Changelog

​

New features

• Membership audit log page — the membership/role-change history now has a dedicated Audit Log page under Settings → User Management, with search, filters (event type, role, source), date range, and sortable columns.
• Stronger code-review control (SDLC-CTRL-0007) — now requires every commit in the merged PR to be signed (verified == true) and the PR to merge into the protected branch, building on the new verified, signature_state, and base_ref fields in pull_request attestations.
• pull_request attestation fields — V2 pull_request attestations now carry per-commit verified / signature_state and a PR base_ref (populated by CLI v2.27.0+), enabling Rego policies for signed commits and “merged into main”.
• Service account CRUD API — new JSON endpoints under /service-accounts/{org} to create, list, get, update, and delete service accounts, complementing the existing API-key endpoints.

​

Updates

• Artifact name on control decisions — the decisions list and decision tray now show a human-readable artifact name alongside the fingerprint.
• Decision list columns — added control version and attestation name columns to the decisions list.
• Auto-run deletability check — initiating an org-deletion plan now runs the deletability check automatically, with an approval-blocker warning banner on each plan card when checks fail; the manual button is renamed Re-check deletability.
• Archived date for shared orgs — the Archived tab on /organizations/shared now shows an Archived on column.
• Controls UI refresh — the controls list, control detail, control edit/new form, and version list pages have been restyled with new layouts, filtering, and interaction improvements.
• Faster environment snapshot listing — GET /api/v2/snapshots/{org}/{env_name} (and kosli list snapshots) is significantly faster on large/long-lived environments by eliminating per-snapshot ordinal seeks and discarded counts.
• Display name fallback — audit log, controls, and trail views now fall back to login_name when a user has no display name set.
• Signup form — the welcome signup form now shows field labels.
• Wording — “Logout” is now “Sign out” across the app.
• base_ref field placement — in serialized pull_request attestation JSON, base_ref now sits next to head_ref (cosmetic; key order is not significant).

​

Bug fixes

• Concurrent create 500s — fixed 500 errors on concurrent PUT /api/v2/trails/{org}/{flow} (begin trail) and PUT /api/v2/policies/{org}/{name} requests by retrying on duplicate-key races.
• “Added” date reset on role change — fixed a regression where changing a user’s role reset their Added date (and the service account Created date) to today; both now read the original created_at.

​

New features

• kosli get trail --output markdown — get trail now supports GitHub-Flavored Markdown output, suitable for piping into CI job summaries (e.g. $GITHUB_STEP_SUMMARY). The output includes trail metadata, git commit info, attestation statuses with compliance indicators and links to the Kosli app, and an events table with linked commit SHAs, environment snapshots, and attestation references. See the get trail reference.

​

New features

• pull_request attestations capture commit signatures and PR base branch — each commit now records verified and signature_state (GitHub and GitLab), and every PR records base_ref (GitHub, GitLab, Bitbucket, Azure DevOps), enabling Rego policies for signed commits and “merged into main”. Bitbucket and Azure DevOps don’t expose per-commit signature verification, so those fields are omitted for them.

​

Updates

• pull_request attestation commits — record the git author identity and authored timestamp (not the committer) across all providers.
• API key rotation — failures now clean up the duplicate key ID and include details in the error response.

​

New features

• Sign in with SSO — a redesigned sign-in page makes SSO a first-class option alongside other providers.
• Membership history audit log — organization membership and role changes are now appended to an audit history, capturing who changed what and when.
• Short fingerprints on artifact GETs — artifact GET endpoints once again accept short fingerprint prefixes (5–64 chars), restoring documented CLI behavior like kosli get artifact flow@<short-fingerprint>.

​

Updates

• Faster org-scoped queries — trail moments and recently-modified artifact queries now use org-scoped indexes for better performance on large organizations.

​

Bug fixes

• Fixed revoking an already-archived service account API key returning 200 OK instead of 404 Not Found.
• Fixed an order-dependent waiver leak in trail and provenance compliance evaluation where one waived exception could incorrectly carry over to later artifacts.

​

New features

• kosli list environments filtering and pagination — new --name, --type, --space-id, --tag, --page, and --page-limit flags filter and paginate environment listings. See the list environments reference.
• kosli list flows name search — new --name and --ignore-case flags search flows by name. See the list flows reference.

