Changelog

​

New features

• PATCH endpoint for environment updates — a new PATCH /environments/{org}/{env_name} endpoint allows updating individual environment fields without replacing the entire resource. This fixes the issue where setting a description to an empty string was silently ignored, and enables proper support in the Terraform provider.

​

Updates

• Significantly faster environment and snapshot pages — eliminated thousands of redundant database queries during snapshot reporting and page rendering. For large environments (~800 artifacts), this removes approximately 5,600 unnecessary database round-trips per snapshot report. The environment events page, which previously took ~60 seconds to load for large environments, now loads normally.
• Infinite scroll on snapshot events tab — the snapshot events tab now loads events incrementally via infinite scroll instead of all at once, improving responsiveness for environments with many events.
• Improved environment page search — search and filter on the environment page now returns all matching artifacts in a single request with loading indicators, fixing broken behavior for large environments.
• Faster flow filter lookups — environment pages that filter by flow now use a pre-materialized collection instead of scanning all artifacts, speeding up load times.
• Case-insensitive email lookups — user and invitation email lookups no longer require exact case matching.
• Redirect preserved through login — when a session expires, the original destination URL (e.g., an org invite page) is now preserved through the logout/login cycle.
• API documentation improvements — the OpenAPI spec title is now “Kosli API”, endpoints are sorted alphabetically, and server URLs are absolute for API playground compatibility.

​

Bug fixes

• Fixed the flows filter incorrectly rejecting substring searches starting with hyphens, underscores, dots, or tildes.
• Fixed the logical environment snapshot events tab raising an error, and the “Running” badge incorrectly counting exited artifacts.
• Fixed a 500 error when listing API keys with legacy expiration timestamps.
• Fixed unhandled exceptions during OAuth and SSO sign-in flows.
• Security: upgraded xz/xz-libs packages to patch CVE-2026-34743.

​

Updates

• More diagnostic --debug output for GitHub calls — kosli attest pullrequest github and other GitHub-backed commands now include the (redacted) Authorization header, the resolved proxy URL, and any response body returned alongside transport errors when run with --debug. This makes it possible to diagnose corporate proxy and edge filter rejections that previously surfaced only as opaque transport errors.

​

Updates

• Removed automatic update notifications — the CLI no longer checks for new versions on every command. The update notice introduced in v2.17.0 occasionally polluted captured output (for example FP=$(kosli fingerprint ...)), so version checks now run only for the version subcommand and the --version flag.

​

Updates

• Debug logging for GitHub PR attestations — running kosli attest pullrequest github with --debug now prints every GitHub REST and GraphQL request and response (method, URL, headers, body) to stderr, with the Authorization header redacted. Useful for diagnosing 4xx/5xx responses and eventual-consistency issues in CI. See the attest pullrequest github reference.

​

Bug fixes

• Race condition on environment rename — renaming a kosli_environment or kosli_logical_environment resource label while keeping the same name no longer fails with a 404 (“Environment has been archived”). The provider now retries the post-create read with bounded backoff and re-asserts desired state when it observes the parallel destroy + create race. If you are intentionally renaming an environment, use terraform state mv as documented in the kosli_environment reference.

​

Bug fixes

• Clearing environment descriptions — kosli_environment and kosli_logical_environment updates now use the PATCH endpoint, so setting description = "" correctly clears the environment’s description. The previous PUT-based flow silently ignored empty descriptions. See the kosli_environment and kosli_logical_environment references.

​

New features

• --assert / --no-assert for evaluate commands — kosli evaluate trail, kosli evaluate trails, and kosli evaluate input now accept a mutually-exclusive --assert / --no-assert flag pair. Pass --no-assert to use these commands as a policy decision point: the verdict is printed and the command exits 0, leaving any assertion to a downstream step. Default behaviour is unchanged — a policy deny still exits non-zero. These commands are now marked [BETA]. See the evaluate trail, evaluate trails, and evaluate input references.

​

Updates

• Help text for kosli attest artifact and kosli fingerprint now clarifies that --artifact-type=docker requires the image to have been pushed to or pulled from a registry, and points to --artifact-type=oci as the preferred alternative for registry-resident images. See the attest artifact reference.

​

Bug fixes

• Reduced API request payload sizes by switching to compact JSON marshalling for both multipart (--attestation-data, --user-data) and non-multipart request bodies. Multipart payloads no longer hit the server’s per-part size limit at ~400-500 KB on disk, and non-multipart bodies are 30-55% smaller on the wire. Debug and dry-run output remains pretty-printed.

