
Release Notes for Self-Hosted Styra DAS

Self-Hosted Styra DAS 0.13.0 was released on 06-09-23.

Notice

As of June 9, 2023, this release contains a known vulnerability in libcrypto3: CVE-2023-2650, an OpenSSL issue in ASN.1 object identifier handling whose practical impact is denial of service. At this time there is no base image without this vulnerability. Styra intends to publish an updated release as soon as possible.

Fixed Issues

This section describes issues that have been resolved.

Access Keys No Longer Required When Connecting to an s3 Bucket With Role Auth

Restores the behavior of self-hosted 0.7.x: when Styra DAS is configured with an IAM role (IRSA), configuring access to S3 buckets no longer requires access keys.

Corrected JSON Serialization for Dates in Data Sources

A date in an external Data Source could be detected as changed even though its value had not changed, which triggered unnecessary bundle builds. Date serialization is now deterministic, so unchanged dates no longer trigger rebuilds.
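The release note does not say which serialization difference caused the spurious change detection. The following added example (not Styra's code; the data-source records and the change-detection logic are constructed for illustration) shows one common cause and the fix: a date that is the same instant but carries a different UTC offset on two fetches hashes differently under a naive encoding, and identically once dates are normalized to UTC and serialized canonically before hashing.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _json_default(value):
    # Normalise every datetime to UTC and render it as ISO-8601 at a fixed
    # precision, so the same instant always serialises to the same string.
    if isinstance(value, datetime):
        if value.tzinfo is None:
            # Assumption for this example: naive datetimes are UTC.
            value = value.replace(tzinfo=timezone.utc)
        return value.astimezone(timezone.utc).isoformat(timespec="seconds")
    raise TypeError(f"unsupported type: {type(value).__name__}")


def canonical_json(doc):
    """Deterministic encoding: sorted keys, no incidental whitespace, fixed date form."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"), default=_json_default)


def content_digest(doc):
    """Digest of the canonical encoding; stable across re-fetches of unchanged data."""
    return hashlib.sha256(canonical_json(doc).encode("utf-8")).hexdigest()


def naive_digest(doc):
    # The unstable encoding: str() of a datetime keeps whatever offset it was
    # built with, so the same instant can hash differently from one fetch to the next.
    return hashlib.sha256(json.dumps(doc, sort_keys=True, default=str).encode("utf-8")).hexdigest()


def changed(old, new):
    """True only when the canonical content differs (this is what should gate a bundle build)."""
    return content_digest(old) != content_digest(new)


# Constructed sample: two fetches of the same record. The source rendered the
# same instant once as UTC and once as UTC+02:00.
SNAPSHOT_A = {"id": "vm-1", "updated": datetime(2023, 6, 9, 10, 0, tzinfo=timezone.utc)}
SNAPSHOT_B = {"id": "vm-1", "updated": datetime(2023, 6, 9, 12, 0, tzinfo=timezone(timedelta(hours=2)))}


if __name__ == "__main__":
    print("naive digests equal:    ", naive_digest(SNAPSHOT_A) == naive_digest(SNAPSHOT_B))
    print("canonical digests equal:", content_digest(SNAPSHOT_A) == content_digest(SNAPSHOT_B))
    print("rebuild needed:         ", changed(SNAPSHOT_A, SNAPSHOT_B))
```

The same normalisation applies to any other value with multiple equivalent encodings (floats, key order, whitespace); whatever produces the change digest must see one canonical form, or rebuilds will be triggered by encoding noise rather than data.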

New Features and Enhancements

This section describes new features and changes.

Updated to OPA 0.53.0

The internal version of OPA used by Styra DAS has now been updated to OPA 0.53.0.

Improved Policy Authoring Experience

Policy files now load up to ten times faster when browsing them in the Styra DAS UI.

Terraform State Compliance

The Styra DAS Terraform v2 system type can evaluate existing Terraform rules against Terraform state, which represents the currently deployed resource configurations, and report compliance violations. Terraform state can be added to a Terraform system as one or more data sources from S3, GCS, git, or HTTP, with data transforms that convert .tfstate files, Terraform Cloud workspaces, and Terraformer cloud plan outputs into a standard policy input format.

Terraform Code Scanning with Styra CLI

The Styra CLI validate check-local command now scans Terraform HCL (.tf and .tf.json) files in addition to Kubernetes YAML manifests. This lets you run Terraform policy checks with the Styra CLI during development, in pre-commit hooks, and in commit/PR checks, before a Terraform plan has been run.

Terraform Rule Exemptions

The Styra DAS Terraform v2 system type supports defining rule exemptions using any type of data source in JSON format. An exemption names a rule ID and a resource address, and exempts that resource from violations of that rule.

Terraform Policy Library Rule Metadata Improvements

All rules in the Styra DAS Terraform v2 policy library now have a unique rule ID, which is what Terraform Rule Exemptions reference. Rule target metadata, which records the Terraform resource types a rule applies to, was already fully defined for all Styra-built rules and has now been defined for most KICS Terraform rules.
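The two sections above (Terraform Rule Exemptions and the rule ID metadata they depend on) are illustrated by the following added example, which is not Styra's code and does not use the Styra DAS data-source or policy-library formats. The rule IDs, resource addresses, exemption entries and violations are all constructed for the example. It shows the two checks a practitioner wants around an exemption mechanism: exemptions match on the exact (rule ID, resource address) pair, so one exempted resource does not silently cover others of the same type, and an exemption whose rule ID does not exist in the library is reported rather than ignored, since a typo there would otherwise exempt nothing without anyone noticing.

```python
import json

# Constructed stand-in for a policy library's rule metadata: a unique ID plus
# the Terraform resource types the rule targets. IDs and titles are invented.
RULE_LIBRARY_JSON = """
[
  {"id": "TF-S3-001", "title": "S3 bucket must block public access",
   "targets": ["aws_s3_bucket", "aws_s3_bucket_public_access_block"]},
  {"id": "TF-SG-002", "title": "Security group must not allow 0.0.0.0/0 on port 22",
   "targets": ["aws_security_group"]}
]
"""

# Constructed exemptions data source in JSON: rule ID plus resource address.
# The second entry has a mistyped rule ID and must be surfaced, not ignored.
EXEMPTIONS_JSON = """
[
  {"rule_id": "TF-SG-002", "address": "module.bastion.aws_security_group.ssh",
   "justification": "Bastion host; SSH exposure is intentional (SEC-1234)"},
  {"rule_id": "TF-S3-999", "address": "aws_s3_bucket.logs",
   "justification": "typo in rule id - exempts nothing"}
]
"""

# Constructed violations as a rule evaluation might emit them.
VIOLATIONS = [
    {"rule_id": "TF-SG-002", "address": "module.bastion.aws_security_group.ssh",
     "message": "port 22 open to 0.0.0.0/0"},
    {"rule_id": "TF-SG-002", "address": "aws_security_group.db",
     "message": "port 22 open to 0.0.0.0/0"},
    {"rule_id": "TF-S3-001", "address": "aws_s3_bucket.logs",
     "message": "public access not blocked"},
]


def check_unique_rule_ids(rules):
    """Return rule IDs that appear more than once; exemptions only work if IDs are unique."""
    seen, dupes = set(), set()
    for rule in rules:
        if rule["id"] in seen:
            dupes.add(rule["id"])
        seen.add(rule["id"])
    return sorted(dupes)


def load_exemptions(raw, known_rule_ids):
    """Split exemption entries into effective (rule_id, address) pairs and entries that
    reference a rule ID not in the library (dangling, so they exempt nothing)."""
    effective, dangling = set(), []
    for entry in json.loads(raw):
        if entry["rule_id"] in known_rule_ids:
            effective.add((entry["rule_id"], entry["address"]))
        else:
            dangling.append(entry)
    return effective, dangling


def apply_exemptions(violations, exemptions):
    """Keep only violations whose exact (rule_id, address) pair is not exempted. Matching is
    exact on the full address, so the module-qualified bastion exemption above does not
    cover aws_security_group.db, which is a different resource."""
    return [v for v in violations if (v["rule_id"], v["address"]) not in exemptions]


def evaluate(rule_library_json=RULE_LIBRARY_JSON, exemptions_json=EXEMPTIONS_JSON, violations=VIOLATIONS):
    rules = json.loads(rule_library_json)
    dupes = check_unique_rule_ids(rules)
    if dupes:
        raise ValueError(f"rule IDs are not unique: {dupes}")
    exemptions, dangling = load_exemptions(exemptions_json, {r["id"] for r in rules})
    return {"remaining": apply_exemptions(violations, exemptions), "dangling_exemptions": dangling}


if __name__ == "__main__":
    result = evaluate()
    for v in result["remaining"]:
        print(f"VIOLATION {v['rule_id']} {v['address']}: {v['message']}")
    for e in result["dangling_exemptions"]:
        print(f"WARNING exemption references unknown rule {e['rule_id']} for {e['address']}")
```

Treat dangling exemptions as a failing check in CI rather than a warning: an exemption that matches nothing usually means a violation the team believes is waived is still being reported, or, worse, that a renamed rule is now enforced nowhere.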

Email Now Optional for SSO Configurations

DAS admins can now configure an SSO provider to identify a user by a custom claim. Previously, DAS used the email claim for this purpose. The /v1/identity-providers object now accepts a unique_claim field naming the claim to use as the unique identifier instead of email. If unique_claim is not set, DAS continues to derive the user ID from the email claim.

When unique_claim is set, allowed_domains MUST be set to a single wildcard entry, []string{"*"} (that is, ["*"] in JSON), because the domain restriction is derived from the email claim that is no longer used for identification.

note

DAS admins must be careful to set unique_claim to an SSO claim that is unique and stable per user. Otherwise, multiple SSO-authenticated users may be assigned the same User ID within DAS and share a single DAS identity and its permissions, and a claim whose value changes over time will create a new DAS user each time it changes.
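Before switching unique_claim, it is worth checking against real token claims that the candidate is in fact unique across the user population. The following added example (not Styra's code) does that over a constructed set of decoded ID-token claims and then builds the identity-provider body with unique_claim and allowed_domains set as this section requires. The field name "name" in the base payload and the sample claim values are assumptions for the example; only unique_claim and allowed_domains come from the page.

```python
from collections import defaultdict

# Constructed sample: decoded ID-token claims for four users as the IdP presents them.
# Two users from different organisations share preferred_username, and a service
# account has no email claim at all.
SAMPLE_CLAIMS = [
    {"sub": "u-1001", "email": "alice@example.com", "preferred_username": "alice", "name": "Alice Smith"},
    {"sub": "u-1002", "email": "jdoe@example.com", "preferred_username": "jdoe", "name": "J. Doe"},
    {"sub": "u-1003", "email": "jdoe@partner.example", "preferred_username": "jdoe", "name": "J. Doe"},
    {"sub": "u-1004", "preferred_username": "ci-bot", "name": "CI Bot"},
]


def find_claim_collisions(claims_per_user, claim):
    """Return (collisions, missing): claim values carried by more than one user, mapped to
    the indexes of those users, and the indexes of users that lack the claim entirely.
    Either condition disqualifies the claim as a DAS unique identifier."""
    by_value = defaultdict(list)
    missing = []
    for idx, claims in enumerate(claims_per_user):
        value = claims.get(claim)
        if value in ("", None):
            missing.append(idx)
            continue
        by_value[value].append(idx)
    collisions = {value: users for value, users in by_value.items() if len(users) > 1}
    return collisions, missing


def choose_unique_claim(claims_per_user, candidates):
    """Return the first candidate claim that is present for every user and never shared."""
    for claim in candidates:
        collisions, missing = find_claim_collisions(claims_per_user, claim)
        if not collisions and not missing:
            return claim
    return None


def identity_provider_payload(base, unique_claim=None):
    """Build the /v1/identity-providers body. When unique_claim is set, allowed_domains
    must be ["*"] (the page writes it as []string{"*"}); when it is not set, DAS keeps
    identifying users by email, so the base body is returned unchanged."""
    body = dict(base)
    if unique_claim:
        body["unique_claim"] = unique_claim
        body["allowed_domains"] = ["*"]
    return body


if __name__ == "__main__":
    for candidate in ("email", "preferred_username", "sub"):
        collisions, missing = find_claim_collisions(SAMPLE_CLAIMS, candidate)
        print(f"{candidate:20s} collisions={dict(collisions)} missing={missing}")
    chosen = choose_unique_claim(SAMPLE_CLAIMS, ["email", "preferred_username", "sub"])
    print("chosen claim:", chosen)
    print("payload:", identity_provider_payload({"name": "corp-oidc"}, chosen))
```

With this sample, email is rejected because the service account has none, preferred_username is rejected because "jdoe" is shared, and the IdP's subject identifier is the only candidate that is both present for everyone and unique. That is the typical outcome: display-style claims are convenient but rarely unique, whereas the subject identifier is issued by the IdP precisely to be unique and stable.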

WorkspaceSystemCreator

Styra DAS has a new role, WorkspaceSystemCreator, which grants the ability to create a new System. The creating user is then assigned the SystemOwner role for that System.

Data Source Upload Scale Improvements

Data Source agents now support uploading data in a compressed binary JSON format, which allows Data Sources of up to 1 GB to be uploaded to Styra DAS.

Larger Data Sources move the scaling limits elsewhere in Styra DAS: compliance now supports large Data Sources, but preview and validate of Rego that imports a large Data Source will time out when the data is larger than roughly 300 MB.

OPA Timeout Value

In the Styra DAS UI, an OPA is now considered disconnected from a System after one hour, after which it no longer appears in the System's Deployments view. Previously, disconnected OPAs were shown for up to 24 hours.

Styra DAS and Styra Load Integration

Styra DAS now includes Styra Load integration.

Cosign-Based Image Validation

This release adds cosign-based image validation to the Kubernetes System type. The OPA webhooks can be configured with cosign policy snippets that list the images to verify and their associated verification parameters.

SLP Update

Styra DAS now ships with SLP 0.7.0, which adds an internal validation API used by the cosign policy snippet.