​

Updates

• kosli attest jira — clearer help text for CVE and multi-segment identifier filtering behavior. See the attest jira reference.

​

Bug fixes

• Service account API key prompts — the revoke confirmation prompt now reads inline, and cancellation messaging and key ID styling are consistent with other commands.

​

New features

• kosli service-account api-keys — new command group (alias sa ak) to manage service account API keys from the CLI, with create, revoke, rotate, and list subcommands.
• Short aliases for top-level verbs — get (g), rename (re), disable (dis), enable (en), log (lo), and status (s, st) now have shorter aliases.

​

Updates

• Consistent “organization” wording — standardized spelling across user-facing strings in the app.
• Simpler invite acceptance — accepting an invite now requires OTP verification only when the logged-in user’s email doesn’t match the invitation; matching emails are accepted directly regardless of auth provider.

​

Bug fixes

• Security: service account API keys on public orgs — fixed a path that could return an arbitrary membership document for unauthenticated callers on public orgs, potentially exposing service account API keys. is_admin(None) now always returns False.
• Flows page — guarded against a null space_id element that could break the flows listing.
• Redirects — all query parameters are now preserved through redirects.

​

New features

• for_control policy compliance — snapshot compliance now evaluates for_control policy requirements. When a policy requires a passing decision attestation for a specific control, the snapshot is checked against a matching decision for that control.

​

Updates

• Assert artifact response includes for_control — the assert artifact API now returns the control identifier in the resolution context for for_control rule failures, so clients can show which specific control is unsatisfied.

​

New features

• linux/s390x builds — the CLI is now published for linux/s390x so it can be installed natively on IBM Z hosts.

​

Bug fixes

• Bumped Go to 1.26.4 to address standard-library CVEs.

​

Updates

• kosli assert artifact — when a for_control policy rule fails, the failure output now names the specific control identifier that is unsatisfied, making it easier to act on policy failures in CI.

​

Updates

• SonarQube authentication — kosli attest sonar now falls back to HTTP Basic auth (token as username) on self-hosted SonarQube Server versions earlier than 10.0, which reject Authorization: Bearer. The fallback is transparent for self-hosted servers and never applied to SonarCloud. Authentication errors now distinguish 401/403 token or permission problems from 5xx server-availability issues instead of the previous generic “please check your API token” message.

​

New features

• Default organization on user profile — pick a default organization from a dropdown on your profile settings page so the Kosli app opens to it on sign-in.

​

Updates

• visibility optional when creating flows — the create-flow API no longer requires a visibility field. New flows default to private.

​

Bug fixes

• Upgraded libxml2 in the Kosli app image to address CVE-2026-6732 (high-severity denial-of-service in XSD validation).
• Fixed orphaned tooltips lingering on the page after HTMX-driven updates.

​

Bug fixes

• kosli create flow — restored the --visibility flag as a deprecated (rather than removed) option, so existing scripts that pass it keep working. The flag has no effect on newer Kosli servers and will be removed in a future release. See the create flow reference.

​

Updates

• kosli create flow — the --visibility flag is deprecated. Flow visibility now defaults to private server-side and the flag is no longer needed.
• Deprecation warning for legacy flow creation — kosli create flow now prints a warning when neither --template-file nor --use-empty-template is supplied. The legacy code path will stop working in a future release; pass a template file or use the empty template instead. See the create flow reference.

​

Bug fixes

• Fixed malformed URLs in kosli list and kosli diff commands when host or path segments contained extra slashes. Requests are now built with proper URL joining.

​

New features

• Redesigned environments listing page — the environments page in the Kosli app is now a paginated view with filtering by name, type, and tag, and sorting by last-changed time.
• Timestamp filtering on environment events — the env events API accepts from and to timestamp query parameters.
• Service account privilege management — admins can change the privilege level of existing service accounts.
• API key rotation — rotate API keys without invalidating existing integrations.

​

Updates

• Faster environments listing — large environments now load and filter noticeably faster.
• Faster trail and snapshot operations — listing trails and processing snapshots is quicker on large orgs.
• OpenAPI improvements — the API spec has been refined for cleaner SDK generation.
• Magic Link login hardening — added additional protections to the Magic Link sign-in flow.

