> ## Documentation Index
> Fetch the complete documentation index at: https://kosli-reference-docs-v2-30-1.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Release notes for Kosli products.

<Update label="June 26, 2026" description="" tags={["Platform"]}>
  ## Updates

  * **Lifecycle status on control version list** — each entry in a control's Version List now shows whether it represents a **Created**, **Edited**, **Archived**, or **Unarchived** event, making history easier to scan.
  * **Consistent Controls list UI** — the Controls Decision List and Version List now use the same card-list layout as the main Controls listing.
</Update>

<Update label="June 25, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Deployment lead time** — `list` and `get` deployment endpoints now expose `lead_time_seconds`.
</Update>

<Update label="June 24, 2026" description="v2.28.2" tags={["CLI"]}>
  ## Updates

  * Dependency updates (AWS SDK, Moby Docker client/API, Google API).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.28.2)
</Update>

<Update label="June 24, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Archive and unarchive controls** — retired controls can now be archived (and later unarchived) instead of deleted, preserving history while removing them from the active catalog. New `POST /api/v2/controls/{org}/{identifier}/archive` and `unarchive` endpoints, plus UI support.
  * **Controls coverage report** — a new Coverage tab and API show which environments enforce a given control (via a policy whose latest version references it through `for_control`) and which don't.
  * **Filter control decisions by flow** — a control's decisions list can now be filtered by one or more flows.
  * **Controls API in OpenAPI schema (beta)** — the `/api/v2/controls/...` endpoints are now published in the OpenAPI schema, marked beta and gated per-request by the `is-controls-enabled` flag. This unblocks downstream tooling like the Terraform provider.

  ## Updates

  * **Swagger docs can call mutating endpoints again** — requests carrying an `Authorization` header now skip session-CSRF enforcement, so authorized API-key calls from `/api/v2/doc/` no longer fail with `403 CSRF token missing`.
  * **Better flow-template error handling** — invalid flow template YAML now catches a wider range of parser errors instead of returning a 500.
  * **Experimental features opt-in removed** — the unused per-org "experimental features" setting and its API endpoint have been removed.

  ## Bug fixes

  * **Security: SSRF in environment-action webhooks** — webhook and Slack action targets are now validated and re-resolved immediately before each outbound POST, blocking requests to internal infrastructure (loopback, RFC 1918, cloud metadata endpoints, internal Kubernetes services).
  * **Control links with dots in names** — control link names containing `.` are now sanitized for MongoDB storage instead of being rejected.
</Update>

<Update label="June 23, 2026" description="" tags={["Platform"]}>
  ## New features

  * **`decision` attestation in flow templates** — the `decision` attestation type introduced by Controls is now a first-class option in the flow template system and UI.

  ## Updates

  * **"+ Add tag" affordance on controls with no tags** — the view-control page now shows a clear add-tag button when a control has no tags, instead of a lone kebab menu.
</Update>

<Update label="June 22, 2026" description="v2.28.1" tags={["CLI"]}>
  ## Updates

  * **Beta status moved to annotations** — `evaluate`, `attest decision`, and related subcommands no longer prefix their short description with `[BETA]`; beta status is now conveyed via annotations and sidebar tags.

  ## Bug fixes

  * **`kosli snapshot ecs` with empty clusters** — fixed a failure (`InvalidParameterException: Services cannot be empty`) when a scanned ECS cluster had no services.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.28.1)
</Update>

<Update label="June 22, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Membership audit log page** — the membership/role-change history now has a dedicated **Audit Log** page under Settings → User Management, with search, filters (event type, role, source), date range, and sortable columns.
  * **`pull_request` attestation fields** — V2 `pull_request` attestations now carry per-commit `verified` / `signature_state` and a PR `base_ref` (populated by CLI v2.27.0+), enabling Rego policies for signed commits and "merged into main".
  * **Service account CRUD API** — new JSON endpoints under `/service-accounts/{org}` to create, list, get, update, and delete service accounts, complementing the existing API-key endpoints.

  ## Updates

  * **Artifact name on control decisions** — the decisions list and decision tray now show a human-readable artifact name alongside the fingerprint.
  * **Decision list columns** — added **control version** and **attestation name** columns to the decisions list.
  * **Auto-run deletability check** — initiating an org-deletion plan now runs the deletability check automatically, with an approval-blocker warning banner on each plan card when checks fail; the manual button is renamed **Re-check deletability**.
  * **Controls UI refresh** — the controls list, control detail, control edit/new form, and version list pages have been restyled with new layouts, filtering, and interaction improvements.
  * **Faster environment snapshot listing** — `GET /api/v2/snapshots/{org}/{env_name}` (and `kosli list snapshots`) is significantly faster on large/long-lived environments by eliminating per-snapshot ordinal seeks and discarded counts.
  * **Display name fallback** — audit log, controls, and trail views now fall back to `login_name` when a user has no display name set.
  * **Signup form** — the welcome signup form now shows field labels.
  * **Wording** — "Logout" is now "Sign out" across the app.
  * **`base_ref` field placement** — in serialized `pull_request` attestation JSON, `base_ref` now sits next to `head_ref` (cosmetic; key order is not significant).

