> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kosli.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.kosli.com/feedback

```json
{
  "path": "/changelog/index",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Changelog

> Release notes for Kosli products.

<Update label="May 4, 2026" description="" tags={["Platform"]}>
  ## New features

  * **PATCH endpoint for environment updates** — a new `PATCH /environments/{org}/{env_name}` endpoint allows updating individual environment fields without replacing the entire resource. This fixes the issue where setting a description to an empty string was silently ignored, and enables proper support in the [Terraform provider](/terraform-reference/resources/environment).

  ## Updates

  * **Significantly faster environment and snapshot pages** — eliminated thousands of redundant database queries during snapshot reporting and page rendering. For large environments (\~800 artifacts), this removes approximately 5,600 unnecessary database round-trips per snapshot report. The environment events page, which previously took \~60 seconds to load for large environments, now loads normally.
  * **Infinite scroll on snapshot events tab** — the snapshot events tab now loads events incrementally via infinite scroll instead of all at once, improving responsiveness for environments with many events.
  * **Improved environment page search** — search and filter on the environment page now returns all matching artifacts in a single request with loading indicators, fixing broken behavior for large environments.
  * **Faster flow filter lookups** — environment pages that filter by flow now use a pre-materialized collection instead of scanning all artifacts, speeding up load times.
  * **Case-insensitive email lookups** — user and invitation email lookups no longer require exact case matching.
  * **Redirect preserved through login** — when a session expires, the original destination URL (e.g., an org invite page) is now preserved through the logout/login cycle.
  * **API documentation improvements** — the OpenAPI spec title is now "Kosli API", endpoints are sorted alphabetically, and server URLs are absolute for [API playground](/api-reference) compatibility.

  ## Bug fixes

  * Fixed the flows filter incorrectly rejecting substring searches starting with hyphens, underscores, dots, or tildes.
  * Fixed the logical environment snapshot events tab raising an error, and the "Running" badge incorrectly counting exited artifacts.
  * Fixed a 500 error when listing API keys with legacy expiration timestamps.
  * Fixed unhandled exceptions during OAuth and SSO sign-in flows.
  * Security: upgraded xz/xz-libs packages to patch CVE-2026-34743.
</Update>

<Update label="May 4, 2026" description="v2.17.5" tags={["CLI"]}>
  ## Updates

  * **More diagnostic `--debug` output for GitHub calls** — `kosli attest pullrequest github` and other GitHub-backed commands now include the (redacted) `Authorization` header, the resolved proxy URL, and any response body returned alongside transport errors when run with `--debug`. This makes it possible to diagnose corporate proxy and edge filter rejections that previously surfaced only as opaque transport errors.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.5)
</Update>

<Update label="May 1, 2026" description="v2.17.4" tags={["CLI"]}>
  ## Updates

  * **Removed automatic update notifications** — the CLI no longer checks for new versions on every command. The update notice introduced in v2.17.0 occasionally polluted captured output (for example `FP=$(kosli fingerprint ...)`), so version checks now run only for the `version` subcommand and the `--version` flag.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.4)
</Update>

<Update label="April 30, 2026" description="v2.17.3" tags={["CLI"]}>
  ## Updates

  * **Debug logging for GitHub PR attestations** — running `kosli attest pullrequest github` with `--debug` now prints every GitHub REST and GraphQL request and response (method, URL, headers, body) to stderr, with the `Authorization` header redacted. Useful for diagnosing 4xx/5xx responses and eventual-consistency issues in CI. See the [attest pullrequest github](/client_reference/kosli_attest_pullrequest_github) reference.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.3)
</Update>

<Update label="April 29, 2026" description="v0.6.3" tags={["Terraform Provider"]}>
  ## Bug fixes

  * **Race condition on environment rename** — renaming a `kosli_environment` or `kosli_logical_environment` resource label while keeping the same `name` no longer fails with a 404 ("Environment has been archived"). The provider now retries the post-create read with bounded backoff and re-asserts desired state when it observes the parallel destroy + create race. If you are intentionally renaming an environment, use `terraform state mv` as documented in the [`kosli_environment`](/terraform-reference/resources/environment) reference.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.3)
</Update>

<Update label="April 29, 2026" description="v0.6.2" tags={["Terraform Provider"]}>
  ## Bug fixes

  * **Clearing environment descriptions** — `kosli_environment` and `kosli_logical_environment` updates now use the `PATCH` endpoint, so setting `description = ""` correctly clears the environment's description. The previous `PUT`-based flow silently ignored empty descriptions. See the [`kosli_environment`](/terraform-reference/resources/environment) and [`kosli_logical_environment`](/terraform-reference/resources/logical_environment) references.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.2)
</Update>

<Update label="April 29, 2026" description="v2.17.2" tags={["CLI"]}>
  ## New features

  * **`--assert` / `--no-assert` for evaluate commands** — `kosli evaluate trail`, `kosli evaluate trails`, and `kosli evaluate input` now accept a mutually-exclusive `--assert` / `--no-assert` flag pair. Pass `--no-assert` to use these commands as a policy decision point: the verdict is printed and the command exits 0, leaving any assertion to a downstream step. Default behaviour is unchanged — a policy deny still exits non-zero. These commands are now marked `[BETA]`. See the [evaluate trail](/client_reference/kosli_evaluate_trail), [evaluate trails](/client_reference/kosli_evaluate_trails), and [evaluate input](/client_reference/kosli_evaluate_input) references.