​

Bug fixes

• Fixed empty-digest reports always creating a new snapshot instead of reusing the existing one.
• Fixed the environments listing not falling back to a user’s login name when no display name was set.
• Fixed an authentication flow issue caused by a trailing slash in default Descope URLs.

​

Bug fixes

• kosli attest jira — fixed false-positive Jira issue key matches from multi-segment identifiers such as CVE numbers (CVE-2026-41284 no longer matches as a Jira key). See the attest jira reference.
• kosli attest junit — JUnit XML ingestion now walks directories recursively, deduplicates file scans, and returns a clearer error message for non-UTF-8 encoded XML files. See the attest junit reference.

​

Bug fixes

• Fixed CLI flags rendering as em dashes in the generated CLI reference pages. Flag names (--flag, -x) are now wrapped in backticks so Mintlify’s smart-typography renderer leaves them intact.

​

Updates

• kosli approval commands deprecated — the kosli approval command tree is now marked as deprecated. Use attestations going forward.

​

Updates

• Migrated the Docker client dependency from github.com/docker/docker to github.com/moby/moby and related modular packages (moby/moby/api, moby/moby/client).
• Updated github.com/open-policy-agent/opa to v1.16.2.

​

New features

• kosli snapshot cloud-run is now generally available — the Cloud Run snapshotter is no longer hidden and now reports its coverage table alongside the snapshot.
• Path filters for kosli snapshot s3 — added --include-regex and --exclude-regex flags to kosli snapshot s3 so you can scope a snapshot to a subset of objects in a bucket.

​

Bug fixes

• Fixed kosli attest snyk and other SonarQube-backed attestations not forwarding the branch name to SonarQube’s project_analyses/search endpoint, which previously returned results from the wrong branch.

​

New features

• Remote policies for kosli evaluate — --policy on kosli evaluate now accepts remote http(s) URLs in addition to local file paths, so you can evaluate against centrally-hosted policy files.
• --quiet flag — a new global --quiet flag suppresses non-essential output from the CLI, useful for scripting and CI pipelines that only care about exit codes.
• Expanded Cloud Run support — kosli snapshot cloud-run now reports Cloud Run Jobs in addition to services, and recovers missing image digests via a registry lookup when the runtime does not expose them directly.

​

Bug fixes

• Fixed bare URLs in CLI flag descriptions producing broken links in the generated reference docs.
• Fixed the Helm chart docs templates so they render correctly in Mintlify.

​

Updates

• Toolchain update — the Terraform provider is now built with Go 1.26. No user-facing behavior changes.

​

New features

• Cloud Run Jobs support in kosli snapshot cloud-run — the Cloud Run snapshotter can now report Cloud Run Jobs alongside services, and its wire format has been cleaned up.

​

Bug fixes

• Fixed kosli snapshot docker crashing when it encountered a container that the Docker daemon could not inspect. Such containers are now skipped with a warning and the snapshot continues.
• Fixed a broken http-proxy example link in the CLI reference docs.

​

New features

• PATCH endpoint for environment updates — a new PATCH /environments/{org}/{env_name} endpoint allows updating individual environment fields without replacing the entire resource. This fixes the issue where setting a description to an empty string was silently ignored, and enables proper support in the Terraform provider.

​

Updates

• Significantly faster environment and snapshot pages — eliminated thousands of redundant database queries during snapshot reporting and page rendering. For large environments (~800 artifacts), this removes approximately 5,600 unnecessary database round-trips per snapshot report. The environment events page, which previously took ~60 seconds to load for large environments, now loads normally.
• Infinite scroll on snapshot events tab — the snapshot events tab now loads events incrementally via infinite scroll instead of all at once, improving responsiveness for environments with many events.
• Improved environment page search — search and filter on the environment page now returns all matching artifacts in a single request with loading indicators, fixing broken behavior for large environments.
• Faster flow filter lookups — environment pages that filter by flow now use a pre-materialized collection instead of scanning all artifacts, speeding up load times.
• Case-insensitive email lookups — user and invitation email lookups no longer require exact case matching.
• Redirect preserved through login — when a session expires, the original destination URL (e.g., an org invite page) is now preserved through the logout/login cycle.
• API documentation improvements — the OpenAPI spec title is now “Kosli API”, endpoints are sorted alphabetically, and server URLs are absolute for API playground compatibility.