​

Bug fixes

• GitHub PR attestation reliability — kosli attest pullrequest github and kosli assert pullrequest github now correctly detect pull requests merged seconds before CI runs. The CLI falls back to a REST + per-PR GraphQL lookup when GitHub’s GraphQL associatedPullRequests returns no results due to eventual consistency, with retries up to 60 seconds.

​

Updates

• Improved help text for kosli attest artifact to clarify that --repo-id, --repo-url, and --repository must be set together, and which CI systems set them automatically. See the attest artifact reference.

​

Bug fixes

• Bumped hc-install to v0.9.4 to use the renewed HashiCorp GPG key, restoring provider installation in environments that verify the key.

​

New features

• Automatic update notifications — the CLI now checks for available updates after each command and prints a notice to stderr when a newer version is released. Notices are suppressed in debug mode and for commands with programmatic output (e.g. --output json).
• kosli --version enhancements — kosli --version now prints the full version struct and shows an update notice when a newer version is available.

​

Bug fixes

• Attestation --name validation now rejects names with a leading dot (e.g. .foo), trailing dot, or more than one dot (e.g. foo.bar.baz) with a clear error message instead of silently mishandling them.

​

New features

• API key management for service accounts — programmatically create and manage API keys for service accounts, making it easier to automate integrations.
• Filter repositories by name — the repositories list now supports filtering by name for faster navigation.

​

Updates

• Significantly improved environment snapshot page performance, including faster artifact loading, lazy loading, and optimized search.

​

Bug fixes

• Fixed a 500 error when listing API keys for keys that had never been used.
• Fixed YAML syntax errors in policies returning a 500 instead of a 400 error.
• Fixed snapshot rejection when a repository has no provider set.

​

New features

• Custom CA bundle support for k8s-reporter — the k8s-reporter Helm chart now supports extraVolumes, extraVolumeMounts, extraEnvVars, and a customCA convenience wrapper for environments behind a TLS-inspecting proxy. See the Helm chart reference for details.
• SonarQube pull request scan support — kosli attest sonar now retrieves scan results for pull request analyses. Pass --pull-request to specify the PR number, or let the CLI detect it automatically from the SonarQube metadata file. See the attest sonar reference.
• --sonar-ce-task-url flag — pass the SonarQube CE task URL directly to kosli attest sonar, bypassing the need for the .scannerwork/report-task.txt file. Useful in CI environments where the scanner and CLI run in separate containers.

​

Updates

• The Helm chart now uses appVersion as the default CLI version.

​

New features

• Tags support for environments, logical environments, and flows — you can now manage tags directly on kosli_environment, kosli_logical_environment, and kosli_flow resources and their corresponding data sources. Tags are applied as diffs, so only changed tags are sent to the API.

​

Updates

• Updated dependencies across Go libraries, OpenTelemetry SDK, and CI tooling to incorporate the latest security patches and stability improvements.

​

Updates

• kosli assert artifact flag validation — the --environment and --policy flags are now validated as mutually exclusive client-side, giving you a faster error message without a server round-trip. The --flow flag can be combined with either mode to narrow the artifact lookup scope. See the assert artifact reference.

​

Bug fixes

• Fixed kosli list repos and kosli get repo displaying garbled text when the latest activity field was empty.
• Updated dependencies to resolve security vulnerabilities in Go standard library and OpenTelemetry packages.

​

New features

• kosli_flow resource and data source — manage Kosli flows as Terraform resources. Define name, description, and YAML template inline or via file(). The data source lets you query existing flows and reuse their templates. See the resource and data source reference.

​

New features

• kosli evaluate input — evaluate a local JSON file (or stdin) against a Rego policy with no API dependency. Enables local policy development and fast iteration without a running Kosli server. See the evaluate input reference.
• --params flag for policy evaluation — pass configuration data (thresholds, expected counts, etc.) to Rego policies via --params on kosli evaluate trail, kosli evaluate trails, and kosli evaluate input. Accepts inline JSON or a file reference. Parameters are available as data.params in the policy.
• npm installation — the Kosli CLI is now available as an npm package (@kosli/cli), making it easy to install in JavaScript/Node.js toolchains.

​

Bug fixes

• Fixed Docker API version negotiation — the CLI now automatically negotiates the Docker API version with the host daemon, preventing compatibility errors after SDK upgrades.
• Fixed AWS API rate limiting — snapshot commands for ECS, S3, and Lambda environments now use adaptive retry with up to 10 attempts, preventing failures under heavy API load.
• Fixed git HEAD resolution in linked worktrees.

​

New features

• Deployment list — the repository releases page now includes a deployments tab showing a paginated list of deployments with artifact details, commit links, replaced artifacts, and compliance status.
• Filter deployments by environment — filter the deployment list and metrics by specific environments on the repository releases page.

