Bug fixes
- Server: Added support for OpenTofu 1.x (open-source Terraform) integration via Guardrails.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
What's new?
- New Stack [Native] > * policies.
Control Types
Policy Types
What's new?
Enhancements
- Added instance_type_pattern column as an optional qual to the aws_ec2_instance_type table. (#2301)
- Added image_digest column as an optional qual to the aws_ecr_image_scan_finding table. (#2357)
- Added created_at and updated_at columns as optional quals to the aws_securityhub_finding table. (#2298)
- Added account_password_present column to the aws_iam_account_summary table. (#2346)
- Added tags column to the aws_backup_plan table. (#2336) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the aws_rds_db_instance table to correctly return data instead of an error by ignoring the CertificateNotFound error code. (#2363)
Bug fixes
- The AWS > VPC > VPC > Flow Logging control previously attempted to destroy and recreate flow logs that use CloudWatch log groups as the destination on successive runs, due to an incorrect ARN reference to the log destination. This is now fixed, and the control no longer unnecessarily destroys and recreates flow logs in such cases.
What's new?
- encrypt_storage_account
- set_mysql_flexible_server_parameter
- set_postgres_flexible_server_configuration
- set_postgres_flexible_server_require_secure_transport
- set_sql_server_tde_key
- update_compute_disk_encryption_with_cmk
- update_compute_disk
- update_key_vault_rbac_authorization
- update_sql_server_public_network_access
- update_storage_account_blob_public_access
What's new?
- generate_iam_credential_report
Bug fixes
- The Azure > Compute > Virtual Machine Scale Set > Tags control had been updated to ensure tags were set correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This has now been addressed, and the control updates tags correctly and reliably for all types of Scale Sets.
What's new?
- Events can now be excluded from processing by the Azure > Turbot > Event Poller. To get started, set the Azure > Turbot > Event Poller > Excluded Events policy.
Policy Types
What's new?
- The AWS > SQS > Queue > Encryption at Rest policy now supports SQS-managed server-side encryption (SQS SSE). To get started, set the policy to one of the following values: Check: SQS SSE, Check: SQS SSE or higher, Enforce: SQS SSE or Enforce: SQS SSE or higher.
What's new?
- New Kubernetes > Cluster > Approved > * policies.
Control Types
Policy Types
Bug fixes
- The Azure > App Service > Function App > HTTPS Only control would sometimes fail to enable the setting in Azure. This is now fixed.
Bug fixes
- The GCP > Compute Engine > Instance > Serial Port Access and GCP > Compute Engine > Instance > Block Project Wide SSH Keys controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed, and the controls now work as expected.
Bug fixes
- Fixed an issue that occurred when the Azure > Network > Network Security Group > Ingress Rules > Approved policy was set to Enforce: Delete unapproved.
Bug fixes
- The createTimestamp for Web Apps and Function Apps was set incorrectly when processing update events for these resources. The internal logic has been updated to ensure the createTimestamp is now set correctly and more reliably than before.
Bug fixes
- Some disks were missing createdBy details in their metadata. The internal logic has been updated to ensure createdBy details are added more reliably for these disks.
Bug fixes
- The GCP > IAM > Service Account Key > Active control has been updated to use validAfterTime instead of metadata.createTimestamp to accurately evaluate the age of the resource.
What's new?
- New AWS > RDS > DB Cluster > Approved > Encryption at Rest > * policies.
Policy Types
What's new?
- Added support for checking whether each Budget is On Target. To get started, set the AWS > Account > Budget > Enabled policy to Check: Budget > State is On Target.
Bug fixes
- The AWS > VPC > Route > CMDB control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.
Bug fixes
- createdBy details for storage accounts were sometimes not stored due to mishandled real-time update events. This has been fixed, and createdBy details are now stored more reliably and consistently than before.
- An issue prevented createTimestamp details from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This has been resolved, and createTimestamp details are now stored correctly and reliably.
What's new?
Enhancements
- Added error, is_public, resource_owner_account and resource_type optional quals for the aws_accessanalyzer_finding table. (#2331) (Thanks @dbermuehler for the contribution!)
- Updated the aws_s3_object table to use the HeadObject API to retrieve object metadata. (#2312) (Thanks @JonMerlevede for the contribution!)
Bug fixes
- Fixed the aws_s3_bucket table to correctly return data by ignoring the not found error in the getBucketTagging and getBucketWebsite hydrate functions. (#2335)
Bug fixes
- Fixed an issue where .cache clear was not clearing the cache. (#4443)
What's new?
- Added the NYDFS 23 benchmark (powerpipe benchmark run aws_compliance.benchmark.nydfs_23). (#844)
What's new?
- Resources now store createdBy details in Guardrails CMDB.
Bug fixes
- The AWS > VPC > VPC > Flow Logging control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed, and the stack control now updates such resources correctly, as expected.
What's new?
- Added support for setting the Maximum Aggregation Interval in the AWS > VPC > VPC > Flow Logging control. To get started, set the AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval policy and/or the AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval policy.
Policy Types
Enhancements
- Added multi_region and multi_region_configuration columns to the aws_kms_key table. (#2338) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the number and date filters in the aws_inspector2_finding table to correctly support the (<= or >=) operators. (#2332) (Thanks @dbermuehler for the contribution!)
Bug fixes
- Fixed the trigger_parameters column of the circleci_pipeline table to correctly return data instead of a JSON unmarshalling error. (#53)
What's new?
Enhancements
- Added labels and tags columns to the gcp_compute_global_forwarding_rule table. (#678) (Thanks @pdecat for the contribution!)
- Added database_installed_version and maintenance_version columns to the gcp_sql_database_instance table. (#677) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the gcp_compute_instance_group table to correctly return data for the instances column of regional instance groups. (#670) (Thanks @pdecat for the contribution!)
- Fixed the kubernetes_node_pool table to correctly return data instead of an error for node pools with auto-pilot disabled. (#668) (Thanks @multani for the contribution!)
What's new?
Enhancements
- Added firewall_rules column to the azure_postgresql_flexible_server table. (#852)
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
- Controls that previously targeted the AWS > IAM > Credential Report resource type have now been updated to target either the AWS > IAM > Root or the AWS > IAM > User resource type, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.
What's new?
- Added the CIS v3.0.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v300). (#282)
Bug fixes
- Fixed the elb_application_lb_waf_enabled query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840)
- Fixed the cloudfront_distribution_custom_origins_encryption_in_transit_enabled query to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!)
- Fixed the where clause of the cloudfront_distribution_use_secure_cipher query to correctly check whether the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)
Bug fixes
- The Azure > Security Center > Security Center > Auto Provisioning control is now deprecated and will move to an Invalid state if enforcements are applied. This follows the deprecation plan announced by Azure. The control will be removed in a future mod version.
Control Types
Renamed
Policy Types
Renamed
Action Types
Removed
All Pipes workspaces are now running Steampipe v1.0.0.
For more information on this Steampipe release, see the launch post or check out the release notes.
All Pipes workspaces are now running Powerpipe v1.0.0.
For more information on this Powerpipe release, see the launch post or check out the release notes.
With a web UI, point-and-click mod installation, and easy integration with Slack and GitHub, Pipes takes workflows-as-code to the next level.
For more information, see the launch post or check out the docs.
All the components of Turbot's open source suite are now fully integrated into Pipes.
For more information, see the launch post or check out the docs.
Bug fixes
- Updated the *.ppvars.example files across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:
  - steampipe-mod-alicloud-compliance
  - steampipe-mod-aws-perimeter
  - steampipe-mod-aws-tags
  - steampipe-mod-aws-thrifty
  - steampipe-mod-aws-top-10
  - steampipe-mod-azure-compliance
  - steampipe-mod-azure-tags
  - steampipe-mod-azure-thrifty
  - steampipe-mod-digitalocean-thrifty
  - steampipe-mod-docker-compliance
  - steampipe-mod-gcp-compliance
  - steampipe-mod-gcp-labels
  - steampipe-mod-gcp-thrifty
  - steampipe-mod-github-compliance
  - steampipe-mod-kubernetes-compliance
  - steampipe-mod-microsoft365-compliance
  - steampipe-mod-net-insights
  - steampipe-mod-oci-compliance
  - steampipe-mod-oci-thrifty
  - steampipe-mod-snowflake-compliance
  - steampipe-mod-terraform-aws-compliance
  - steampipe-mod-terraform-azure-compliance
  - steampipe-mod-terraform-gcp-compliance
  - steampipe-mod-terraform-oci-compliance
Bug fixes
- Fixed an issue affecting --output json. (#594)
- Execution that hits the max_concurrency limit is now automatically paused and will successfully resume. (#957)
- form_url is now sanitized.
What's new?
- Added the CIS v4.0.0 benchmark (steampipe check benchmark.cis_v400). (#836)
- Added the ebs_encryption_by_default_enabled and vpc_security_group_restrict_ingress_cifs_port_all controls to the All Controls benchmark. (#835)
Enhancements
- Added the ebs_encryption_by_default_enabled control to the rbi_cyber_security_annex_i_1_3 benchmark. (#835)
- Marked python3.8 as a deprecated Lambda runtime in the lambda_function_use_latest_runtime control. (#833) (Thanks to @sbldevnet for the contribution!)
- Updated the iam_access_analyzer_enabled_without_findings and ssm_document_prohibit_public_access controls to use the latest columns and tables from the AWS plugin. (#835)
Bug fixes
- Fixed the fedramp_moderate_rev_4_sc_28 benchmark to check whether EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
Deprecated
- Deprecated the ec2_ebs_default_encryption_enabled control and query. Please use the ebs_encryption_by_default control and query instead.
Bug fixes
- Added back the verification_token column to the aws_ses_domain_identity table, which was accidentally removed in v1.0.0.
Bug fixes
- The Azure > Security Center > Security Center > CMDB control would go into an error state if it could not fetch policy assignment details correctly. This has now been fixed.
We're excited to announce the v1.0.0 release of 43 Powerpipe mods!
These mods now require Powerpipe. Steampipe users should check the migration guide.
What's new?
- Added the connection resource to manage credentials. Documentation.
- A database property has been added to mod. A database can be a connection reference, connection string, or Pipes workspace to query.
Deprecations
- The database CLI arg. See Setting the Database for the new syntax to set the database.
- The POWERPIPE_DATABASE env var. See Setting the Database for the new syntax to set the database.
- The database workspace profile arg. See Setting the Database for the new syntax to set the database.
Breaking changes
The mod functionality, which was previously deprecated and moved to Powerpipe, has been removed in this version.
- Removed the check, dashboard, mod, and variable commands. (#4413)
- Removed the watch and mod-location CLI args from the query command. (#4417)
- Removed the dashboard, dashboard-listen, and dashboard-port CLI args from the service command. (#4418)
- Removed the STEAMPIPE_MOD_LOCATION and STEAMPIPE_INTROSPECTION env vars. (#4419)
- Removed the STEAMPIPE_CLOUD_HOST and STEAMPIPE_CLOUD_TOKEN env vars. (#4420)
- Removed the watch, introspection, and mod-location workspace profile args. (#4421)
- Removed the check and dashboard options from workspace profiles. (#4422)
- Removed the dashboard option from global options (default.spc). (#4423)
We're excited to announce the v1.0.0 release of all 76 Flowpipe mods, including 29 Library mods, 6 Standard mods, and 41 Sample mods!
Breaking changes
- In .fpc files, the credential and credential_import resources have been renamed to connection and connection_import respectively.
- Variable and param types have changed:
  - approvers: list(string) to list(notifier)
  - database: string to connection.steampipe
  - notifier: string to notifier
- Renamed the cred param to conn and updated its type from string to conn.
What's new?
- Added the connection resource to manage credentials. Documentation.
- Added connection and notifier types for variables and params. (#871)
- Added enum validation for variables and params.
Deprecation
- credential and credential_import are deprecated and will be replaced with connection and connection_import.
We’re excited to announce the v1.0.0 release of 116 Steampipe plugins!
While there are no significant changes in the new plugin versions, this release aligns with Steampipe's v1.0.0 launch. The plugins now adhere to semantic versioning, ensuring backward compatibility within each major version.
What's new?
- KeyVault > Vault
  - Added: enableSoftDelete, publicNetworkAccess, enableRbacAuthorization
- KeyVault > Key
  - Added: hsmPlatform
  - Removed: key.e, key.n
- KeyVault > Secret
  - Modified: the ID property no longer contains the secret version.
  - Removed: expires, updated, created
Bug fixes
- The Azure > Key Vault > Key > CMDB control would go into an error state while fetching key rotation policy details for managed keys. The control no longer attempts to fetch key rotation policy details for such keys and works as expected.
What's new?
- Server: Added the Activity Retention feature for the Smart Retention control to enhance version and data management.
Bug fixes
- Server: Fixed an issue where the Notify or Ignore keywords were missing in the notification rules.
- UI: The + button for adding permissions now correctly applies the appropriate attributes.
Requirements
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
- Added the Turbot > Smart Retention control to enhance version and data management.
Requirements
What's new?
- Added support for checking the minimum TLS version of MySQL Flexible Servers. To get started, set the Azure > MySQL > Flexible Server > Set Minimum TLS Version policy to Check: TLS 1.2 or higher.
What's new?
- Azure > Management Group
  - Modified: the type property is now type: Microsoft.Management/managementGroups; earlier it was /providers/Microsoft.Management/managementGroups.
What's new?
Renamed:
- transparentDataEncryption.status to transparentDataEncryption.state
- databaseThreatDetectionPolicy to databaseSecurityAlertPolicy
Added:
- Azure SQL > Server
  - administrators
  - blockisManagedIdentityInUse
  - autoRotationEnabled
  - externalGovernanceStatus
  - minimalTlsVersion
  - privateEndpointConnections
  - publicNetworkAccess
  - restrictOutboundNetworkAccess
  - serverAzureADAdministrator.azureADOnlyAuthentication
- Azure SQL > Database
  - availabilityZone
  - currentBackupStorageRedundancy
  - databaseSecurityAlertPolicy.creationTime
  - transparentDataEncryption.location
  - isInfraEncryptionEnabled
  - isLedgerOn
  - maintenanceConfigurationId
  - requestedBackupStorageRedundancy
- Azure SQL > ElasticPool
  - maintenanceConfigurationId
Modified:
- serverAzureADAdministrator.name has been changed from string (activeDirectory) to string (ActiveDirectory).
- databaseThreatDetectionPolicy.disabledAlerts has been changed from string ("") to object ([]).
- databaseThreatDetectionPolicy.emailAddresses has been changed from string ("") to object ([]).
- databaseThreatDetectionPolicy.emailAccountAdmins has been changed from string (Disabled/Enabled) to boolean (false/true).
- disabledAlerts has been changed from string ("") to object ([]).
Removed:
- databaseThreatDetectionPolicy.useServerDefault
What's new?
- Network > NetworkInterface
  - Added: auxiliaryMode, auxiliarySku, kind, disableTcpStateTracking
- Network > PrivateDNSZone
  - Added: internalId
- Network > VirtualNetworkGateway
  - Added: allowVirtualWanTraffic, allowRemoteVnetTraffic
  - Modified: the activeActive property is now active
What's new?
- Added: tags, kind
What's new?
- Removed: clientSecretUrl
What's new?
- Added: createMode
Bug fixes
- The AWS > Account > Budget > Budget control would enter an error state for US GovCloud accounts because the budget APIs are not supported for these accounts. The control has been updated to avoid making these API calls and instead rely on the AWS > Account > Budget > State policy being updated periodically, allowing the control to evaluate the outcome correctly.
What's new?
- New GCP > Project > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New Azure > Subscription > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > Account > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- Removed: tTL
What's new?
- Added: createdBy, updatedBy, systemData, createdDateTime
What's new?
- Added: softDeletePolicy, azureADAuthenticationAsArmPolicy
What's new?
- New GCP > Global Region > ServiceNow > Relationships > *, GCP > Multi-Region > ServiceNow > Relationships > *, GCP > Region > ServiceNow > Relationships > * and GCP > Zone > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New GCP > Storage > Bucket > ServiceNow > Relationships > * and GCP > Storage > Object > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New Azure > Resource Group > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New Azure > Storage > Container > ServiceNow > Relationships > *, Azure > Storage > File Share > ServiceNow > Relationships > *, Azure > Storage > Queue > ServiceNow > Relationships > * and Azure > Storage > Storage Account > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > VPC > Elastic IP > ServiceNow > Relationships > *, AWS > VPC > Internet Gateway > ServiceNow > Relationships > * and AWS > VPC > NAT Gateway > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > EC2 > AMI > ServiceNow > Relationships > *, AWS > EC2 > Instance > ServiceNow > Relationships > *, AWS > EC2 > Key Pair > ServiceNow > Relationships > *, AWS > EC2 > Network Interface > ServiceNow > Relationships > *, AWS > EC2 > Snapshot > ServiceNow > Relationships > * and AWS > EC2 > Volume > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > VPC > Flow Log > ServiceNow > Relationships > *, AWS > VPC > Network ACL > ServiceNow > Relationships > *, AWS > VPC > Security Group > ServiceNow > Relationships > * and AWS > VPC > Security Group Rule > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > VPC > Route Table > ServiceNow > Relationships > *, AWS > VPC > Subnet > ServiceNow > Relationships > * and AWS > VPC > VPC > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- New AWS > S3 > Bucket > ServiceNow > Relationships > * policies.
Control Types
Policy Types
What's new?
- AWS/Billing/Admin, AWS/Billing/Metadata and AWS/Billing/Operator now also include purchase orders permissions.
What's new?
Added:
- Azure > Compute > Disk
  - supportedCapabilities.diskControllerTypes
  - diskIopsReadWrite
  - lastOwnershipUpdateTime
- Azure > Compute > Virtual Machine
  - resources
  - timeCreated
  - etag
- Azure > Compute > Virtual Machine Scale Set
  - constrainedMaximumCapacity
  - etag
  - scaleInPolicy
  - timeCreated
  - upgradePolicy
  - storageProfile.diskControllerType
- Azure > Compute > Snapshot
  - dataAccessAuthMode
  - incrementalSnapshotFamilyId
Removed:
- Azure > Compute > Virtual Machine
  - statuses.time
What's new?
Added:
- Azure > App Service > App Service Plan
  - elasticScaleEnabled
  - numberOfWorkers
  - zoneRedundant
- Azure > App Service > Function App
  - configuration.acrUseManagedIdentityCreds
  - configuration.acrUserManagedIdentityID
  - configuration.elasticWebAppScaleLimit
  - configuration.ipSecurityRestrictionsDefaultAction
  - configuration.metadata
  - configuration.minTlsCipherSuite
  - configuration.scmIpSecurityRestrictionsDefaultAction
  - dnsConfiguration
  - publicNetworkAccess
  - vnetBackupRestoreEnabled
  - vnetContentShareEnabled
  - vnetImagePullEnabled
  - vnetRouteAllEnabled
- Azure > App Service > Web App
  - configuration.acrUseManagedIdentityCreds
  - configuration.acrUserManagedIdentityID
  - configuration.elasticWebAppScaleLimit
  - configuration.ipSecurityRestrictionsDefaultAction
  - configuration.metadata
  - configuration.minTlsCipherSuite
  - configuration.scmIpSecurityRestrictionsDefaultAction
  - dnsConfiguration
  - publicNetworkAccess
  - vnetBackupRestoreEnabled
  - vnetContentShareEnabled
  - vnetImagePullEnabled
  - vnetRouteAllEnabled
What's new?
Renamed:
- JitNetworkAccessPolicies to jitNetworkAccessPolicies
- Pricing to pricing
- Locations to locations
What's new?
Added:
- frontdoorId
- rulesEngines
- extendedProperties
- backendPoolsSettings
- backendPool.privateLinkAlias
- backendPool.privateLinkLocation
- backendPool.privateEndpointStatus
- backendPool.privateLinkResourceId
- backendPool.privateLinkApprovalMessage
- routingRule.rulesEngine
- routingRule.routeConfiguration.odataType
- routingRule.routeConfiguration.cacheConfiguration.cacheDuration
- routingRule.routeConfiguration.cacheConfiguration.queryParameters
- routingRule.webApplicationFirewallPolicyLink
Modified:
- routingRule.backendPool to routingRule.routeConfiguration.backendPool
- routingRule.forwardingProtocol to routingRule.routeConfiguration.forwardingProtocol
- routingRule.customForwardingPath to routingRule.routeConfiguration.customForwardingPath
- routingRule.cacheConfiguration.dynamicCompression to routingRule.routeConfiguration.cacheConfiguration.dynamicCompression
- routingRule.cacheConfiguration.queryParameterStripDirective to routingRule.routeConfiguration.cacheConfiguration.queryParameterStripDirective
What's new?
Added:
- networkProfile.podCidrs
- networkProfile.ipFamilies
- networkProfile.outboundType
- networkProfile.serviceCidrs
- networkProfile.networkPolicy
- networkProfile.loadBalancerProfile.backendPoolType
- networkProfile.loadBalancerProfile.countIPv6
- networkProfile.loadBalancerProfile.idleTimeoutInMinutes
- networkProfile.loadBalancerProfile.allocatedOutboundPorts
- agentPoolProfiles.mode
- agentPoolProfiles.osSKU
- agentPoolProfiles.enableFips
- agentPoolProfiles.osDiskType
- agentPoolProfiles.spotMaxPrice
- agentPoolProfiles.scaleDownMode
- agentPoolProfiles.enableUltraSSD
- agentPoolProfiles.kubeletDiskType
- agentPoolProfiles.upgradeSettings.maxSurge
- agentPoolProfiles.nodeImageVersion
- agentPoolProfiles.enableEncryptionAtHost
- agentPoolProfiles.currentOrchestratorVersion
What's new?
Added:
- hostNamePrefix
- serverless.connectionTimeoutInSeconds
What's new?
Added:
- Azure > Service Bus > Namespace
  - disableLocalAuth
  - status
  - zoneRedundant
- Azure > Service Bus > Queue
  - maxMessageSizeInKilobytes
- Azure > Service Bus > Topic
  - maxMessageSizeInKilobytes
What's new?
Added:
- Azure > Recovery Service > Vault
  - properties.backupStorageVersion
  - properties.bcdrSecurityLevel
  - properties.publicNetworkAccess
  - properties.restoreSettings
  - properties.secureScore
  - properties.securitySettings
Bug fixes
- The AWS > RoboMaker > Robot Application > CMDB, AWS > RoboMaker > Fleet > CMDB and AWS > RoboMaker > Robot > CMDB policies are now set to Skip by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.
What's new?
- New AWS > ECS > Account Settings > Fargate FIPS Mode policy.
- The Approved > Usage policy for resource types now defaults to Approved instead of Approved if AWS > {service} > Enabled.
Resource Types
Control Types
Policy Types
Action Types
What's new?
- UI: Added a + sign to grant permissions in the context of both the identity and the resource.
Bug fixes
Requirements
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
Enhancements
- Added blocks to the post_message pipeline. (#24) (Thanks @johnlayton for the contribution!)
Bug fixes
- resource/turbot_policy_pack_attachment: terraform apply failed to detect existing Policy Pack attachments. (#181)
What's new?
- Added: flowType, requestSource
What's new?
- Added an option to specify whether the AWS/User grant should include support:* permissions. To get started, set the AWS > Account > Permissions > Support Level policy.
Policy Types
Bug fixes
- The AWS > Turbot > IAM stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account] policy was set and users were granted permissions for those custom IAM groups. This has now been fixed.
Bug fixes
- The AWS > EC2 > Volume > CMDB control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.
Bug fixes
- The Kubernetes > Cluster > CMDB > Expiration policy was inadvertently added as a precheck condition to the Kubernetes > Cluster > CMDB control. This precheck condition has now been removed.
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
- Fixed the rules column in the okta_signon_policy, okta_password_policy, okta_idp_discovery_policy and okta_authentication_policy tables to correctly return data instead of null. (#145)
Dependencies
- Recompiled plugin with Go version 1.22. (#146)
All Pipes workspaces are now running Steampipe v0.24.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
- Fixed an issue with Enforce: Enabled for the service.
What's new?
Added:
- authOptions
- disableLocalAuth
- encryptionWithCmk
- networkRuleSet
- privateEndpointConnections
- publicNetworkAccess
- semanticSearch
- sharedPrivateLinkResources
Enhancements
- Recompiled plugin with the netgo package.
- Added the version flag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with Go version 1.22. (#43)
What's new?
Added:
- Azure > Synapse Analytics > Workspace
  - azureADOnlyAuthentication
  - createManagedPrivateEndpoint
  - encryption
  - extraProperties
  - publicNetworkAccess
  - settings
  - trustedServiceBypassEnabled
  - workspaceUID
- Azure > Synapse Analytics > SQL Pool
  - storageAccountType
What's new?
Added:
- authConfig
- dataEncryption
- standbyAvailabilityZone
- network.delegatedSubnetResourceId
- network.privateDnsZoneArmResourceId
- replicaCapacity
- replicationRole
- systemData
- configurations.documentationLink
- configurations.isConfigPendingRestart
- configurations.isDynamicConfig
- configurations.isReadOnly
- configurations.unit
Modified:
- firewallRules has been changed from array ([]) to object ({}).
Dependencies
- Recompiled plugin with Go version 1.22. (#450)
What's new?
Enhancements
- Added connection_info column to the gcp_alloydb_instance table. (#651)
Bug fixes
- Removed the name column from the gcp_bigquery_table table since the API response did not include this field. (#648)
Dependencies
- Recompiled plugin with Go version 1.22. (#635)
Bug fixes
- Fixed an issue with the steampipe -v command. (#4388)
Bug fixes
- The trigger introspection output now correctly shows the param attribute. (#900)
Bug fixes
- The serviceProperties.table.clientRequestId and serviceProperties.table.requestId properties for storage accounts have now been made dynamic to avoid unnecessary notifications in the activity tab.
What's new?
- The query JSON output now includes a columns property containing the column information. This allows duplicate column names to be handled by appending a unique suffix to each duplicate column name. (#4317)

Existing query JSON format:

$ steampipe query "select account_id, arn from aws_account" --output json
{
  "rows": [
    {
      "account_id": "123456789012",
      "arn": "arn:aws:::123456789012"
    }
  ]
}

New query JSON format (with the new columns property):

$ steampipe query "select account_id, arn from aws_account" --output json
{
  "columns": [
    { "name": "account_id", "data_type": "text" },
    { "name": "arn", "data_type": "text" }
  ],
  "rows": [
    {
      "account_id": "123456789012",
      "arn": "arn:aws:::123456789012"
    }
  ]
}
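The new columns property matters to anything that consumes steampipe query --output json programmatically: with only row objects to go on, a consumer has no declared column order, no data types, and silently loses one of two same-named columns, because a JSON object cannot carry duplicate keys. The following Python is an added example, not Steampipe's own code. It reads either format, uses the columns list (when present) for column order and data types, and rejects output whose rows reference undeclared columns. The two sample documents are constructed from the changelog example above; the account id and ARN are placeholders.

```python
import json

# Constructed samples modelled on the changelog example above. The account id
# and ARN are placeholders, not real resources.
LEGACY_OUTPUT = """{
  "rows": [
    {"account_id": "123456789012", "arn": "arn:aws:::123456789012"}
  ]
}"""

COLUMNS_OUTPUT = """{
  "columns": [
    {"name": "account_id", "data_type": "text"},
    {"name": "arn", "data_type": "text"}
  ],
  "rows": [
    {"account_id": "123456789012", "arn": "arn:aws:::123456789012"}
  ]
}"""


def parse_query_output(raw):
    """Parse `steampipe query --output json` output in either format.

    Returns a dict with three keys:
      format   "columns" when the top-level columns property is present,
               "legacy" otherwise
      columns  ordered list of (name, data_type) tuples; data_type is None
               for legacy output, which carries no type information
      rows     the row objects exactly as emitted

    Raises ValueError if the columns list declares a name twice or a row
    contains a column that was not declared.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not isinstance(doc.get("rows"), list):
        raise ValueError("not a steampipe query result: missing 'rows' list")
    rows = doc["rows"]
    declared = doc.get("columns")

    if declared is None:
        # Legacy output: the row keys are the only source of column names.
        # json.loads keeps the last value for a repeated key, so a query such
        # as `select a.name, b.name ...` has already lost a column by the
        # time it reaches us; the columns list exists to fix exactly that.
        names = list(rows[0].keys()) if rows else []
        return {"format": "legacy",
                "columns": [(n, None) for n in names],
                "rows": rows}

    columns = [(c["name"], c["data_type"]) for c in declared]
    names = [n for n, _ in columns]
    if len(names) != len(set(names)):
        raise ValueError("columns list declares the same name more than once")
    known = set(names)
    for i, row in enumerate(rows):
        unknown = set(row) - known
        if unknown:
            raise ValueError(f"row {i} has undeclared columns: {sorted(unknown)}")
    return {"format": "columns", "columns": columns, "rows": rows}


def rows_as_tuples(raw):
    """Return the rows as tuples in declared column order.

    This is what a CSV writer or a fixed-schema sink needs; with the legacy
    format the only order available is the order the row keys arrived in.
    Columns missing from a row (NULL in SQL terms) come through as None.
    """
    parsed = parse_query_output(raw)
    names = [n for n, _ in parsed["columns"]]
    return [tuple(row.get(n) for n in names) for row in parsed["rows"]]


def is_consistent(raw):
    """True when the document parses and its rows match the declared columns."""
    try:
        parse_query_output(raw)
    except (ValueError, KeyError, TypeError):
        # json.JSONDecodeError is a ValueError subclass, so bad JSON lands here too.
        return False
    return True


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_OUTPUT), ("columns", COLUMNS_OUTPUT)):
        parsed = parse_query_output(sample)
        print(label, parsed["format"], parsed["columns"], rows_as_tuples(sample))
```

The consistency check is deliberately strict: a row carrying a column the header did not declare means the producer and consumer disagree about the schema, which is exactly the situation a downstream pipeline should fail on rather than paper over.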
What's new?
- Added the tags argument in pipeline param and mod variable resources. (#898)
- Updated the Docker dependency to v27.1.2.
What's new?
Policy Types
Bug fixes
- Fixed an issue with osquery error events.
Bug fixes
- Fixed an issue with the osquery agent.
What's new?
Enhancements
- Added time_created column to the azure_compute_virtual_machine table. (#831)
- Added ip_configuration, linked_public_ip_address, nat_gateway and service_public_ip_address columns to the azure_public_ip table. (#836)
- Updates to the azure_postgresql_flexible_server table. (#824)
Bug fixes
- Fixed the ip_configurations column of the azure_subnet table to correctly return data instead of null. (#822)
- Fixed the web_application_firewall_configuration column of the azure_application_gateway table to correctly return data instead of null. (#835)
Dependencies
- Recompiled plugin with Go version 1.22. (#832)
- Updated the azure_mysql_flexible_server and azure_postgresql_flexible_server tables to use the new Azure ARM Go package. (#820)
What's new?
Enhancements
- Updated the aws_ec2_ami table to correctly return disabled AMIs when passing the disabled value to the state optional qual (where state = 'disabled'). (#2277)
- Updated to AWS Go SDK v2 1.27.0. (#2139)
Dependencies
- Recompiled plugin with Go version 1.22. (#2283)
Bug fixes
- The source attribute in a function step is now evaluated relative to its own mod directory rather than the root mod directory. (#895)
What's new?
- Added the ACSC Essential Eight benchmark (powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)
Bug fixes
modifyVolume event for EBS Volume Notifications. This issue is now fixed.
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
createdBy details in Guardrails CMDB.
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
AWS > EC2 > Volume > Performance Configuration control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > * policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
Bug fixes
Enforce: Enabled for the service.
Bug fixes
Enforce: Enabled for the service.
Bug fixes
Enforce: Enabled for the service.
Enhancements
VPC Security Group detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)
Amazon MQ broker
ECS service
ECS task
GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.
For more information, check out the docs.
What's new?
Azure > Storage > Storage Account > CMDB control will now also fetch diagnostic settings details and store them in CMDB.
Resource Types
Control Types
Policy Types
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
What's new?
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017. (#181)
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Control Types
Policy Types
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.
What's new?
AWS > RDS > DB Cluster > Parameter Group > * policies.
Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
Enforce: Enabled for the service.
Enhancements
base_tag_rules variable. (#18)
Enhancements
base_tag_rules variable. (#28)
Bug fixes
Bug fixes
Server
UI
Import button on the Connect page has been updated to Connect.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config policies respectively.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Control Types
Policy Types
Action Types
What's new?
Bug fixes
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on the HeadBucket operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now skip all sub-API calls if the HeadBucket operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.
Bug fixes
pipeline param no longer fails with a mismatched types error. (#879).
What's new?
Resource Types
Control Types
Policy Types
Action Types
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
AWS > VPC > VPC > Stack control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.
Bug fixes
Enforce: Enabled for the service.
What's new?
rds-ca-rsa4096-g1.
Resource Types
Control Types
Policy Types
Action Types
What's new?
AWS > Turbot > Logging > Bucket > Default Encryption policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket stack control will now be encrypted by AWS SSE by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3 mod to v5.26.0 for the stack control to work reliably as before.
Policy Types
Renamed
What's new?
aws_s3_bucket_ownership_controls Terraform resource for buckets.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
AWS > Config > Configuration Recording stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.
Policy Types
What's new?
What's new?
Enhancements
euuid column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)
netgo package. (#60)
version flag to the plugin's Export tool. (#65)
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#55)
What's new?
GCP > Turbot > Event Handlers > Pub/Sub control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels policy.
Policy Types
Bug fixes
ec2:RevokeSecurityGroupEgress and ec2:RevokeSecurityGroupIngress events. This issue is now fixed.
Bug fixes
AWS > Turbot > Event Handlers control did not correctly raise the real-time CreateTags and DeleteTags events for VPC security group rules. This issue is now fixed.
Enhancements
Reader and Data Access role assignment information to the docs/index.md file. (#811)
Bug fixes
azure_compute_virtual_machine table to correctly populate the guest_configuration_assignments column across all Azure environments. (#816)
azure_role_assignment table to correctly return the result while using any mode of plugin authentication. (#809)
azure_monitor_activity_log_event table. (#810)
Enhancements
location_type column as an optional qual to the aws_ec2_instance_availability table and 6 new columns to the aws_ec2_instance_type table. (#2078)
aws_appautoscaling_policy and aws_appautoscaling_target tables to add information on required quals. (#2247)
type column as an optional qual to the aws_auditmanager_control table. (#2254)
Bug fixes
GetConfig definition of the aws_auditmanager_control table to correctly return data instead of an error. (#2254)
aws_kms_key_rotation table to correctly return nil whenever an AccessDeniedException error is returned by the API. (#2253)
What's new?
GCP > Network > Subnetwork > Flow Log policy.
Control Types
Policy Types
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
variable command no longer fails if the .flowpipe directory in the user's home directory is not created yet. (#872).
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
GCP > IAM > Service Account > Active or GCP > IAM > Service Account > Approved policy to Enforce: Disable inactive with <x> days warning or Enforce: Disable unapproved respectively.
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Bug fixes
AWS > ECR > Repository > CMDB control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.
Bug fixes
ec2:CreateReplaceRootVolumeTask for instances. This is now fixed.
Enhancements
All Controls benchmark: (#176)
alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
alloydb_instance_log_min_error_statement_database_flag_configured
alloydb_instance_log_min_messages_database_flag_error
Enhancements
All Controls benchmark: (#274)
application_gateway_waf_uses_specified_mode
application_insights_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_log_ingestion_and_querying_from_public
log_analytics_workspace_block_non_azure_ingestion
Bug fixes
storage_account_block_public_access query to correctly check whether the public_network_access column of the azure_storage_account table is set to disabled, as per the CIS documentation. (#277)
v0.14.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
resources/pipes_workspace_connection moved to manage connections at the workspace level. Previously, the resource used to manage attachment of connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model.
resources/pipes_connection does not support management of user level connections in line with changes in Pipes.
What's new?
pipes_organization_connection
pipes_organization_connection_folder
pipes_organization_connection_folder_permission
pipes_organization_connection_permission
pipes_organization_integration
pipes_tenant_connection
pipes_tenant_connection_folder
pipes_tenant_connection_folder_permission
pipes_tenant_connection_permission
pipes_tenant_integration
pipes_user_integration
pipes_workspace_connection_folder
pipes_workspace_schema
Enhancements
resources/pipes_workspace_mod add support for storing attribute state_reason
v0.10.0 of the Pipes SDK Go is now available.
What's new?
Tenants, Users, Organizations, UserWorkspaces and OrgWorkspaces.
Connections and ConnectionFolders.
Enhancements
What's new?
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Resource Group > ServiceNow > Configuration Item control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.
Bug fixes
Bug fixes
Bug fixes
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
What's new?
What's new?
AWS/DynamoDB/Admin, AWS/DynamoDB/Metadata and AWS/DynamoDB/Operator now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.
Breaking changes
gcp_cloudfunctions_function table to align with the new API response structure: (#612)
environment_variables
source_upload_url
version_id
What's new?
impersonate_access_token config argument to support plugin authentication by using a pre-generated temporary access token. (#621)
Enhancements
gcp_cloudfunctions_function table. (#612)
Bug fixes
SecretManager service client creation. (#624)
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Table logging for Storage Accounts via Azure > Storage > Storage Account > Table > Logging control. To get started, set the Azure > Storage > Storage Account > Table > Logging policy.
Control Types
Policy Types
Action Types
Azure > Storage > Storage Account > Update Encryption at Rest
Azure > Storage > Storage Account > Update Storage Account Table Logging
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on listKeys permission for Azure > Storage Account > Container > Discovery to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys, and will run its course to completion without going into an error state.
Bug fixes
AWS > S3 > Bucket > CMDB control if it would go into an error state due to insufficient permissions for the headBucket operation.
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.
This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.
For more information, check out the docs:
Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
What's new?
Control Types
Policy Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
AWS > S3 > Bucket > CMDB control would go into an error state if Guardrails did not have permissions to call the headBucket operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB policy to Enforce: Enabled but ignore permission errors.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > App Service > Web App > Client Certificate Mode control, ensuring that the Client Certificate Mode is set to Require correctly. However, we missed an edge case where the control wouldn't enforce any mode other than the default setting of Ignore. We have now addressed all cases, and the control will work more reliably and consistently than before.
What's new?
flowpipe pipeline run command when running in Client mode and not using the --verbose arg.
--data-dir parameter to specify the location of the event store database. (#852).
--execution-id parameter to specify custom execution id for pipeline run. (#856).
Go version to v1.22.4.
Bug fixes
What's new?
detect and correct pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.
What's new?
env, owner.
secret, key.
cc to cost_center.
Prod to prod.
For detailed usage information and a full list of pipelines, please see GCP Labels Mod.
What's new?
detect and correct pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.
What's new?
env, owner.
secret, key.
cc to cost_center.
Prod to prod.
For detailed usage information and a full list of pipelines, please see Azure Tags Mod.
What's new?
What's new?
env, owner.
secret, key.
cc to cost_center.
Prod to prod.
For detailed usage information and a full list of pipelines, please see AWS Tags Mod.
What's new?
What's new?
Server
UI
Smart Folders are now called Policy Packs.
Policy Packs from UI.
Bug fixes
Server
UI
Policy Packs from the UI.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Sync policy value for integrating Import Sets in ServiceNow.
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
What's new?
What's new?
Bug fixes
power_state column of the azure_compute_virtual_machine table to correctly return data instead of a nil pointer dereference error. (#804)
Bug fixes
Azure > App Service > Web App > Client Certificate Mode control did not apply Enforce: Require settings correctly. This is now fixed.
What's new?
google_monitoring_alert_policy and google_monitoring_notification_channel Terraform resources.
Control Types
What's new?
google_logging_metric Terraform resource.
Control Types
Policy Types
Bug fixes
Azure > Storage > Storage Account > Queue > Logging control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.
Bug fixes
Bug fixes
Bug fixes
What's new?
insecure_skip_verify connection config argument to support bypassing the SSL/TLS certificate verification while querying the tables. (#48)
Enhancements
netgo package.
Dependencies
Bug fixes
What's new?
GCP > Compute > Instance > Shielded Instance Configuration > * policies.
Control Types
Policy Types
Action Types
What's new?
Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) control will also evaluate SQL databases for SKU Basic/Consumption.
Control Types
Policy Types
Bug fixes
Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key control did not evaluate the result correctly, as expected. This is now fixed.
The CrowdStrike plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
DOCUMENTATION:
resource/turbot_policy_pack: Added documentation for akas attribute for the resource. (#179)
What's new?
GCP > SQL > Instance > Encryption In Transit policy.
Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
What's new?
Basic to Standard for Public IP Addresses via Azure > Network > Public IP Address > Standard SKU control. To get started, set the Azure > Network > Public IP Address > Standard SKU policy.
Control Types
Policy Types
Action Types
What's new?
To get started configuring these rules through Guardrails, the following policies should be set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
What's new?
Bug fixes
GCP > Project > CMDB control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.
What's new?
GCP > SQL > Instance > Authorized Network > * policies.
GCP > SQL > Instance > Database Flags policy.
GCP > SQL > CMDB policy to Enforce: Disabled.
Control Types
Policy Types
Action Types
What's new?
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicy to serviceProperties.blob.deleteRetentionPolicy
serviceProperties.blob.DeleteRetentionPolicy.Days to serviceProperties.blob.deleteRetentionPolicy.days
serviceProperties.blob.DeleteRetentionPolicy.Enabled to serviceProperties.blob.deleteRetentionPolicy.enabled
serviceProperties.blob.StaticWebsite to serviceProperties.blob.staticWebsite
serviceProperties.blob.StaticWebsite.Enabled to serviceProperties.blob.staticWebsite.enabled
serviceProperties.blob.logging to serviceProperties.blob.blobAnalyticsLogging
serviceProperties.queue.logging to serviceProperties.queue.queueAnalyticsLogging
Added:
serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete
Modified:
serviceProperties.blob.cors has been changed from string ("") to array ([]).
serviceProperties.queue.cors has been changed from string ("") to array ([]).
Users can now enable/disable Blob logging for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > * policies.
Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption policy.
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
What's new?
Azure > App Service > Web App > Client Certificate Mode policy.
Control Types
Policy Types
Action Types
What's new?
Enhancements
domain column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120).
.spc file for max retries, request timeout, and max backoff time as required. (#112)
profile column to the okta_factor table. (#130)
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#120)
Enhancements
organization_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)
Bug fixes
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#34)
Enhancements
power_state to the azure_compute_virtual_machine_scale_set_vm table. (#800) (Thanks @pdecat for the contribution!)
Bug fixes
azure_log_alert table to correctly return values for actions, condition, description, enabled, and scopes columns instead of null. (#796)
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
GCP > BigQuery > Dataset > Encryption at Rest > * policies.
Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
Bug fixes
AWS > EC2 > Snapshot > CMDB policy was set to Enforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.
What's new?
GCP > DNS > Managed Zone > DNSSEC Configuration policy.
GCP > DNS > Policy > Logging policy.
Control Types
Policy Types
Action Types
Bug fixes
What's new?
Azure > Compute > Virtual Machine > Trusted launch policy.
Azure > Compute > Disk > Encryption at Rest > * policies.
Control Types
Policy Types
Action Types
What's new?
Azure > App Service > Web App > System Assigned Identity policy.
Control Types
Policy Types
Action Types
Bug fixes
Azure > App Service > Web App > FTPS State control failed to set the FTPS State correctly for web apps. This issue is now fixed.
What's new?
Policy Types
What's new?
Azure > Network Watcher > Flow Log > Retention Policy > * policies.
Control Types
Policy Types
Action Types
What's new?
Azure > Active Directory > Directory > CMDB control will now also fetch named locations and authorization policy details and store them in CMDB.
Bug fixes
AWS > IAM > Account Password Policy > Settings control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.
What's new?
Bug fixes
What's new?
Azure > Security Center > Security Center > CMDB control will now also fetch security settings details and store them in CMDB.
Bug fixes
Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
The default value for GCP > Storage > Bucket > ServiceNow > Import Set now shows the resource_type_uri correctly.
Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > GCP Archive and Delete Record action now supports archiving Import Set records.
Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > Azure Archive and Delete Record action now supports archiving Import Set records.
Bug fixes
ServiceNow > Application > CMDB, ServiceNow > Cost Center > CMDB & ServiceNow > User > CMDB have been updated from Enforce: Enabled to Skip.
Policy Types
Added
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.
Bug fixes
<nil> for null values instead of "". (#77)
Bug fixes
<nil> for null values instead of "". (#77)
Bug fixes
<nil> for null values instead of "". (#77)
Bug fixes
AWS > RDS > DB Instance > Approved control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > * policies.
AWS > RDS > DB Instance > Approved control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved or Enforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.
What's new?
Enhancements
aws_elasticache_cluster table. (#2224)
Bug fixes
What's new?
EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation's AWS::SNS::TopicPolicy.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
log_group_metric_* queries to minimize API usage, achieving faster performance. (#802)
What's new?
Server
UI
Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.
What's new?
Enhancements
netgo package. (#101)
version flag to the plugin's Export tool. (#65)
Bug fixes
arguments column of terraform_resource table to correctly return the type field. (#99) (#92)
Dependencies
What's new?
Enhancements
Bug fixes
Turbot > osquery > Event Handler action was not able to handle events for large payloads. This issue is now fixed.
Bug fixes
GCP > Project > CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.
All Pipes workspaces are now running Steampipe v0.23.2.
For more information on this Steampipe release, see the release notes.
All Pipes workspaces are now running Powerpipe v0.4.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Azure > Security Center > Security Center > Auto Provisioning policy.
Control Types
Policy Types
Action Types
Bug fixes
What's new?
Enhancements
aws_s3_bucket, aws_s3_bucket_intelligent_tiering_configuration, aws_s3_object and aws_s3_object_version tables to use HeadBucket API instead of GetBucketLocation to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)
create_time to aws_ec2_key_pair table. (#2196) (Thanks @kasadaamos for the contribution!)
instance_type column as an optional qual to the aws_ec2_instance_type table. (#2200)
Bug fixes
akas column in aws_health_affected_entity table to correctly return data instead of an error by handling events that do not have any ARN. (#2189)
cname and endpoint_url columns of aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2201)
aws_api_gatewayv2_* tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1 region. (#2190)
What's new?
Enhancements
login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)
netgo package. (#128)
version flag to the plugin's Export tool. (#65)
Bug fixes
jira_board table to correctly return all the data instead of partial results. (#127)
Dependencies
What's new?
Bug fixes
public_network_access_for_ingestion and the public_network_access_for_query columns of the azure_application_insight table to be of String data type instead of JSON. (#769)
azure_role_assignment table to correctly return values for principal_id and principal_type columns instead of null. (#763)
web_application_firewall_configuration column of the azure_application_gateway table to correctly return data instead of null. (#770)
What's new?
powerpipe benchmark run azure_compliance.benchmark.fedramp_high). (#270)
What's new?
What's new?
Azure > Security Center > Security Center > Defender Plan control now also supports services like Cloud Posture, Containers and Cosmos DB.
What's new?
Bug fixes
What's new?
Server
@azure/msal-node package.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
AWS > EC2 > Snapshot > CMDB policy to Enforce: Enabled for Snapshots not created with AWS Backup.
Bug fixes
AWS > Turbot > Service Roles > Source policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global] policy was enabled. This issue impacted the AWS > Turbot > Service Roles stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source policy will now work as expected.
Bug fixes
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly. This is now fixed.
What's new
Bug fixes
POWERPIPE_PORT env var was not being honoured. (#362)
duration field to duration_ms for consistency with steampipe. (#368)
The rows property in the JSON and snapshot output will now have unique column names for duplicate column names. The columns property will have the original column name as original_name.
For example, for the query:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps
Here is the updated JSON output:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json
{
  "columns": [
    { "name": "title", "data_type": "text" },
    { "name": "title_t5zj1", "data_type": "text", "original_name": "title" },
    { "name": "title_t5zj2", "data_type": "text", "original_name": "title" }
  ],
  "rows": [
    { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" },
  ],
  "metadata": { "rows_returned": 3, "duration_ms": "202ms" }
}
Here is the updated snapshot output:
{
  "schema_version": "20240130",
  "panels": {
    "custom.dashboard.sql_e5br7b82": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.dashboard.sql_e5br7b82",
      "panel_type": "dashboard",
      "source_definition": "",
      "status": "complete",
      "title": "Custom query [e5br7b82]"
    },
    "custom.table.results": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.table.results",
      "panel_type": "table",
      "source_definition": "",
      "status": "complete",
      "sql": " select arn as title, account_id as title, title as title from aws_account",
      "properties": { "name": "results" },
      "data": {
        "columns": [
          { "name": "title", "data_type": "TEXT" },
          { "name": "title_t5zj1", "data_type": "TEXT", "original_name": "title" },
          { "name": "title_t5zj2", "data_type": "TEXT", "original_name": "title" }
        ],
        "rows": [
          { "title": "arn:aws:::876515858155", "title_t5zj1": "876515858155", "title_t5zj2": "morales-aaa" },
          { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" },
          { "title": "arn:aws:::097350876455", "title_t5zj1": "097350876455", "title_t5zj2": "turbot-silverwater" }
        ]
      }
    }
  },
  "inputs": {},
  "variables": {},
  "search_path": null,
  "start_time": "2024-06-06T14:50:16.906739+01:00",
  "end_time": "2024-06-06T14:50:16.991955+01:00",
  "layout": {
    "name": "custom.dashboard.sql_e5br7b82",
    "children": [ { "name": "custom.table.results", "panel_type": "table" } ],
    "panel_type": "dashboard"
  }
}
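The renaming rule above, applied in a small Python routine so that a consumer of the JSON or snapshot output can see how duplicate names are disambiguated and how original_name preserves the name from the query. This is an added example, not Powerpipe's own code; the suffix token is an assumption (Powerpipe generates its own, such as _t5zj1), and the example also covers the case where a query already aliases a column to a name a generated suffix would produce.

```python
"""Apply the duplicate-column renaming rule of Powerpipe's JSON and snapshot
output: the first column keeps its name, later duplicates get a unique suffix
and record the query's name in ``original_name``.  Added example, not
Powerpipe's own code."""
from typing import Any

# Constructed placeholder for the token Powerpipe appends ("_t5zj1" in the
# output above); the real token is generated by Powerpipe and assumed here.
SUFFIX_TAG = "t5zj"


def unique_columns(columns: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return column descriptors whose ``name`` values are unique.

    ``columns`` is the raw list of {"name", "data_type"} entries in query
    order.  Duplicates get ``<name>_<tag><n>`` and an ``original_name`` key.
    """
    counters: dict[str, int] = {}
    taken = {c["name"] for c in columns}  # generated names must not collide
    result: list[dict[str, str]] = []
    for col in columns:
        name = col["name"]
        if name not in counters:
            counters[name] = 0
            result.append({"name": name, "data_type": col["data_type"]})
            continue
        # Later duplicate: take the next suffixed name not used by the query.
        while True:
            counters[name] += 1
            candidate = f"{name}_{SUFFIX_TAG}{counters[name]}"
            if candidate not in taken:
                break
        taken.add(candidate)
        result.append({"name": candidate, "data_type": col["data_type"],
                       "original_name": name})
    return result


def rows_as_objects(columns: list[dict[str, str]],
                    raw_rows: list[list[Any]]) -> list[dict[str, Any]]:
    """Key each positional result row by the unique column names."""
    keys = [c["name"] for c in columns]
    return [dict(zip(keys, row)) for row in raw_rows]


def query_name(column: dict[str, str]) -> str:
    """Name the column had in the query (falls back to ``name``)."""
    return column.get("original_name", column["name"])


# Constructed sample matching the query above: every column aliased "title".
SAMPLE_COLUMNS = [{"name": "title", "data_type": "text"} for _ in range(3)]
SAMPLE_ROWS = [["arn:aws:::882789663776", "882789663776", "882789663776"]]

if __name__ == "__main__":
    cols = unique_columns(SAMPLE_COLUMNS)
    for col in cols:
        print(col)
    print(rows_as_objects(cols, SAMPLE_ROWS))
```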
What's new?
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags added to the Flags attribute:
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
What's new?
Server
osquery/logger API to support payloads up to 10MB.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly. This is now fixed.
What's new?
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.
What's new?
Add support for installing mods from a branch or from the local file system. (#849)
To install from a branch:
flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#main
To reference a mod in the local file system:
flowpipe mod install ../mods/local_mod_folder
Add --pull flag to mod command to control the mod update strategy. (#849). Possible update strategies are:
- full - check branch and tags for both latest and accuracy
- latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
- development - update branches and broken constraints to latest, leave satisfied constraints unchanged
- minimal - only update broken constraints, do not check branches for new commits
Bug fixes
What's new?
powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)
Bug fixes
GCP > Turbot > Event Handlers > Logging would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer policy. This is fixed and the control will now work as expected.
Bug fixes
compute.networks.delete for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.
What's new?
Resource Types
Policy Types
What's new?
Control Types
Policy Types
Bug fixes
s3:PutBucketReplication for buckets. This is now fixed.
AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.
Enhancements
user_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)
netgo package. (#32)
version flag to the plugin's Export tool. (#65)
Bug fixes
Pipes instead of returning a 401 error. (#30)
Dependencies
The Semgrep plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Detect and Correct pipeline for DynamoDB tables with stale data. (#34)
What's new?
delete_dynamodb_table
What's new?
Enhancements
login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)
netgo package. (#219)
version flag to the plugin's Export tool. (#65)
Bug fixes
Dependencies
Bug fixes
v1.11.2 to remove unnecessary NOTICE level log messages. (#469)
What's new?
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)
Integrate your developer, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.
For more information, see the launch post or check out the docs.
Bug fixes
$logs) for storage accounts. This is now fixed.
Bug fixes
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
locals in order of dependency. (#399)
What's new?
Enhancements
What's new
Added support for installing mods from a branch or from the local file system. (#285)
To install from a branch:
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main
To reference a mod in the local file system:
powerpipe mod install ../mods/local_mod_folder
Added --pull flag to mod, dashboard and benchmark commands to control the mod update strategy. (#352). Possible update strategies are:
- full - check branch and tags for both latest and accuracy
- latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
- development - update branches and broken constraints to latest, leave satisfied constraints unchanged
- minimal - only update broken constraints, do not check branches for new commits
Bug fixes
osquery instead of Osquery.
Bug fixes
Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.
What's new?
Resource Types
Policy Types
What's new?
Resource Types
Policy Types
Enhancements
tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)
netgo package. (#55)
version flag to the plugin's Export tool. (#65)
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#50)
Enhancements
tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)
netgo package. (#180)
China cloud endpoint and scope based on the environment. (#174)
version flag to the plugin's Export tool. (#65)
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#175)
What's new?
Enhancements
Enhancements
Enhancements
What's new?
Server
api/latest/osquery/enroll
api/latest/osquery/config
api/latest/osquery/logger
serviceNowCredential resolver specifically for Kubernetes clusters.
@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.
What's new?
AWS > IAM > Access Key > Active > Latest policy.
AWS > IAM > Server Certificate > Active > Expired policy.
Policy Types
Enhancements
tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)
netgo package. (#614)
version flag to the plugin's Export tool. (#65)
Dependencies
Enhancements
project column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)
netgo package. (#580)
version flag to the plugin's Export tool. (#65)
Bug fixes
gcp_cloudfunctions_function to list gen2 cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)
Dependencies
Enhancements
netgo package. (#756)
Bug fixes
server_properties column in the azure_postgresql_flexible_server table to correctly return data instead of nil. (#754)
Dependencies
QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#755)
Enhancements
account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)
netgo package. (#419)
version flag to the plugin's Export tool. (#65)
Dependencies
Bug fixes
GCP > Project > CMDB control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.
Enhancements
context_name column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)
netgo package. (#219)
version flag to the plugin's Export tool. (#65)
Dependencies
Enhancements
netgo package for both the Linux and Darwin systems. (#219) (#2180)
Bug fixes
aws_ebs_snapshot table to correctly return data instead of an empty row. (#2185)
Dependencies
What's new
Added support for connection key columns: (#768)
A connection key column defines a column whose value maps 1-1 to a Steampipe connection and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.
Added support for verbose timing information. (#4244)
Added support for pushing down sort order. (#447)
Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)
Added support for WHERE column=val1 OR column=val2 OR column=val3...
Migrated from plugin registry from GCP to GHCR. (#4232)
Bug fixes
Bug fixes
QueryData passed to connection key column value callback is populated with ConnectionManager. (#797)
What's new?
/processes prefix from 1 day to 2 days.
/osquery prefix.
What's new?
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.
What's new?
AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.
Bug fixes
What's new?
AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.
What's new?
aws_cloudwatch_metric_alarm resources via Guardrails stacks.
Control Types
Policy Types
Bug fixes
aws_securityhub_account Terraform resource.
What's new?
createdBy details in Turbot CMDB.
What's new?
Control Types
Policy Types
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Control Types
Policy Types
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Enhancements
subscription_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)
version flag to the plugin's Export tool. (#65)
Bug fixes
Dependencies
Bug fixes
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.
What's new?
Enhancements
version flag to the plugin's Export tool. (#65)
Bug fixes
What's new
dashboard_timeout and benchmark_timeout
--dashboard-timeout flag for the dashboard run and server commands
--benchmark-timeout flag for the benchmark run commands.
POWERPIPE_DASHBOARD_TIMEOUT and POWERPIPE_BENCHMARK_TIMEOUT respectively. (#336)
dashboard input list and dashboard input show commands.
Bug fixes
All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.
What's new?
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.
Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.
Control Types
Policy Types
Action Types
Bug fixes
What's new?
Control Types
User consent for applications is set to Do not allow user consent
Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
Policy Types
User consent for applications is set to Do not allow user consent
User consent for applications is set to Do not allow user consent > Attestation
Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
What's new?
worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
_worker_factory queue.
_worker queue.
Bug fixes
Server
UI
template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.
Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.
Bug fixes
What's new?
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.
Control Types
Policy Types
Action Types
What's new?
Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.
Control Types
Policy Types
Action Types
Enhancements
workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)
Enhancements
Bug fixes
rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.
What's new?
Azure > MySQL > Flexible Server > Encryption in Transit > * policies.
createdBy details in Turbot CMDB.
Control Types
Policy Types
Action Types
What's new?
createdBy details in Turbot CMDB.
Policy Types
Bug fixes
AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.
What's new?
Enhancements
account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)
Bug fixes
getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for the unsupported ADConnector services instead of an error. (#2170)
What's new?
What's new?
Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.
Control Types
Policy Types
Action Types
What's new?
Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.
Control Types
Policy Types
Action Types
What's new?
What's new?
powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)
What's new?
Bug fixes
Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.
What's new?
Github App. Please refer to the Github plugin configuration for more information. (#414)
Bug fixes
What's new?
Enhancements
snapshot_block_public_access_state column to aws_ec2_regional_settings table. (#2077)
Bug fixes
getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for unsupported SharedMicrosoftAD services instead of an error. (#2156)
What's new?
What's new?
Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.
What's new?
Azure > PostgresSql > Flexible Server > Encryption in Transit > * policies.
Control Types
Policy Types
Action Types
Bug fixes
foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
secretsmanager_secret_unused_90_day control. (#783)
What's new?
Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.
Policy Types
What's new?
Azure > MySQL > Flexible Server > Minimum TLS Version > * policies.
Enhancements
All Controls benchmark: (#253)
cosmosdb_account_uses_aad_and_rbac
iam_user_not_allowed_to_create_tenants
securitycenter_image_scan_enabled
Bug fixes
postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)
What's new?
What's new?
What's new?
Control Types
Policy Types
What's new?