​

Bug fixes

• Fixed the flows filter incorrectly rejecting substring searches starting with hyphens, underscores, dots, or tildes.
• Fixed the logical environment snapshot events tab raising an error, and the “Running” badge incorrectly counting exited artifacts.
• Fixed a 500 error when listing API keys with legacy expiration timestamps.
• Fixed unhandled exceptions during OAuth and SSO sign-in flows.
• Security: upgraded xz/xz-libs packages to patch CVE-2026-34743.

​

Updates

• More diagnostic --debug output for GitHub calls — kosli attest pullrequest github and other GitHub-backed commands now include the (redacted) Authorization header, the resolved proxy URL, and any response body returned alongside transport errors when run with --debug. This makes it possible to diagnose corporate proxy and edge filter rejections that previously surfaced only as opaque transport errors.

​

Updates

• Removed automatic update notifications — the CLI no longer checks for new versions on every command. The update notice introduced in v2.17.0 occasionally polluted captured output (for example FP=$(kosli fingerprint ...)), so version checks now run only for the version subcommand and the --version flag.

​

Updates

• Debug logging for GitHub PR attestations — running kosli attest pullrequest github with --debug now prints every GitHub REST and GraphQL request and response (method, URL, headers, body) to stderr, with the Authorization header redacted. Useful for diagnosing 4xx/5xx responses and eventual-consistency issues in CI. See the attest pullrequest github reference.

​

Bug fixes

• Race condition on environment rename — renaming a kosli_environment or kosli_logical_environment resource label while keeping the same name no longer fails with a 404 (“Environment has been archived”). The provider now retries the post-create read with bounded backoff and re-asserts desired state when it observes the parallel destroy + create race. If you are intentionally renaming an environment, use terraform state mv as documented in the kosli_environment reference.

​

Bug fixes

• Clearing environment descriptions — kosli_environment and kosli_logical_environment updates now use the PATCH endpoint, so setting description = "" correctly clears the environment’s description. The previous PUT-based flow silently ignored empty descriptions. See the kosli_environment and kosli_logical_environment references.

​

New features

• --assert / --no-assert for evaluate commands — kosli evaluate trail, kosli evaluate trails, and kosli evaluate input now accept a mutually-exclusive --assert / --no-assert flag pair. Pass --no-assert to use these commands as a policy decision point: the verdict is printed and the command exits 0, leaving any assertion to a downstream step. Default behavior is unchanged — a policy deny still exits non-zero. These commands are now marked [BETA]. See the evaluate trail, evaluate trails, and evaluate input references.

​

Updates

• Help text for kosli attest artifact and kosli fingerprint now clarifies that --artifact-type=docker requires the image to have been pushed to or pulled from a registry, and points to --artifact-type=oci as the preferred alternative for registry-resident images. See the attest artifact reference.

​

Bug fixes

• Reduced API request payload sizes by switching to compact JSON marshalling for both multipart (--attestation-data, --user-data) and non-multipart request bodies. Multipart payloads no longer hit the server’s per-part size limit at ~400-500 KB on disk, and non-multipart bodies are 30-55% smaller on the wire. Debug and dry-run output remains pretty-printed.

​

Bug fixes

• GitHub PR attestation reliability — kosli attest pullrequest github and kosli assert pullrequest github now correctly detect pull requests merged seconds before CI runs. The CLI falls back to a REST + per-PR GraphQL lookup when GitHub’s GraphQL associatedPullRequests returns no results due to eventual consistency, with retries up to 60 seconds.

​

Updates

• Improved help text for kosli attest artifact to clarify that --repo-id, --repo-url, and --repository must be set together, and which CI systems set them automatically. See the attest artifact reference.

​

Bug fixes

• Bumped hc-install to v0.9.4 to use the renewed HashiCorp GPG key, restoring provider installation in environments that verify the key.

​

New features

• Automatic update notifications — the CLI now checks for available updates after each command and prints a notice to stderr when a newer version is released. Notices are suppressed in debug mode and for commands with programmatic output (e.g. --output json).
• kosli --version enhancements — kosli --version now prints the full version struct and shows an update notice when a newer version is available.