  ## Bug fixes

  * **Concurrent create 500s** — fixed 500 errors on concurrent `PUT /api/v2/trails/{org}/{flow}` (begin trail) and `PUT /api/v2/policies/{org}/{name}` requests by retrying on duplicate-key races.
  * **"Added" date reset on role change** — fixed a regression where changing a user's role reset their **Added** date (and the service account **Created** date) to today; both now read the original `created_at`.
</Update>

<Update label="June 18, 2026" description="v2.28.0" tags={["CLI"]}>
  ## New features

  * **`kosli get trail --output markdown`** — `get trail` now supports GitHub-Flavored Markdown output, suitable for piping into CI job summaries (e.g. `$GITHUB_STEP_SUMMARY`). The output includes trail metadata, git commit info, attestation statuses with compliance indicators and links to the Kosli app, and an events table with linked commit SHAs, environment snapshots, and attestation references. See the [get trail reference](/client_reference/kosli_get_trail).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.28.0)
</Update>

<Update label="June 16, 2026" description="v2.27.0" tags={["CLI"]}>
  ## New features

  * **`pull_request` attestations capture commit signatures and PR base branch** — each commit now records `verified` and `signature_state` (GitHub and GitLab), and every PR records `base_ref` (GitHub, GitLab, Bitbucket, Azure DevOps), enabling Rego policies for signed commits and "merged into main". Bitbucket and Azure DevOps don't expose per-commit signature verification, so those fields are omitted for them.

  ## Updates

  * **`pull_request` attestation commits** — record the git **author** identity and authored timestamp (not the committer) across all providers.
  * **API key rotation** — failures now clean up the duplicate key ID and include details in the error response.

  <Warning>
    The new `base_ref` field is rejected by Kosli servers older than the matching server change. **Self-hosted users must upgrade their Kosli server before upgrading this CLI**, otherwise `pull_request` attestations will fail validation. Kosli SaaS (app.kosli.com / app.us.kosli.com) is already updated.
  </Warning>

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.27.0)
</Update>

<Update label="June 12, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Sign in with SSO** — a redesigned sign-in page makes SSO a first-class option alongside other providers.
  * **Membership history audit log** — organization membership and role changes are now appended to an audit history, capturing who changed what and when.
  * **Short fingerprints on artifact GETs** — artifact GET endpoints once again accept short fingerprint prefixes (5–64 chars), restoring documented CLI behavior like `kosli get artifact flow@<short-fingerprint>`.

  ## Updates

  * **Faster org-scoped queries** — trail moments and recently-modified artifact queries now use org-scoped indexes for better performance on large organizations.

  ## Bug fixes

  * Fixed revoking an already-archived service account API key returning `200 OK` instead of `404 Not Found`.
  * Fixed an order-dependent waiver leak in trail and provenance compliance evaluation where one waived exception could incorrectly carry over to later artifacts.
</Update>

<Update label="June 11, 2026" description="v2.26.0" tags={["CLI"]}>
  ## New features

  * **`kosli list environments` filtering and pagination** — new `--name`, `--type`, `--space-id`, `--tag`, `--page`, and `--page-limit` flags filter and paginate environment listings. See the [list environments reference](/client_reference/kosli_list_environments).
  * **`kosli list flows` name search** — new `--name` and `--ignore-case` flags search flows by name. See the [list flows reference](/client_reference/kosli_list_flows).

  ## Updates

  * **`kosli attest jira`** — clearer help text for CVE and multi-segment identifier filtering behavior. See the [attest jira reference](/client_reference/kosli_attest_jira).

  ## Bug fixes

  * **Service account API key prompts** — the revoke confirmation prompt now reads inline, and cancellation messaging and key ID styling are consistent with other commands.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.26.0)
</Update>

<Update label="June 9, 2026" description="v2.25.0" tags={["CLI"]}>
  ## New features

  * **`kosli service-account api-keys`** — new command group (alias `sa ak`) to manage service account API keys from the CLI, with `create`, `revoke`, `rotate`, and `list` subcommands.
  * **Short aliases for top-level verbs** — `get` (`g`), `rename` (`re`), `disable` (`dis`), `enable` (`en`), `log` (`lo`), and `status` (`s`, `st`) now have shorter aliases.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.25.0)
</Update>

<Update label="June 4, 2026" description="" tags={["Platform"]}>
  ## Updates

  * **Consistent "organization" wording** — standardized spelling across user-facing strings in the app.
  * **Simpler invite acceptance** — accepting an invite now requires OTP verification only when the logged-in user's email doesn't match the invitation; matching emails are accepted directly regardless of auth provider.

