v2.23.3
30 July 2020

Download: ZIP TAR

Summary

Model

  • Fixed issue where duplicate permissions caused an error with the unique constraint of the model permissions table.

All changes

89664bee (HEAD -> release-2.23.3, tag: v2.23.3, origin/release-2.23.3) Forseti patch changes for v2.23.3 (#3789)

v2.24.3
29 July 2020

Download: ZIP TAR

Summary

Model

  • Fixed issue where duplicate permissions caused an error with the unique constraint of the model permissions table.

All changes

a06a4427 (HEAD -> release-2.24.3, tag: v2.24.3, origin/release-2.24.3) Cherry-pick model fix from commit cf6e9d57f1b56d1a797e5cba62788244338dff8f. Cherry-pick unit test fix from commit c9e7cebf9561a5d3bc2a2c86c81c1a98a48aaf5c. Update forseti version. (#3786)

v2.25.2
28 July 2020

Download: ZIP TAR

Summary

Model

  • Fixed issue where duplicate permissions caused an error with the unique constraint of the model permissions table.

All changes

bb8e7f01 (HEAD -> release-2.25.2, tag: v2.25.2, origin/release-2.25.2) Changes to fix model creation for release 2.25.2 (#3781)

v2.25.1
01 April 2020

Download: ZIP TAR

Summary

Inventory

  • Fixed method calls for organization policies.

All changes

9b5852a9 (HEAD -> release-2.25.1, tag: v2.25.1, origin/release-2.25.1) Update init (#3720)
a6b159c5 Fixing method calls for organization policies (#3713) (#3715)

v2.25.0
17 March 2020

Download: ZIP TAR

Summary

Inventory

  • Add Service Usage Service Resource to Inventory

Scanner

  • Add logic for checking if the policy library is set up correctly for the Config Validator Scanner. This will provide more helpful error messages.
  • Moving rule validation into a library and improving tests. -…

v2.24.2
25 February 2020

Download: ZIP TAR

Summary

Python Setup

Pinned IDNA to version 2.8.

All changes

7507911f (HEAD -> release-2.24.2, tag: v2.24.2, origin/release-2.24.2) Pinned idna==2.8 to satisfy requests[security]==2.21.0. (#3654) (#3667)
6cb6518a Initial commit for release v2.24.2

v2.23.2
24 February 2020

Download: ZIP TAR

Summary

Python Setup

Pinned IDNA to version 2.8.

All changes

f803f64e (HEAD -> release-2.23.2, tag: v2.23.2, origin/release-2.23.2) Pinned idna==2.8 to satisfy requests[security]==2.21.0. (#3654) (#3659)
6a3adc79 Initial commit for v2.23.2

v2.24.1
11 February 2020

Download: ZIP TAR

Summary

Notifier

  • Restart Forseti to release used memory so that all the fields in the violations are displayed.

v2.23.1
11 February 2020

Download: ZIP TAR

Summary

Notifier

  • Restart Forseti to release used memory so that all the fields in the violations are displayed.

v2.23.0
10 February 2020

Download: ZIP TAR

Summary

This release contains major optimizations that significantly improve the performance of the Inventory and Config Validator processes. We recommend that everyone get this release.

More details can be found below and on our website.

We would love to hear your feedback on slack on how these optimizations work…

v2.24.0
03 February 2020

Download: ZIP TAR

Summary

Enforcer

  • Added rule name validation.

Notifier

  • Output the inventory summary path in GCS to the logs.
  • Reporting the project ID in CloudSQL violations
  • MailJet connector supports HTML content

Testing

  • Improvements for end-to-end testing.

Thanks to our contributors!

