[6.34.31] - 2026-05-13

Changed

• eMASS importers (, SecCat workbook import, eMASS XML system import) now create new Security Plans with the tenant's DoD compliance setting instead of the default RegScale compliance setting, with the correct ID resolved automatically by framework keyword regardless of the numeric ID assigned in each tenant
• Rapid7 InsightVM integration now uses server-side API pagination for orchestration offset and limit, reducing redundant API calls during parallel job splitting
• Rapid7 InsightVM Console v3 sync_findings now streams findings as soon as their definitions are available instead of waiting for every asset listing to finish first, reducing time-to-first-finding from minutes to seconds on large environments
• Scanner-based asset sync (GCP, Wiz, Tanium, Crowdstrike, SentinelOne, etc.) now respects the configured for the HTTP POST chunk size to ; the previous hardcoded chunk size of 100 only applies when is unset, with the documented default of 500 now taking effect for unconfigured deployments
• Bumped 3.2.0 → 3.2.1 (REG-22036 / Trivy scan): patch-level fix for CVE-2026-38743 (per-DAG access-control bypass on the Human-in-the-Loop endpoint) and CVE-2026-40690 (asset dependency graph leaking nodes outside the viewer's DAG read permissions); operators on the bundled Airflow do not need any deployment change
• Bumped 1.7.0 → 1.7.2 (REG-22036 / Trivy scan): patch for CVE-2026-44681 (OIDC Implicit/Hybrid Authorization open-redirect); affects only the extra, which uses for Azure provider OIDC flows

Added

• New module (REG-22036): the Phase 1 container-startup AWS Secrets Manager loader is extracted from into a focused module so the file-permission / non- path / exception-sanitization hardening can be exercised by a dedicated regression suite. Behavior is unchanged for production callers — the helper is still invoked at import time when and are set.

Fixed

<<<<<<< REG-22156-ssp-safe-update

• Security Plan updates from the CLI no longer wipe optional fields that were not explicitly modified, by fetching the current server copy and merging only the fields the caller set before sending the update

• Security Plan updates now block accidental re-parenting through the CLI unless the caller explicitly opts in via

• SSP and Appendix A imports (including FedRAMP Rev 5) now generate platform-policy-compliant passwords when creating stakeholder users, restoring stakeholder linkage that was previously dropped when the platform rejected weak or incompletely-classed passwords with HTTP 400
• Nessus compliance scan findings now create one Vulnerability per control with all affected hosts preserved instead of collapsing every control under a plugin into a single row

  main

• Airflow DAG listing now returns all RegScale integrations to the RegScale UI instead of silently truncating at the first 100 alphabetically, restoring visibility of Wiz, Trivy, and other late-alphabet integrations on the Integrations page
• Nessus and other large-file scanner imports no longer incorrectly close findings from unrelated sources during multi-batch ingestion; mop-up is now scoped to the final batch of each run instead of every chunk
• Control implementation sync no longer fails with a platform validation error when the Justification for Exclusion field has not been previously set
• , , , and now propagate values as headers on outbound Microsoft Graph calls; previously, mock-server scale configuration was silently ignored, so end-to-end test environments always used the mock server's built-in defaults (, ) instead of the configured values. Header injection covers both the legacy session and the default client
• Scanner integrations now honor , , and from ; previously these keys were silently ignored and per-API-call batches always used the hardcoded defaults
• Issue and Vulnerability descriptions are now capped at 4000 characters client-side at the model layer (matching the backend on ; 's backend limit is 8000 but is capped at the same 4000 by convention so both records produced from one finding stay the same length) so oversized descriptions from any integration (Microsoft Defender, Qualys, ServiceNow, SonarCloud, GitLab, and others) are truncated before sync with a WARNING log instead of being rejected by the platform
• AWS CloudWatch, CloudTrail, and Systems Manager sync now link generated evidence records to the parent Security Plan instead of leaving them unmapped
• AWS Security Hub sync_findings now creates Vulnerabilities with a stable per-control identifier, so the backend auto-creates the corresponding Issues and keeps them open across subsequent scans instead of leaving the tenant with zero Vulnerabilities and closed Issues
• Corrected misleading CLI help text across several commands (eMASS , Axonius and related file-path options, FedRAMP , Azure Intune , ServiceNow, Microsoft Defender, CSAM, CISA, JFrog Xray, OpenText, and the bulk permissions importer) so accurately describes what each command does
• SentinelOne no longer fails for a percentage of records with HTTP 500 from the platform vulnerability endpoint; the SentinelOne agent UUID is no longer leaked into the field of the Vulnerability payload, and the underlying scanner-framework behavior of treating opaque asset identifiers (UUIDs, ARNs, agent IDs) as DNS sources has been removed across all scanners
• SentinelOne (and any scanner using the platform bulk vulnerability endpoint) previously appeared to succeed but persisted zero rows because the request envelope used a misspelled key; vulnerabilities now serialize under the correct envelope key and are written to the security plan as expected
• Bulk vulnerability and issue submission paths now retry transparently on the transient raised by the HTTP/2 connection-pool race under heavy concurrent fan-out, eliminating spurious single-item failures during large per-item fallbacks
• CrowdStrike evidence collection now hydrates host details via the POST-form Hosts API to avoid HTTP 414/431 rejections at upstream ingress when batches approach the GET-form query-string limit