  ## Bug fixes

  * **Security: service account API keys on public orgs** — fixed a path that could return an arbitrary membership document for unauthenticated callers on public orgs, potentially exposing service account API keys. `is_admin(None)` now always returns `False`.
  * **Flows page** — guarded against a null `space_id` element that could break the flows listing.
  * **Redirects** — all query parameters are now preserved through redirects.
</Update>

<Update label="June 3, 2026" description="" tags={["Platform"]}>
  ## New features

  * **`for_control` policy compliance** — snapshot compliance now evaluates `for_control` policy requirements. When a policy requires a passing decision attestation for a specific control, the snapshot is checked against a matching decision for that control.

  ## Updates

  * **Assert artifact response includes `for_control`** — the assert artifact API now returns the control identifier in the resolution context for `for_control` rule failures, so clients can show which specific control is unsatisfied.
</Update>

<Update label="June 3, 2026" description="v2.24.2" tags={["CLI"]}>
  ## New features

  * **`linux/s390x` builds** — the CLI is now published for `linux/s390x` so it can be installed natively on IBM Z hosts.

  ## Bug fixes

  * Bumped Go to 1.26.4 to address standard-library CVEs.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.24.2)
</Update>

<Update label="June 3, 2026" description="v2.24.1" tags={["CLI"]}>
  ## Updates

  * **`kosli assert artifact`** — when a `for_control` policy rule fails, the failure output now names the specific control identifier that is unsatisfied, making it easier to act on policy failures in CI.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.24.1)
</Update>

<Update label="June 2, 2026" description="v2.24.0" tags={["CLI"]}>
  ## Updates

  * **SonarQube authentication** — `kosli attest sonar` now falls back to HTTP Basic auth (token as username) on self-hosted SonarQube Server versions earlier than 10.0, which reject `Authorization: Bearer`. The fallback is transparent for self-hosted servers and never applied to SonarCloud. Authentication errors now distinguish 401/403 token or permission problems from 5xx server-availability issues instead of the previous generic "please check your API token" message.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.24.0)
</Update>

<Update label="June 2, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Default organization on user profile** — pick a default organization from a dropdown on your [profile settings page](https://app.kosli.com/settings/profile) so the Kosli app opens to it on sign-in.

  ## Updates

  * **`visibility` optional when creating flows** — the create-flow API no longer requires a `visibility` field. New flows default to `private`.

  ## Bug fixes

  * Upgraded `libxml2` in the Kosli app image to address CVE-2026-6732 (high-severity denial-of-service in XSD validation).
  * Fixed orphaned tooltips lingering on the page after HTMX-driven updates.
</Update>

<Update label="June 1, 2026" description="v2.23.2" tags={["CLI"]}>
  ## Bug fixes

  * **`kosli create flow`** — restored the `--visibility` flag as a deprecated (rather than removed) option, so existing scripts that pass it keep working. The flag has no effect on newer Kosli servers and will be removed in a future release. See the [create flow reference](/client_reference/kosli_create_flow).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.23.2)
</Update>

<Update label="May 30, 2026" description="v2.23.0" tags={["CLI"]}>
  ## Updates

  * **`kosli create flow`** — the `--visibility` flag is deprecated. Flow visibility now defaults to `private` server-side and the flag is no longer needed.
  * **Deprecation warning for legacy flow creation** — `kosli create flow` now prints a warning when neither `--template-file` nor `--use-empty-template` is supplied. The legacy code path will stop working in a future release; pass a template file or use the empty template instead. See the [create flow reference](/client_reference/kosli_create_flow).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.23.0)
</Update>

<Update label="May 29, 2026" description="v2.22.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed malformed URLs in `kosli list` and `kosli diff` commands when host or path segments contained extra slashes. Requests are now built with proper URL joining.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.22.1)
</Update>

<Update label="May 26, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Redesigned environments listing page** — the environments page in the Kosli app is now a paginated view with filtering by name, type, and tag, and sorting by last-changed time.
  * **Timestamp filtering on environment events** — the env events API accepts `from` and `to` timestamp query parameters.
  * **Service account privilege management** — admins can change the privilege level of existing service accounts.
  * **API key rotation** — rotate API keys without invalidating existing integrations.

  ## Updates

  * **Faster environments listing** — large environments now load and filter noticeably faster.
  * **Faster trail and snapshot operations** — listing trails and processing snapshots is quicker on large orgs.
  * **OpenAPI improvements** — the API spec has been refined for cleaner SDK generation.
  * **Magic Link login hardening** — added additional protections to the Magic Link sign-in flow.

