: Ensure AWS CloudFront uses HTTPS.
- Allow
deny[msg]
style simple rules. - Enable structured output for
conftest
integration.
- Relicense under Apache 2.0 rather than AGPL.
- Add
NIST_800-53
mapping to existing rules. - Add support for
fugue.deny_resource_with_message
andfugue.missing_resource_with_message
to return custom messages from rules. - Add a workaround for a bug in OPA >= 0.20 that prevented simple
allow
/deny
rules from working. - Fix an issue where multiple terraform refs would cause an
object keys must be unique
error.
- Add conftest integration.
- Add a human-readable message to the report.
- Work around terraform issue with subdirectories & remote backends.
- Add initial set of Azure rules.
- Add initial set of GCP rules.
- Minor README.md and SECURITY.md fixes and improvements.
- Add support for terraform modules.
- Fix
mktemp
invocation on Mac. - Various README improvements.
- Initial release.