CLI 6.34.31
May 13th, 2026
[6.34.31] - 2026-05-13
Changed
- eMASS importers (, SecCat workbook import, eMASS XML system import) now create new Security Plans with the tenant's DoD compliance setting instead of the default RegScale compliance setting, with the correct ID resolved automatically by framework keyword regardless of the numeric ID assigned in each tenant
- Rapid7 InsightVM integration now uses server-side API pagination for orchestration offset and limit, reducing redundant API calls during parallel job splitting
- Rapid7 InsightVM Console v3 sync_findings now streams findings as soon as their definitions are available instead of waiting for every asset listing to finish first, reducing time-to-first-finding from minutes to seconds on large environments
- Scanner-based asset sync (GCP, Wiz, Tanium, CrowdStrike, SentinelOne, etc.) now respects the configured for the HTTP POST chunk size to ; the previous hardcoded chunk size of 100 only applies when is unset, with the documented default of 500 now taking effect for unconfigured deployments
- Bumped 3.2.0 → 3.2.1 (REG-22036 / Trivy scan): patch-level fix for CVE-2026-38743 (per-DAG access-control bypass on the Human-in-the-Loop endpoint) and CVE-2026-40690 (asset dependency graph leaking nodes outside the viewer's DAG read permissions); operators on the bundled Airflow do not need any deployment change
- Bumped 1.7.0 → 1.7.2 (REG-22036 / Trivy scan): patch for CVE-2026-44681 (OIDC Implicit/Hybrid Authorization open-redirect); affects only the extra, which uses for Azure provider OIDC flows
Added
- New module (REG-22036): the Phase 1 container-startup AWS Secrets Manager loader is extracted from into a focused module so the file-permission / non- path / exception-sanitization hardening can be exercised by a dedicated regression suite. Behavior is unchanged for production callers — the helper is still invoked at import time when and are set.
Fixed
- Security Plan updates from the CLI no longer wipe optional fields that were not explicitly modified, by fetching the current server copy and merging only the fields the caller set before sending the update
- Security Plan updates now block accidental re-parenting through the CLI unless the caller explicitly opts in via
- SSP and Appendix A imports (including FedRAMP Rev 5) now generate platform-policy-compliant passwords when creating stakeholder users, restoring stakeholder linkage that was previously dropped when the platform rejected weak or incompletely-classed passwords with HTTP 400
- Nessus compliance scan findings now create one Vulnerability per control with all affected hosts preserved instead of collapsing every control under a plugin into a single row
- Airflow DAG listing now returns all RegScale integrations to the RegScale UI instead of silently truncating at the first 100 alphabetically, restoring visibility of Wiz, Trivy, and other late-alphabet integrations on the Integrations page
- Nessus and other large-file scanner imports no longer incorrectly close findings from unrelated sources during multi-batch ingestion; mop-up is now scoped to the final batch of each run instead of every chunk
- Control implementation sync no longer fails with a platform validation error when the Justification for Exclusion field has not been previously set
- , , , and now propagate values as headers on outbound Microsoft Graph calls; previously, mock-server scale configuration was silently ignored, so end-to-end test environments always used the mock server's built-in defaults (, ) instead of the configured values. Header injection covers both the legacy session and the default client
- Scanner integrations now honor , , and from ; previously these keys were silently ignored and per-API-call batches always used the hardcoded defaults
- Issue and Vulnerability descriptions are now capped at 4000 characters client-side at the model layer (matching the backend on ; 's backend limit is 8000 but is capped at the same 4000 by convention so both records produced from one finding stay the same length) so oversized descriptions from any integration (Microsoft Defender, Qualys, ServiceNow, SonarCloud, GitLab, and others) are truncated before sync with a WARNING log instead of being rejected by the platform
- AWS CloudWatch, CloudTrail, and Systems Manager sync now link generated evidence records to the parent Security Plan instead of leaving them unmapped
- AWS Security Hub sync_findings now creates Vulnerabilities with a stable per-control identifier, so the backend auto-creates the corresponding Issues and keeps them open across subsequent scans instead of leaving the tenant with zero Vulnerabilities and closed Issues
- Corrected misleading CLI help text across several commands (eMASS , Axonius and related file-path options, FedRAMP , Azure Intune , ServiceNow, Microsoft Defender, CSAM, CISA, JFrog Xray, OpenText, and the bulk permissions importer) so accurately describes what each command does
- SentinelOne no longer fails for a percentage of records with HTTP 500 from the platform vulnerability endpoint; the SentinelOne agent UUID is no longer leaked into the field of the Vulnerability payload, and the underlying scanner-framework behavior of treating opaque asset identifiers (UUIDs, ARNs, agent IDs) as DNS sources has been removed across all scanners
- SentinelOne (and any scanner using the platform bulk vulnerability endpoint) previously appeared to succeed but persisted zero rows because the request envelope used a misspelled key; vulnerabilities now serialize under the correct envelope key and are written to the security plan as expected
- Bulk vulnerability and issue submission paths now retry transparently on the transient raised by the HTTP/2 connection-pool race under heavy concurrent fan-out, eliminating spurious single-item failures during large per-item fallbacks
- CrowdStrike evidence collection now hydrates host details via the POST-form Hosts API to avoid HTTP 414/431 rejections at upstream ingress when batches approach the GET-form query-string limit