[6.31.0.3] 05-12-2026

Enhancements & Changes

POAM Export Performance Improvements

Enhanced the performance and stability of large FedRAMP POAM exports to better support environments with high POAM volumes and complex SSP data sets.

Key improvements include:

• Optimized POAM export processing for large SSPs
• Reduced memory consumption during export generation
• Improved handling of large entity relationships and child record loading
• Added pagination and streaming support for large export operations
• Added safeguards and record count protections for oversized exports

These updates significantly improve export reliability and scalability for enterprise-sized implementations.

Fixes

FedRAMP & SSP

• Resolved an issue causing FedRAMP POAM exports to fail with memory-related errors when processing SSPs containing very large POAM datasets (33k+ records)
• Fixed multiple errors preventing successful SSP ConMonData wipe operations
• Corrected an issue where SSP Author functionality could fail under certain demo and testing scenarios

POAM & Vulnerability Management

• Fixed issues impacting POAM configuration findings behavior
• Fixed an issue where vulnerabilities and issues could not be created from Nessus scan imports
• Corrected a vulnerability lookup error that caused Deviation Request operations to fail with a server error
• Fixed vulnerability search issues impacting specific control searches such as “CM-6”

Deviations & Exports

• Corrected an issue where Deviation exports incorrectly included Deviation Requests in a “Rejected” state

Security & Authentication

• Fixed a password reset validation issue that did not properly enforce updated password requirements

Security Policies

• Fixed an issue preventing values greater than approximately 365 days from being saved in the “Inactive Account De-Activation” policy field

Database & Migration Stability

• Corrected a questionnaire group migration failure caused by foreign key constraint conflicts during database migrations

Changed

• Extended credential-redaction protections across third-party integration log output at all severity levels (Microsoft Defender, Okta, Wiz, Qualys, Prisma Cloud, Azure Intune, GitLab, Jira, SonarCloud, SentinelOne, Sicura, DuroSuite, Tenable, Axonius, CrowdStrike, and the GitLab and GitHub pipeline-compliance providers).
• OpenTelemetry trace exporter now defaults to TLS. Deployments that previously relied on plaintext OTLP export must either point at a loopback collector (, , or ) or front the collector with TLS. Operators should monitor the application log for either WARNING (insecure=True against a non-loopback endpoint, exporter is disabled and spans are dropped) or WARNING (insecure=False against a plaintext http:// endpoint, gRPC TLS handshake fails and spans are dropped). Both modes drop spans silently with no exception raised.
• Hidden the non-functional command group and its subcommands from output to avoid confusion. Use the group for eMASS workbook imports and legacy operations.
• Documented the exact Microsoft Graph and Azure RBAC permissions required for the Azure (Intune) and Microsoft Defender (Defender for Endpoint, Defender for Cloud, and Entra ID evidence collection) integrations so administrators can grant least-privilege access to the corresponding Entra ID app registrations.
• Pinned in the Airflow image build to clear CVE-2026-44307.

Added

• FIPS 140-3 compliant Docker image variant published as (and ) for customers running in FedRAMP High or IL5 environments.

[6.31.0.2] 05-05-2026

Fixes

DoD XCCDF & Assessments

• Resolved an issue where form tabs would disappear after importing an XCCDF benchmark.
• Fixed a bug where navigation failed to load within the XCCDF module.
• Addressed inconsistent behavior when stepping through lightning assessment tests, improving reliability and user flow.

Modules & Configuration

• Fixed an issue where disabling Issue Screening Verification under Modules and Features did not properly remove it from the user interface.
• Resolved a bug where changing implementation status to "Planned" required a manual screen refresh to display the "Steps to Implement" field.

Issues & POA&M

• Fixed an issue where filtered count tabs on the Issues/POA&M screen did not correctly navigate users to the filtered results.

Exporting & Integrations

• Resolved an issue where seeding Export Builder templates for eMASS failed due to a missing file ID.

Enhancements

Files & Data Handling

• Enhanced Excel preview functionality in the Files subsystem for improved usability and data visibility.

Platform Improvements

• Performed custom cell function cleanup and mapping fixes in Export Builder, improving data consistency and maintainability.
• Added Framework Importer capability for selective installation of Export Builder templates and custom forms to support both SaaS and on-prem custom installations.

Changed

Fixed

• Airflow Docker image now installs the regscale package successfully so all DAGs (including the Wiz DAGs) load on container startup instead of failing with
• Removed an unused runtime dependency that conflicted with and broke for Airflow DAGs that pull from FedRAMP and evidence modules
• Hardened credential handling in container startup, Microsoft Defender authentication, Azure AD authentication, and Airflow initialization

Added

[6.34.28] - 2026-05-04

Changed

• Questionnaire instance creation helpers now target the non-deprecated v2.0 API handler via the header
• Control implementation lookups for a security plan now use the non-deprecated endpoint for forward compatibility
• CrowdStrike now hydrates host details concurrently while scrolling, and Spotlight/Hosts page sizes raised from 100 to 500, materially reducing wall-clock time on large CrowdStrike syncs

Fixed

• GCP sync commands (, , , Cloud SQL inventory, App Engine inventory) no longer fail with when is not configured in init.yaml; mock-header wiring no longer interferes with Application Default Credentials on the production code path
• CrowdStrike Spotlight and Hosts syncs no longer abort partway through long-running fetches when the OAuth bearer token expires mid-pagination; the integration now refreshes the token and retries automatically
• Airflow container startup now runs unconditionally before launching the api-server, scheduler, dag-processor, and triggerer, so minor Airflow version upgrades (e.g. 3.1.x to 3.2.x) self-heal the metadata schema instead of crashing the dag-processor on a missing table; the previous automatic recovery path that ran the destructive has been removed and is now reserved for the explicit operator-invoked entrypoint
• Azure Entra evidence collection now refreshes its Microsoft Graph access token mid-run when it expires (Azure tokens are ~1h, long paginations can outlive that window), so / / no longer fail with after the token expires
• log lines no longer crash on Windows consoles using (the and log records previously contained a Unicode arrow that the default Windows logging stream couldn't encode)
• OpenText WebInspect Airflow DAG () now loads in Airflow without an import error, so the DAG is visible and runnable
• Removed the broken Autotask Airflow DAG () that produced a DAG import error on every Airflow refresh; the connector is not yet available in the synqly ticketing CLI

[6.31.0.1] 04-27-2026

Changes & Enhancements

Security & Compliance

• Added noindex, nofollow meta tags to login page headers to help prevent search engine indexing of sensitive authentication pages.

Platform Maintenance

• Updated core platform dependencies to the latest stable versions to improve performance, stability, and security.

Logging & Observability

• Added support for Splunk HEC (HTTP Event Collector) as a sink in the Serilog logging pipeline, enabling improved log forwarding and integration with Splunk.

Fixes

API & Documentation

• Fixed an issue where Swagger and API documentation links were failing or inaccessible within the application.

Data & Records

• Resolved an issue where XCCDF records were not properly scoped per application, causing them to appear across all applications.

Navigation & UI

• Fixed an issue where the root node was incorrectly displayed in navigation when viewing an XCCDF record.

Form Builder

• Addressed edge cases that caused Form Builder imports to fail under certain conditions.

[6.31.0.0] 04-25-2026

Release Notes LIMITED

This release is designated as a LIMITED release that is only meant for specific customers of RegScale.
All functionality from this release is also generally availabie in the 6.31.0.1 release.

Changes & Improvements

DoD Compliance & Workflow

• Enhanced support for NIST 800-53 Rev. 5, including updated catalogs and improved control coverage

• Introduced the ability to map a single ZTA control to multiple NIST controls

• Expanded System Security Plan (SSP) management:

  • Add or remove controls directly within SSPs
  • Map issues and POA&Ms at the control part level
  • Select source SSPs within the authoring experience

• Improved STIG and checklist workflows:

  • New checklist import wizard with support for XCCDF
  • Automated issue lifecycle based on test results
  • Multi-asset orchestration with auto-matching

• Enhanced eMASS interoperability:

  • Expanded export capabilities (POA&Ms, inventories, SCF, test results, and more)
  • Improved ports and protocols submission workflows

• Updated DoD workflows and architecture to better support POA&M processes and custom field management

RegML (AI & Automation)

• Introduced RegML Health Check for improved system visibility

• Added Framework Converter to streamline framework transformations

• Improved authoring with mapping-first workflow design

• Expanded API capabilities:

  • New reranking endpoint for improved results relevance
  • Document chunking and vectorization for advanced AI use cases

• Enhanced performance through caching and improved concurrent request handling

• Improved document processing with smarter content chunking and harvesting

Platform Enhancements

• Launched Wayfinder Explorer for improved navigation and usability

• Enhanced Wayfinder Builder with editable activity links

• Expanded Evidence Preview capabilities

• Introduced a Risk Paging System for better scalability

• Increased flexibility:

  • Higher custom field limits
  • Import/export of form fields across environments

• Security Relevant Patch: Contains Image Hardening and Patching Improvements

• Added new API integrations and data mapping enhancements (including OLIR crosswalk support)

Fixes

DoD

• Resolved issues with checklist imports, including XCCDF visibility and multi-asset handling
• Fixed inconsistencies in control objectives, test plans, and issue hierarchy
• Corrected UI behaviors in checklist screens and Line of Inquiry workflows
• Addressed issues with asset creation and ports/protocols validation

RegML

• Improved stability of AI Auditor and RegML Auditor services
• Fixed issues with query handling, including schema validation and model parameter usage
• Resolved conversation history loss during retries
• Fixed document harvesting and policy import inconsistencies
• Addressed startup and health check reliability issues

Platform

• Fixed issues impacting GraphQL queries, custom fields, and role assignments

• Resolved SSO login redirect issues (Entra SAML)

• Improved Wayfinder stability, including action menus and webhook support

• Fixed data consistency issues across:

  • Reports and dashboards
  • Evidence mapping
  • Assessments and questionnaires

• Addressed export, file handling, and large dataset processing issues

• Fixed multiple UI/UX bugs across forms, builders, and dashboards

• Improved search, filtering, and Excel export accuracy

• Resolved various data integrity and migration-related issues

Notes

• This release is designated as a LIMITED release that is only meant for specific customers of RegScale.
• This release includes significant enhancements to DoD workflows and POA&M processing, which may affect existing integrations or automations.
• RegML capabilities continue to expand, with a focus on AI-driven document processing, vectorization, and improved search relevance.
• All functionality from this release is also generally availabie in the 6.31.01 release.

[6.34.27.0] - 2026-04-30

Changed

• Tanium sync commands now handle scaled environments (100k+ records) without hanging or running out of memory
• Tanium policy and data findings no longer create duplicates for non-CVE results
• Tanium sync runs faster and now logs throughput progress during long-running operations
• SentinelOne integration now uses native SentinelOne agent IDs for asset and finding tracking

Fixed

• Scanner integration batch syncs (Axonius, Tanium, SentinelOne) no longer create duplicate records or drop linked Issues when a batch request times out
• Azure Entra evidence collection no longer hangs on large tenants; live progress is shown, Microsoft Graph throttling is handled automatically, and access review evidence with shared display names is preserved
• Qualys integration now constructs correct API URLs for production deployments where Container Security and VMDR are hosted on different Qualys sub-domains
• Qualys Total Cloud and other JSONL-based scanners no longer fail to start with date format errors
• now supports , , and flags for consistency with other Qualys commands
• SentinelOne vulnerability sync no longer creates duplicate findings when the same CVE affects multiple records
• SentinelOne no longer collapses applications with similar names (e.g., "Microsoft Visual Studio 2019" and "Microsoft Visual Studio 2022") into the same finding
• SentinelOne integration no longer leaks connections during long-running or repeated syncs
• Tanium Cloud endpoint queries now return faster when a record limit is specified
• and no longer stop after 50 records; all matching records are now processed

Added

• Configurable GCP Security Command Center API endpoint via in init.yaml to support alternate or non-Google hosts
• SARIF and commands now accept to run compliance sync against a Component as an alternative to

[6.34.22] - 2026-04-28

Fixed

• Tanium Cloud vulnerability sync no longer creates duplicate findings when the same CVE affects multiple endpoints; one finding is now created per CVE and mapped to all affected assets
• Asset MAC addresses are now normalized to uppercase before submission to prevent validation failures caused by case-sensitive platform checks