​

Bug fixes

• Attestation --name validation now rejects names with a leading dot (e.g. .foo), trailing dot, or more than one dot (e.g. foo.bar.baz) with a clear error message instead of silently mishandling them.

​

New features

• API key management for service accounts — programmatically create and manage API keys for service accounts, making it easier to automate integrations.
• Filter repositories by name — the repositories list now supports filtering by name for faster navigation.

​

Updates

• Significantly improved environment snapshot page performance, including faster artifact loading, lazy loading, and optimized search.

​

Bug fixes

• Fixed a 500 error when listing API keys for keys that had never been used.
• Fixed YAML syntax errors in policies returning a 500 instead of a 400 error.
• Fixed snapshot rejection when a repository has no provider set.

​

New features

• Custom CA bundle support for k8s-reporter — the k8s-reporter Helm chart now supports extraVolumes, extraVolumeMounts, extraEnvVars, and a customCA convenience wrapper for environments behind a TLS-inspecting proxy. See the Helm chart reference for details.
• SonarQube pull request scan support — kosli attest sonar now retrieves scan results for pull request analyses. Pass --pull-request to specify the PR number, or let the CLI detect it automatically from the SonarQube metadata file. See the attest sonar reference.
• --sonar-ce-task-url flag — pass the SonarQube CE task URL directly to kosli attest sonar, bypassing the need for the .scannerwork/report-task.txt file. Useful in CI environments where the scanner and CLI run in separate containers.

​

Updates

• The Helm chart now uses appVersion as the default CLI version.

​

New features

• Tags support for environments, logical environments, and flows — you can now manage tags directly on kosli_environment, kosli_logical_environment, and kosli_flow resources and their corresponding data sources. Tags are applied as diffs, so only changed tags are sent to the API.

​

Updates

• Updated dependencies across Go libraries, OpenTelemetry SDK, and CI tooling to incorporate the latest security patches and stability improvements.

​

Updates

• kosli assert artifact flag validation — the --environment and --policy flags are now validated as mutually exclusive client-side, giving you a faster error message without a server round-trip. The --flow flag can be combined with either mode to narrow the artifact lookup scope. See the assert artifact reference.

​

Bug fixes

• Fixed kosli list repos and kosli get repo displaying garbled text when the latest activity field was empty.
• Updated dependencies to resolve security vulnerabilities in Go standard library and OpenTelemetry packages.

​

New features

• kosli_flow resource and data source — manage Kosli flows as Terraform resources. Define name, description, and YAML template inline or via file(). The data source lets you query existing flows and reuse their templates. See the resource and data source reference.

​

New features

• kosli evaluate input — evaluate a local JSON file (or stdin) against a Rego policy with no API dependency. Enables local policy development and fast iteration without a running Kosli server. See the evaluate input reference.
• --params flag for policy evaluation — pass configuration data (thresholds, expected counts, etc.) to Rego policies via --params on kosli evaluate trail, kosli evaluate trails, and kosli evaluate input. Accepts inline JSON or a file reference. Parameters are available as data.params in the policy.
• npm installation — the Kosli CLI is now available as an npm package (@kosli/cli), making it easy to install in JavaScript/Node.js toolchains.

​

Bug fixes

• Fixed Docker API version negotiation — the CLI now automatically negotiates the Docker API version with the host daemon, preventing compatibility errors after SDK upgrades.
• Fixed AWS API rate limiting — snapshot commands for ECS, S3, and Lambda environments now use adaptive retry with up to 10 attempts, preventing failures under heavy API load.
• Fixed git HEAD resolution in linked worktrees.

​

New features

• Deployment list — the repository releases page now includes a deployments tab showing a paginated list of deployments with artifact details, commit links, replaced artifacts, and compliance status.
• Filter deployments by environment — filter the deployment list and metrics by specific environments on the repository releases page.

​

Updates

• Redesigned the repository run page with improved layout, hover states, and rich tooltips showing artifact fingerprints, snapshot references, and commit details.

​

Bug fixes

• Fixed an error when viewing deployment details for artifacts with a missing replaced snapshot index.

​

Updates

• Removed deprecated kosli expect deployment command — deployment expectation is no longer required for compliance. If your pipelines still reference this command, remove or replace it.
• CI-ready Docker image — a new Alpine-based Dockerfile is available for use as a CI runner image (e.g., GitLab CI), providing the Kosli CLI alongside common CI tooling.