​

Updates

• Redesigned the repository run page with improved layout, hover states, and rich tooltips showing artifact fingerprints, snapshot references, and commit details.

​

Bug fixes

• Fixed an error when viewing deployment details for artifacts with a missing replaced snapshot index.

​

Updates

• Removed deprecated kosli expect deployment command — deployment expectation is no longer required for compliance. If your pipelines still reference this command, remove or replace it.
• CI-ready Docker image — a new Alpine-based Dockerfile is available for use as a CI runner image (e.g., GitLab CI), providing the Kosli CLI alongside common CI tooling.

​

Bug fixes

• Fixed kosli get attestation-type displaying type_schema as a Go map instead of formatted JSON.
• The --debug flag now shows the HTML response body when a server error occurs, improving troubleshooting.

​

Bug fixes

• Fixed type_schema handling — the provider now correctly reads JSON objects returned by the API, replacing the previous Python repr string workaround.

​

New features

• Deployment frequency statistics — the repository releases page now shows a deployment frequency bar chart with daily counts, a median line, and summary statistics for each environment.

​

Updates

• Removed the deprecated deployments API. This aligns with the CLI removal of kosli expect deployment.

​

New features

• kosli_action resource and data source — manage webhook notification actions as Terraform resources. Create, update, and import actions by name, and read existing actions to reference in your configurations.
• kosli_policy resource and data source — manage Kosli policies as Infrastructure-as-Code. The data source exposes the policy name, description, content, and latest version.
• kosli_policy_attachment resource — manage the relationship between policies and environments, letting you attach and detach policies declaratively.

​

New features

• Repository metadata on attestations — all kosli attest commands and kosli begin trail now accept --repo-id, --repository, --repo-url, and --repo-provider flags to associate attestations and trails with their source repository. These flags are automatically populated from CI environment variables in GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, and CircleCI — no manual configuration needed. See the CI defaults reference.
• Helm chart CronJob configuration — the k8s-reporter Helm chart now lets you configure concurrencyPolicy, failedJobsHistoryLimit, and successfulJobsHistoryLimit for the reporter CronJob.

​

Updates

• --repo-url is now validated as a well-formed URL when explicitly provided.
• --repo-provider is validated against the allowed values: github, gitlab, bitbucket, azure-devops.
• For kosli attest pullrequest github and kosli attest pullrequest azure, the --repository flag now also controls which repository is queried for pull requests.

​

Bug fixes

• Fixed an issue where artifact names with leading periods were rejected. Leading periods are now trimmed automatically.

​

New features

• Attestation evidence download — a new API endpoint lets you download evidence files attached to attestations, making it easier to retrieve and audit attestation data programmatically.
• Snapshotter role — a new Snapshotter role is available for users who need to create environment snapshots and manage service accounts without full member permissions. Ideal for environment and operations teams.

​

Bug fixes

• Fixed kosli attest artifact sending empty repository information when no repo data is available.

​

New features

• kosli evaluate trail and kosli evaluate trails — evaluate one or more trails against a Rego policy and get a structured pass/fail decision. Use --attestations to filter which attestations are checked, and --output json for machine-readable results. Exit code reflects the policy decision, making it ideal for CI/CD gates. See the evaluate trail and evaluate trails reference for details.
• Multi-environment K8s reporting — kosli snapshot k8s now accepts a --config-file flag to report multiple Kosli environments in a single command. Define environment-to-namespace mappings in a YAML file instead of running the command once per environment. See the snapshot k8s reference.
• Helm chart v2.0.0 — the k8s-reporter Helm chart now uses a reporterConfig.environments list, enabling multi-environment reporting from a single chart installation. This is a breaking change from v1.x — see the chart README for migration steps.

​

Bug fixes

• Fixed handling of Python boolean (true/false) and null values in custom attestation type schemas.

​

New features

• kosli_logical_environment resource — create and manage logical environments that aggregate multiple physical environments into a single view.
• kosli_logical_environment data source — query details of existing logical environments.
• Drift detection for logical environments — Kosli now detects when the included_environments of a logical environment change outside of Terraform.
• User agent header — the provider now sends a versioned user agent on every API request, improving diagnostics.

​

Bug fixes

• Fixed a missing flow field in pull request attestation resources.
• Fixed terraform plan showing (known after apply) for the type attribute of logical environments instead of "logical".

​

New features

• kosli_environment resource — create and manage physical Kosli environments (K8S, ECS, S3, docker, server, lambda) as Terraform resources.
• kosli_environment data source — query details of existing physical environments.

​

Changes

• schema and jq_rules are now optional fields on kosli_attestation_type, allowing you to create attestation types without a validation schema.