Skip to content

chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules)#670

Merged
remyluslosius merged 2 commits into
mainfrom
chore/kensa-v0.6.0
Jun 23, 2026
Merged

chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules)#670
remyluslosius merged 2 commits into
mainfrom
chore/kensa-v0.6.0

Conversation

@remyluslosius

Copy link
Copy Markdown
Contributor

Updates the bundled Kensa scan engine + rule corpus v0.5.2 → v0.6.0 and keeps the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion, specs/system/kensa-executor.spec.yamlTestKensaModuleVersion + TestSpec_VersionPin enforce that all three agree).

What's in v0.6.0

  • Remediation "atomicity engine": crash-recovery intent journal + kensa recover, mandatory post-apply VALIDATE re-check, post-state recapture into the signed evidence envelope, a footprint pre-commit gate, agent-mode kernel-IO handlers. Kensa's CHANGELOG marks the consumed api/ surface as additive, no breaking change — confirmed by the clean build + scan-path tests.
  • Rule corpus: 539 → 538. One STIG rule removed (system/pkg-gdm-absent.yml); none added.
  • Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser, kballard/go-shellquote) from the agent-mode kernel-IO features.

Test results (all green)

  • go build ./... clean, go vet ./... clean
  • internal/kensa tests pass (after the 3 version pins were synced)
  • server scan-config / variable-catalog / lens tests pass
  • specter check 113/113, coverage gate 100%

Follow-up (not in this PR)

The docs/README/guides say "539 rules"; they need a 539 → 538 update once this lands. Left out here to avoid colliding with the pending README PR #669. CI will run govulncheck on the 3 new transitive deps.

Updates the bundled Kensa scan engine + rule corpus from v0.5.2 to v0.6.0,
keeping the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion,
specs/system/kensa-executor.spec.yaml — TestKensaModuleVersion/TestSpec_VersionPin
enforce agreement).

What's in v0.6.0:
- The remediation "atomicity engine": crash-recovery intent journal + `kensa
  recover`, mandatory post-apply VALIDATE re-check, post-state recapture into
  the signed evidence envelope, a footprint pre-commit gate, and agent-mode
  kernel-IO handlers. Kensa's CHANGELOG marks the consumed `api/` surface as
  additive (crash-recovery types) with no breaking change; the OpenWatch build
  and scan-path tests confirm it.
- Rule corpus: 539 -> 538. One STIG rule was removed
  (system/pkg-gdm-absent.yml). No rules added.
- Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser,
  kballard/go-shellquote) from the agent-mode kernel-IO features.

Verified: go build ./... clean, go vet clean, internal/kensa + the server
scan-config/variable-catalog/lens tests pass, specter check 113/113 at 100%
coverage.

Note: docs/README/guides reference "539" rules; those need a 539->538 follow-up
(left out here to avoid colliding with the pending README PR #669).
Kensa v0.6.0 removed one rule, so the bundled corpus is now 538 (verified
by a live end-to-end scan against a RHEL host: status=completed,
total_rules=538, 0 errors). Update the factual rule-count claims in the
README and the scanning/controls guides to match.

Version-pinned historical statements are intentionally left unchanged
(LINUX_DISTRIBUTION_SUPPORT verified against v0.4.3=539; engineering
plan past measurements), as are the explicitly-approximate "~539"
architectural bounds in the lens handler/openapi (the tilde already
disclaims precision and the bounded-no-pagination claim is unaffected).
@remyluslosius
remyluslosius merged commit 3f07728 into main Jun 23, 2026
13 checks passed
@remyluslosius
remyluslosius deleted the chore/kensa-v0.6.0 branch June 23, 2026 04:29
remyluslosius added a commit that referenced this pull request Jun 23, 2026
Bump version.env to 0.2.0-rc.14 and cut the CHANGELOG [Unreleased]
accumulator into a dated [0.2.0-rc.14] section covering everything landed
since rc.13:
- Kensa engine v0.6.0 / 538-rule corpus (#670)
- known-hosts concurrent first-use fail-closed (#668, Security)
- liveness privilege probe via internal/ssh (#664)
- settings fixes: group-maintenance stub removed (#665), Users
  'Invite member' -> 'Add member' (#666)
- operator-guide accuracy pass (#667), README Go-accuracy + screenshot (#669)

Also corrects the stale rule-count inside the #667 entry (539 -> 538) now
that v0.6.0 is the bundled engine. Local: changelog + version-consistency +
fips + package-build tests pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant