[6.29.2.0] - 2026-03-13

Changes

• Added notifications for Access Requests to improve visibility for administrators.
• Introduced Request Access link to streamline user onboarding.
• Implemented Cross-BU reporting capabilities.
• Added endpoint to return available exports for all modules.
• Added RBAC endpoint to add or remove group permissions from a record in AppBuilder.
• Added support for enabling modules during tenant creation.
• Migrated module enablement seeding from to module configuration files.
• Updated RegScale AI routing to leverage v1 primitives instead of calling models directly.
• Implemented prompt access pattern (), response contracts, and telemetry usage for RegML integration with the RegScale app.
• Marked legacy Export Builder exports as DEPRECATED.
• Removed NGRX Store from the application.
• Added New Threat Models functionality.
• Introduced New Risk creation option on Capability Risks tab.

Fixes

Access Requests & User Access

• Fixed issue where new user access requests were not handled correctly.
• Fixed issue where users could not approve access requests from Setup > Users.
• Fixed issue where access requests disappeared after refreshing the page.
• Fixed issue where users were incorrectly redirected to the App Store page to request access after upgrade.
• Fixed issue preventing users from being added to the tenant admin list.

Performance & API

• Improved performance of the Request Access API, which previously took ~50 seconds to respond.
• Fixed query failures when was not set.
• Fixed Policy Generator timeout issues due to insufficient async polling attempts with v1 query.

Security & RBAC

• Fixed multiple role-based access control issues, including:

  • Users with CR access able to update Assessment Plans
  • Users with CR access able to delete Assessment Plans
  • Users with CRU access able to delete Threats
  • IssueScreener and IssueUser roles not receiving Issue Screening access

UI / UX

• Fixed Browse Applications grid spacing issues on lower screen widths.
• Fixed Login banner intermittently not appearing.
• Fixed App Management > Group back button navigating incorrectly to General instead of Groups.
• Fixed Create New buttons appearing in Cross-App mode where creation should not be allowed.
• Fixed Bulk Editor appearing in Cross-App mode.
• Fixed Component > Bulk Actions appearing in Cross-App mode.
• Fixed Add Mappings appearing in Cross-App mode.
• Fixed Multiple field not disabled on Questionnaire while in Cross-App mode.
• Fixed Create New appearing in Component > Score Card > Manage Risk when not permitted.
• Fixed Create New Risk appearing incorrectly in certain contexts.
• Fixed Mini Subsystem buttons missing in UI.
• Fixed Tags dropdown opening behind modal in Mini Subsystem files.

Data Integrity

• Fixed issue where file attachment (paperclip) created records with incorrect parent ID/module.
• Fixed issue allowing access to Request records after deletion.
• Fixed issue where Threat Model owner field changed unexpectedly on creation.

Export Builder

• Fixed Export Builder preview errors when viewing export files.
• Fixed Export Builder XLSX functionality regressions introduced in 6.29.1.

RegML / AI Features

• Fixed Response Automation not returning responses.
• Fixed AI Generator progress status bar not updating correctly.
• Fixed AI Generator cost savings showing when run by app users or admins.
• Fixed RegML features returning 403 errors.

AppBuilder / Controls

• Fixed Control Builder Primary Responsible Role not setting correctly (422 error).
• Fixed Control Implementations loading slowly.
• Fixed Tasks Advanced Search not working.

System / Environment

• Fixed email functionality not enabling correctly.

Reporting

• Fixed issue where Reports failed to load in Cross-App view with a 400 console error.
• Fixed issue where Tenant Admins could not create new reports in Cross-App view.

Vulnerabilities & Security

• Fixed vulnerability in mop-up functionality.
• Fixed error loading vulnerability data.

Implementation Limitations and Known Issues in this Release

This is for everyone to be aware on any updates for SSO that involve our government customers.
With the .NET 10 upgrade that was part of our 6.29.X release there is no leniency in the verification of the login URL for SSO. There are now two Azure urls. Previously either could be used, they both return the same data indicating the .com url. If the customer is not GCC high, their validation is actually in the commercial (.com) not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority url contains login.microsoftonline.us change it to login.microsoftonline.com.

Other

• To avoid unexpected timeouts and being logged out of the application, set the session timeout value greater than the browser inactivity value. Session timeout is being enforced prior to inactivity. There is currently no warning to the end user before being automatically logged out of the application.

• Inorder to delete an Interconnection the user must have both Update and Delete permissions.

[6.30.1.0] - 2026-03-12

Fixed

Changed

• Updated error_and_exit to show where it was called from

Fixed

• Scanner integrations now correctly assign assets to components when using
  -FedRAMP POAM Import:
  • No longer crashes with an illegal hardware instruction on CPUs that lack AVX2 support; pandas is used automatically as a fallback
  • Correctly falls back to the default POAM ID column when a custom value is not present on a given sheet
  • AttributeError failures when POAM IDs are stored as integers in the spreadsheet
  • Incorrect column numbers in various warning messages
• unit and integration tests package import issue
• ci build-info updates

[6.29.1.2] - 2026-03-10

Fixes

• Export Builder
  • Fixed an issue that was preventing control enhancements from populating for FedRAMP Appendix A.