  ## Bug fixes

  * Fixed empty-digest reports always creating a new snapshot instead of reusing the existing one.
  * Fixed the environments listing not falling back to a user's login name when no display name was set.
  * Fixed an authentication flow issue caused by a trailing slash in default Descope URLs.
</Update>

<Update label="May 26, 2026" description="v2.21.0" tags={["CLI"]}>
  ## Bug fixes

  * **`kosli attest jira`** — fixed false-positive Jira issue key matches from multi-segment identifiers such as CVE numbers (`CVE-2026-41284` no longer matches as a Jira key). See the [attest jira reference](/client_reference/kosli_attest_jira).
  * **`kosli attest junit`** — JUnit XML ingestion now walks directories recursively, deduplicates file scans, and returns a clearer error message for non-UTF-8 encoded XML files. See the [attest junit reference](/client_reference/kosli_attest_junit).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.21.0)
</Update>

<Update label="May 14, 2026" description="v2.20.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed CLI flags rendering as em dashes in the generated [CLI reference](/client_reference) pages. Flag names (`--flag`, `-x`) are now wrapped in backticks so Mintlify's smart-typography renderer leaves them intact.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.20.1)
</Update>

<Update label="May 13, 2026" description="v2.20.0" tags={["CLI"]}>
  ## Updates

  * **`kosli approval` commands deprecated** — the `kosli approval` command tree is now marked as deprecated. Use [attestations](/getting_started/attestations) going forward.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.20.0)
</Update>

<Update label="May 12, 2026" description="v2.19.0" tags={["CLI"]}>
  ## Updates

  * Migrated the Docker client dependency from `github.com/docker/docker` to `github.com/moby/moby` and related modular packages (`moby/moby/api`, `moby/moby/client`).
  * Updated `github.com/open-policy-agent/opa` to v1.16.2.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.19.0)
</Update>

<Update label="May 12, 2026" description="v2.18.0" tags={["CLI"]}>
  ## New features

  * **`kosli snapshot cloud-run` is now generally available** — the [Cloud Run snapshotter](/client_reference/kosli_snapshot_cloud-run) is no longer hidden and now reports its coverage table alongside the snapshot.
  * **Path filters for `kosli snapshot s3`** — added `--include-regex` and `--exclude-regex` flags to [`kosli snapshot s3`](/client_reference/kosli_snapshot_s3) so you can scope a snapshot to a subset of objects in a bucket.

  ## Bug fixes

  * Fixed `kosli attest snyk` and other SonarQube-backed attestations not forwarding the branch name to SonarQube's `project_analyses/search` endpoint, which previously returned results from the wrong branch.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.18.0)
</Update>

<Update label="May 11, 2026" description="v2.17.8" tags={["CLI"]}>
  ## New features

  * **Remote policies for `kosli evaluate`** — `--policy` on [`kosli evaluate`](/client_reference/kosli_evaluate_trail) now accepts remote `http(s)` URLs in addition to local file paths, so you can evaluate against centrally-hosted policy files.
  * **`--quiet` flag** — a new global `--quiet` flag suppresses non-essential output from the CLI, useful for scripting and CI pipelines that only care about exit codes.
  * **Expanded Cloud Run support** — [`kosli snapshot cloud-run`](/client_reference/kosli_snapshot_cloud-run) now reports Cloud Run Jobs in addition to services, and recovers missing image digests via a registry lookup when the runtime does not expose them directly.

  ## Bug fixes

  * Fixed bare URLs in CLI flag descriptions producing broken links in the generated reference docs.
  * Fixed the Helm chart docs templates so they render correctly in [Mintlify](/helm).

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.8)
</Update>

<Update label="May 11, 2026" description="v0.6.4" tags={["Terraform Provider"]}>
  ## Updates

  * **Toolchain update** — the [Terraform provider](/terraform-reference) is now built with Go 1.26. No user-facing behavior changes.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.4)
</Update>

<Update label="May 8, 2026" description="v2.17.7" tags={["CLI"]}>
  ## New features

  * **Cloud Run Jobs support in `kosli snapshot cloud-run`** — the [Cloud Run snapshotter](/client_reference/kosli_snapshot_cloud-run) can now report Cloud Run Jobs alongside services, and its wire format has been cleaned up.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.7)
</Update>

<Update label="May 7, 2026" description="v2.17.6" tags={["CLI"]}>
  ## Bug fixes

  * Fixed [`kosli snapshot docker`](/client_reference/kosli_snapshot_docker) crashing when it encountered a container that the Docker daemon could not inspect. Such containers are now skipped with a warning and the snapshot continues.
  * Fixed a broken `http-proxy` example link in the CLI reference docs.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.6)
</Update>

<Update label="May 4, 2026" description="" tags={["Platform"]}>
  ## New features

  * **PATCH endpoint for environment updates** — a new `PATCH /environments/{org}/{env_name}` endpoint allows updating individual environment fields without replacing the entire resource. This fixes the issue where setting a description to an empty string was silently ignored, and enables proper support in the [Terraform provider](/terraform-reference/resources/environment).

