v1.6.9-rc3

Changes

• modernize: replace legacy slice/map/range idioms with stdlib (#3658) @mmetc
• CI: ensure tests don't alter the repository (#3616) @mmetc
• refact apiclient.Config: remove field Scenarios (#3622) @mmetc
• CI: release-drafter configuration: permissions, skip-changelog label (#3631) @mmetc
• refact: cleanup bats helper (#3636) @mmetc
• refact cmd/crowdsec: remove login code obsoleted by 16d0677 (#3620) @mmetc
• CI: update codecov list and fix workflow (#3617) @mmetc
• refact pkg/database: unnecessary pointers (#3611) @mmetc
• CI: update action for generating docker description (#3559) @mmetc
• refact pkg/parser: extract method, avoid calling defer in loop (#3564) @mmetc
• refact: remove unused metod DeleteDecisionsWithFilter() (#3605) @mmetc
• refact alert, decision filters: remove unnecessary pointers (#3607) @mmetc
• CI: update lint complexity thresholds (#3608) @mmetc
• refactor pkg/database/Client.createAlertChunk() (#3585) @mmetc
• refact cscli: hub item - pointer receiver for consistency (#3595) @mmetc
• CI: remove obsolete reference to directory dyn-bats (#3600) @mmetc
• refact: pkg/exprhelpers/debugger, convert switch to function dispatch (#3587) @mmetc
• lint/gocritic: enable importShadow, typeUnparen, unnecessaryDefer (#3583) @mmetc
• refact pkg/database: dry decision count (#3586) @mmetc
• refact parser Init: argument types (#3578) @mmetc
• tests: refact localtest helper, use testify.suite (#3574) @mmetc
• refact: logrus.GetLevel() -> logrus.IsLevelEnabled() (#3579) @mmetc
• test: add cold log event assert (#3577) @mmetc
• Refact pkg/database/decisions.go (#3541) @mmetc
• replace go-acc, richgo with gotestsum (#3567) @mmetc
• refact pkg/hubtest: use os.CopyFS() (#3539) @mmetc
• lint/refactor: defer, reflectvaluecompare, stylecheck (#3544) @mmetc
• CI: golangci-lint v2 (#3558) @mmetc

New Features

• allow watcher to self-delete on shutdown (#3565) @blotus
• allowlists: check during bulk decision import (#3588) @mmetc

Improvements

• PAPI: auto enable on upgrade (#3659) @blotus
• enhance: Remove docker acquis internal timer use docker events (#3598) @LaurenceJJones
• kafka: expose batching configuration (#3621) @blotus
• feat(apiclient): add token save functionality (#3639) @sabban
• enhance: return err if notification has no plugin type (#3638) @LaurenceJJones
• cscli capi status: save auth token, add tests (#3623) @mmetc
• config.yaml: make config_dir and notification_dir optional (#3606) @mmetc
• feat(apic): add ApicAuth client and token re-authentication logic (#3522) @sabban
• allowlists: automatically expire current matching decisions on update (#3601) @blotus
• improve support for parsing time durations with 'day' units (#3599) @mmetc
• cscli inspect: don't show metrics or converted rules if an item is not installed (#3602) @mmetc
• Fix monitorNewFiles for NFS + Remove dead tails from tail map (#3508) @david-garcia-garcia
• enhance: add listen_socket to http acquisition (#3499) @LaurenceJJones
• enhance: Allow the use of 'd' suffix in profiles (#3594) @LaurenceJJones
• lapi: return specific error if a unix socket path is too long for the OS (#3593) @mmetc
• do not return an error if we cannot fetch allowlists when starting the appsec (#3550) @blotus
• Support WithUserAgent in cti client (#3542) @AlteredCoder

