- Forseti violations can now be output for integration with Cloud Security Command Center (CSCC) on GCP. Sign up for the Cloud SCC alpha program here!
- Added a configurable `retention_days` option to purge the snapshot database tables.
- Updated the `ke_version_scanner` rule file to detect Kubernetes nodes affected by the severe vulnerabilities CVE-2017-1002101 and CVE-2017-1002102, which allow containers to access files outside the container.
- Supported IAM policy member of `domain` type in the IAM scanner's required mode.
- Fixed `group_email` to use `@googlegroups.com` in the BigQuery rule file.
- Improved regex matching on users.
- Fixed forsetisecurity.org links in installer script.
Thanks to Our Contributors!
Findings Notification (#1251)
8a11b05 fix forsetisecurity.org links in installer script (#1253)
505a0db Update KE critical CVE rule. (#1248)
a28c699 Regex match (#1244)
2c7f17d Update README.md (#1212)
5465c2a Fix group_email to use @googlegroups.com (#1237)
2708cf5 Add configurable cleanup of inventory tables (#438) (#1129)
6a3bc81 Support iam policy member of domain type in iam scanner's required mode, (#1093)
To enable Forseti violations to be output for CSCC integration, add the following to the `notifier` section in your `forseti_conf.yaml` file, and specify the correct GCS bucket path where Forseti violations should be saved for CSCC to ingest. This will transform Forseti violations into the CSCC findings format. You will need to sign up for the CSCC alpha program to know which bucket to use.

```yaml
violation:
  cscc:
    enabled: true
    # gcs_path should begin with "gs://"
    gcs_path: gs://<path to the CSCC bucket>
```
To enable the purging of the snapshot database tables, add the following to the `inventory` section in your `forseti_conf.yaml` file, and specify the `retention_days` that you prefer. Then, each time that inventory is run, any database tables older than `retention_days` will be deleted.

```yaml
# Number of days to retain inventory data:
#  -1 : (default) keep all previous data forever
#   0 : delete all previous inventory data before running
retention_days: -1
```
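As an added example that is not part of this release or of Forseti itself, a pre-flight check for the two settings above: the CSCC `gcs_path` must begin with `gs://` when output is enabled, and a `retention_days` of `0` wipes all previous inventory before each run, which is worth flagging before deploying. It assumes the config has already been loaded into a dict, as PyYAML's `safe_load` would produce, and uses constructed sample configs so it runs offline.

```python
# Added example: validate the forseti_conf.yaml settings introduced in this
# release before deploying. Takes the config as a dict (e.g. the result of
# yaml.safe_load(open("forseti_conf.yaml"))); sample configs are constructed.

def check_cscc(conf):
    """Return a list of problems with notifier.violation.cscc (empty if OK)."""
    problems = []
    cscc = conf.get("notifier", {}).get("violation", {}).get("cscc")
    if cscc is None:
        return problems  # CSCC output is optional
    if cscc.get("enabled"):
        path = cscc.get("gcs_path", "")
        # Findings are written to GCS for CSCC to ingest: the path must be a gs:// URI
        if not isinstance(path, str) or not path.startswith("gs://"):
            problems.append("notifier.violation.cscc.gcs_path must begin with gs://")
        elif "<" in path or ">" in path:
            problems.append("notifier.violation.cscc.gcs_path still contains the <...> placeholder")
    return problems

def check_retention(conf):
    """Return (problems, warnings) for inventory.retention_days."""
    problems, warnings = [], []
    days = conf.get("inventory", {}).get("retention_days", -1)  # -1 is the default
    if not isinstance(days, int) or isinstance(days, bool) or days < -1:
        problems.append("inventory.retention_days must be -1 (keep forever) or >= 0")
    elif days == 0:
        warnings.append("inventory.retention_days is 0: all previous inventory data is deleted before each run")
    return problems, warnings

def check_conf(conf):
    """Combine both checks: returns (problems, warnings)."""
    problems = check_cscc(conf)
    ret_problems, warnings = check_retention(conf)
    return problems + ret_problems, warnings

# Constructed samples: one with the placeholder path left in and retention 0, one valid.
SAMPLE_BAD = {
    "notifier": {"violation": {"cscc": {"enabled": True, "gcs_path": "gs://<path to the CSCC bucket>"}}},
    "inventory": {"retention_days": 0},
}
SAMPLE_OK = {
    "notifier": {"violation": {"cscc": {"enabled": True, "gcs_path": "gs://my-cscc-findings"}}},
    "inventory": {"retention_days": 30},
}

if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        problems, warnings = check_conf(conf)
        print(name, "problems:", problems, "warnings:", warnings)
```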
To enable the updated `ke_scanner` rule file, you will need to copy the new `ke_rules.yaml` file to your Forseti GCS `rules` bucket, and replace the old
To update your Forseti deployment to the new version:

- In `deploy-forseti.yaml`, change the property "branch-name" to v1.1.11, or "release-version" to "1.1.11".
- Update your deployment:

```
gcloud deployment-manager deployments update <YOUR DEPLOYMENT NAME> --config deploy-forseti.yaml
```

- Restart the Forseti GCE instance.