  ## Updates

  * Help text for `kosli attest artifact` and `kosli fingerprint` now clarifies that `--artifact-type=docker` requires the image to have been pushed to or pulled from a registry, and points to `--artifact-type=oci` as the preferred alternative for registry-resident images. See the [attest artifact](/client_reference/kosli_attest_artifact) reference.

  ## Bug fixes

  * Reduced API request payload sizes by switching to compact JSON marshalling for both multipart (`--attestation-data`, `--user-data`) and non-multipart request bodies. Multipart payloads no longer hit the server's per-part size limit at \~400-500 KB on disk, and non-multipart bodies are 30-55% smaller on the wire. Debug and dry-run output remains pretty-printed.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.2)
</Update>

<Update label="April 23, 2026" description="v2.17.1" tags={["CLI"]}>
  ## Bug fixes

  * **GitHub PR attestation reliability** — `kosli attest pullrequest github` and `kosli assert pullrequest github` now correctly detect pull requests merged seconds before CI runs. The CLI falls back to a REST + per-PR GraphQL lookup when GitHub's GraphQL `associatedPullRequests` returns no results due to eventual consistency, with retries up to 60 seconds.

  ## Updates

  * Improved help text for `kosli attest artifact` to clarify that `--repo-id`, `--repo-url`, and `--repository` must be set together, and which CI systems set them automatically. See the [attest artifact](/client_reference/kosli_attest_artifact) reference.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.1)
</Update>

<Update label="April 21, 2026" description="v0.6.1" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Bumped `hc-install` to v0.9.4 to use the renewed HashiCorp GPG key, restoring provider installation in environments that verify the key.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.1)
</Update>

<Update label="April 21, 2026" description="v2.17.0" tags={["CLI"]}>
  ## New features

  * **Automatic update notifications** — the CLI now checks for available updates after each command and prints a notice to stderr when a newer version is released. Notices are suppressed in debug mode and for commands with programmatic output (e.g. `--output json`).
  * **`kosli --version` enhancements** — `kosli --version` now prints the full version struct and shows an update notice when a newer version is available.

  ## Bug fixes

  * Attestation `--name` validation now rejects names with a leading dot (e.g. `.foo`), trailing dot, or more than one dot (e.g. `foo.bar.baz`) with a clear error message instead of silently mishandling them.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.0)
</Update>

<Update label="April 20, 2026" description="" tags={["Platform"]}>
  ## New features

  * **API key management for service accounts** — programmatically create and manage API keys for service accounts, making it easier to automate integrations.
  * **Filter repositories by name** — the repositories list now supports filtering by name for faster navigation.

  ## Updates

  * Significantly improved environment snapshot page performance, including faster artifact loading, lazy loading, and optimized search.

  ## Bug fixes

  * Fixed a 500 error when listing API keys for keys that had never been used.
  * Fixed YAML syntax errors in policies returning a 500 instead of a 400 error.
  * Fixed snapshot rejection when a repository has no provider set.
</Update>

<Update label="April 20, 2026" description="v2.16.0" tags={["CLI"]}>
  ## New features

  * **Custom CA bundle support for k8s-reporter** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now supports `extraVolumes`, `extraVolumeMounts`, `extraEnvVars`, and a `customCA` convenience wrapper for environments behind a TLS-inspecting proxy. See the [Helm chart reference](/helm/k8s_reporter) for details.
  * **SonarQube pull request scan support** — `kosli attest sonar` now retrieves scan results for pull request analyses. Pass `--pull-request` to specify the PR number, or let the CLI detect it automatically from the SonarQube metadata file. See the [attest sonar](/client_reference/kosli_attest_sonar) reference.
  * **`--sonar-ce-task-url` flag** — pass the SonarQube CE task URL directly to `kosli attest sonar`, bypassing the need for the `.scannerwork/report-task.txt` file. Useful in CI environments where the scanner and CLI run in separate containers.