Bug Fixes

• kakfa: properly start at last offset when using a consumer group (#3629) @blotus
• cscli: handle sigint/sigterm, cancel context of ongoing http req (#3660) @mmetc
• Makefile: typo (#3628) @mmetc
• Fix spelling mistake in metrics.go (#3618) @robigan
• fix(apiserver): ensure nil is returned after setting token and expiration and before we reauthenticate (#3613) @sabban
• Fix cp -n (#3483) @michacassola
• CI: correct uv.lock path (#3596) @mmetc
• make CTI client available in cscli notifications (#3591) @blotus
• fix: avoid possible race condition while compiling expressions (#3582) @mmetc
• fix mysql client certificate support (#3575) @blotus
• fix: error check on postoverflow config (#3576) @mmetc
• hubtests: correct basename check in parser tests (#3557) @mmetc

Chore / Deps

• update test/README.md (#3652) @mmetc
• go.mod/sum cleanup (#3661) @mmetc
• update coraza (#3657) @blotus
• deprecate option 'daemonize' (#3648) @mmetc
• update expr to 1.17.2 (#3519) @mmetc
• CI: use go 1.24.3 (#3612) @mmetc
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#3581) @dependabot[bot]
• enable codeql for python (#3545) @mmetc
• update golangci-lint (#3590) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.9-rc2

Changes

• refact apiclient.Config: remove field Scenarios (#3622) @mmetc
• CI: release-drafter configuration: permissions, skip-changelog label (#3631) @mmetc
• refact: cleanup bats helper (#3636) @mmetc
• refact cmd/crowdsec: remove login code obsoleted by 16d0677 (#3620) @mmetc
• CI: update codecov list and fix workflow (#3617) @mmetc
• refact pkg/database: unnecessary pointers (#3611) @mmetc
• CI: update action for generating docker description (#3559) @mmetc
• refact pkg/parser: extract method, avoid calling defer in loop (#3564) @mmetc
• refact: remove unused metod DeleteDecisionsWithFilter() (#3605) @mmetc
• refact alert, decision filters: remove unnecessary pointers (#3607) @mmetc
• CI: update lint complexity thresholds (#3608) @mmetc
• refactor pkg/database/Client.createAlertChunk() (#3585) @mmetc
• refact cscli: hub item - pointer receiver for consistency (#3595) @mmetc
• CI: remove obsolete reference to directory dyn-bats (#3600) @mmetc
• refact: pkg/exprhelpers/debugger, convert switch to function dispatch (#3587) @mmetc
• lint/gocritic: enable importShadow, typeUnparen, unnecessaryDefer (#3583) @mmetc
• refact pkg/database: dry decision count (#3586) @mmetc
• refact parser Init: argument types (#3578) @mmetc
• tests: refact localtest helper, use testify.suite (#3574) @mmetc
• refact: logrus.GetLevel() -> logrus.IsLevelEnabled() (#3579) @mmetc
• test: add cold log event assert (#3577) @mmetc
• Refact pkg/database/decisions.go (#3541) @mmetc
• replace go-acc, richgo with gotestsum (#3567) @mmetc
• refact pkg/hubtest: use os.CopyFS() (#3539) @mmetc
• lint/refactor: defer, reflectvaluecompare, stylecheck (#3544) @mmetc
• CI: golangci-lint v2 (#3558) @mmetc

New Features

• allowlists: check during bulk decision import (#3588) @mmetc

Improvements

• enhance: Remove docker acquis internal timer use docker events (#3598) @LaurenceJJones
• kafka: expose batching configuration (#3621) @blotus
• feat(apiclient): add token save functionality (#3639) @sabban
• enhance: return err if notification has no plugin type (#3638) @LaurenceJJones
• cscli capi status: save auth token, add tests (#3623) @mmetc
• config.yaml: make config_dir and notification_dir optional (#3606) @mmetc
• feat(apic): add ApicAuth client and token re-authentication logic (#3522) @sabban
• allowlists: automatically expire current matching decisions on update (#3601) @blotus
• improve support for parsing time durations with 'day' units (#3599) @mmetc
• cscli inspect: don't show metrics or converted rules if an item is not installed (#3602) @mmetc
• Fix monitorNewFiles for NFS + Remove dead tails from tail map (#3508) @david-garcia-garcia
• enhance: add listen_socket to http acquisition (#3499) @LaurenceJJones
• enhance: Allow the use of 'd' suffix in profiles (#3594) @LaurenceJJones
• lapi: return specific error if a unix socket path is too long for the OS (#3593) @mmetc
• do not return an error if we cannot fetch allowlists when starting the appsec (#3550) @blotus
• Support WithUserAgent in cti client (#3542) @AlteredCoder