  ## Updates

  * **Significantly faster environment and snapshot pages** — eliminated thousands of redundant database queries during snapshot reporting and page rendering. For large environments (\~800 artifacts), this removes approximately 5,600 unnecessary database round-trips per snapshot report. The environment events page, which previously took \~60 seconds to load for large environments, now loads normally.
  * **Infinite scroll on snapshot events tab** — the snapshot events tab now loads events incrementally via infinite scroll instead of all at once, improving responsiveness for environments with many events.
  * **Improved environment page search** — search and filter on the environment page now returns all matching artifacts in a single request with loading indicators, fixing broken behavior for large environments.
  * **Faster flow filter lookups** — environment pages that filter by flow now use a pre-materialized collection instead of scanning all artifacts, speeding up load times.
  * **Case-insensitive email lookups** — user and invitation email lookups no longer require exact case matching.
  * **Redirect preserved through login** — when a session expires, the original destination URL (e.g., an org invite page) is now preserved through the logout/login cycle.
  * **API documentation improvements** — the OpenAPI spec title is now "Kosli API", endpoints are sorted alphabetically, and server URLs are absolute for [API playground](/api-reference/actions/list-actions) compatibility.

  ## Bug fixes

  * Fixed the flows filter incorrectly rejecting substring searches starting with hyphens, underscores, dots, or tildes.
  * Fixed the logical environment snapshot events tab raising an error, and the "Running" badge incorrectly counting exited artifacts.
  * Fixed a 500 error when listing API keys with legacy expiration timestamps.
  * Fixed unhandled exceptions during OAuth and SSO sign-in flows.
  * Security: upgraded xz/xz-libs packages to patch CVE-2026-34743.
</Update>

<Update label="May 4, 2026" description="v2.17.5" tags={["CLI"]}>
  ## Updates

  * **More diagnostic `--debug` output for GitHub calls** — `kosli attest pullrequest github` and other GitHub-backed commands now include the (redacted) `Authorization` header, the resolved proxy URL, and any response body returned alongside transport errors when run with `--debug`. This makes it possible to diagnose corporate proxy and edge filter rejections that previously surfaced only as opaque transport errors.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.5)
</Update>

<Update label="May 1, 2026" description="v2.17.4" tags={["CLI"]}>
  ## Updates

  * **Removed automatic update notifications** — the CLI no longer checks for new versions on every command. The update notice introduced in v2.17.0 occasionally polluted captured output (for example `FP=$(kosli fingerprint ...)`), so version checks now run only for the `version` subcommand and the `--version` flag.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.4)
</Update>

<Update label="April 30, 2026" description="v2.17.3" tags={["CLI"]}>
  ## Updates

  * **Debug logging for GitHub PR attestations** — running `kosli attest pullrequest github` with `--debug` now prints every GitHub REST and GraphQL request and response (method, URL, headers, body) to stderr, with the `Authorization` header redacted. Useful for diagnosing 4xx/5xx responses and eventual-consistency issues in CI. See the [attest pullrequest github](/client_reference/kosli_attest_pullrequest_github) reference.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.3)
</Update>

<Update label="April 29, 2026" description="v0.6.3" tags={["Terraform Provider"]}>
  ## Bug fixes

  * **Race condition on environment rename** — renaming a `kosli_environment` or `kosli_logical_environment` resource label while keeping the same `name` no longer fails with a 404 ("Environment has been archived"). The provider now retries the post-create read with bounded backoff and re-asserts desired state when it observes the parallel destroy + create race. If you are intentionally renaming an environment, use `terraform state mv` as documented in the [`kosli_environment`](/terraform-reference/resources/environment) reference.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.3)
</Update>

<Update label="April 29, 2026" description="v0.6.2" tags={["Terraform Provider"]}>
  ## Bug fixes

  * **Clearing environment descriptions** — `kosli_environment` and `kosli_logical_environment` updates now use the `PATCH` endpoint, so setting `description = ""` correctly clears the environment's description. The previous `PUT`-based flow silently ignored empty descriptions. See the [`kosli_environment`](/terraform-reference/resources/environment) and [`kosli_logical_environment`](/terraform-reference/resources/logical_environment) references.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.2)
</Update>

<Update label="April 29, 2026" description="v2.17.2" tags={["CLI"]}>
  ## New features

  * **`--assert` / `--no-assert` for evaluate commands** — `kosli evaluate trail`, `kosli evaluate trails`, and `kosli evaluate input` now accept a mutually-exclusive `--assert` / `--no-assert` flag pair. Pass `--no-assert` to use these commands as a policy decision point: the verdict is printed and the command exits 0, leaving any assertion to a downstream step. Default behavior is unchanged — a policy deny still exits non-zero. These commands are now marked `[BETA]`. See the [evaluate trail](/client_reference/kosli_evaluate_trail), [evaluate trails](/client_reference/kosli_evaluate_trails), and [evaluate input](/client_reference/kosli_evaluate_input) references.

