Changelog

[6.30.0.0] - 2026-03-30

Fixes

Platform & Data Integrity

  • Fixed an issue where Security Profile Exports did not include JSON files compatible with re-import.
  • Fixed multiple Export Builder issues affecting Appendix A, Appendix Q, and SOD exports.
  • Resolved placeholder text appearing in final exports.
  • Fixed issue preventing customer records from being saved.
  • Fixed Appendix Q export failures.
  • Resolved asset mapping problems when vulnerabilities create issues.

Vulnerability & Issue Management

  • Fixed multiple issues with and endpoints:
    • Issues not appearing in reports
    • Missing asset associations
    • Incorrect default status (“Closed”)
    • Mop-up functionality failures
    • Missing POA&M fields
    • KEV auto-detection not functioning
  • Fixed KEV filtering returning incorrect results.
  • Corrected issue where “Mitigated” vulnerabilities appeared in Open filters.
  • Fixed Auto Close issues for scanner integrations.
  • Resolved Issues Analytics graph issues (KEV identification, Issues Due by Month).

Navigation & UI/UX

  • Fixed Wayfinder deep links to ensure reliable navigation across modules and records.
  • Resolved UI issues including:
    • Pagination display cutoffs
    • Quick Links truncation
    • Dashboard and Compliance Certificate console errors
  • Fixed navigation between Assets, Issues, Vulnerabilities, and Assessments.
  • Fixed missing logos in cross-app views.

Security & Access Control

  • Fixed multiple authorization and tenant isolation issues:
    • Tenant users accessing restricted admin routes via direct URL
    • Tenant admins viewing users across tenants
    • Tenant admins creating global admin accounts
  • Fixed separation of duties enforcement issues.
  • Fixed Compliance Certificate visibility and access control issues.

Integrations & APIs

  • Fixed Axonius integration failure when no SSP controls exist.
  • Fixed Frontend API base URL mismatch causing GCP environment failures.
  • Fixed CI/CD workflow issue preventing Docker images from deploying to ACR.
  • Fixed SSP Author query filtering bug.

Logging & System Behavior

  • Fixed errors when navigating audit logs.
  • Fixed inconsistent pagination in security logs.
  • Fixed error when submitting consecutive bug bounty reports.

Access Requests & Workflows

  • Fixed errors when approving/rejecting access requests.
  • Fixed Capabilities/Milestones issue where Responsible Person was not updating.

Miscellaneous Fixes

  • Fixed inability to create Service Accounts.
  • Fixed UI confusion in Create Product and Create Company flows.
  • Fixed Trust Center Inbox and Branding access via direct URL.

Changes & Enhancements

Navigation & User Experience

  • Improved cross-object navigation:
    • One-click navigation between vulnerabilities, issues, assets, and assessments
    • Linked navigation across compliance failures and security plans
  • Added filtering capabilities:
    • Assets by vulnerabilities and issues
    • Issues by POA&M, identification, and source report

Vulnerability & Risk Management

  • Added automatic KEV CVE detection for vulnerability ingestion.
  • Introduced vulnerability-to-disposition linking.
  • Added POA&M and Milestones rollup status board.
  • Improved asset visibility in compliance failures.

RegML & AI Enhancements

  • Improved RegML query handling with structured support.
  • Reduced chatbot hallucinations and stale data responses.
  • Enhanced dynamic policy harvesting capabilities.

Platform & Architecture

  • Refactored Auditor Service to use structured response schemas.
  • Updated control implementation patterns for CLI CSAM integration.

UI & Workflow Improvements

  • Added Issue-to-Asset mapping UI enhancements.
  • Improved Compliance Certificate interactions.
  • Enhanced SSP Inventory visualizations with graph labels.

Developer & API Improvements

  • Enhanced batch processing APIs to align with vulnerability disposition logic.
  • Improved feature flag handling for SSP Author dynamic harvesting.

[6.33.1] - 2026-03-30

Changed

  • Faster CLI startup by deferring DuroSuite module loading until its commands are invoked
  • Lazy-loaded RegScale model imports to reduce CLI startup memory by ~20MB
  • Reduced default HTTP connection pool size from 200 to 100 to lower memory usage at startup
  • Replaced dependency with for lighter, faster CLI progress bars and console output
  • Introduced abstract interface for swappable progress bar backends
  • Batch API responses now log at DEBUG level on success, INFO only on errors
  • Consistent progress bar styling across all CLI commands with cleaner display
  • Pydantic model performance and memory optimization across all RegScale CLI models with slots-based storage, Literal type constraints, and TypeAdapter bulk validation
  • Assessment model memory footprint reduced via deferred imports, cached endpoint lookups, and annotation deferral

Fixed

  • GCP compliance sync now creates issues for failed controls when issue creation is enabled, with a clear log message when turned off
  • GCP compliance items now use unique per-resource identifiers from SCC findings instead of the project-level ID, fixing asset deduplication
  • Wiz integration now creates Ports & Protocols and Software Inventory records for synced assets, restoring functionality lost during scanner migration
  • ComponentMapping and AssetMapping model overrides now accept skip_validation parameter, fixing asset sync failures across all scanner integrations
  • GCP findings now use correct issue status values instead of ControlTestResultStatus enums, eliminating status mapping warnings during sync
  • Tanium Cloud CVE vulnerability fetch now uses correct GraphQL field names, resolving API 400 errors
  • Tanium compliance findings now create unique vulnerabilities per finding instead of collapsing to a handful due to missing plugin identifiers
  • Tanium integration now pre-loads endpoint data during findings sync, enabling vulnerability-to-asset linkage when syncing to components
  • Server-side POAM creation from vulnerabilities now respects the setting and is off by default ()
  • Test suite no longer overwrites the user's when running locally
  • Fixed Burp integration logger initialization that used an incorrect parameter

[6.33.0] - 2026-03-24

Changed

  • Upgraded CrowdStrike FalconPy SDK from 1.4.5 to 1.6.0 for improved API error handling and bug fixes
  • Updated CSAM integration to use new control implementation endpoint for faster loads

Added

  • flag on command to select Azure cloud environment (commercial, government, china) at invocation time, enabling a single CLI install to collect Entra evidence from both GovCloud and commercial tenants
  • Azure Container Registry (ACR) integration for Microsoft Defender: new CLI command pulls container images from ACR and creates RegScale software assets (REG-11608)
    • Supports to target a single registry or to iterate every ACR in the subscription
    • ACR API methods added to DefenderApi: registry listing, OAuth2 token exchange, repository and tag enumeration
    • New (ScannerIntegration) with full asset parsing, error handling, and pagination support
  • BigQuery sync_assets_bq subcommand now available in the ROH CLI under both and groups
  • Generic SBOM file import command supporting SPDX and CycloneDX JSON files

Fixed

  • Axonius V2: Asset Category and Asset Owner fields are now populated correctly on ingested assets. Changed from non-standard "IT Asset" to "Hardware" (matching the enum) and explicitly set in the mapper (REG-21081)
  • configuration value is no longer silently dropped from init.yaml when the CLI saves config
  • Deleted Airflow DAGs (e.g., ) now get deactivated promptly; reduced from 1 year to 60 seconds so the scheduler detects removed DAG files within a minute
  • SARIF compliance integration now correctly extracts CWE IDs from rule.properties.tags strings, resolving false-PASS compliance status for Semgrep and other SAST tools that embed CWEs as tag annotations
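The SARIF fix above describes a mapping gap: Semgrep and similar SAST tools put CWEs into rule.properties.tags as free-text strings such as "CWE-79: Improper Neutralization ...", and a mapper that only reads the structured relationships form sees no CWE and records a false PASS. The following is an added example written for this page, not the RegScale CLI's own implementation: it extracts CWE IDs from both the tag strings and the structured relationships, run over a constructed Semgrep-style SARIF log (rule IDs, message text and file paths are made up; only the "CWE-<n>: <name>" tag pattern is Semgrep's real convention).

```python
"""Extract CWE IDs from SARIF rule metadata.

SAST tools such as Semgrep embed CWEs as free-text tags
("CWE-79: Improper Neutralization ...") in rule.properties.tags rather than
(or in addition to) the structured rule.relationships form. A compliance
mapper that only reads the structured form sees no CWE and may record a
false PASS. This example reads both.
"""
import json
import re

# Matches "CWE-79", "cwe-079", "CWE-79:" ...; the numeric ID is group 1.
_CWE_RE = re.compile(r"\bCWE-0*(\d+)\b", re.IGNORECASE)


def cwe_ids_from_rule(rule: dict) -> set:
    """Return the CWE IDs ('CWE-79', ...) referenced by one SARIF rule."""
    found = set()
    props = rule.get("properties") or {}
    # 1. Free-text tag annotations (Semgrep style).
    for tag in props.get("tags") or []:
        if isinstance(tag, str):
            for m in _CWE_RE.finditer(tag):
                found.add(f"CWE-{int(m.group(1))}")
    # 2. Structured relationships to a CWE taxonomy (SARIF 2.1.0 taxa).
    for rel in rule.get("relationships") or []:
        target = rel.get("target") or {}
        tool_name = (target.get("toolComponent") or {}).get("name", "")
        target_id = str(target.get("id", ""))
        if "cwe" in tool_name.lower():
            m = _CWE_RE.search(target_id) or re.fullmatch(r"0*(\d+)", target_id)
            if m:
                found.add(f"CWE-{int(m.group(1))}")
    return found


def cwe_map_from_sarif(sarif: dict) -> dict:
    """Map every rule ID in a SARIF log to its set of CWE IDs, across runs,
    the driver component and any extensions."""
    out = {}
    for run in sarif.get("runs", []):
        tool = run.get("tool") or {}
        components = [tool.get("driver") or {}] + list(tool.get("extensions") or [])
        for comp in components:
            for rule in comp.get("rules") or []:
                rid = rule.get("id")
                if rid:
                    out.setdefault(rid, set()).update(cwe_ids_from_rule(rule))
    return out


def result_cwes(sarif: dict) -> list:
    """Pair each result with its rule's CWEs. An empty set means the finding
    cannot be keyed to a CWE-based control and must not default to PASS."""
    rule_map = cwe_map_from_sarif(sarif)
    pairs = []
    for run in sarif.get("runs", []):
        for res in run.get("results") or []:
            rid = res.get("ruleId", "")
            pairs.append((rid, rule_map.get(rid, set())))
    return pairs


# Constructed sample: a Semgrep-style SARIF log. Rule IDs, tag text, message
# text and file paths are made up for this example.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
      {"id": "python.flask.security.xss.audit.direct-use-of-jinja2",
       "properties": {"tags": [
         "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
         "OWASP-A03:2021 - Injection", "security"]}},
      {"id": "python.lang.security.audit.exec-detected",
       "properties": {"tags": ["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"]}},
      {"id": "example.structured-cwe",
       "relationships": [{"target": {"id": "89", "toolComponent": {"name": "CWE"}}}]},
      {"id": "example.no-cwe-rule", "properties": {"tags": ["best-practice"]}}
    ]}},
    "results": [
      {"ruleId": "python.flask.security.xss.audit.direct-use-of-jinja2",
       "message": {"text": "Untrusted data rendered into a template"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}}}]},
      {"ruleId": "example.no-cwe-rule", "message": {"text": "Style issue"}}
    ]
  }]
}
""")

if __name__ == "__main__":
    for rule_id, cwes in result_cwes(SAMPLE_SARIF):
        print(rule_id, sorted(cwes) or "<no CWE: do not auto-PASS>")
```

A result whose rule yields an empty set is unmapped, not compliant; an integration should surface it (or leave the control status untouched) rather than let the absence of a CWE read as a PASS.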

[6.29.2.1] - 2026-03-23

Changes

  • Chatbot Improvements

    • Enhanced system prompts and guardrails to reduce hallucinations and improve response accuracy and reliability.

Fixes

  • Evidence Module

    • Fixed an issue where the search field returned “0 Records” despite matching entries existing.
  • SSP Export

    • Resolved an issue where Security Categorization was not populating correctly in exports.
  • FedRAMP POA&M

    • Fixed an issue preventing POA&M exports from completing successfully.
  • Form Builder

    • Fixed an issue where form field validations could not be deleted and did not appear in the builder.
    • Resolved an issue where validation field values were not populating correctly.
    • Fixed tab panel not updating when switching between modules.
    • Fixed fields panel not refreshing when switching between modules.
  • SSP Control Implementation

    • Fixed a 404 error occurring when saving a part within a Control Implementation.
    • Resolved an issue where the control preview was not displaying.

Implementation Limitations and Known Issues in this Release

This note concerns SSO for government customers.
With the .NET 10 upgrade that was part of the 6.29.x release, the SSO login (authority) URL is now validated strictly. Azure Entra exposes two authority URLs, login.microsoftonline.com (commercial) and login.microsoftonline.us (US Government). Previously either could be configured, because both returned the same metadata pointing at the .com URL. Unless the customer's tenant is GCC High, its tokens are validated against the commercial (.com) endpoint, not the government (.us) endpoint, so an authority URL on the .us host no longer matches.

Symptoms: The browser console shows an “Issue mismatch” (issuer mismatch) error.

Resolution: If Azure Entra OAuth login fails after upgrading a customer to 6.29.x and the customer's Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.

Other

  • To avoid unexpected timeouts and users being logged out of the application, set the session timeout value greater than the browser inactivity value: the session timeout is enforced before the inactivity timeout, and there is currently no warning to the end user before automatic logout.

  • In order to delete an Interconnection, the user must have both Update and Delete permissions.

[6.32.0] - 2026-03-18

Changed

  • Upgraded Apache Airflow from 3.1.6 to 3.1.7 to address security vulnerabilities
  • Compliance integrations now auto-detect framework mismatches and crosswalk controls between frameworks (e.g., NIST source to SOC2 SSP)
  • Compliance integrations now skip issue creation for controls that have no matching implementation in the SSP

Added

  • Cross-framework control matching in compliance base class for all integrations (Wiz, CrowdStrike, AWS, GCP, etc.)
  • Framework auto-detection utility with confidence threshold for SSP and source data

Fixed

  • Evidence Model method no longer crashes with a 500 error when called without filter parameters; empty parameters now return all records
  • Wiz compliance evidence is now correctly mapped to SSP controls via crosswalk when frameworks differ
  • Wiz compliance no longer runs redundant control status updates that duplicated base class logic
  • Control matcher now handles generic/custom catalog types (e.g., HITRUST) by falling back to case-insensitive direct matching when no specific framework handler matches

[6.31.0] - 2026-03-16

Changed

  • CrowdStrike compliance sync now supports all 7 frameworks (NIST, CSF, SOC2, CMMC, ISO, CIS, OWASP) via option
  • CrowdStrike compliance sync now uses SSP compliance settings for proper status mapping (FedRAMP, DoD, NIST)
  • CrowdStrike compliance sync auto-detects framework from the SSP's security profile using the framework handler registry
  • CrowdStrike integration refactored into modular package structure for improved maintainability
  • CrowdStrike SDK reuses authenticated sessions across bulk operations for improved performance
  • CrowdStrike compliance notes are now HTML-escaped before rendering
  • Consolidated Qualys Airflow DAGs into a single DAG with user-configurable options for VMDR, WAS, Container Security, and Total Cloud services

Added

  • CrowdStrike command to export prevention policy configurations as audit evidence
  • CrowdStrike command to generate comprehensive SOC2 evidence packages (host inventory, policies, alerts)
  • CrowdStrike evidence auto-links to matching control implementations using compliance mapping data with cross-framework support (NIST, SOC2, CSF, CMMC)
  • CrowdStrike vulnerability sync from Spotlight API with severity and CVE mapping
  • CrowdStrike asset sync from Hosts API with platform detection and device inventory
  • CrowdStrike compliance sync supports Full and Partial control implementation levels
  • Cross-framework mapping utility to automatically translate compliance controls between NIST, CSF, SOC2, CMMC, ISO, and CIS
  • CSF (Cybersecurity Framework) handler for control ID detection and parsing

Fixed

  • CrowdStrike FalconPy 1.6.0 deprecated API compatibility (Incidents, Intel, UserManagement)
  • CrowdStrike SDK authentication validation and SSL verify configuration support
  • CrowdStrike compliance sync no longer requires catalog lookup, reads control implementations directly from SSP
  • Entra ID evidence collection no longer fails to upload when PIM licensing (AadPremiumLicenseRequired) is unavailable; successfully collected evidence now uploads to the RegScale SSP regardless of downstream licensing errors (REG-20943)
  • Fixed OOM crash in Qualys Total Cloud import caused by swallowing instead of re-raising it, which caused to loop infinitely accumulating values
  • Fixed unclosed Rich markup tag in CLI disclaimer ( → ) that could cause rendering artifacts

[6.29.2.0] - 2026-03-13

Changes

  • Added notifications for Access Requests to improve visibility for administrators.
  • Introduced Request Access link to streamline user onboarding.
  • Implemented Cross-BU reporting capabilities.
  • Added endpoint to return available exports for all modules.
  • Added RBAC endpoint to add or remove group permissions from a record in AppBuilder.
  • Added support for enabling modules during tenant creation.
  • Migrated module enablement seeding from to module configuration files.
  • Updated RegScale AI routing to leverage v1 primitives instead of calling models directly.
  • Implemented prompt access pattern (), response contracts, and telemetry usage for RegML integration with the RegScale app.
  • Marked legacy Export Builder exports as DEPRECATED.
  • Removed NGRX Store from the application.
  • Added New Threat Models functionality.
  • Introduced New Risk creation option on Capability Risks tab.

Fixes

Access Requests & User Access

  • Fixed issue where new user access requests were not handled correctly.
  • Fixed issue where users could not approve access requests from Setup > Users.
  • Fixed issue where access requests disappeared after refreshing the page.
  • Fixed issue where users were incorrectly redirected to the App Store page to request access after upgrade.
  • Fixed issue preventing users from being added to the tenant admin list.

Performance & API

  • Improved performance of the Request Access API, which previously took ~50 seconds to respond.
  • Fixed query failures when was not set.
  • Fixed Policy Generator timeout issues due to insufficient async polling attempts with v1 query.

Security & RBAC

  • Fixed multiple role-based access control issues, including:

    • Users with CR access able to update Assessment Plans
    • Users with CR access able to delete Assessment Plans
    • Users with CRU access able to delete Threats
    • IssueScreener and IssueUser roles not receiving Issue Screening access

UI / UX

  • Fixed Browse Applications grid spacing issues on lower screen widths.
  • Fixed Login banner intermittently not appearing.
  • Fixed App Management > Group back button navigating incorrectly to General instead of Groups.
  • Fixed Create New buttons appearing in Cross-App mode where creation should not be allowed.
  • Fixed Bulk Editor appearing in Cross-App mode.
  • Fixed Component > Bulk Actions appearing in Cross-App mode.
  • Fixed Add Mappings appearing in Cross-App mode.
  • Fixed Multiple field not disabled on Questionnaire while in Cross-App mode.
  • Fixed Create New appearing in Component > Score Card > Manage Risk when not permitted.
  • Fixed Create New Risk appearing incorrectly in certain contexts.
  • Fixed Mini Subsystem buttons missing in UI.
  • Fixed Tags dropdown opening behind modal in Mini Subsystem files.

Data Integrity

  • Fixed issue where file attachment (paperclip) created records with incorrect parent ID/module.
  • Fixed issue allowing access to Request records after deletion.
  • Fixed issue where Threat Model owner field changed unexpectedly on creation.

Export Builder

  • Fixed Export Builder preview errors when viewing export files.
  • Fixed Export Builder XLSX functionality regressions introduced in 6.29.1.

RegML / AI Features

  • Fixed Response Automation not returning responses.
  • Fixed AI Generator progress status bar not updating correctly.
  • Fixed AI Generator cost savings showing when run by app users or admins.
  • Fixed RegML features returning 403 errors.

AppBuilder / Controls

  • Fixed Control Builder Primary Responsible Role not setting correctly (422 error).
  • Fixed Control Implementations loading slowly.
  • Fixed Tasks Advanced Search not working.

System / Environment

  • Fixed email functionality not enabling correctly.

Reporting

  • Fixed issue where Reports failed to load in Cross-App view with a 400 console error.
  • Fixed issue where Tenant Admins could not create new reports in Cross-App view.

Vulnerabilities & Security

  • Fixed vulnerability in mop-up functionality.
  • Fixed error loading vulnerability data.

Implementation Limitations and Known Issues in this Release

This note concerns SSO for government customers.
With the .NET 10 upgrade that was part of the 6.29.x release, the SSO login (authority) URL is now validated strictly. Azure Entra exposes two authority URLs, login.microsoftonline.com (commercial) and login.microsoftonline.us (US Government). Previously either could be configured, because both returned the same metadata pointing at the .com URL. Unless the customer's tenant is GCC High, its tokens are validated against the commercial (.com) endpoint, not the government (.us) endpoint, so an authority URL on the .us host no longer matches.

Symptoms: The browser console shows an “Issue mismatch” (issuer mismatch) error.

Resolution: If Azure Entra OAuth login fails after upgrading a customer to 6.29.x and the customer's Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.

Other

  • To avoid unexpected timeouts and users being logged out of the application, set the session timeout value greater than the browser inactivity value: the session timeout is enforced before the inactivity timeout, and there is currently no warning to the end user before automatic logout.

  • In order to delete an Interconnection, the user must have both Update and Delete permissions.

[6.30.1.0] - 2026-03-12

Changed

  • Updated error_and_exit to show where it was called from

Fixed

  • Scanner integrations now correctly assign assets to components when using
  • FedRAMP POAM Import:
    • No longer crashes with an illegal hardware instruction on CPUs that lack AVX2 support; pandas is used automatically as a fallback
    • Correctly falls back to the default POAM ID column when a custom value is not present on a given sheet
    • Fixed AttributeError failures when POAM IDs are stored as integers in the spreadsheet
    • Fixed incorrect column numbers in various warning messages
  • Fixed a package import issue in the unit and integration tests
  • Updated CI build-info

[6.29.1.2] - 2026-03-10

Fixes

  • Export Builder
    • Fixed an issue that was preventing control enhancements from populating for FedRAMP Appendix A.

Known Limitations and Issues

This note concerns SSO for government customers.

With the .NET 10 upgrade that was part of the 6.29.x release, the SSO login (authority) URL is now validated strictly. Azure Entra exposes two authority URLs, login.microsoftonline.com (commercial) and login.microsoftonline.us (US Government). Previously either could be configured, because both returned the same metadata pointing at the .com URL. Unless the customer's tenant is GCC High, its tokens are validated against the commercial (.com) endpoint, not the government (.us) endpoint, so an authority URL on the .us host no longer matches.

Symptoms: The browser console shows an “Issue mismatch” (issuer mismatch) error.

Resolution: If Azure Entra OAuth login fails after upgrading a customer to 6.29.x and the customer's Authority URL contains login.microsoftonline.us, change it to login.microsoftonline.com.
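The SSO known-issue note repeated in the 6.29.2.1, 6.29.2.0 and 6.29.1.2 release notes above boils down to one check: does the issuer that the tenant's OpenID Connect discovery document advertises sit on the same host as the configured Authority URL? The following is an added example written for this page, not RegScale's or Microsoft's code. It compares a configured authority with a discovery document and, on mismatch, proposes the corrected authority. The tenant ID is a placeholder and the discovery document is constructed to match what the note describes (a non-GCC-High tenant whose metadata points at the .com issuer regardless of which host served it); the exact comparison the platform performs after the .NET 10 upgrade is not documented, so issuer_matches implements the minimum a strict validator enforces (scheme, host and tenant path segment).

```python
"""Check an Entra ID authority URL against the issuer its OpenID Connect
discovery document advertises.

After the .NET 10 upgrade the application validates the token issuer
strictly, so an authority configured on login.microsoftonline.us whose
metadata reports a login.microsoftonline.com issuer fails SSO. This script
detects that mismatch and proposes the corrected authority.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen


def discovery_url(authority: str) -> str:
    """OIDC discovery endpoint for an authority such as
    https://login.microsoftonline.com/<tenant-id>/v2.0"""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def fetch_metadata(authority: str) -> dict:
    """Live lookup of the discovery document (not used by the offline check)."""
    with urlopen(discovery_url(authority), timeout=10) as resp:
        return json.load(resp)


def _host_and_tenant(url: str):
    p = urlparse(url)
    segments = [s for s in p.path.split("/") if s]
    tenant = segments[0].lower() if segments else ""
    return p.scheme.lower(), p.netloc.lower(), tenant


def issuer_matches(configured_authority: str, token_issuer: str) -> bool:
    """Strict comparison in the spirit of the behaviour described in the note.
    Assumption: the platform's exact rule is not documented; scheme, host and
    tenant path segment must all agree, which is the minimum a strict issuer
    validator enforces."""
    return _host_and_tenant(configured_authority) == _host_and_tenant(token_issuer)


def check_authority(configured_authority: str, metadata: dict) -> dict:
    """Compare the configured authority with the discovery document's issuer.
    On mismatch, propose the same tenant path on the issuer's host."""
    issuer = metadata["issuer"]
    ok = issuer_matches(configured_authority, issuer)
    if ok:
        recommended = configured_authority
    else:
        parsed = urlparse(configured_authority)
        recommended = parsed._replace(netloc=urlparse(issuer).netloc).geturl()
    return {"ok": ok, "issuer": issuer, "recommended_authority": recommended}


# Constructed sample: placeholder tenant ID and the discovery document a
# non-GCC-High tenant returns via either host (issuer on the commercial host),
# as the release note describes. Not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    for authority in (
        f"https://login.microsoftonline.us/{TENANT_ID}/v2.0",   # misconfigured
        f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",  # correct
    ):
        verdict = check_authority(authority, SAMPLE_METADATA)
        print("OK      " if verdict["ok"] else "MISMATCH", authority,
              "" if verdict["ok"] else "-> use " + verdict["recommended_authority"])
```

For a real tenant, pass the result of fetch_metadata(configured_authority) instead of SAMPLE_METADATA. Because the check compares against whatever issuer the tenant's own metadata reports, a genuine GCC High tenant (issuer on login.microsoftonline.us) passes on the .us authority; the check does not blindly force .com, it only flags the case the note describes.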