Known Limitations and Issues

This is for everyone to be aware on any updates for SSO that involve our government customers.

With the .NET 10 upgrade that was part of our 6.29.X release there is no leniency in the verification of the login URL for SSO. There are now two Azure urls. Previously either could be used, they both return the same data indicating the .com url. If the customer is not GCC high, their validation is actually in the commercial (.com) not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority url contains login.microsoftonline.us change it to login.microsoftonline.com.

[6.29.1.1] - 2026-03-09

Fixes

• Control Implementation

  • Fixed an issue where the More Tools → New Assessment option was missing.
  • Resolved a problem where the Create New button did not function for non-tenant administrators.

• Export Builder

  • Corrected an issue in the Seeded Labs export where certain tables contained missing or misaligned data.

• FedRAMP SSP Export

  • Fixed a failure preventing FedRAMP SSP exports from completing successfully.

Known Limitations and Issues

This is for everyone to be aware on any updates for SSO that involve our government customers.

With the .NET 10 upgrade that was part of our 6.29.X release there is no leniency in the verification of the login URL for SSO. There are now two Azure urls. Previously either could be used, they both return the same data indicating the .com url. If the customer is not GCC high, their validation is actually in the commercial (.com) not the government endpoint (.us).

Symptoms: The Console in the browser shows an “Issue mismatch”.

Resolution: If OAuth from Azure Entra fails after upgrading a customer to 6.29.X and their Authority url contains login.microsoftonline.us change it to login.microsoftonline.com.

[6.29.26.1] - 2026-03-09

Fixed

• Key value pairs being overridden from the default template when running in Automation Manager jobs

[6.29.26.0] - 2026-03-09

Added

• Wiz compliance_report command:
  • creation of evidence records in RegScale: uploads the CSV compliance report, maps it to the SSP, and maps it to each control that has compliance data via the control lookup cache
  • flags (enabled by default) which follows the same pattern as GCP SCC compliance evidence attachment

[6.29.25.0] - 2026-03-06

Added

• ISO 27001:2013-to-2022 cross-edition control mapping for AWS Audit Manager compliance sync (REG-20509)
• Evidence record creation for SSM () and CloudTrail () integrations, matching the Audit Manager pattern

Changed

• BREAKING CHANGE: All AWS integrations now default to creating Evidence records instead of SSP-level file attachments. This makes evidence visible in the RegScale Evidence module. To restore the previous behavior, pass (for SSM, CloudTrail, CloudWatch, S3) or (for GuardDuty, IAM, KMS, Org, Config).

Fixed

• Microsoft Defender crash on when member objects have inconsistent list field types (e.g. empty vs populated )
• AWS Config compliance evidence upload: CLI now builds ConfigEvidenceConfig/ConfigFilterConfig objects instead of passing individual kwargs that were silently discarded
• Evidence file upload: cast parent_id to str in multipart form data to prevent httpx encoding failures, and surface the actual exception instead of a generic "File upload failed" message
• Issue asset-identifier updates: truncate assetIdentifier to 500 chars to avoid API rejections when findings reference many resources
• Incorrect domain being set when running in Automation Manager
• Compliance reports with multiple controls not mapping to Control Implementations during command

[6.29.1.0] - 2026-03-04

Overview

This release represents a major evolution of Export Builder, including:

• Full Excel export framework
• Sub-templating architecture
• Advanced filtering capabilities
• Large-scale FedRAMP and program conversions
• Significant service refactoring and architectural alignment
• Expanded test coverage and stability improvements

New Functionality

Excel (.XLSX / .XLSM) Export Support

• Added support for .XLSX and .XLSM export types in Export Builder..
• Added Formula preservation for statistical and computed fields.
• Added Support for Excel text-based date formats.
• Added worksheet switching in XLSX mapping tab with autosave.
• Added data filtering for:
  • Repeating Excel rows
  • Repeating table row elements

DOCX Enhancements

• Support for RTF data type field mapping.
• Added sub-template document generation support.
• Added autosave when switching between mapping pages.
• Added export capability for data filters when exporting field mappings.
• Added ability to insert multiple images in template via file store tagging.
• Improved style preservation in source template.
• Improved TOC generation reliability.
• Added ability to "clone" standard OOTB templates for customization.

Extended Export Builder Data Services

• Refactored ExportBuilderService into logical alignments with RegScale architecture.
• Added Deviations data to Export Builder data service.
• Added Linked/Mapped Component data for Security Plans.
• Extended data services to return linked control components.
• Added export/import support for field mappings (JSON).

