January 15th, 2026
New drag-and-drop Workflow Designer experience
Workflow Template Library
Digital Signatures workflow action
Ability to preview a questionnaire without assigning it
New questionnaire question types including Yes/No, True/False, Number, Rating Scale, Likert Scale, URL, and Currency
Filters on the Report Builder listing page
Ability to assign questionnaire reviews to a group
Assessment Scorecard enhanced with five new views
Added Risk Assessment help text in the Risks module
Ability to delete fields in Form Builder
Condensed Statusboard designs for improved scannability
Restricted questionnaire reopening to questionnaire administrators only
Ability to reassign questionnaires
Improved visibility of question-level user assignment
Renamed Questionnaire Response Managed Uploads button to Upload File
Prevented question-level assignees from submitting questionnaires
Modernized and streamlined Newsfeed, Look Ahead, and Workbench experiences
Improved dashboard widgets and reporting experience
Ability to import and export Assessment Plans in bulk
Streamlined Line of Inquiry experience
Improved button contrast in the unsaved changes modal
Fixed saving of custom fields
Corrected SPRS Scorecard behavior with CMMC Compliance Settings
Auto-Summarize now includes Inherited, Cloud Implementation, and Customer Responsibility fields
Ensured workflow emails send consistently
Enabled default Implementation Status and Control Origin selection for Catalog Templates
Allowed security plans to be children of other security plans when edited via API
Enabled hiding of the Maturity and Quality tab in Control Implementations via Form Builder
Updated Report Builder to reflect Form Builder field name changes
Removed need to refresh when switching RegScale instances
Corrected System Implementation export order in Appendix A
Fixed Security Plan scorecard calculation for Parts
Corrected Compliance Rollup mappings for CMMC settings
Fixed Response Automation exports
Displayed human-readable questionnaire response statuses in Report Builder
Prevented required checkbox fields in Form Builder
Fixed Export Builder template uploads
Enabled automatic scaling of Form Section Headers
Fixed Vulnerabilities selection in the navigation panel
Corrected sorting by asset count on the vulnerability scorecard
Prevented null values and slashes in Form Builder section names
Fixed Vulnerability Statusboard filtering across full data sets
Displayed empty custom fields correctly in Report Builder
Fixed RegML Policy Generator behavior
Allowed commas in questionnaire prompt list values
Enabled target risk scores greater than 1 in the Risk module
Corrected export options shown in the Catalog export modal
Allowed saving of hidden fields that contain data
Cleaned up required fields in the Assessment module
Improved Organization status toggle behavior
Fixed typo in the RegML Rich Text Editor
Corrected questionnaire response export alignment
Fixed Catalog import for NRC RG 5.71 Rev. 1
Enabled Update Assigned Instances in the Questionnaires module
Fixed api/scanHistory/getAllByParentRecursive endpoint
Corrected Configuration Check Status badging in the Assets module
Added support for special characters in usernames
Fixed questionnaire email delivery
Corrected questionnaire endpoints in Swagger documentation
Fixed Policy Template Editor display after saving
Removed need to refresh after adding Control Implementations to Security Plans
Fixed Catalog count display on the Security Profiles Mappings tab
Enabled adding Risk Treatments in the Risk module
Corrected help text display in the Security Plan Cockpit
Enforced sequential Catalog imports
Fixed selecting existing options for Component Control Implementations
Corrected Other Compliance Rollup value behavior
Fixed unsaved changes detection in the Data Subsystem
Improved eMASS POA&M export handling for missing Security Checks
Ensured associated Wayfinders are deleted with Security Plans
Corrected Workbench counts
Enabled cursor focus anywhere within Rich Text fields
Updated Evidence Forms after backend changes
Fixed Security Plan Evidence report data
Enabled search for terms shorter than four characters
Fixed account confirmation email links
Improved export warning messages for invalid file types
Enforced Control ID uniqueness in the Security Controls module
Ensured Organization endpoint returns Organization ID
Fixed /api/evidence/getEvidenceSecurityPlan/{intID} endpoint
Fixed /api/evidence/getEvidenceByDate/{intDays} endpoint
Corrected required field handling on CAP Tasks Boards
Hid CMMC fields in the Policy module when CMMC is disabled
