chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules)#670
Merged
Conversation
Updates the bundled Kensa scan engine + rule corpus from v0.5.2 to v0.6.0, keeping the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion, specs/system/kensa-executor.spec.yaml — TestKensaModuleVersion/TestSpec_VersionPin enforce agreement). What's in v0.6.0: - The remediation "atomicity engine": crash-recovery intent journal + `kensa recover`, mandatory post-apply VALIDATE re-check, post-state recapture into the signed evidence envelope, a footprint pre-commit gate, and agent-mode kernel-IO handlers. Kensa's CHANGELOG marks the consumed `api/` surface as additive (crash-recovery types) with no breaking change; the OpenWatch build and scan-path tests confirm it. - Rule corpus: 539 -> 538. One STIG rule was removed (system/pkg-gdm-absent.yml). No rules added. - Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser, kballard/go-shellquote) from the agent-mode kernel-IO features. Verified: go build ./... clean, go vet clean, internal/kensa + the server scan-config/variable-catalog/lens tests pass, specter check 113/113 at 100% coverage. Note: docs/README/guides reference "539" rules; those need a 539->538 follow-up (left out here to avoid colliding with the pending README PR #669).
Kensa v0.6.0 removed one rule, so the bundled corpus is now 538 (verified by a live end-to-end scan against a RHEL host: status=completed, total_rules=538, 0 errors). Update the factual rule-count claims in the README and the scanning/controls guides to match. Version-pinned historical statements are intentionally left unchanged (LINUX_DISTRIBUTION_SUPPORT verified against v0.4.3=539; engineering plan past measurements), as are the explicitly-approximate "~539" architectural bounds in the lens handler/openapi (the tilde already disclaims precision and the bounded-no-pagination claim is unaffected).
remyluslosius
added a commit
that referenced
this pull request
Jun 23, 2026
Bump version.env to 0.2.0-rc.14 and cut the CHANGELOG [Unreleased] accumulator into a dated [0.2.0-rc.14] section covering everything landed since rc.13: - Kensa engine v0.6.0 / 538-rule corpus (#670) - known-hosts concurrent first-use fail-closed (#668, Security) - liveness privilege probe via internal/ssh (#664) - settings fixes: group-maintenance stub removed (#665), Users 'Invite member' -> 'Add member' (#666) - operator-guide accuracy pass (#667), README Go-accuracy + screenshot (#669) Also corrects the stale rule-count inside the #667 entry (539 -> 538) now that v0.6.0 is the bundled engine. Local: changelog + version-consistency + fips + package-build tests pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates the bundled Kensa scan engine + rule corpus v0.5.2 → v0.6.0 and keeps the three version pins in sync (
go.mod,internal/kensa.KensaModuleVersion,specs/system/kensa-executor.spec.yaml—TestKensaModuleVersion+TestSpec_VersionPinenforce that all three agree).What's in v0.6.0
kensa recover, mandatory post-apply VALIDATE re-check, post-state recapture into the signed evidence envelope, a footprint pre-commit gate, agent-mode kernel-IO handlers. Kensa's CHANGELOG marks the consumedapi/surface as additive, no breaking change — confirmed by the clean build + scan-path tests.system/pkg-gdm-absent.yml); none added.elastic/go-libaudit,elastic/go-licenser,kballard/go-shellquote) from the agent-mode kernel-IO features.Test results (all green)
go build ./...clean,go vet ./...cleaninternal/kensatests pass (after the 3 version pins were synced)specter check113/113, coverage gate 100%Follow-up (not in this PR)
The docs/README/guides say "539 rules"; they need a 539 → 538 update once this lands. Left out here to avoid colliding with the pending README PR #669. CI will run
govulncheckon the 3 new transitive deps.