  • @jf-marquis-Adeo

#…

v2.22.0
03 October 2019

Download: ZIP TAR

Summary

Forseti GitHub repository

Instead of maintaining two main branches (dev and master), we are going to consolidate into only using the master branch. In the past, we used the dev branch for merging feature changes and recommended forking from it. Going forward we…

v2.21.0
19 September 2019

Download: ZIP TAR

Summary

Installer

This release includes a migration script for users of the Forseti Python installer. This script can be used to import existing GCP resources into a Terraform state, which can then be used to upgrade the existing Forseti installation. The Python installer is officially deprecated on September…

v2.20.0
09 September 2019

Download: ZIP TAR

Summary

Inventory

  • Added new Compute resources from Cloud Asset Inventory.
    • Address
    • GlobalAddress
    • Interconnect
    • InterconnectAttachment

Scanner

  • Added functionality to sync the policy library from a public/private GitHub repository as an alternative to manually copying the files to GCS.

Infrastructure

  • Updated…

v2.19.1
23 August 2019

Download: ZIP TAR

Summary

Inventory

  • Add try-except block for CAI export to handle disablement of resources in CAI.

Notifier

  • Fixed bugs in notifier where Python strings were being passed to functions expecting byte-arrays
  • Minor code fix to comply with style guide

Unit Tests

  • Fixed flaky…

v2.18.0
13 August 2019

Download: ZIP TAR

Summary

Inventory

  • Added better handling of CAI exported resources.
  • Updated to retrieve Kubernetes Cluster resource from CAI instead of GCP API.

Infrastructure

  • Update python base image to slim-stretch.

Scanner

  • Updated ke_rules to scan KE versions for the following vulnerabilities:
    • CVE-2019-11477 -…

v2.19.0
10 August 2019

Download: ZIP TAR

Summary

Inventory

  • Added better handling of CAI exported resources.
  • Added feature to allow users to exclude resources during the inventory phase.
  • Added error handling when root resource is not configured properly.
  • Fixed missing group members in Inventory.
  • Muted 501 Not Implemented for listing…

v2.17.0
10 August 2019

Download: ZIP TAR

Summary

Installer

  • Used get-ancestors method instead of gcloud describe to get org id.

Inventory

  • Added better handling of CAI exported resources.
  • Skipped logging error messages for delete pending projects during Inventory creation.
  • Added CAI data for Kubernetes resources:
    • Namespace
    • Node -…

v2.16.0
30 May 2019

Download: ZIP TAR

Summary

Python 3 Migration

The Forseti application has been updated to run on Python 3, as Python 2 is no longer supported.

All changes

0b333851 (tag: v2.16.0) Decode content to string before attaching to an email. (#2866)
aaac3c50 Removed unnecessary call to site.main(). (#2863)
436f8f3d Incremented version to 2.16.0
5f78b6ad…

v2.15.1
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.14.2
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.13.2
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.12.1
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.11.2
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.10.1
21 May 2019

Download: ZIP TAR

Summary

Inventory

  • Skip storing 404 response for Service Account not found due to #2798.
  • Hide inventory warning messages when running command forseti inventory list to improve user experience.

v2.9.0
18 December 2018

Download: ZIP TAR

Summary

Inventory

  • Added CAI data for:
    • Cloud Storage buckets.
    • Cloud Storage access controls from IAM policy.
    • Key Management Service assets.
    • Kubernetes Engine clusters.
  • Added support for:
    • BigQuery dataset IAM policy equivalents.
    • Disabling specific APIs for inventory creation.

Notifier

-…

v2.8.0
14 March 2019

Download: ZIP TAR

Summary

Inventory

  • Added new resources from the Cloud Asset API
    • Cloud IAM Grantable Roles
    • Cloud IAM Organization Roles
    • Cloud IAM Project Roles
    • Cloud Pub/Sub
    • Cloud Storage IAM Policies

Notifier

  • Added G Suite DwD status in Inventory Summary email

All…

v2.7.0
14 March 2019

Download: ZIP TAR

Summary

Inventory

  • Added bigquery datasets and service accounts from Cloud Asset Inventory.
  • Improved the inventory email summary, with a new detail section that breaks out resources in different states (e.g. active vs pending delete projects).

Scanner

  • Added Kubernetes Engine Scanner that uses JMESPath language and…

v2.6.0
18 October 2018

Download: ZIP TAR

Summary

Inventory

  • Added organization policies to inventory crawler and model.
  • Added all supported resource types from CAI to Forseti Inventory.