FedRAMP, DOE, CMMC, and Program Conversions

Converted the following exports to the new Export Builder framework:

• FedRAMP SSP (Rev 5)
• FedRAMP SAP
• FedRAMP SAR
• FedRAMP CIS/CRM Workbook
• FedRAMP Appendix Q (Cryptography)
• FedrAMP Separation of Duties Matrix (SOD)
• DOE SSP
• BNL SAP
• BNL SAR
• CMMC SSP Report
• Labs SSP
• Tailored SSP

Additional enhancements:

• Support for Master Assessment selection when generating SAP/SAR

Changes

• Removed the word “Template” from Export Builder titles and output file names.
• Improved automapping accuracy and speed in field tagging.
• Added export capability for data filters in field mapping exports.
• Improved filtering behavior in data services.

Fixes

• Fixed “No mappings” message not spanning full UI width.
• Fixed export field mapper paging issue after service refactor.
• Fixed filter options not copying in export configurations.
• Fixed various UI issues in Export Builder.
• Fixed importing export mappings causing field loss.
• Fixed automapping incorrect tag associations.
• Fixed filter tag replacement bug
• Fixed repeating data sets failing in sub-templates.
• Fixed repeating template tables duplicating first row.
• Fixed filtering of References data not persisting.
• Fixed sub-template repeating datasets malfunction.
• Fixed exception on empty DOCX template upload.
• Fixed exceptions during export template upload.
• Fixed 500 error when selecting Security Plan module.
• Fixed Export Builder seeding failure during post-startup.
• Fixed Export Builder SOD output file generation failure.
• Fixed list of Table of Figures causing TOC generation failure.
• Fixed incorrect image replacement during generation.
• Fixed SafelyUpdateParagraphText generation errors.
• Fixed Export Builder not handling documents without tags.
• Fixed inconsistent TOC generation.
• Fixed PersonExportModel (Lead Assessor) not populating.
• Fixed DILs not populating in SSP export.
• Fixed POCs not populating in SSP export.
• Fixed duplicate SOD figure header in SSP Rev 5.
• Removed incorrect content from SSP Rev5 and FedRAMP SAR.
• Fixed parameter replacement in Tailored SSP requirements.
• Fixed no connection between Ports/Protocols and Cryptography data.
• Fixed FR SSP multi-document tagging diagram issue.

[6.29.0.3] - 2026-03-03

Fixes

• Fixed questionnaire ResponseScore persistence bug where manual scores were not cleared when answers changed, causing stale scores to
  persist.
• Resolved progress bar rendering issues in RegML SSP Generator.
• Fixed questionnaire instances not appearing on the SSP Generator.
• Fixed missing blended labor rate causing NaN display on cost savings in SSP Author.
• Fixed dashboard reports with report configurations failing due to unnecessary permission checks.
• Fixed service accounts and DAGs loading prematurely before their tabs were active, causing incorrect app ID associations.
• Fixed Form Builder rule actions and conditions losing correct field/tab references after cross-tenant imports by resolving IDs from
  RegScaleId.
• Fixed custom field values not saving correctly for new records and updates.
• Added server-side validation for required custom fields.
• Fixed RBAC propagation to properly clean up access records when setting records to public.

Changes

• Added confirmation popups for role and app-related administrative actions (role assignment, app configuration, tenant settings).
• Enabled select RegML tools (SSP Author, Control Author) for read-only users.
• Added missing integration logos for Axonius, Grype, Prisma, SentinelOne, Snyk, Tanium, and Trivy on the Automation Manager page.
• Added handling for propagating public visibility to child records.
• Added automation section to App Setup.
• Form Builder now preserves field and tab ordering by sequence when loading modules.
• Improved Automation Manager DAG modal layout and integrations UI.

[6.29.24.0] - 2026-03-02

Added

• Tanium Cloud API Gateway (GraphQL) support for asset, vulnerability, and compliance synchronization
• Automatic detection of Tanium Cloud vs on-premises deployment with configuration option
• Thread-safe httpx client management with automatic domain change detection
• Shared domain normalization utility for consistent URL handling
• Class method for creating clients from Application config

Changed

• is now a property that returns the current Application singleton instead of a stored instance; test mocks using are unaffected, but direct attribute assignments like on real Api instances will raise
• Domain resolution in HttpClientConfig now uses shared utility for consistency with Application logic
• YAML config parsing in Airflow remote fetch now includes error handling for malformed responses
• Nessus import now logs per-file progress (file X/Y: filename) for better visibility during large batch imports

Fixed

• SyntaxWarning noise from nessus_file_reader package when running Nessus commands on Python 3.12+
• Nessus import crashing with out-of-memory on large scan files by using direct file parsing and streaming fallback
• Nessus asset updates failing with 500 errors when hosts have many MAC addresses by using only the first MAC
• CloudWatch evidence upload (REG-20294): File upload to RegScale now works for sync_cloudwatch_ex and sync_cloudwatch_aws by using dict format for multipart (required by httpx; requests accepts it too)
• Wiz Inventory command not fetching Assets from Wiz