Bug Fixes

• Makefile: typo (#3628) @mmetc
• Fix spelling mistake in metrics.go (#3618) @robigan
• fix(apiserver): ensure nil is returned after setting token and expiration and before we reauthenticate (#3613) @sabban
• Fix cp -n (#3483) @michacassola
• CI: correct uv.lock path (#3596) @mmetc
• make CTI client available in cscli notifications (#3591) @blotus
• fix: avoid possible race condition while compiling expressions (#3582) @mmetc
• fix mysql client certificate support (#3575) @blotus
• fix: error check on postoverflow config (#3576) @mmetc
• hubtests: correct basename check in parser tests (#3557) @mmetc

Chore / Deps

• update expr to 1.17.2 (#3519) @mmetc
• CI: use go 1.24.3 (#3612) @mmetc
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#3581) @dependabot[bot]
• enable codeql for python (#3545) @mmetc
• update golangci-lint (#3590) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.9-rc1

Changes

• CI: update codecov list and fix workflow (#3617) @mmetc
• refact pkg/database: unnecessary pointers (#3611) @mmetc
• CI: update action for generating docker description (#3559) @mmetc
• refact pkg/parser: extract method, avoid calling defer in loop (#3564) @mmetc
• refact: remove unused metod DeleteDecisionsWithFilter() (#3605) @mmetc
• refact alert, decision filters: remove unnecessary pointers (#3607) @mmetc
• CI: update lint complexity thresholds (#3608) @mmetc
• refactor pkg/database/Client.createAlertChunk() (#3585) @mmetc
• refact cscli: hub item - pointer receiver for consistency (#3595) @mmetc
• CI: remove obsolete reference to directory dyn-bats (#3600) @mmetc
• refact: pkg/exprhelpers/debugger, convert switch to function dispatch (#3587) @mmetc
• lint/gocritic: enable importShadow, typeUnparen, unnecessaryDefer (#3583) @mmetc
• refact pkg/database: dry decision count (#3586) @mmetc
• refact parser Init: argument types (#3578) @mmetc
• tests: refact localtest helper, use testify.suite (#3574) @mmetc
• refact: logrus.GetLevel() -> logrus.IsLevelEnabled() (#3579) @mmetc
• test: add cold log event assert (#3577) @mmetc
• Refact pkg/database/decisions.go (#3541) @mmetc
• replace go-acc, richgo with gotestsum (#3567) @mmetc
• refact pkg/hubtest: use os.CopyFS() (#3539) @mmetc
• lint/refactor: defer, reflectvaluecompare, stylecheck (#3544) @mmetc
• CI: golangci-lint v2 (#3558) @mmetc

New Features

• allowlists: check during bulk decision import (#3588) @mmetc

Improvements

• config.yaml: make config_dir and notification_dir optional (#3606) @mmetc
• feat(apic): add ApicAuth client and token re-authentication logic (#3522) @sabban
• allowlists: automatically expire current matching decisions on update (#3601) @blotus
• improve support for parsing time durations with 'day' units (#3599) @mmetc
• cscli inspect: don't show metrics or converted rules if an item is not installed (#3602) @mmetc
• Fix monitorNewFiles for NFS + Remove dead tails from tail map (#3508) @david-garcia-garcia
• enhance: add listen_socket to http acquisition (#3499) @LaurenceJJones
• enhance: Allow the use of 'd' suffix in profiles (#3594) @LaurenceJJones
• lapi: return specific error if a unix socket path is too long for the OS (#3593) @mmetc
• do not return an error if we cannot fetch allowlists when starting the appsec (#3550) @blotus
• Support WithUserAgent in cti client (#3542) @AlteredCoder