Fixed /api/config/purgeLogs endpoint behavior
Applied various security updates and patches
Applied various application performance improvements
January 15th, 2026
Batch operations now correctly send isPublic field to server, fixing RBAC visibility issues on newly created issues and vulnerabilities
Batch retry logic automatically retries failed batches individually to prevent data loss
FedRAMP test method defaults (Examine, Interview, Test) now automatically loaded from OSCAL catalogs into control test plans
New testMethod field on ControlTestPlan model with validation for valid test methods
OSCAL catalog parser extracts test methods from FedRAMP High Rev5 baselines
CLI command for importing test method mappings
Catalog import process automatically populates test method defaults during updates
CausalAnalysis model implementation with complete getList endpoint and CRUD functionality for root cause analysis tracking
Airflow DAG for OpenText WebInspect scanner integration
API URL construction for http:// domains broken by eMASS integration changes
QRadar compliance assessment now creates issues by default
QRadar POAM creation for failed assessments now properly populates all required fields
Description field uses HTML formatting instead of unformatted Markdown text
Related Controls field populated with comma-separated control IDs
Asset Identifier field populated with AWS Account ID
Recommended Actions field populated with HTML-formatted remediation steps
Date First Detected field populated with current date
POA&M Comments field populated with assessment metadata including date first detected
eMASS XML import now uses standard RegScale model patterns for creating Issues and SecurityPlans
DNS name validation added to vulnerability creation to prevent API rejection of invalid DNS formats
Prisma Cloud CLI commands ImportError preventing access to authenticate, sync_hosts, sync_images, and sync_sbom commands
Qualys integration
Policy import now correctly extracts title and metadata from FO API export format (TITLE vs policyName fields)
Assessment Details formatting now displays correctly without excessive whitespace and empty tables across all compliance integrations
Fixed systemic HTML rendering issue in base ComplianceIntegration class and all derived integrations
Removed literal newline characters () from HTML description generation that broke table and list rendering
AWS Audit Manager, AWS Config, GuardDuty, IAM, KMS, Org, and evidence generators now render HTML properly
QRadar Query Events assessments now display HTML tables and sections correctly
GCP compliance assessments now render without whitespace corruption
"Failed Resources" tables and other HTML content now display all data correctly in UI
Affects 15+ integration files with consistent fix pattern
Prisma Cloud SBOM tar.gz extraction security enhancements
Added archive format validation before extraction to prevent corrupted file processing
Implemented resource consumption limits (1GB file size, 10,000 member count) for zip bomb protection
Enhanced path traversal protection with comprehensive validation
Added symbolic and hard link filtering to prevent symlink attacks
Python 3.12+ data filter support with fallback for older versions
Refactored extraction logic into focused helper functions reducing cognitive complexity from 20 to <15
Added NOSONAR suppression for validation function with detailed security explanation
Fixed CI/CD flow issue
Increased batch sizes from 100 to 1000 for assets, issues, and vulnerabilities for improved sync performance
Removed http.client dependency from eMASS client configuration to eliminate CVE-2025-13836 association
PDF text extraction now uses pypdfium2 (Chrome PDFium engine) for improved performance and reliability
Trivy, Grype, OpenText, Snyk, and Veracode scanner commands now use and options instead of and (breaking change)
Airflow DAGs for Trivy and Grype updated to use and parameters
S3 access for scanner integrations now supports config credentials (awsAccessKey, awsSecretKey, awsRegion) when AWS profile is unavailable
Code formatting migrated from black to ruff for faster formatting and linting
Build system modernized to use pyproject.toml exclusively, removing setup.py dependency
eMASS API client now uses httpx instead of urllib3 for improved performance and modern HTTP handling
QRadar API client migrated from requests/urllib3 to httpx for improved performance and modern HTTP handling
January 13th, 2026
Resolved issue that customers have been experiencing with SSO OAuth login with EntraID and Okta related to Email, FirstName, or LastName being required in the SSO Claim.