Scanner

  • Added location Scanner.
  • Updated the violations generated by the log sink scanner to contain proper full name.

Infrastructure

  • Added alter…

v2.15.0
13 May 2019

Download: ZIP TAR

Summary

Inventory

Added Global Forwarding Rule and Region Backend Service from Cloud Asset Inventory.

Scanner

  • Added Custom Role Permission Scanner.
  • Updated config validator violation to include violation message properly.
  • gRPC client can now receive large messages.
  • Removed gmail from default group policy. -…

v2.14.1
05 April 2019

Download: ZIP TAR

Patch Update

Scanner

  • Removed CIS benchmark examples in ke_scanner_rules.yaml. We are working on supporting CIS benchmarks but are not yet able to do so at this time.

Upgrade Instructions

  • Please reset the server VM for changes to take effect.
  • Terraform users, please update the…

v2.14.0
04 April 2019

Download: ZIP TAR

Summary

Installer

  • Added support for installing using composite root.

Inventory

  • Cloud Asset Inventory GA API migration.

Scanner

  • Added Config Validator Scanner that uses Forseti Config Validator to evaluate for violations. Users are now able to define customized policies to scan for resources. -…

v2.13.1
26 March 2019

Download: ZIP TAR

Patch Update

CSCC

  • Updated functionality to handle the case when List API doesn’t retrieve findings from CSCC.

Upgrade Instructions

  • Please reset the server VM for changes to take effect.
  • Terraform users, please update the forseti_version field in main.tf to either point to v2.13.1 or…

v2.13.0
14 March 2019

Download: ZIP TAR

Summary

Explainer

  • Fix to use stream for Explainer methods

CSCC

  • Forseti findings on CSCC dashboard are now synchronized with latest Forseti violations.

Kubernetes

  • A proof of concept of Forseti running on Kubernetes

Thanks to our contributors!

  • @Red-Five

All changes

57005777…

v2.12.0
28 February 2019

Download: ZIP TAR

Summary

Inventory

  • Cloud Asset Inventory data: Added support for crawling multiple root resources with a composite root. Added support for Cloud Asset folder level.
  • Inventory status will be PARTIAL_SUCCESS if warnings are found.

Scanner

  • KMS Scanner: Added four use cases to the KMS Scanner…

v2.11.1
26 February 2019

Download: ZIP TAR

Patch Update

Scanner

  • KMS scanner now scans for enabled keys only.
    • The KMS key scanner was not ignoring CryptoKeyVersionState ‘DESTROYED’ and reported them in violations. This resulted in polluting real violations with false positives.

Upgrade Instructions

  • Please reset the server VM for changes to…

v2.11.0
14 February 2019

Download: ZIP TAR

Summary

Inventory

  • Fixed CAI import of CloudSQL data.
  • Fixed generation of storage bucket policy when CAI is enabled.
  • Switched the CloudAsset temporary table to store the asset data as JSON.

Scanner

  • Added Key Management Service (KMS) Scanner.
  • Added Resources Scanner.
  • Added…

v2.10.0
12 January 2019

Download: ZIP TAR

Summary

Infrastructure

  • Forseti VMs will now be able to pick the latest patches of the current minor version by resetting the VM (e.g. v2.10.0 -> v2.10.1).

Inventory

  • Cloud Asset Inventory data: Added support for fetching Cloud Dataproc Clusters, CloudSQL instances, PubSub subscriptions, IAM policies, Compute…

v2.5.0
18 October 2018

Download: ZIP TAR

Summary

Inventory

  • Integration with Cloud Asset Inventory (CAI). CAI is a new GCP service that provides data across different resources. We will keep on updating the integration as CAI onboards new resources. This integration also significantly reduces the overall time to build the inventory.
  • Updated quota…

v2.4.0
26 September 2018

Download: ZIP TAR

RELEASE NOTE v2.4.0

Summary

Inventory

  • Added project liens as a new resource to Inventory.

Scanner

  • Added support for Forseti to run from a folder, instead of an organization.
  • Added resource_name column to all scanners and violations which contain human readable names.