  ## Updates

  * The Helm chart now uses `appVersion` as the default CLI version.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.16.0)
</Update>

<Update label="April 15, 2026" description="v0.6.0" tags={["Terraform Provider"]}>
  ## New features

  * **Tags support for environments, logical environments, and flows** — you can now manage tags directly on [`kosli_environment`](/terraform-reference/resources/environment), [`kosli_logical_environment`](/terraform-reference/resources/logical_environment), and [`kosli_flow`](/terraform-reference/resources/flow) resources and their corresponding data sources. Tags are applied as diffs, so only changed tags are sent to the API.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.0)
</Update>

<Update label="April 15, 2026" description="v2.15.3" tags={["CLI"]}>
  ## Updates

  * Updated dependencies across Go libraries, OpenTelemetry SDK, and CI tooling to incorporate the latest security patches and stability improvements.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.3)
</Update>

<Update label="April 13, 2026" description="v2.15.2" tags={["CLI"]}>
  ## Updates

  * **`kosli assert artifact` flag validation** — the `--environment` and `--policy` flags are now validated as mutually exclusive client-side, giving you a faster error message without a server round-trip. The `--flow` flag can be combined with either mode to narrow the artifact lookup scope. See the [assert artifact](/client_reference/kosli_assert_artifact) reference.

  ## Bug fixes

  * Fixed `kosli list repos` and `kosli get repo` displaying garbled text when the latest activity field was empty.
  * Updated dependencies to resolve security vulnerabilities in Go standard library and OpenTelemetry packages.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.2)
</Update>

<Update label="April 6, 2026" description="v0.5.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_flow` resource and data source** — manage Kosli [flows](/getting_started/flows) as Terraform resources. Define name, description, and YAML template inline or via `file()`. The data source lets you query existing flows and reuse their templates. See the [resource](/terraform-reference/resources/flow) and [data source](/terraform-reference/data-sources/flow) reference.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.5.0)
</Update>

<Update label="April 6, 2026" description="v2.15.1" tags={["CLI"]}>
  ## New features

  * **`kosli evaluate input`** — evaluate a local JSON file (or stdin) against a Rego policy with no API dependency. Enables local policy development and fast iteration without a running Kosli server. See the [evaluate input](/client_reference/kosli_evaluate_input) reference.
  * **`--params` flag for policy evaluation** — pass configuration data (thresholds, expected counts, etc.) to Rego policies via `--params` on [`kosli evaluate trail`](/client_reference/kosli_evaluate_trail), [`kosli evaluate trails`](/client_reference/kosli_evaluate_trails), and [`kosli evaluate input`](/client_reference/kosli_evaluate_input). Accepts inline JSON or a file reference. Parameters are available as `data.params` in the policy.
  * **npm installation** — the Kosli CLI is now available as an npm package (`@kosli/cli`), making it easy to install in JavaScript/Node.js toolchains.

  ## Bug fixes

  * Fixed Docker API version negotiation — the CLI now automatically negotiates the Docker API version with the host daemon, preventing compatibility errors after SDK upgrades.
  * Fixed AWS API rate limiting — snapshot commands for ECS, S3, and Lambda environments now use adaptive retry with up to 10 attempts, preventing failures under heavy API load.
  * Fixed git HEAD resolution in linked worktrees.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.1)
</Update>

<Update label="April 6, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Deployment list** — the repository releases page now includes a deployments tab showing a paginated list of deployments with artifact details, commit links, replaced artifacts, and compliance status.
  * **Filter deployments by environment** — filter the deployment list and metrics by specific environments on the repository releases page.

  ## Updates

  * Redesigned the repository run page with improved layout, hover states, and rich tooltips showing artifact fingerprints, snapshot references, and commit details.

  ## Bug fixes

  * Fixed an error when viewing deployment details for artifacts with a missing replaced snapshot index.
</Update>

<Update label="March 30, 2026" description="v2.13.2" tags={["CLI"]}>
  ## Updates

  * **Removed deprecated `kosli expect deployment` command** — deployment expectation is no longer required for compliance. If your pipelines still reference this command, remove or replace it.
  * **CI-ready Docker image** — a new Alpine-based Dockerfile is available for use as a CI runner image (e.g., GitLab CI), providing the Kosli CLI alongside common CI tooling.

  ## Bug fixes

  * Fixed `kosli get attestation-type` displaying `type_schema` as a Go map instead of formatted JSON.
  * The `--debug` flag now shows the HTML response body when a server error occurs, improving troubleshooting.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.2)
</Update>

<Update label="March 30, 2026" description="v0.4.2" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Fixed `type_schema` handling — the provider now correctly reads JSON objects returned by the API, replacing the previous Python repr string workaround.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.4.2)
</Update>

<Update label="March 30, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Deployment frequency statistics** — the repository releases page now shows a deployment frequency bar chart with daily counts, a median line, and summary statistics for each environment.