January 11th, 2026
Updated database compatibility to remove unintended dependencies introduced in the previous release, ensuring broader support across supported SQL Server editions.
Resolved an issue where the 6.27.4.0 release introduced a hard dependency on SQL Server Enterprise Edition, restoring compatibility with supported non-Enterprise editions.
Fixed a migration failure related to the CVE column that could cause upgrade issues in the current release.
January 9th, 2026
Centralized CVE validation utility with 200 character limit enforcement
Nessus scanner now creates separate findings for each CVE when vulnerabilities have multiple CVEs
CVE field validation to accept only single CVE values (max 200 characters) on Issue and Vulnerability models
Nessus integration now properly extracts all CVEs from XML instead of only the first one
Nessus integration now correctly extracts IP addresses from scan data instead of using hostnames
Qualys integration
Total cloud key issue
TypeError on single vuln
WAS Invalid api version issue
Policy Compliance API now uses FO API v3.0 with v2.0 fallback instead of unsupported QPS REST endpoints
Asset source module visibility in names and pluginIds to prevent duplication between VMDR and Total Cloud
RegScale CLI config merge bug adding examples to dynamic dict key/value pairs
Improve Jira file upload error handling
January 8th, 2026
Qualys list_scans command to retrieve scan metadata from VMDR, WAS, Container Security, and Total Cloud modules with filtering by date range and optional JSON export
Qualys diagnostics script enhancements to include scan and report listing validation for all four main Qualys services
Prisma Cloud CSV import modernized to use Scanner Integration framework with shared models and automatic deduplication
Prisma Cloud integration now supports optional software inventory processing with --enable-software-inventory flag
Config updates to improve support and functionality
Prisma Cloud OS version parsing regex backtracking vulnerability replaced with safer lookahead assertions and explicit character classes
Config: fixed an issue where merge config would overwrite values with defaults
January 8th, 2026
Improved FedRAMP (Legacy) CIS/CRM workbook generation to dynamically build control lists
Updated eMASS POA&M export formatting to align with eMASS ingest requirements
Improved visibility and usability of export-related info icons
Updated the New Component form to default to the Basic Info tab
Improved consistency of notification messages for Security Profiles JSON exports
Resolved a timeout error when finalizing a Continuous Monitoring Plan
Fixed missing NIST 800-60 identifiers in classification data
Corrected Swagger issues caused by inconsistent API capitalization
Fixed multiple UI layout issues including dark mode visibility, button containment, and redundant columns
Restored broken functionality across Evidence, Incidents, Risks, Requirements, and Security Controls modules
Fixed errors when viewing assets, dashboards, and control implementations
Corrected validation and save errors for Control Implementations, Control Settings, and Parts
Fixed issues preventing SSP deletion when child mappings exist
Resolved import failures for profiles exported from RegScale
Corrected rich text formatting so newline characters render properly
Ensured evidence collected during scheduled assessments appears correctly in reports
Fixed multiple Questionnaire issues including grading, rule application, disappearing responses, and filter errors
Restored generation of FedRAMP OSCAL exports including SAR, SAP, and POA&M
Fixed vulnerability batch processing endpoint failures
Corrected logout errors related to session timeout handling
Fixed dashboard preview issues in Dashboard Builder
Addressed improper field editability and required field indicators across Deviation, Privacy, and Issues modules
Fixed formatting and messaging issues in importer and notification messages
December 31st, 2025
OCSF (Open Cybersecurity Schema Framework) integration support for standardized security event processing
Qualys diagnostics command for troubleshooting API integration issues in isolated environments
Tanium integration
Implements a complete Tanium integration that syncs endpoints, vulnerabilities, and compliance findings to RegScale
CLI commands: tanium test_connection, tanium sync_assets, tanium sync_findings, tanium sync_all
Qualys integration KeyError when ASSET_ID field is missing from Total Cloud data
Qualys Container Security API authentication error messages now include troubleshooting guidance
Qualys WAS API error messages now include module enablement guidance
FedRAMP import errors around owner and leveraged auth metadata.
December 22nd, 2025
Fixed an issue with Control matching for catalog CMMC
GitLab SAST JSON import to SonarCloud import