Bug Fixes

• fix(apiserver): ensure nil is returned after setting token and expiration and before we reauthenticate (#3613) @sabban
• Fix cp -n (#3483) @michacassola
• CI: correct uv.lock path (#3596) @mmetc
• make CTI client available in cscli notifications (#3591) @blotus
• fix: avoid possible race condition while compiling expressions (#3582) @mmetc
• fix mysql client certificate support (#3575) @blotus
• fix: error check on postoverflow config (#3576) @mmetc
• hubtests: correct basename check in parser tests (#3557) @mmetc

Chore / Deps

• update expr to 1.17.2 (#3519) @mmetc
• CI: use go 1.24.3 (#3612) @mmetc
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#3581) @dependabot[bot]
• enable codeql for python (#3545) @mmetc
• update golangci-lint (#3590) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.8

Changes

• build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#3531) @dependabot[bot]
• CI: enable linter "noctx" (#3528) @mmetc
• CI: enable linter "containedctx" (#3529) @mmetc
• only warn about capi_whitelists_path being deprecated if actually in use (#3535) @blotus
• CI: pin hub branch during functional tests (#3526) @mmetc
• empty back-merge from release branch (#3527) @mmetc

Improvements

• explicit message for malformed data URL in local items (#3537) @mmetc
• Migration script from debian/ubuntu package 1.4.6 (#3420) @mmetc

Bug Fixes

• Allowlists: fix range check in LAPI endpoint (#3538) @blotus
• revert ActionPlan info/warning to StandardLogger (#3536) @mmetc
• fix #3532 "reload causes crashing process" (#3534) @mmetc

Chore / Deps

• use replace for coraza instead of renaming the entire package (#3530) @blotus

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.7

Changes

• build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#3531) @dependabot[bot]
• CI: enable linter "noctx" (#3528) @mmetc
• CI: enable linter "containedctx" (#3529) @mmetc
• only warn about capi_whitelists_path being deprecated if actually in use (#3535) @blotus
• CI: pin hub branch during functional tests (#3526) @mmetc
• empty back-merge from release branch (#3527) @mmetc

Improvements

• explicit message for malformed data URL in local items (#3537) @mmetc
• Migration script from debian/ubuntu package 1.4.6 (#3420) @mmetc

Bug Fixes

• revert ActionPlan info/warning to StandardLogger (#3536) @mmetc
• fix #3532 "reload causes crashing process" (#3534) @mmetc

Chore / Deps

• use replace for coraza instead of renaming the entire package (#3530) @blotus

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.7-rc1

Changes

• CI: enable linter "noctx" (#3528) @mmetc
• CI: enable linter "containedctx" (#3529) @mmetc
• only warn about capi_whitelists_path being deprecated if actually in use (#3535) @blotus
• CI: pin hub branch during functional tests (#3526) @mmetc
• empty back-merge from release branch (#3527) @mmetc

Bug Fixes

• revert ActionPlan info/warning to StandardLogger (#3536) @mmetc
• fix #3532 "reload causes crashing process" (#3534) @mmetc

Chore / Deps

• use replace for coraza instead of renaming the entire package (#3530) @blotus

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.6

Overview

This release introduces centralized allowlists: you can now manage allowlists directly from LAPI or from the console.
Those allowlists will applied by LAPI to local decisions, appsec rules and blocklists, no need to deploy specific allowlists to each machine.

You can learn more about them in our documentation.

This release also deprecates capi_whitelists_path, and we encourage users to migrate to centralized allowlists as they are more flexible.