  ## Updates

  * Help text for `kosli attest artifact` and `kosli fingerprint` now clarifies that `--artifact-type=docker` requires the image to have been pushed to or pulled from a registry, and points to `--artifact-type=oci` as the preferred alternative for registry-resident images. See the [attest artifact](/client_reference/kosli_attest_artifact) reference.

  ## Bug fixes

  * Reduced API request payload sizes by switching to compact JSON marshalling for both multipart (`--attestation-data`, `--user-data`) and non-multipart request bodies. Multipart payloads no longer hit the server's per-part size limit at \~400-500 KB on disk, and non-multipart bodies are 30-55% smaller on the wire. Debug and dry-run output remains pretty-printed.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.2)
</Update>

<Update label="April 23, 2026" description="v2.17.1" tags={["CLI"]}>
  ## Bug fixes

  * **GitHub PR attestation reliability** — `kosli attest pullrequest github` and `kosli assert pullrequest github` now correctly detect pull requests merged seconds before CI runs. The CLI falls back to a REST + per-PR GraphQL lookup when GitHub's GraphQL `associatedPullRequests` returns no results due to eventual consistency, with retries up to 60 seconds.

  ## Updates

  * Improved help text for `kosli attest artifact` to clarify that `--repo-id`, `--repo-url`, and `--repository` must be set together, and which CI systems set them automatically. See the [attest artifact](/client_reference/kosli_attest_artifact) reference.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.1)
</Update>

<Update label="April 21, 2026" description="v0.6.1" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Bumped `hc-install` to v0.9.4 to use the renewed HashiCorp GPG key, restoring provider installation in environments that verify the key.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.1)
</Update>

<Update label="April 21, 2026" description="v2.17.0" tags={["CLI"]}>
  ## New features

  * **Automatic update notifications** — the CLI now checks for available updates after each command and prints a notice to stderr when a newer version is released. Notices are suppressed in debug mode and for commands with programmatic output (e.g. `--output json`).
  * **`kosli --version` enhancements** — `kosli --version` now prints the full version struct and shows an update notice when a newer version is available.

  ## Bug fixes

  * Attestation `--name` validation now rejects names with a leading dot (e.g. `.foo`), trailing dot, or more than one dot (e.g. `foo.bar.baz`) with a clear error message instead of silently mishandling them.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.17.0)
</Update>

<Update label="April 20, 2026" description="" tags={["Platform"]}>
  ## New features

  * **API key management for service accounts** — programmatically create and manage API keys for service accounts, making it easier to automate integrations.
  * **Filter repositories by name** — the repositories list now supports filtering by name for faster navigation.

  ## Updates

  * Significantly improved environment snapshot page performance, including faster artifact loading, lazy loading, and optimized search.

  ## Bug fixes

  * Fixed a 500 error when listing API keys for keys that had never been used.
  * Fixed YAML syntax errors in policies returning a 500 instead of a 400 error.
  * Fixed snapshot rejection when a repository has no provider set.
</Update>

<Update label="April 20, 2026" description="v2.16.0" tags={["CLI"]}>
  ## New features

  * **Custom CA bundle support for k8s-reporter** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now supports `extraVolumes`, `extraVolumeMounts`, `extraEnvVars`, and a `customCA` convenience wrapper for environments behind a TLS-inspecting proxy. See the [Helm chart reference](/helm/k8s_reporter) for details.
  * **SonarQube pull request scan support** — `kosli attest sonar` now retrieves scan results for pull request analyses. Pass `--pull-request` to specify the PR number, or let the CLI detect it automatically from the SonarQube metadata file. See the [attest sonar](/client_reference/kosli_attest_sonar) reference.
  * **`--sonar-ce-task-url` flag** — pass the SonarQube CE task URL directly to `kosli attest sonar`, bypassing the need for the `.scannerwork/report-task.txt` file. Useful in CI environments where the scanner and CLI run in separate containers.