Infrastructure

-…

v2.3.0
06 September 2018

Download: ZIP TAR

Summary

Installer

  • More robust installation process by handling ssh failure gracefully, and by enabling additional Google APIs in case they are not enabled by default.

Scanner

  • KE Scanner: Kubernetes rule updated to scan for the below vulnerabilities.
  • CVE-2018-5390 describes a kernel-level networking vulnerability that…

v2.2.0
22 August 2018

Download: ZIP TAR

Summary

Installer

  • Shared VPC support: The installer can now handle deployment with a shared VPC when the following flags are specified at the start of the deployment:
    • vpc-host-project-id
    • vpc-host-network
    • vpc-host-subnetwork
  • G Suite updates: G Suite integration is now optional. Forseti will not inventory…

v2.1.0
16 August 2018

Download: ZIP TAR

RELEASE NOTE v2.1.0

Summary

Installer

  • Force the Forseti server to restart at the beginning of the cron run as a temporary fix to the auth issue #1832.
  • Forseti installation process can now be automated by passing in flags for all the prompted values.

Inventory

-…

v1.1.12
31 July 2018

Download: ZIP TAR

Summary

All Changes

6687c0d5 Removed the execution of run_forseti.sh from the startup script
c7ffe8a4 Pin idna to version…

v2.0.0
27 June 2018

Download: ZIP TAR

Summary

Forseti 1.0 was first launched at Google Cloud Next ‘17 about a year ago. Since then, over 100 businesses and organizations have adopted Forseti, helping to secure Google Cloud Platform (GCP) environments large and small.

We received great feedback on how we could improve Forseti, and insight into…

v2.0-rc3
27 June 2018

Download: ZIP TAR

We are now in the final stretch for getting Forseti 2.0 released!

We’ve got one last Release Candidate for you to help us test. If you can take some time to help us validate that it works in your environment it would be much appreciated!

I’m in. How do…

v2.0-rc1
27 June 2018

Download: ZIP TAR

Getting started with Forseti Security 2.0

  • Use this guide we’ve put together to install the 2.0 version.

Testing and trying Forseti Security 2.0

  • This testing guide will walk you through the testing we’d like you to do. It includes instructions on testing installation, the client, inventory,…

v2.0-rc2
27 June 2018

Download: ZIP TAR

What is RC2?

RC2 is Forseti 2.0, Release Candidate 2. We anticipate this will be the last release candidate before finalizing Forseti Security 2.0.

Why should I test RC2? What changes are included?

There are many improvements and fixes in RC2. To name just a few:

  • General:…

v1.1.11
20 March 2018

Download: ZIP TAR

Summary

v1.1.10
09 February 2018

Download: ZIP TAR

RELEASE NOTE v1.1.10

Summary

Inventory

  • Kubernetes Engine: Your Kubernetes Engine (KE) Clusters and associated node pools and per zone service configs are now inventoried.

Scanner

  • Kubernetes Engine: Scans Kubernetes Engine clusters, checking versions. This can be used to detect that cluster nodes are patched against…

v1.1.9
13 December 2017

Download: ZIP TAR

Summary

  • Fix Slack notifications data format.
  • Remove IAM Explain from master branch

All changes

9eb7f5d (HEAD -> master, tag: v1.1.9, origin/master, origin/HEAD) Release 1.1.9
cff8d97 (origin/release-1.1.9, release-1.1.9) Merge branch ‘dev’ into release-1.1.9
da746bf (origin/dev, dev) Removed old Explain version (#892)
1648367 Increment version to 1.1.9
4c0b78e…

v1.1.8
29 November 2017

Download: ZIP TAR

Summary

  • Setup Wizard can deploy Forseti VM to a shared VPC.
  • Tweaks and bug fixes.

Thanks to our contributors!