​

Bug fixes

• Fixed kosli get attestation-type displaying type_schema as a Go map instead of formatted JSON.
• The --debug flag now shows the HTML response body when a server error occurs, improving troubleshooting.

​

Bug fixes

• Fixed type_schema handling — the provider now correctly reads JSON objects returned by the API, replacing the previous Python repr string workaround.

​

New features

• Deployment frequency statistics — the repository releases page now shows a deployment frequency bar chart with daily counts, a median line, and summary statistics for each environment.

​

Updates

• Removed the deprecated deployments API. This aligns with the CLI removal of kosli expect deployment.

​

New features

• kosli_action resource and data source — manage webhook notification actions as Terraform resources. Create, update, and import actions by name, and read existing actions to reference in your configurations.
• kosli_policy resource and data source — manage Kosli policies as Infrastructure-as-Code. The data source exposes the policy name, description, content, and latest version.
• kosli_policy_attachment resource — manage the relationship between policies and environments, letting you attach and detach policies declaratively.

​

New features

• Repository metadata on attestations — all kosli attest commands and kosli begin trail now accept --repo-id, --repository, --repo-url, and --repo-provider flags to associate attestations and trails with their source repository. These flags are automatically populated from CI environment variables in GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, and CircleCI — no manual configuration needed. See the CI defaults reference.
• Helm chart CronJob configuration — the k8s-reporter Helm chart now lets you configure concurrencyPolicy, failedJobsHistoryLimit, and successfulJobsHistoryLimit for the reporter CronJob.

​

Updates

• --repo-url is now validated as a well-formed URL when explicitly provided.
• --repo-provider is validated against the allowed values: github, gitlab, bitbucket, azure-devops.
• For kosli attest pullrequest github and kosli attest pullrequest azure, the --repository flag now also controls which repository is queried for pull requests.

​

Bug fixes

• Fixed an issue where artifact names with leading periods were rejected. Leading periods are now trimmed automatically.

​

New features

• Attestation evidence download — a new API endpoint lets you download evidence files attached to attestations, making it easier to retrieve and audit attestation data programmatically.
• Snapshotter role — a new Snapshotter role is available for users who need to create environment snapshots and manage service accounts without full member permissions. Ideal for environment and operations teams.

​

Bug fixes

• Fixed kosli attest artifact sending empty repository information when no repo data is available.

​

New features

• kosli evaluate trail and kosli evaluate trails — evaluate one or more trails against a Rego policy and get a structured pass/fail decision. Use --attestations to filter which attestations are checked, and --output json for machine-readable results. Exit code reflects the policy decision, making it ideal for CI/CD gates. See the evaluate trail and evaluate trails reference for details.
• Multi-environment K8s reporting — kosli snapshot k8s now accepts a --config-file flag to report multiple Kosli environments in a single command. Define environment-to-namespace mappings in a YAML file instead of running the command once per environment. See the snapshot k8s reference.
• Helm chart v2.0.0 — the k8s-reporter Helm chart now uses a reporterConfig.environments list, enabling multi-environment reporting from a single chart installation. This is a breaking change from v1.x — see the chart README for migration steps.

​

Bug fixes

• Fixed handling of Python boolean (true/false) and null values in custom attestation type schemas.

​

New features

• kosli_logical_environment resource — create and manage logical environments that aggregate multiple physical environments into a single view.
• kosli_logical_environment data source — query details of existing logical environments.
• Drift detection for logical environments — Kosli now detects when the included_environments of a logical environment change outside of Terraform.
• User agent header — the provider now sends a versioned user agent on every API request, improving diagnostics.

​

Bug fixes

• Fixed a missing flow field in pull request attestation resources.
• Fixed terraform plan showing (known after apply) for the type attribute of logical environments instead of "logical".

​

New features

• kosli_environment resource — create and manage physical Kosli environments (K8S, ECS, S3, docker, server, lambda) as Terraform resources.
• kosli_environment data source — query details of existing physical environments.

​

Changes

• schema and jq_rules are now optional fields on kosli_attestation_type, allowing you to create attestation types without a validation schema.