  ## Updates

  * The Helm chart now uses `appVersion` as the default CLI version.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.16.0)
</Update>

<Update label="April 15, 2026" description="v0.6.0" tags={["Terraform Provider"]}>
  ## New features

  * **Tags support for environments, logical environments, and flows** — you can now manage tags directly on [`kosli_environment`](/terraform-reference/resources/environment), [`kosli_logical_environment`](/terraform-reference/resources/logical_environment), and [`kosli_flow`](/terraform-reference/resources/flow) resources and their corresponding data sources. Tags are applied as diffs, so only changed tags are sent to the API.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.6.0)
</Update>

<Update label="April 15, 2026" description="v2.15.3" tags={["CLI"]}>
  ## Updates

  * Updated dependencies across Go libraries, OpenTelemetry SDK, and CI tooling to incorporate the latest security patches and stability improvements.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.3)
</Update>

<Update label="April 13, 2026" description="v2.15.2" tags={["CLI"]}>
  ## Updates

  * **`kosli assert artifact` flag validation** — the `--environment` and `--policy` flags are now validated as mutually exclusive client-side, giving you a faster error message without a server round-trip. The `--flow` flag can be combined with either mode to narrow the artifact lookup scope. See the [assert artifact](/client_reference/kosli_assert_artifact) reference.

  ## Bug fixes

  * Fixed `kosli list repos` and `kosli get repo` displaying garbled text when the latest activity field was empty.
  * Updated dependencies to resolve security vulnerabilities in Go standard library and OpenTelemetry packages.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.2)
</Update>

<Update label="April 6, 2026" description="v0.5.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_flow` resource and data source** — manage Kosli [flows](/getting_started/flows) as Terraform resources. Define name, description, and YAML template inline or via `file()`. The data source lets you query existing flows and reuse their templates. See the [resource](/terraform-reference/resources/flow) and [data source](/terraform-reference/data-sources/flow) reference.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.5.0)
</Update>

<Update label="April 6, 2026" description="v2.15.1" tags={["CLI"]}>
  ## New features

  * **`kosli evaluate input`** — evaluate a local JSON file (or stdin) against a Rego policy with no API dependency. Enables local policy development and fast iteration without a running Kosli server. See the [evaluate input](/client_reference/kosli_evaluate_input) reference.
  * **`--params` flag for policy evaluation** — pass configuration data (thresholds, expected counts, etc.) to Rego policies via `--params` on [`kosli evaluate trail`](/client_reference/kosli_evaluate_trail), [`kosli evaluate trails`](/client_reference/kosli_evaluate_trails), and [`kosli evaluate input`](/client_reference/kosli_evaluate_input). Accepts inline JSON or a file reference. Parameters are available as `data.params` in the policy.
  * **npm installation** — the Kosli CLI is now available as an npm package (`@kosli/cli`), making it easy to install in JavaScript/Node.js toolchains.

  ## Bug fixes

  * Fixed Docker API version negotiation — the CLI now automatically negotiates the Docker API version with the host daemon, preventing compatibility errors after SDK upgrades.
  * Fixed AWS API rate limiting — snapshot commands for ECS, S3, and Lambda environments now use adaptive retry with up to 10 attempts, preventing failures under heavy API load.
  * Fixed git HEAD resolution in linked worktrees.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.15.1)
</Update>

<Update label="April 6, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Deployment list** — the repository releases page now includes a deployments tab showing a paginated list of deployments with artifact details, commit links, replaced artifacts, and compliance status.
  * **Filter deployments by environment** — filter the deployment list and metrics by specific environments on the repository releases page.

  ## Updates

  * Redesigned the repository run page with improved layout, hover states, and rich tooltips showing artifact fingerprints, snapshot references, and commit details.

  ## Bug fixes

  * Fixed an error when viewing deployment details for artifacts with a missing replaced snapshot index.
</Update>

<Update label="March 30, 2026" description="v2.13.2" tags={["CLI"]}>
  ## Updates

  * **Removed deprecated `kosli expect deployment` command** — deployment expectation is no longer required for compliance. If your pipelines still reference this command, remove or replace it.
  * **CI-ready Docker image** — a new Alpine-based Dockerfile is available for use as a CI runner image (e.g., GitLab CI), providing the Kosli CLI alongside common CI tooling.

  ## Bug fixes

  * Fixed `kosli get attestation-type` displaying `type_schema` as a Go map instead of formatted JSON.
  * The `--debug` flag now shows the HTML response body when a server error occurs, improving troubleshooting.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.2)
</Update>

<Update label="March 30, 2026" description="v0.4.2" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Fixed `type_schema` handling — the provider now correctly reads JSON objects returned by the API, replacing the previous Python repr string workaround.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.4.2)
</Update>

<Update label="March 30, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Deployment frequency statistics** — the repository releases page now shows a deployment frequency bar chart with daily counts, a median line, and summary statistics for each environment.