This release also introduces various improvements:

• JA4H helper for the appsec to compute hashes for HTTP requests
• Custom CA support and mTLS authentication for PostgreSQL/MySQL
• Various fixes

New Features

• Parallel hubtest (#3509) @mmetc
• deprecate capi_whitelists_path (#3504) @blotus
• Add support for centralized allowlists (#3355) @blotus

Changes

• appsec: use CA from client credentials when connecting to LAPI (#3505) @mmetc
• lint: gocritic/httpNoBody (#3493) @mmetc
• tests: remove modeline (#3486) @mmetc
• pkg/cwhub: refact Item.State.(Downloaded | Installed) (#3476) @mmetc
• refact: context propagation (apiclient, cticlient...) (#3477) @mmetc
• CI: use go 1.24 for windows (#3479) @mmetc
• tests: switch context.Background() -> t.Context() from go 1.24 (#3473) @mmetc
• refact: avoid use of defer calls in loops (#3466) @mmetc
• CI: lint docker tests (#3443) @mmetc
• lint: gocritic/typeDefFirst (ensure type definitions come before methods) (#3404) @mmetc
• file acquisition: remove redundant logging info (#3468) @mmetc
• CI: skip unit tests with dynamic build (#3461) @mmetc

Improvements

• appsec: support custom CA for lapi (#3503) @mmetc
• enhancement: Add additional ssl options to db configuration (#3387) @LaurenceJJones
• move ParseQuery to expr helpers, add ExtractQueryParam (#3491) @buixor
• enable/disable options for console enroll - make alert context a default (#3487) @buixor
• enhance: add option to disable magic syslog RFC parsers (#3435) @LaurenceJJones
• add JA4H expr helper (#3401) @blotus
• leaky bucket: reduce log verbosity (#3472) @mmetc

Bug Fixes

• update appsec test runner (#3518) @mmetc
• close appsec transactions after processing request (#3515) @blotus
• opensuse sets OSTYPE to linux (#3514) @blotus
• do not attempt to set db log level if no db config (#3510) @blotus
• appsec: less verbose logging for allowlists and headers check (#3498) @blotus
• enhance: Flags now superceed all log levels (#3496) @LaurenceJJones
• appsec: handle SendAlert() properly for out of band matches (#3497) @blotus
• cscli: review/update argument number checking (#3490) @mmetc
• crowdsec: allow -t to work if using appsec and allowlists (#3484) @blotus
• cron: avoid spamming stdout when the hub index is updated (#3485) @mmetc
• cscli: allow non-local symlinks to have a different name than hub items (#3475) @mmetc
• cscli hub/items: always show action plan; fix --interactive in pipes (#3451) @mmetc
• silence "cscli hub update" if noop in cron jobs (#3460) @mmetc
• cscli: don't attempt to download data files when url="" (#3454) @mmetc

Chore / Deps

• use go 1.24.1 (#3501) @mmetc
• update dependencies: color, go-sqlite3, tail, slack, testify (#3474) @mmetc
• use go 1.24, enable unencrypted http2 (#3470) @mmetc
• deps: use ent 0.14.2 (#3259) @mmetc
• build(deps): bump github.com/golang/glog from 1.2.2 to 1.2.4 (#3431) @dependabot[bot]
• deps: update gin-jwt (#3430) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.6-rc5

Changes

• empty back-merge from release branch (#3506) @mmetc
• appsec: use CA from client credentials when connecting to LAPI (#3505) @mmetc
• lint: gocritic/httpNoBody (#3493) @mmetc
• tests: remove modeline (#3486) @mmetc
• pkg/cwhub: refact Item.State.(Downloaded | Installed) (#3476) @mmetc
• refact: context propagation (apiclient, cticlient...) (#3477) @mmetc
• CI: use go 1.24 for windows (#3479) @mmetc
• tests: switch context.Background() -> t.Context() from go 1.24 (#3473) @mmetc
• refact: avoid use of defer calls in loops (#3466) @mmetc
• CI: lint docker tests (#3443) @mmetc
• lint: gocritic/typeDefFirst (ensure type definitions come before methods) (#3404) @mmetc
• file acquisition: remove redundant logging info (#3468) @mmetc
• CI: skip unit tests with dynamic build (#3461) @mmetc

New Features

• Parallel hubtest (#3509) @mmetc
• deprecate capi_whitelists_path (#3504) @blotus
• Add support for centralized allowlists (#3355) @blotus