Brad Leonard

All changes

ad9b00ec fix subnetwork placeholder
ad30c506 Make the VPC deployment namings consistent everywhere. (#846)
78c2dbc9 Setup wizard can deploy Forseti to a shared…

v1.1.7
02 November 2017

Download: ZIP TAR

Summary

  • Delay utility.
  • Forseti and rule configuration tweaks.
  • New: Firewall rules scanner.
  • Add new options to setup wizard (G Suite superadmin email, notification recipient email) and pin the default version to the local code’s version.
  • Miscellaneous bug fixes.

Thanks to our contributors!

Alec…

v1.1.6
14 October 2017

Download: ZIP TAR

Summary

  • Add capability to API clients: get global operations, get quota, get disks, get networks, get subnetworks.
  • Support deployment if a user is not a direct org admin, but is a member of a G Suite group that has org admin permissions.
  • Include the notifier component to…

v1.1.5
28 September 2017

Download: ZIP TAR

Summary

  • AppEngine Services, Versions and Instances included in the inventory.
  • Deployment Improvements:
    • Switch forseti inventory and auditor to run as ubuntu instead of root by default
    • Fix service account permissions in deployment.
  • Support for multiple recipients in notifications.
  • Support for Egress and Deny…

v1.1.4
14 September 2017

Download: ZIP TAR

Summary

  • Add compute.projects component to compute repository
  • Fix a bug with the service account scope
  • Add resources to AppEngine API client
  • Slack webhook notifier
  • Add targetServiceAccount to firewall rules inventory
  • Add more information to instance network interface rule violation data

Thanks to…

v1.1.3
31 August 2017

Download: ZIP TAR

Major Features:

  • GCP API clients now use mix-ins of base methods, making it easier and cleaner to add or extend GCP API clients.
  • Logging integration with StackDriver. Log lines will be labeled with “forseti-security”.
  • API client for cloudbilling is added.
  • Copyright ownership changed to reflect…

v1.1.2
22 August 2017

Download: ZIP TAR

Major features:

  • IAM service accounts added to inventory
  • Network interface scanner

Thanks to our contributors!

Special thanks to:

  • Adam Cotenoff (Spotify)
  • Carly Schneider (Spotify)
  • Gianluca Brindisi (Spotify)

All changes:

30225b5 Check if the entry exists (#579)
ba2d6d1 Fix network interface scanner (#578)
a16d8ca…

v1.1.1
18 August 2017

Download: ZIP TAR

Minor update

  • Update the sample rule for folder IAM
  • Always create tables for inventory resources, even if no resources of that type are found.

All commits:

b108751 Initialize All Tables (#536)
58124a9 Update ISSUE_TEMPLATE.md
c4db617 change the iam rule to blacklist (#515)

v1.1.0
25 July 2017

Download: ZIP TAR

Global

  • Moved many flags into a central yaml configuration file.
  • Tuned permissions needed by Forseti.

Inventory

  • Configurable Inventory pipelines.
  • Increased resource coverage.
    • Backend services
    • BigQuery datasets
    • CloudSQL
    • Firewall rules
    • Folders
    • Folder IAM policies
    • GAE applications
  • GCE…

v1.0.2
12 April 2017

Download: ZIP TAR

Inventory

  • Add groups and group member import into inventory.
  • Refactor pipelines to be classes.

Scanner

Case-insensitive rule match.

Miscellaneous

  • Improve deployment manager script to pull Forseti code from git branch.
  • Configure logging to use fluentd/syslog.

Shout-outs

@mcunha

Commits

7f90499 Release 1.0.2…

v1.0.1
29 March 2017

Download: ZIP TAR

Inventory

  • Only active projects will be processed.
  • Don’t fail pipeline on an error with IAM policy.
  • Improved inventory email notification format.

Scanner

  • Fix for rules inheritance.

Miscellaneous

  • Sending email is optional.
  • Remove db password as a commandline option.
  • Documentation updates…

v1.0
16 March 2017

Download: ZIP TAR

Inventory

Build and store an inventory of the following Google Cloud Platform resources:

  • Projects
  • Project IAM policies
  • Organization IAM policies

Scanner

Scan project IAM policies, auditing them with a user-defined set of rules.

Enforcer

Enforce a project Compute Engine firewall policy, given a policy…