  ## Updates

  * Removed the deprecated deployments API. This aligns with the CLI removal of `kosli expect deployment`.
</Update>

<Update label="March 23, 2026" description="v0.4.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_action` resource and data source** — manage webhook notification actions as Terraform resources. Create, update, and import actions by name, and read existing actions to reference in your configurations.
  * **`kosli_policy` resource and data source** — manage Kosli policies as Infrastructure-as-Code. The data source exposes the policy name, description, content, and latest version.
  * **`kosli_policy_attachment` resource** — manage the relationship between policies and environments, letting you attach and detach policies declaratively.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.4.0)
</Update>

<Update label="March 23, 2026" description="v2.13.0" tags={["CLI"]}>
  ## New features

  * **Repository metadata on attestations** — all `kosli attest` commands and `kosli begin trail` now accept `--repo-id`, `--repository`, `--repo-url`, and `--repo-provider` flags to associate attestations and trails with their source repository. These flags are automatically populated from CI environment variables in GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, and CircleCI — no manual configuration needed. See the [CI defaults](/integrations/ci_cd) reference.
  * **Helm chart CronJob configuration** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now lets you configure `concurrencyPolicy`, `failedJobsHistoryLimit`, and `successfulJobsHistoryLimit` for the reporter CronJob.

  ## Updates

  * `--repo-url` is now validated as a well-formed URL when explicitly provided.
  * `--repo-provider` is validated against the allowed values: `github`, `gitlab`, `bitbucket`, `azure-devops`.
  * For `kosli attest pullrequest github` and `kosli attest pullrequest azure`, the `--repository` flag now also controls which repository is queried for pull requests.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.0)
</Update>

<Update label="March 23, 2026" description="v2.13.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed an issue where artifact names with leading periods were rejected. Leading periods are now trimmed automatically.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.13.1)
</Update>

<Update label="March 23, 2026" description="" tags={["Platform"]}>
  ## New features

  * **Attestation evidence download** — a new API endpoint lets you download evidence files attached to attestations, making it easier to retrieve and audit attestation data programmatically.
  * **Snapshotter role** — a new [Snapshotter role](/administration/managing_users/roles_in_kosli) is available for users who need to create environment snapshots and manage service accounts without full member permissions. Ideal for environment and operations teams.
</Update>

<Update label="March 16, 2026" description="v2.12.1" tags={["CLI"]}>
  ## Bug fixes

  * Fixed `kosli attest artifact` sending empty repository information when no repo data is available.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.12.1)
</Update>

<Update label="March 16, 2026" description="v2.12.0" tags={["CLI"]}>
  ## New features

  * **`kosli evaluate trail` and `kosli evaluate trails`** — evaluate one or more trails against a [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) policy and get a structured pass/fail decision. Use `--attestations` to filter which attestations are checked, and `--output json` for machine-readable results. Exit code reflects the policy decision, making it ideal for CI/CD gates. See the [evaluate trail](/client_reference/kosli_evaluate_trail) and [evaluate trails](/client_reference/kosli_evaluate_trails) reference for details.
  * **Multi-environment K8s reporting** — `kosli snapshot k8s` now accepts a `--config-file` flag to report multiple Kosli environments in a single command. Define environment-to-namespace mappings in a YAML file instead of running the command once per environment. See the [snapshot k8s](/client_reference/kosli_snapshot_k8s) reference.
  * **Helm chart v2.0.0** — the [k8s-reporter Helm chart](/helm/k8s_reporter) now uses a `reporterConfig.environments` list, enabling multi-environment reporting from a single chart installation. This is a breaking change from v1.x — see the chart README for migration steps.

  [View on GitHub](https://github.com/kosli-dev/cli/releases/tag/v2.12.0)
</Update>

<Update label="February 18, 2026" description="v0.3.1" tags={["Terraform Provider"]}>
  ## Bug fixes

  * Fixed handling of Python boolean (`true`/`false`) and null values in custom attestation type schemas.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.3.1)
</Update>

<Update label="February 18, 2026" description="v0.3.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_logical_environment` resource** — create and manage logical environments that aggregate multiple physical environments into a single view.
  * **`kosli_logical_environment` data source** — query details of existing logical environments.
  * **Drift detection for logical environments** — Kosli now detects when the `included_environments` of a logical environment change outside of Terraform.
  * **User agent header** — the provider now sends a versioned user agent on every API request, improving diagnostics.

  ## Bug fixes

  * Fixed a missing `flow` field in pull request attestation resources.
  * Fixed `terraform plan` showing `(known after apply)` for the `type` attribute of logical environments instead of `"logical"`.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.3.0)
</Update>

<Update label="January 23, 2026" description="v0.2.0" tags={["Terraform Provider"]}>
  ## New features

  * **`kosli_environment` resource** — create and manage physical Kosli environments (K8S, ECS, S3, docker, server, lambda) as Terraform resources.
  * **`kosli_environment` data source** — query details of existing physical environments.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.2.0)
</Update>

<Update label="January 21, 2026" description="v0.1.0" tags={["Terraform Provider"]}>
  ## Changes

  * `schema` and `jq_rules` are now optional fields on `kosli_attestation_type`, allowing you to create attestation types without a validation schema.

  [View on GitHub](https://github.com/kosli-dev/terraform-provider-kosli/releases/tag/v0.1.0)
</Update>