Improvements

• appsec: support custom CA for lapi (#3503) @mmetc
• enhancement: Add additional ssl options to db configuration (#3387) @LaurenceJJones
• move ParseQuery to expr helpers, add ExtractQueryParam (#3491) @buixor
• enable/disable options for console enroll - make alert context a default (#3487) @buixor
• enhance: add option to disable magic syslog RFC parsers (#3435) @LaurenceJJones
• add JA4H expr helper (#3401) @blotus
• leaky bucket: reduce log verbosity (#3472) @mmetc

Bug Fixes

• update appsec test runner (#3518) @mmetc
• close appsec transactions after processing request (#3515) @blotus
• opensuse sets OSTYPE to linux (#3514) @blotus
• do not attempt to set db log level if no db config (#3510) @blotus
• appsec: less verbose logging for allowlists and headers check (#3498) @blotus
• enhance: Flags now superceed all log levels (#3496) @LaurenceJJones
• appsec: handle SendAlert() properly for out of band matches (#3497) @blotus
• cscli: review/update argument number checking (#3490) @mmetc
• crowdsec: allow -t to work if using appsec and allowlists (#3484) @blotus
• cron: avoid spamming stdout when the hub index is updated (#3485) @mmetc
• cscli: allow non-local symlinks to have a different name than hub items (#3475) @mmetc
• cscli hub/items: always show action plan; fix --interactive in pipes (#3451) @mmetc
• silence "cscli hub update" if noop in cron jobs (#3460) @mmetc
• cscli: don't attempt to download data files when url="" (#3454) @mmetc

Chore / Deps

• use go 1.24.1 (#3501) @mmetc
• update dependencies: color, go-sqlite3, tail, slack, testify (#3474) @mmetc
• use go 1.24, enable unencrypted http2 (#3470) @mmetc
• deps: use ent 0.14.2 (#3259) @mmetc
• build(deps): bump github.com/golang/glog from 1.2.2 to 1.2.4 (#3431) @dependabot[bot]
• deps: update gin-jwt (#3430) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.6-rc4

Changes

• empty back-merge from release branch (#3506) @mmetc
• appsec: use CA from client credentials when connecting to LAPI (#3505) @mmetc
• lint: gocritic/httpNoBody (#3493) @mmetc
• tests: remove modeline (#3486) @mmetc
• pkg/cwhub: refact Item.State.(Downloaded | Installed) (#3476) @mmetc
• refact: context propagation (apiclient, cticlient...) (#3477) @mmetc
• CI: use go 1.24 for windows (#3479) @mmetc
• tests: switch context.Background() -> t.Context() from go 1.24 (#3473) @mmetc
• refact: avoid use of defer calls in loops (#3466) @mmetc
• CI: lint docker tests (#3443) @mmetc
• lint: gocritic/typeDefFirst (ensure type definitions come before methods) (#3404) @mmetc
• file acquisition: remove redundant logging info (#3468) @mmetc
• CI: skip unit tests with dynamic build (#3461) @mmetc

New Features

• Parallel hubtest (#3509) @mmetc
• deprecate capi_whitelists_path (#3504) @blotus
• Add support for centralized allowlists (#3355) @blotus

Improvements

• appsec: support custom CA for lapi (#3503) @mmetc
• enhancement: Add additional ssl options to db configuration (#3387) @LaurenceJJones
• move ParseQuery to expr helpers, add ExtractQueryParam (#3491) @buixor
• enable/disable options for console enroll - make alert context a default (#3487) @buixor
• enhance: add option to disable magic syslog RFC parsers (#3435) @LaurenceJJones
• add JA4H expr helper (#3401) @blotus
• leaky bucket: reduce log verbosity (#3472) @mmetc

