Changelog

Purpose

RegScale Orchestration Hub (ROH) enables organizations to automate the import and export of data between RegScale and external systems through configurable integrations and commands.

This beta release is intended for early adopters and validation of core orchestration capabilities. Functionality, supported integrations, and performance characteristics may change before General Availability (GA).

What's Included

Core Capabilities

ROH Beta Supports:

  • Multiple scheduled job configurations per integration to support different data sources, configuration options, secrets, etc.
  • Run instant jobs for ad hoc data loads
  • Job splitting, which breaks larger jobs into multiple smaller batches so that very large collections of data are processed more quickly
  • Review logs of currently running job executions or previously completed job executions
  • Review the health of different ROH components from a job worker dashboard
  • Managing different sets of credentials and settings in a secret set so the same kind of job can be run against multiple different environments with different credentials
  • Executing jobs ad-hoc by a user pressing a button or running a job on a schedule without direct user interaction

Newly Supported Integrations

| Integration | Commands |
| --- | --- |
| AWS | sync_assets, sync_findings, sync_findings_and_assets, sync_compliance, sync_config_compliance, sync_kms, sync_org, sync_iam, sync_guardduty, sync_s3, sync_cloudtrail, sync_cloudwatch, sync_cloudwatch_ex, sync_ssm |
| Axonius | sync_assets, sync_findings, sync_all, sync_saved_queries |
| Azure Active Directory | sync_admins, sync_general, sync_readonly |
| CrowdStrike | collect_evidence, sync_assets, sync_compliance, sync_incidents, sync_vulnerabilities |
| Entra Evidence Microsoft Defender | collect_entra_evidence |
| Google BigQuery | collect_evidence, sync_assets, sync_compliance, sync_findings |
| Jira | issues, tasks |
| Palo Alto Prisma Cloud | sync_hosts, sync_images, sync_sbom |
| Qualys | sync_cis_report, sync_qualys |
| SentinelOne | sync_assets, sync_findings, sync_threats, sync_vulnerabilities, sync_all |
| Rapid7 | sync_all, sync_assets, sync_findings |
| Tenable.io | sync_all, sync_assets, sync_findings |
| Tenable SC | sync_all, sync_assets, sync_compliance, sync_findings |
| Wiz | inventory, issues, vulnerabilities, sync_compliance, compliance_report |

Known Limitations

Functional Limitations

  • A ROH deployment can only execute two jobs at the same time. This behavior is not dynamic.
  • A ROH deployment can only talk to integrations using HTTP 1.1; HTTP 2 is disabled for stability purposes.

Performance Limitations

  • Issue Ingestion Limitations

    • The issue ingest functionality of the core RegScale Platform does not complete performantly for smaller batches of 100 items or fewer at a time. For integration_command sync_all and integration_command sync_issues commands, add the secret issuesBatchSize with value 500, Type Integer, and Category General.
  • Vulnerability Ingestion Limitations

    • The vulnerability ingestion functionality of the core RegScale Platform does not perform stably for large batches over 1,000 items at a time. For integration_command sync_all and integration_command sync_vulnerabilities commands, add the secret vulnerabilityBatchSize with value 500, Type Integer, and Category General.
  • Integration-specific Limitations

    • Azure AD

      • The azure sync_admins, azure sync_general, and azure sync_readonly commands are not near real-time. With default settings, a command will ingest approximately 333 users per minute successfully.
      • The azure sync_admins command will not perform reliably for ingesting more than 50,000 users at one time.
    • Jira

      • The jira issues command is not near real-time. With default settings, the command will ingest approximately 500 issues per minute.
      • The jira tasks command is not near real-time. With default settings, the command will ingest approximately 540 issues per minute.
    • Rapid7

      • The rapid7 sync_all command is not near real-time. With default settings, the command will ingest approximately 2,100 items per minute.
      • The rapid7 sync_assets command is not near real-time. With default settings, the command will ingest approximately 3,300 items per minute.
    • Tenable.io

      • The tenable_io sync_assets command is not near real-time. With default settings, the command will ingest approximately 1,300 assets per minute.
      • The tenable_io sync_findings command is not near real-time. With default settings, the command will ingest approximately 1,100 findings per minute.

[6.31.1.0] 05-28-2026

Important Information regarding platform release 6.31.1.0 dependencies.

This release is the minimum required version to support RegScale Orchestration Hub (ROH) version 6.31.1.0.
Please see the ROH 6.31.1.0 release notes for more details regarding other requirements.

Changes & Enhancements

Security & Access Management

  • Added enhanced security controls to better restrict module permissions by user group.
  • Improved handling of server account bug-related access permission assignments.
  • Enhanced App Builder capabilities to better support Tenant and App Admin permission management through SSO.
  • Improved performance for Issue, Vulnerability, and Asset queries to provide faster response times.
  • Optimized assessment list page performance to reduce delays caused by large RBAC queries.

Workflow & Automation

  • Improved recurring questionnaire scheduling and processing reliability.
  • Enhanced workflow step panel behavior to prevent unnecessary issue detail page redirects.
  • Improved webhook reliability for API compliance integrations.
  • Enhanced streaming batch create/update processing to better support large SSP datasets.
  • Improved vulnerability batch processing logic to better detect and handle duplicate matches across plans.

Reporting & Data Export

  • Added support for exporting custom report fields in Excel date filter outputs.
  • Improved PDF chart rendering in reports for more accurate and consistent exports.
  • Enhanced handling of large SSP exports to improve overall stability and performance.

User Experience & Interface

  • Improved handling of dropdown field option rendering in forms.
  • Enhanced UI behavior when adding repeated treatments from Security Plan review controls and Risk Assessment workflows.
  • Improved Nessus compliance scan visualization by consolidating findings into a single vulnerability row while preserving host-level mapping data.
  • Updated local storage handling for request evidence link rendering behavior.

Compliance & Rules Engine

  • Improved Rules Engine stability and validation handling for grade rule management.
  • Enhanced vulnerability stream processing to better support large-scale SSP operations.
  • Improved handling of CVE matching validation within the ConMon process.

Fixes

API & Integration Fixes

  • Fixed an issue where API webhook requests could intermittently fail.
  • Fixed a problem preventing correct comparison of generated API documentation.
  • Resolved intermittent failures affecting AI access requests.
  • Fixed an issue where the Asset Delete webhook was not firing correctly.
  • Corrected API response handling for password reset operations returning incorrect HTTP 400 responses.
  • Fixed API behavior preventing the admin change password action from triggering properly.

Authentication & Permissions

  • Fixed an issue where assigned permissions could incorrectly return HTTP 401 errors despite valid access.
  • Corrected issues with module permission enforcement and access validation.
  • Resolved caching issues that caused RegScale configuration sidebar visibility problems for critical admin menu items.

App Builder & Forms

  • Fixed an issue where the “Set Value” action was not visible in the Rule Builder.
  • Corrected App Builder form rendering and field visibility inconsistencies.
  • Fixed right navigation dropdown fields not displaying configured options despite valid bindings.
  • Resolved issues affecting repeated treatment entry behavior in workflow review screens.

Reporting & Data Handling

  • Fixed report export issues related to custom date filter fields in Excel outputs.
  • Corrected vulnerabilities causing local storage rendering issues for request evidence links.
  • Fixed data deduplication issues during streaming batch create/update processing.

Vulnerability & Compliance Management

  • Fixed vulnerability batch create/update timeout issues for large SSP environments.
  • Corrected CVE matching issues during ConMon processing.
  • Fixed Nessus compliance scan result grouping issues that caused per-host asset mapping inconsistencies.
  • Resolved issues where vulnerability matching incorrectly crossed plans.

UI & Workflow Fixes

  • Fixed issues causing UI blocks when adding repeated treatments during Security Plan review workflows.
  • Corrected assessment list performance issues caused by excessive database query volume.
  • Fixed issue detail workflow navigation inconsistencies.
  • Resolved local storage-related UI rendering issues.

Asset & Identifier Management

  • Fixed issues related to AssetIdentifierValidator behavior when switching tracking number cases.

[6.34.34.0] - 2026-05-20

Changed

  • Wiz inventory type allow-list trimmed to 25 approved asset types; network plumbing, IAM artifacts, governance/scope, and individual secret types removed from default filter
  • Wiz asset provider-native cloud identifiers (ARM path, AWS ARN) now used as primary dedup keys instead of internal Wiz UUIDs
  • Cloud-native Kubernetes Clusters now categorized as Hardware assets in the eMASS inventory
  • Database engine version (e.g. SQL Server, PostgreSQL) now correctly populates SoftwareVersion rather than OSVersion
  • VM image assets now carry a meaningful AssetType instead of "Other"

Added

  • OpenSCAP now accepts FedRAMP POA&M-shaped CSV files in addition to the previously supported xccdf2csv scan-output format

Fixed

  • OpenSCAP now logs a header-mismatch warning instead of silently reporting zero findings when CSV columns are not recognized
  • integration now follows Microsoft Graph pagination on group and group-member fetches, so , , and see the full set of groups and members instead of silently truncating at the first page (~100 items)
  • FedRAMP POA&M import no longer fails on every sheet when run in Airflow and ROH workers, restoring asset and finding sync
  • eMASS now correctly detects an existing Security Plan by eMASS ID and updates it instead of creating a duplicate
  • Wiz compliance sync no longer creates stub Asset records for refused entity types such as DNS records, IAM roles, and subscription/namespace types
  • Cloud-native firewalls (NSGs, security groups) now correctly categorized as Software instead of Hardware
  • Prisma host sync no longer silently drops vulnerabilities that share a package name across hosts; the integration now sends the full server-aligned vulnerability dedup key so distinct CVE findings persist as distinct records
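
The Microsoft Graph pagination fix listed above is easiest to see with both behaviours side by side. This is an added example, not RegScale's code: `get_page`, `fetch_all`, the origin check and the constructed 250-member sample are assumptions made for illustration; `@odata.nextLink` is the continuation field Microsoft Graph returns.

```python
from urllib.parse import urlsplit

BASE = "https://graph.microsoft.com/v1.0/groups/constructed-id/members"


class PaginationError(RuntimeError):
    """The page chain cannot be followed safely."""


def origin_of(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def first_page_only(first_url, get_page):
    """The truncating behaviour: reads one page and ignores @odata.nextLink."""
    return get_page(first_url).get("value", [])


def fetch_all(first_url, get_page, max_pages=1000):
    """Follow @odata.nextLink until the service stops returning one.

    get_page(url) is a hypothetical callable that performs the authenticated
    GET and returns the decoded JSON body as a dict.
    """
    trusted = origin_of(first_url)
    visited, items, url = set(), [], first_url
    while url is not None:
        if url in visited:
            raise PaginationError("nextLink points back to a page already read")
        if len(visited) >= max_pages:
            raise PaginationError("page limit reached before the chain ended")
        # The access token is sent with every page request, so a nextLink
        # that leaves the original origin is refused rather than followed.
        if origin_of(url) != trusted:
            raise PaginationError("nextLink leaves the original origin")
        visited.add(url)
        body = get_page(url)
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items


def build_pages(total, size):
    """Constructed sample data: `total` members served `size` per page."""
    pages = {}
    for start in range(0, total, size):
        url = BASE if start == 0 else f"{BASE}?$skiptoken={start}"
        body = {"value": [{"id": f"user-{i}"} for i in range(start, min(start + size, total))]}
        if start + size < total:
            body["@odata.nextLink"] = f"{BASE}?$skiptoken={start + size}"
        pages[url] = body
    return pages


PAGES = build_pages(250, 100)

if __name__ == "__main__":
    print(len(first_page_only(BASE, PAGES.__getitem__)), "members without pagination")
    print(len(fetch_all(BASE, PAGES.__getitem__)), "members with pagination")
```

Comparing the two counts after a sync is a quick check for silent truncation: a result that lands exactly on the page size deserves a second look.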

[6.31.0.4] 05-14-2026

Fixes

  • Added startup-time and on-demand probing of configured log-forwarding sinks (UDP syslog, TCP syslog, Splunk HEC) so misconfigured sinks surface as structured log lines instead of silently dropping the events.

[6.34.31] - 2026-05-13

Changed

  • eMASS importers (, SecCat workbook import, eMASS XML system import) now create new Security Plans with the tenant's DoD compliance setting instead of the default RegScale compliance setting, with the correct ID resolved automatically by framework keyword regardless of the numeric ID assigned in each tenant
  • Rapid7 InsightVM integration now uses server-side API pagination for orchestration offset and limit, reducing redundant API calls during parallel job splitting
  • Rapid7 InsightVM Console v3 sync_findings now streams findings as soon as their definitions are available instead of waiting for every asset listing to finish first, reducing time-to-first-finding from minutes to seconds on large environments
  • Scanner-based asset sync (GCP, Wiz, Tanium, Crowdstrike, SentinelOne, etc.) now respects the configured for the HTTP POST chunk size to ; the previous hardcoded chunk size of 100 only applies when is unset, with the documented default of 500 now taking effect for unconfigured deployments
  • Bumped 3.2.0 → 3.2.1 (REG-22036 / Trivy scan): patch-level fix for CVE-2026-38743 (per-DAG access-control bypass on the Human-in-the-Loop endpoint) and CVE-2026-40690 (asset dependency graph leaking nodes outside the viewer's DAG read permissions); operators on the bundled Airflow do not need any deployment change
  • Bumped 1.7.0 → 1.7.2 (REG-22036 / Trivy scan): patch for CVE-2026-44681 (OIDC Implicit/Hybrid Authorization open-redirect); affects only the extra, which uses for Azure provider OIDC flows

Added

  • New module (REG-22036): the Phase 1 container-startup AWS Secrets Manager loader is extracted from into a focused module so the file-permission / non- path / exception-sanitization hardening can be exercised by a dedicated regression suite. Behavior is unchanged for production callers — the helper is still invoked at import time when and are set.

Fixed

  • Security Plan updates from the CLI no longer wipe optional fields that were not explicitly modified, by fetching the current server copy and merging only the fields the caller set before sending the update
  • Security Plan updates now block accidental re-parenting through the CLI unless the caller explicitly opts in via

  • SSP and Appendix A imports (including FedRAMP Rev 5) now generate platform-policy-compliant passwords when creating stakeholder users, restoring stakeholder linkage that was previously dropped when the platform rejected weak or incompletely-classed passwords with HTTP 400
  • Nessus compliance scan findings now create one Vulnerability per control with all affected hosts preserved instead of collapsing every control under a plugin into a single row

  • Airflow DAG listing now returns all RegScale integrations to the RegScale UI instead of silently truncating at the first 100 alphabetically, restoring visibility of Wiz, Trivy, and other late-alphabet integrations on the Integrations page
  • Nessus and other large-file scanner imports no longer incorrectly close findings from unrelated sources during multi-batch ingestion; mop-up is now scoped to the final batch of each run instead of every chunk
  • Control implementation sync no longer fails with a platform validation error when the Justification for Exclusion field has not been previously set
  • , , , and now propagate values as headers on outbound Microsoft Graph calls; previously, mock-server scale configuration was silently ignored, so end-to-end test environments always used the mock server's built-in defaults (, ) instead of the configured values. Header injection covers both the legacy session and the default client
  • Scanner integrations now honor , , and from ; previously these keys were silently ignored and per-API-call batches always used the hardcoded defaults
  • Issue and Vulnerability descriptions are now capped at 4000 characters client-side at the model layer (matching the backend on ; 's backend limit is 8000 but is capped at the same 4000 by convention so both records produced from one finding stay the same length) so oversized descriptions from any integration (Microsoft Defender, Qualys, ServiceNow, SonarCloud, GitLab, and others) are truncated before sync with a WARNING log instead of being rejected by the platform
  • AWS CloudWatch, CloudTrail, and Systems Manager sync now link generated evidence records to the parent Security Plan instead of leaving them unmapped
  • AWS Security Hub sync_findings now creates Vulnerabilities with a stable per-control identifier, so the backend auto-creates the corresponding Issues and keeps them open across subsequent scans instead of leaving the tenant with zero Vulnerabilities and closed Issues
  • Corrected misleading CLI help text across several commands (eMASS , Axonius and related file-path options, FedRAMP , Azure Intune , ServiceNow, Microsoft Defender, CSAM, CISA, JFrog Xray, OpenText, and the bulk permissions importer) so accurately describes what each command does
  • SentinelOne no longer fails for a percentage of records with HTTP 500 from the platform vulnerability endpoint; the SentinelOne agent UUID is no longer leaked into the field of the Vulnerability payload, and the underlying scanner-framework behavior of treating opaque asset identifiers (UUIDs, ARNs, agent IDs) as DNS sources has been removed across all scanners
  • SentinelOne (and any scanner using the platform bulk vulnerability endpoint) previously appeared to succeed but persisted zero rows because the request envelope used a misspelled key; vulnerabilities now serialize under the correct envelope key and are written to the security plan as expected
  • Bulk vulnerability and issue submission paths now retry transparently on the transient raised by the HTTP/2 connection-pool race under heavy concurrent fan-out, eliminating spurious single-item failures during large per-item fallbacks
  • CrowdStrike evidence collection now hydrates host details via the POST-form Hosts API to avoid HTTP 414/431 rejections at upstream ingress when batches approach the GET-form query-string limit
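
The mop-up fix for multi-batch ingestion listed above (findings from unrelated sources being closed on every chunk) comes down to where the "close what was not seen" step runs and what it is scoped to. The following is an added example, not RegScale's code: the `Finding` model, the function names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    key: str
    source: str
    status: str = "Open"


def upsert(store, source, keys):
    """Create or reopen one finding per key for the given source."""
    for key in keys:
        store[(source, key)] = Finding(key, source, "Open")


def ingest_mop_up_every_chunk(store, source, chunks):
    """Faulty pattern: each chunk closes everything it does not contain."""
    for chunk in chunks:
        upsert(store, source, chunk)
        current = {(source, key) for key in chunk}
        for ident, finding in store.items():
            if ident not in current:
                finding.status = "Closed"


def ingest_mop_up_final_batch(store, source, chunks):
    """Corrected pattern: one mop-up per run, limited to the run's source."""
    seen = set()
    for chunk in chunks:
        upsert(store, source, chunk)
        seen.update((source, key) for key in chunk)
    # Reached only when every chunk was ingested; an aborted run closes nothing.
    for ident, finding in store.items():
        if finding.source == source and ident not in seen:
            finding.status = "Closed"


def sample_store():
    """Constructed state before the run: four Nessus findings, one Wiz finding."""
    store = {}
    upsert(store, "nessus", ["n1", "n2", "n3", "n4"])
    upsert(store, "wiz", ["w1"])
    return store


def open_keys(store):
    return sorted(f.key for f in store.values() if f.status == "Open")


# Constructed new Nessus scan, delivered in two chunks; n4 was remediated.
NEW_SCAN_CHUNKS = [["n1", "n2"], ["n3"]]

if __name__ == "__main__":
    before, after = sample_store(), sample_store()
    ingest_mop_up_every_chunk(before, "nessus", NEW_SCAN_CHUNKS)
    ingest_mop_up_final_batch(after, "nessus", NEW_SCAN_CHUNKS)
    print("per-chunk mop-up leaves open:", open_keys(before))
    print("final-batch mop-up leaves open:", open_keys(after))
```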

[6.31.0.3] 05-12-2026

Enhancements & Changes

POAM Export Performance Improvements

Enhanced the performance and stability of large FedRAMP POAM exports to better support environments with high POAM volumes and complex SSP data sets.

Key improvements include:

  • Optimized POAM export processing for large SSPs
  • Reduced memory consumption during export generation
  • Improved handling of large entity relationships and child record loading
  • Added pagination and streaming support for large export operations
  • Added safeguards and record count protections for oversized exports

These updates significantly improve export reliability and scalability for enterprise-sized implementations.


Fixes

FedRAMP & SSP

  • Resolved an issue causing FedRAMP POAM exports to fail with memory-related errors when processing SSPs containing very large POAM datasets (33k+ records)
  • Fixed multiple errors preventing successful SSP ConMonData wipe operations
  • Corrected an issue where SSP Author functionality could fail under certain demo and testing scenarios

POAM & Vulnerability Management

  • Fixed issues impacting POAM configuration findings behavior
  • Fixed an issue where vulnerabilities and issues could not be created from Nessus scan imports
  • Corrected a vulnerability lookup error that caused Deviation Request operations to fail with a server error
  • Fixed vulnerability search issues impacting specific control searches such as “CM-6”

Deviations & Exports

  • Corrected an issue where Deviation exports incorrectly included Deviation Requests in a “Rejected” state

Security & Authentication

  • Fixed a password reset validation issue that did not properly enforce updated password requirements

Security Policies

  • Fixed an issue preventing values greater than approximately 365 days from being saved in the “Inactive Account De-Activation” policy field

Database & Migration Stability

  • Corrected a questionnaire group migration failure caused by foreign key constraint conflicts during database migrations

Changed

  • Extended credential-redaction protections across third-party integration log output at all severity levels (Microsoft Defender, Okta, Wiz, Qualys, Prisma Cloud, Azure Intune, GitLab, Jira, SonarCloud, SentinelOne, Sicura, DuroSuite, Tenable, Axonius, CrowdStrike, and the GitLab and GitHub pipeline-compliance providers).
  • OpenTelemetry trace exporter now defaults to TLS. Deployments that previously relied on plaintext OTLP export must either point at a loopback collector (, , or ) or front the collector with TLS. Operators should monitor the application log for either WARNING (insecure=True against a non-loopback endpoint, exporter is disabled and spans are dropped) or WARNING (insecure=False against a plaintext http:// endpoint, gRPC TLS handshake fails and spans are dropped). Both modes drop spans silently with no exception raised.
  • Hidden the non-functional command group and its subcommands from output to avoid confusion. Use the group for eMASS workbook imports and legacy operations.
  • Documented the exact Microsoft Graph and Azure RBAC permissions required for the Azure (Intune) and Microsoft Defender (Defender for Endpoint, Defender for Cloud, and Entra ID evidence collection) integrations so administrators can grant least-privilege access to the corresponding Entra ID app registrations.
  • Pinned in the Airflow image build to clear CVE-2026-44307.
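
Because both OpenTelemetry failure modes described above drop spans without raising, a preflight check over the exporter settings catches them before deployment. This is an added example, not RegScale's code: the verdict labels, `check_otlp`, the loopback test (the name `localhost` or a loopback IP literal) and the sample deployments are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

OK = "ok"
INSECURE_REMOTE = "insecure-non-loopback"   # insecure=True, collector not on loopback
TLS_TO_PLAINTEXT = "tls-to-plaintext"       # insecure=False, endpoint is http://


def split_endpoint(endpoint):
    """Return (scheme, host); accepts 'host:port' as well as full URLs."""
    if "://" not in endpoint:
        endpoint = "//" + endpoint
    parts = urlsplit(endpoint)
    return parts.scheme.lower(), (parts.hostname or "")


def is_loopback(host):
    """Assumed loopback test: 'localhost' or a loopback IP literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as remote, without resolving it


def check_otlp(endpoint, insecure):
    """Classify one exporter setting against the two span-dropping conditions."""
    scheme, host = split_endpoint(endpoint)
    if insecure and not is_loopback(host):
        return INSECURE_REMOTE
    if not insecure and scheme == "http":
        return TLS_TO_PLAINTEXT
    return OK


# Constructed deployments: (name, endpoint, insecure flag)
DEPLOYMENTS = [
    ("sidecar", "localhost:4317", True),
    ("ipv6-sidecar", "http://[::1]:4317", True),
    ("legacy-plaintext", "http://otel.example.internal:4317", True),
    ("half-migrated", "http://otel.example.internal:4317", False),
    ("tls-collector", "https://otel.example.internal:4317", False),
]


def audit(deployments):
    return {name: check_otlp(endpoint, insecure) for name, endpoint, insecure in deployments}


if __name__ == "__main__":
    for name, verdict in audit(DEPLOYMENTS).items():
        print(f"{name}: {verdict}")
```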

Added

  • FIPS 140-3 compliant Docker image variant published as (and ) for customers running in FedRAMP High or IL5 environments.

[6.31.0.2] 05-05-2026

Fixes

DoD XCCDF & Assessments

  • Resolved an issue where form tabs would disappear after importing an XCCDF benchmark.
  • Fixed a bug where navigation failed to load within the XCCDF module.
  • Addressed inconsistent behavior when stepping through lightning assessment tests, improving reliability and user flow.

Modules & Configuration

  • Fixed an issue where disabling Issue Screening Verification under Modules and Features did not properly remove it from the user interface.
  • Resolved a bug where changing implementation status to "Planned" required a manual screen refresh to display the "Steps to Implement" field.

Issues & POA&M

  • Fixed an issue where filtered count tabs on the Issues/POA&M screen did not correctly navigate users to the filtered results.

Exporting & Integrations

  • Resolved an issue where seeding Export Builder templates for eMASS failed due to a missing file ID.

Enhancements

Files & Data Handling

  • Enhanced Excel preview functionality in the Files subsystem for improved usability and data visibility.

Platform Improvements

  • Performed custom cell function cleanup and mapping fixes in Export Builder, improving data consistency and maintainability.
  • Added Framework Importer capability for selective installation of Export Builder templates and custom forms to support both SaaS and on-prem custom installations.

Changed

Fixed

  • Airflow Docker image now installs the regscale package successfully so all DAGs (including the Wiz DAGs) load on container startup instead of failing with
  • Removed an unused runtime dependency that conflicted with and broke for Airflow DAGs that pull from FedRAMP and evidence modules
  • Hardened credential handling in container startup, Microsoft Defender authentication, Azure AD authentication, and Airflow initialization

Added

[6.34.28] - 2026-05-04

Changed

  • Questionnaire instance creation helpers now target the non-deprecated v2.0 API handler via the header
  • Control implementation lookups for a security plan now use the non-deprecated endpoint for forward compatibility
  • CrowdStrike now hydrates host details concurrently while scrolling, and Spotlight/Hosts page sizes raised from 100 to 500, materially reducing wall-clock time on large CrowdStrike syncs

Fixed

  • GCP sync commands (, , , Cloud SQL inventory, App Engine inventory) no longer fail with when is not configured in init.yaml; mock-header wiring no longer interferes with Application Default Credentials on the production code path
  • CrowdStrike Spotlight and Hosts syncs no longer abort partway through long-running fetches when the OAuth bearer token expires mid-pagination; the integration now refreshes the token and retries automatically
  • Airflow container startup now runs unconditionally before launching the api-server, scheduler, dag-processor, and triggerer, so minor Airflow version upgrades (e.g. 3.1.x to 3.2.x) self-heal the metadata schema instead of crashing the dag-processor on a missing table; the previous automatic recovery path that ran the destructive has been removed and is now reserved for the explicit operator-invoked entrypoint
  • Azure Entra evidence collection now refreshes its Microsoft Graph access token mid-run when it expires (Azure tokens are ~1h, long paginations can outlive that window), so / / no longer fail with after the token expires
  • log lines no longer crash on Windows consoles using (the and log records previously contained a Unicode arrow that the default Windows logging stream couldn't encode)
  • OpenText WebInspect Airflow DAG () now loads in Airflow without an import error, so the DAG is visible and runnable
  • Removed the broken Autotask Airflow DAG () that produced a DAG import error on every Airflow refresh; the connector is not yet available in the synqly ticketing CLI