  ## Updates

  * Removed the deprecated deployments API. This aligns with the CLI removal of `kosli expect deployment`.
</Update>

<Update label="March 23, 2026" description="v0.4.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_action` resource and data source** — manage webhook notification actions as Terraform resources. Create, update, and import actions by name, and read existing actions to reference in your configurations.
  * **`kosli_policy` resource and data source** — manage Kosli policies as Infrastructure-as-Code. The data source exposes the policy name, description, content, and latest version.
  * **`kosli_policy_attachment` resource** — manage the relationship between policies and environments, letting you attach and detach policies declaratively.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.4.0)
</Update>

<Update label="March 23, 2026" description="v2.13.0" tags={["CLI"]}>
  ## New features

  * **Repository metadata on attestations** — all `kosli attest` commands and `kosli begin trail` now accept `--repo-id`, `--repository`, `--repo-url`, and `--repo-provider` flags to associate attestations and trails with their source repository. These flags are automatically populated from CI environment variables in GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, and CircleCI — no manual configuration needed. See the [CI defaults](/integrations/ci_cd) reference.
  * **Helm chart CronJob configuration** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now lets you configure `concurrencyPolicy`, `failedJobsHistoryLimit`, and `successfulJobsHistoryLimit` for the reporter CronJob.

  ## Updates

  * `--repo-url` is now validated as a well-formed URL when explicitly provided.
  * `--repo-provider` is validated against the allowed values: `github`, `gitlab`, `bitbucket`, `azure-devops`.
  * For `kosli attest pullrequest github` and `kosli attest pullrequest azure`, the `--repository` flag now also controls which repository is queried for pull requests.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.0)
</Update>

<Update label="March 23, 2026" description="v2.13.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed an issue where artifact names with leading periods were rejected. Leading periods are now trimmed automatically.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.1)
</Update>

<Update label="March 23, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Attestation evidence download** — a new API endpoint lets you download evidence files attached to attestations, making it easier to retrieve and audit attestation data programmatically.
  * **Snapshotter role** — a new [Snapshotter role](/administration/managing_users/roles_in_kosli) is available for users who need to create environment snapshots and manage service accounts without full member permissions. Ideal for environment and operations teams.
</Update>

<Update label="March 16, 2026" description="v2.12.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed `kosli attest artifact` sending empty repository information when no repo data is available.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.12.1)
</Update>

<Update label="March 16, 2026" description="v2.12.0" tags={["CLI"]}>
  ## New features

  * **`kosli evaluate trail` and `kosli evaluate trails`** — evaluate one or more trails against a [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) policy and get a structured pass/fail decision. Use `--attestations` to filter which attestations are checked, and `--output json` for machine-readable results. Exit code reflects the policy decision, making it ideal for CI/CD gates. See the [evaluate trail](/client_reference/kosli_evaluate_trail) and [evaluate trails](/client_reference/kosli_evaluate_trails) reference for details.
  * **Multi-environment K8s reporting** — `kosli snapshot k8s` now accepts a `--config-file` flag to report multiple Kosli environments in a single command. Define environment-to-namespace mappings in a YAML file instead of running the command once per environment. See the [snapshot k8s](/client_reference/kosli_snapshot_k8s) reference.
  * **Helm chart v2.0.0** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now uses a `reporterConfig.environments` list, enabling multi-environment reporting from a single chart installation. This is a breaking change from v1.x — see the chart README for migration steps.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.12.0)
</Update>

<Update label="February 18, 2026" description="v0.3.1" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Fixed handling of Python boolean (`true`/`false`) and null values in custom attestation type schemas.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.3.1)
</Update>

<Update label="February 18, 2026" description="v0.3.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_logical_environment` resource** — create and manage logical environments that aggregate multiple physical environments into a single view.
  * **`kosli_logical_environment` data source** — query details of existing logical environments.
  * **Drift detection for logical environments** — Kosli now detects when the `included_environments` of a logical environment change outside of Terraform.
  * **User agent header** — the provider now sends a versioned user agent on every API request, improving diagnostics.

  ## Bug fixes

  * Fixed a missing `flow` field in pull request attestation resources.
  * Fixed `terraform plan` showing `(known after apply)` for the `type` attribute of logical environments instead of `"logical"`.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.3.0)
</Update>

<Update label="January 23, 2026" description="v0.2.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_environment` resource** — create and manage physical Kosli environments (K8S, ECS, S3, docker, server, lambda) as Terraform resources.
  * **`kosli_environment` data source** — query details of existing physical environments.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.2.0)
</Update>

<Update label="January 21, 2026" description="v0.1.0" tags={["Terraform Provider"]}>
  ## Changes

  * `schema` and `jq_rules` are now optional fields on `kosli_attestation_type`, allowing you to create attestation types without a validation schema.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.1.0)
</Update>