Bug Fixes

• close appsec transactions after processing request (#3515) @blotus
• opensuse sets OSTYPE to linux (#3514) @blotus
• do not attempt to set db log level if no db config (#3510) @blotus
• appsec: less verbose logging for allowlists and headers check (#3498) @blotus
• enhance: Flags now superceed all log levels (#3496) @LaurenceJJones
• appsec: handle SendAlert() properly for out of band matches (#3497) @blotus
• cscli: review/update argument number checking (#3490) @mmetc
• crowdsec: allow -t to work if using appsec and allowlists (#3484) @blotus
• cron: avoid spamming stdout when the hub index is updated (#3485) @mmetc
• cscli: allow non-local symlinks to have a different name than hub items (#3475) @mmetc
• cscli hub/items: always show action plan; fix --interactive in pipes (#3451) @mmetc
• silence "cscli hub update" if noop in cron jobs (#3460) @mmetc
• cscli: don't attempt to download data files when url="" (#3454) @mmetc

Chore / Deps

• use go 1.24.1 (#3501) @mmetc
• update dependencies: color, go-sqlite3, tail, slack, testify (#3474) @mmetc
• use go 1.24, enable unencrypted http2 (#3470) @mmetc
• deps: use ent 0.14.2 (#3259) @mmetc
• build(deps): bump github.com/golang/glog from 1.2.2 to 1.2.4 (#3431) @dependabot[bot]
• deps: update gin-jwt (#3430) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.

v1.6.6-rc3

Changes

• empty back-merge from release branch (#3506) @mmetc
• appsec: use CA from client credentials when connecting to LAPI (#3505) @mmetc
• lint: gocritic/httpNoBody (#3493) @mmetc
• tests: remove modeline (#3486) @mmetc
• pkg/cwhub: refact Item.State.(Downloaded | Installed) (#3476) @mmetc
• refact: context propagation (apiclient, cticlient...) (#3477) @mmetc
• CI: use go 1.24 for windows (#3479) @mmetc
• tests: switch context.Background() -> t.Context() from go 1.24 (#3473) @mmetc
• refact: avoid use of defer calls in loops (#3466) @mmetc
• CI: lint docker tests (#3443) @mmetc
• lint: gocritic/typeDefFirst (ensure type definitions come before methods) (#3404) @mmetc
• file acquisition: remove redundant logging info (#3468) @mmetc
• CI: skip unit tests with dynamic build (#3461) @mmetc

New Features

• deprecate capi_whitelists_path (#3504) @blotus
• Add support for centralized allowlists (#3355) @blotus

Improvements

• appsec: support custom CA for lapi (#3503) @mmetc
• enhancement: Add additional ssl options to db configuration (#3387) @LaurenceJJones
• move ParseQuery to expr helpers, add ExtractQueryParam (#3491) @buixor
• enable/disable options for console enroll - make alert context a default (#3487) @buixor
• enhance: add option to disable magic syslog RFC parsers (#3435) @LaurenceJJones
• add JA4H expr helper (#3401) @blotus
• leaky bucket: reduce log verbosity (#3472) @mmetc

Bug Fixes

• appsec: less verbose logging for allowlists and headers check (#3498) @blotus
• enhance: Flags now superceed all log levels (#3496) @LaurenceJJones
• appsec: handle SendAlert() properly for out of band matches (#3497) @blotus
• cscli: review/update argument number checking (#3490) @mmetc
• crowdsec: allow -t to work if using appsec and allowlists (#3484) @blotus
• cron: avoid spamming stdout when the hub index is updated (#3485) @mmetc
• cscli: allow non-local symlinks to have a different name than hub items (#3475) @mmetc
• cscli hub/items: always show action plan; fix --interactive in pipes (#3451) @mmetc
• silence "cscli hub update" if noop in cron jobs (#3460) @mmetc
• cscli: don't attempt to download data files when url="" (#3454) @mmetc

Chore / Deps

• use go 1.24.1 (#3501) @mmetc
• update dependencies: color, go-sqlite3, tail, slack, testify (#3474) @mmetc
• use go 1.24, enable unencrypted http2 (#3470) @mmetc
• deps: use ent 0.14.2 (#3259) @mmetc
• build(deps): bump github.com/golang/glog from 1.2.2 to 1.2.4 (#3431) @dependabot[bot]
• deps: update gin-jwt (#3430) @mmetc

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Installation

Take a look at the installation instructions.