Release v3.2.12

What's Changed

• chore(oscap): re-pin CA bundle hash and fixture base-image digests by @octo-sts-2[bot] in #84
• chore(release): prepare release v3.2.12 by @octo-sts-6[bot] in #85

Full Changelog: v3.2.11...v3.2.12

Release v3.2.11

What's Changed

• chore(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 in the actions group by @dependabot[bot] in #78
• chore(deps): bump the actions group across 1 directory with 4 updates by @dependabot[bot] in #81
• refactor: improve SRG functionality for directory tests; add E2E testing by @egibs in #82
• chore(release): prepare release v3.2.11 by @octo-sts-6[bot] in #83

New Contributors

• @octo-sts-6[bot] made their first contribution in #83

Full Changelog: v3.2.10...v3.2.11

Release v3.2.10

What's Changed

• chore(signature valdiation): allow prepare-release workflow, github validated signatures by @stevebeattie in #75
• fix: sync RemoteAccessServices pattern in datastream by @jakeva in #76
• chore(release): prepare release v3.2.10 by @octo-sts-2[bot] in #77

Full Changelog: v3.2.9...v3.2.10

Release v3.2.9

What's Changed

• Bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 by @dependabot[bot] in #42
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in the actions group by @dependabot[bot] in #46
• Bump the actions group across 1 directory with 3 updates by @dependabot[bot] in #49
• Bump chainguard-dev/actions from 1.5.12 to 1.5.13 in the actions group by @dependabot[bot] in #50
• Bump step-security/harden-runner from 2.14.0 to 2.14.1 in the actions group by @dependabot[bot] in #51
• Bump chainguard-dev/actions from 1.5.13 to 1.5.14 in the actions group by @dependabot[bot] in #52
• Bump the actions group across 1 directory with 3 updates by @dependabot[bot] in #55
• Bump chainguard-dev/actions from 1.5.16 to 1.6.0 in the actions group by @dependabot[bot] in #56
• Bump chainguard-dev/actions from 1.6.0 to 1.6.1 in the actions group by @dependabot[bot] in #57
• Bump chainguard-dev/actions from 1.6.1 to 1.6.2 in the actions group by @dependabot[bot] in #58
• Bump chainguard-dev/actions from 1.6.2 to 1.6.3 in the actions group by @dependabot[bot] in #59
• Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #61
• Bump the actions group across 1 directory with 3 updates by @dependabot[bot] in #64
• Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #66
• Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #68
• Bump chainguard-dev/actions from 1.6.10 to 1.6.11 in the actions group by @dependabot[bot] in #69
• chore(workflows): add workflow linters by @stevebeattie in #71
• fix(workflows): fix zizmor identified issues, actionlint error by @stevebeattie in #72
• chore(release): add two-phase release workflows [PSEC-656] by @stevebeattie in #73
• fix RemoteAccessServicesTest: version-stream-aware pattern by @jakeva in #70
• chore(release): prepare release v3.2.9 by @octo-sts-2[bot] in #74

New Contributors

• @jakeva made their first contribution in #70
• @octo-sts-2[bot] made their first contribution in #74

Full Changelog: v3.2.8...v3.2.9

v3.2.8 release

Improved the openssl FIPs checks to be more comprehensive, as well as fixed some of the language around other checks.

What's Changed

• octo-sts policy: fix subject org by @stevebeattie in #26
• chore: enable dependabot to keep github actions updated by @stevebeattie in #27
• allowed signatures: allow github webui based commits by @stevebeattie in #30
• Bump the actions group with 3 updates by @dependabot[bot] in #28
• Bump sigstore/cosign-installer from 3.9.2 to 4.0.0 by @dependabot[bot] in #29
• Bump the actions group across 1 directory with 4 updates by @dependabot[bot] in #35
• update-ca-cert workflow: fix version ref to create-pull-request action by @stevebeattie in #36
• Update README to reflect SRG profile changes by @some-natalie in #37
• Bump actions/checkout from 5.0.0 to 6.0.1 by @dependabot[bot] in #39
• Bump step-security/harden-runner from 2.13.3 to 2.14.0 in the actions group across 1 directory by @dependabot[bot] in #40
• openssl checks: ensure that openssl.cnf contain expected elements by @stevebeattie in #41
• Fix validation errors and incorrect check by @stevebeattie in #43
• add simple make targets for oscap xccdf validate by @stevebeattie in #44
• fix: make datastreams and combined xml match by @stevebeattie in #45

New Contributors

• @dependabot[bot] made their first contribution in #28
• @some-natalie made their first contribution in #37

Full Changelog: v3.2.7...v3.2.8

v3.2.7 release

What's Changed

• gpos stig: update hash for ca-certificates 20251003-r0 update by @stevebeattie in #24
• add ca-cert PR generator github workflow by @stevebeattie in #25

Full Changelog: v3.2.6...v3.2.7

v3.2.6

What's Changed

• Update CABundleHash by @egibs in #23

Full Changelog: v3.2.5...v3.2.6

v3.2.5

What's Changed

Important note: the format for identifying stig rules has changed in this update, from (e.g.):

xccdf_._rule_V_263659

to:

xccdf_mil.disa.stig_rule_SV-263659r982563_rule

to ensure correct mappings when used in tools like STIGViewer. This will also impact use cases where openscap is used to check specific rules, e.g.:

oscap xccdf eval --verbose WARNING --rule xccdf_mil.disa.stig_rule_SV-263659r982563_rule \
              /usr/share/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml 

Change history:

• Update ID mappings to fix STIGViewer imports by @egibs in #20
• Revert checksum testing change by @egibs in #22

New Contributors

• @egibs made their first contribution in #20

Full Changelog: v3.2.4...v3.2.5

v3.2.4

What's Changed

• Update image scan instructions by @sschubertchainguard in #19
• Update SHA-256 for latest updates to ca-certificates. by @javacruft in #21

New Contributors

• @sschubertchainguard made their first contribution in #19
• @javacruft made their first contribution in #21

Full Changelog: v3.2.3...v3.2.4

What's Changed

• Update image scan instructions by @sschubertchainguard in #19
• Update SHA-256 for latest updates to ca-certificates. by @javacruft in #21

New Contributors

• @sschubertchainguard made their first contribution in #19
• @javacruft made their first contribution in #21

Full Changelog: v3.2.3...v3.2.4

v3.2.3

What's Changed

• readme: add instructions to run against image by @xnox in #15
• stig: add missing rule for V-259333 check by @stevebeattie in #16
• gitsign: add a policy for signing commits by @stevebeattie in #18
• stig: reflow text by @stevebeattie in #17

New Contributors

• @xnox made their first contribution in #15

Full Changelog: v3.2.2...v3.2.3