Changelog

[6.30.0.1] 2026-04-03

Changes

  • Improved UI behavior to ensure filter options display correctly without requiring a manual refresh.
  • Enhanced security by updating cache-control headers on endpoints that may return sensitive data to enforce and directives.

Fixes

  • Resolved an issue where users were unable to view evidence after the most recent release.
  • Fixed FedRAMP Test Case Procedure Export to remove unintended HTML/XML metadata and eliminate duplicated content.
  • Addressed an error occurring during post-startup processing in .
  • Fixed Wayfinder links to allow opening in a new browser window as expected.
  • Corrected Access Request email links that were incorrectly pointing to localhost instead of the production URL.

[6.33.2] - 2026-03-31

Fixed

  • AWS GuardDuty sync creating duplicate issues by processing findings through both compliance framework and individual finding paths
  • Vulnerability deduplication across consecutive scanner imports caused by missing parentModule in the uniqueKeys lookup
  • Stale vulnerabilities from previous scans not being closed when a subsequent scan produces fewer findings
  • Duplicate issues created per vulnerability when retry logic re-queued the same vulnerability for batch submission

[6.30.0.0] 2026-03-30

Fixes

Platform & Data Integrity

  • Fixed an issue where Security Profile Exports did not include JSON files compatible for re-import.
  • Fixed multiple Export Builder issues affecting Appendix A, Appendix Q, and SOD exports.
  • Resolved placeholder text appearing in final exports.
  • Fixed issue preventing customer records from being saved.
  • Fixed Appendix Q export failures.
  • Resolved asset mapping issues for vulnerabilities creating issues.

Vulnerability & Issue Management

  • Fixed multiple issues with and endpoints:
    • Issues not appearing in reports
    • Missing asset associations
    • Incorrect default status (“Closed”)
    • Mop-up functionality failures
    • Missing POA&M fields
    • KEV auto-detection not functioning
  • Fixed KEV filtering returning incorrect results.
  • Corrected issue where “Mitigated” vulnerabilities appeared in Open filters.
  • Fixed Auto Close issues for scanner integrations.
  • Resolved Issues Analytics graph issues (KEV identification, Issues Due by Month).

Navigation & UI/UX

  • Fixed Wayfinder deep links to ensure reliable navigation across modules and records.
  • Resolved UI issues including:
    • Pagination display cutoffs
    • Quick Links truncation
    • Dashboard and Compliance Certificate console errors
  • Fixed navigation between Assets, Issues, Vulnerabilities, and Assessments.
  • Fixed missing logos in cross-app views.

Security & Access Control

  • Fixed multiple authorization and tenant isolation issues:
    • Tenant users accessing restricted admin routes via direct URL
    • Tenant admins viewing users across tenants
    • Tenant admins creating global admin accounts
  • Fixed separation of duties enforcement issues.
  • Fixed Compliance Certificate visibility and access control issues.

Integrations & APIs

  • Fixed Axonius integration failure when no SSP controls exist.
  • Fixed Frontend API base URL mismatch causing GCP environment failures.
  • Fixed CI/CD workflow issue preventing Docker images from deploying to ACR.
  • Fixed SSP Author query filtering bug.

Logging & System Behavior

  • Fixed errors when navigating audit logs.
  • Fixed inconsistent pagination in security logs.
  • Fixed error when submitting consecutive bug bounty reports.

Access Requests & Workflows

  • Fixed errors when approving/rejecting access requests.
  • Fixed Capabilities/Milestones issue where Responsible Person was not updating.

Miscellaneous Fixes

  • Fixed inability to create Service Accounts.
  • Fixed UI confusion in Create Product and Create Company flows.
  • Fixed Trust Center Inbox and Branding access via direct URL.

Changes & Enhancements

Navigation & User Experience

  • Improved cross-object navigation:
    • One-click navigation between vulnerabilities, issues, assets, and assessments
    • Linked navigation across compliance failures and security plans
  • Added filtering capabilities:
    • Assets by vulnerabilities and issues
    • Issues by POA&M, identification, and source report

Vulnerability & Risk Management

  • Added automatic KEV CVE detection for vulnerability ingestion.
  • Introduced vulnerability-to-disposition linking.
  • Added POA&M and Milestones rollup status board.
  • Improved asset visibility in compliance failures.

RegML & AI Enhancements

  • Improved RegML query handling with structured support.
  • Reduced chatbot hallucinations and stale data responses.
  • Enhanced dynamic policy harvesting capabilities.

Platform & Architecture

  • Refactored Auditor Service to use structured response schemas.
  • Updated control implementation patterns for CLI CSAM integration.

UI & Workflow Improvements

  • Added Issue-to-Asset mapping UI enhancements.
  • Improved Compliance Certificate interactions.
  • Enhanced SSP Inventory visualizations with graph labels.

Developer & API Improvements

  • Enhanced batch processing APIs to align with vulnerability disposition logic.
  • Improved feature flag handling for SSP Author dynamic harvesting.

[6.33.1] - 2026-03-30

Changed

  • Faster CLI startup by deferring DuroSuite module loading until its commands are invoked
  • Lazy-loaded RegScale model imports to reduce CLI startup memory by ~20MB
  • Reduced default HTTP connection pool size from 200 to 100 to lower memory usage at startup
  • Replaced dependency with for lighter, faster CLI progress bars and console output
  • Introduced abstract interface for swappable progress bar backends
  • Batch API responses now log at DEBUG level on success, INFO only on errors
  • Consistent progress bar styling across all CLI commands with cleaner display
  • Pydantic model performance and memory optimization across all RegScale CLI models with slots-based storage, Literal type constraints, and TypeAdapter bulk validation
  • Assessment model memory footprint reduced via deferred imports, cached endpoint lookups, and annotation deferral

Fixed

  • GCP compliance sync now creates issues for failed controls when issue creation is enabled, with a clear log message when turned off
  • GCP compliance items now use unique per-resource identifiers from SCC findings instead of the project-level ID, fixing asset deduplication
  • Wiz integration now creates Ports & Protocols and Software Inventory records for synced assets, restoring functionality lost during scanner migration
  • ComponentMapping and AssetMapping model overrides now accept skip_validation parameter, fixing asset sync failures across all scanner integrations
  • GCP findings now use correct issue status values instead of ControlTestResultStatus enums, eliminating status mapping warnings during sync
  • Tanium Cloud CVE vulnerability fetch now uses correct GraphQL field names, resolving API 400 errors
  • Tanium compliance findings now create unique vulnerabilities per finding instead of collapsing to a handful due to missing plugin identifiers
  • Tanium integration now pre-loads endpoint data during findings sync, enabling vulnerability-to-asset linkage when syncing to components
  • Server-side POAM creation from vulnerabilities now respects the setting and is off by default ()
  • Test suite no longer overwrites the user's when running locally
  • Burp integration logger initialization using incorrect parameter

[6.33.0] - 2026-03-24

Changed

  • Upgraded CrowdStrike FalconPy SDK from 1.4.5 to 1.6.0 for improved API error handling and bug fixes
  • Updated CSAM integration to use new control implementation endpoint for faster loads

Added

  • flag on command to select Azure cloud environment (commercial, government, china) at invocation time, enabling a single CLI install to collect Entra evidence from both GovCloud and commercial tenants
  • Azure Container Registry (ACR) integration for Microsoft Defender: new CLI command pulls container images from ACR and creates RegScale software assets (REG-11608)
    • Supports to target a single registry or to iterate every ACR in the subscription
    • ACR API methods added to DefenderApi: registry listing, OAuth2 token exchange, repository and tag enumeration
    • New (ScannerIntegration) with full asset parsing, error handling, and pagination support
  • BigQuery sync_assets_bq subcommand now available in the ROH CLI under both and groups
  • Generic SBOM file import command supporting SPDX and CycloneDX JSON files

Fixed

  • Axonius V2: Asset Category and Asset Owner fields are now populated correctly on ingested assets. Changed from non-standard "IT Asset" to "Hardware" (matching the enum) and explicitly set in the mapper (REG-21081)
  • configuration value is no longer silently dropped from init.yaml when the CLI saves config
  • Deleted Airflow DAGs (e.g., ) now get deactivated promptly; reduced from 1 year to 60 seconds so the scheduler detects removed DAG files within a minute
  • SARIF compliance integration now correctly extracts CWE IDs from rule.properties.tags strings, resolving false-PASS compliance status for Semgrep and other SAST tools that embed CWEs as tag annotations

[6.29.2.1] 2026-03-23

Changes

  • Chatbot Improvements

    • Enhanced system prompts and guardrails to reduce hallucinations and improve response accuracy and reliability.

Fixes

  • Evidence Module

    • Fixed an issue where the search field returned “0 Records” despite matching entries existing.
  • SSP Export

    • Resolved an issue where Security Categorization was not populating correctly in exports.
  • FedRAMP POA&M

    • Fixed an issue preventing POA&M exports from completing successfully.
  • Form Builder

    • Fixed an issue where form field validations could not be deleted and did not appear in the builder.
    • Resolved an issue where validation field values were not populating correctly.
    • Fixed tab panel not updating when switching between modules.
    • Fixed fields panel not refreshing when switching between modules.
  • SSP Control Implementation

    • Fixed a 404 error occurring when saving a part within a Control Implementation.
    • Resolved an issue where the control preview was not displaying.

Implementation Limitations and Known Issues in this Release

This is to make everyone aware of SSO updates that involve our government customers.
With the .NET 10 upgrade included in the 6.29.X release, verification of the SSO login URL is strict. There are two Azure URLs (login.microsoftonline.com and login.microsoftonline.us). Previously either could be used, since both returned the same data indicating the .com URL. If the customer is not GCC High, their validation actually happens against the commercial (.com) endpoint, not the government (.us) endpoint.

Symptoms: The browser console shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.
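As an added example (not RegScale's code), a strict issuer check in Python that mirrors the behaviour described above: the configured Authority URL must match the token's iss claim exactly, with no fallback between the .us and .com hosts. It assumes the Entra v2.0 issuer format https://<host>/<tenant>/v2.0 and uses a placeholder tenant GUID; in a real flow this check runs after the token signature has been verified.

```python
import json
from urllib.parse import urlparse

# Constructed values for this example only; the tenant GUID is a placeholder.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
COMMERCIAL_HOST = "login.microsoftonline.com"
GOVERNMENT_HOST = "login.microsoftonline.us"


def expected_issuer(authority_url: str) -> str:
    """Issuer a strict validator derives from the configured Authority URL.

    Assumes the Entra v2.0 convention where the issuer is the authority itself
    (https://<host>/<tenant>/v2.0); only a trailing slash is normalised away.
    """
    return authority_url.rstrip("/")


def check_issuer(authority_url: str, iss_claim: str) -> dict:
    """Compare the token's iss claim against the configured Authority URL.

    Strict comparison: no leniency between the .com and .us hosts. When the
    authority points at the government host but the token was issued by the
    commercial host, the result carries the corrected authority as a hint.
    """
    expected = expected_issuer(authority_url)
    if iss_claim.rstrip("/") == expected:
        return {"ok": True, "expected": expected, "got": iss_claim, "hint": None}
    hint = None
    if (urlparse(authority_url).hostname == GOVERNMENT_HOST
            and urlparse(iss_claim).hostname == COMMERCIAL_HOST):
        hint = authority_url.replace(GOVERNMENT_HOST, COMMERCIAL_HOST, 1)
    return {"ok": False, "expected": expected, "got": iss_claim, "hint": hint}


def reproduce_known_issue() -> dict:
    """Walk through the scenario from the release notes with constructed data."""
    # Tenant is commercial (not GCC High), so the token's issuer is the .com host.
    token_payload = {"iss": f"https://{COMMERCIAL_HOST}/{TENANT_ID}/v2.0",
                     "tid": TENANT_ID}
    # The application is configured with the government authority.
    misconfigured = f"https://{GOVERNMENT_HOST}/{TENANT_ID}/v2.0"
    first = check_issuer(misconfigured, token_payload["iss"])
    # Apply the resolution: swap the host in the Authority URL and re-check.
    second = check_issuer(first["hint"], token_payload["iss"])
    return {"before": first, "after": second}


if __name__ == "__main__":
    print(json.dumps(reproduce_known_issue(), indent=2))
```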

Other

  • To avoid unexpected timeouts and being logged out of the application, set the session timeout value greater than the browser inactivity value. Session timeout is being enforced prior to inactivity. There is currently no warning to the end user before being automatically logged out of the application.

  • In order to delete an Interconnection, the user must have both Update and Delete permissions.

[6.32.0] - 2026-03-18

Changed

  • Upgraded Apache Airflow from 3.1.6 to 3.1.7 to address security vulnerabilities
  • Compliance integrations now auto-detect framework mismatches and crosswalk controls between frameworks (e.g., NIST source to SOC2 SSP)
  • Compliance integrations now skip issue creation for controls that have no matching implementation in the SSP

Added

  • Cross-framework control matching in compliance base class for all integrations (Wiz, CrowdStrike, AWS, GCP, etc.)
  • Framework auto-detection utility with confidence threshold for SSP and source data

Fixed

  • Evidence Model method no longer crashes with a 500 error when called without filter parameters; empty parameters now return all records
  • Wiz compliance evidence is now correctly mapped to SSP controls via crosswalk when frameworks differ
  • Wiz compliance no longer runs redundant control status updates that duplicated base class logic
  • Control matcher now handles generic/custom catalog types (e.g., HITRUST) by falling back to case-insensitive direct matching when no specific framework handler matches