Releases: had-nu/wardex

v1.8.0 - Risk Posture Orchestration (RPO) Platform

25 Apr 00:54

Changelog

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

[1.8.0] - 2026-04-24

Added

  • Orchestration Command (wardex assess): A unified command for multi-layer compliance and asset-based assessment.
  • Layer Delta Analysis: Automatic identification of "Paper Security" (documented only) and "Shadow Security" (implemented only).
  • Asset Compliance Models: Context-aware scoring for individual business systems (Criticality, Exposure, Threats).
  • Risk-Based Scoring v2: New roadmap prioritization formula incorporating ContextWeight and Effectiveness.
  • Flexible Ingestion: Support for root-level lists in YAML/JSON control and asset definitions.

Changed

  • BREAKING: Architectural Flattening: Consolidated pkg/accept into a unified high-performance package.
  • Coverage Strictness: The global coverage metric now requires the implemented layer for a Covered status.
  • Documentation Overhaul: Updated Playbook and Technical View for the RPO Platform transition.
  • Cleanup: Purged legacy PoCs and non-essential artifacts; reorganized research data.

Fixed

  • Deduplication Logic: LoadMany now correctly handles same-ID controls across different layers (ID|Layer).
  • Model Inconsistency: Updated Asset schema to support advanced exposure context and threat scenarios.
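
As an added illustration (not Wardex's own code), the Go sketch below shows what the Layer Delta Analysis and the ID|Layer deduplication fix amount to: controls are keyed per layer, an ID documented but never implemented is "Paper Security", one implemented but never documented is "Shadow Security", and only the implemented layer earns Covered status. The denominator used for Coverage (all distinct IDs) and the sample control IDs are assumptions of this example.

```go
package main

import "sort"

// Control is one catalog control as seen in one layer ("documented" or "implemented").
type Control struct{ ID, Layer string }

// Delta is the layer comparison; Coverage credits only IDs in the implemented layer (denominator = all IDs, an assumption).
type Delta struct {
	Covered, Paper, Shadow []string
	Coverage               float64
}

// Layer bits; OR-ing makes a repeated ID|Layer idempotent (the v1.8.0 dedup fix).
const (
	documented = 1 << iota
	implemented
)

// LayerDelta classifies IDs as covered (both layers), paper (documented only)
// or shadow (implemented only), with each list sorted for stable output.
func LayerDelta(controls []Control) Delta {
	bits := map[string]int{}
	for _, c := range controls {
		switch c.Layer {
		case "documented":
			bits[c.ID] |= documented
		case "implemented":
			bits[c.ID] |= implemented
		}
	}
	var d Delta
	for id, b := range bits {
		switch b {
		case documented | implemented:
			d.Covered = append(d.Covered, id)
		case documented:
			d.Paper = append(d.Paper, id) // "Paper Security"
		case implemented:
			d.Shadow = append(d.Shadow, id) // "Shadow Security"
		}
	}
	sort.Strings(d.Covered)
	sort.Strings(d.Paper)
	sort.Strings(d.Shadow)
	if len(bits) > 0 {
		d.Coverage = float64(len(d.Covered)) / float64(len(bits))
	}
	return d
}
```

Feeding a control that appears twice in the documented layer yields one Paper entry, which is the behaviour the LoadMany fix restores.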

[1.7.2] - 2026-04-21

Added

  • SDK API: New programmatic API for integration (pkg/sdk/assess.go)
  • NIS2/DORA Support: Policy templates for NIS2 and DORA frameworks
  • Calibrated Risk Gate: Enhanced calibration with NAICS organizational profiles
  • Playbook Documentation: Comprehensive operational playbook
  • Comprehensive USECASES.md: 10 didactic scenarios for training

Changed

  • Updated Go dependencies (AWS SDK v2, Cloud Logging)
  • GitHub Actions updated to latest versions
  • Improved documentation and CLI banner redesign
  • Enhanced risk calibration with statistical bootstrapping

Fixed

  • Fixed .golangci.yml configuration (v2 → v3 format)
  • StaticCheck QF1003 resolved (if/else → switch)
  • Various README typos and linter configurations

Security

  • Isolated empirical research scripts to /research
  • Internal docs moved to /internal/doc/ for cleaner public clone

Wardex v1.7.2 - Security Posture & SDK

21 Apr 01:36
aa361b4

What's Changed

  • Wardex v1.7.1 - TeamPCP Hardening & Tooling Modernization by @had-nu in #28
  • Merge pull request #28 from had-nu/dev by @had-nu in #29
  • feat: policy subcommand + documentation overhaul + USECASES by @had-nu in #30
  • build(deps): bump golangci/golangci-lint-action from 6.1.1 to 9.2.0 by @dependabot[bot] in #31
  • build(deps): bump actions/setup-go from 5.3.0 to 6.4.0 by @dependabot[bot] in #32
  • build(deps): bump actions/checkout from 4.2.2 to 6.0.2 by @dependabot[bot] in #33
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.65.0 to 1.66.0 by @dependabot[bot] in #34
  • feat(v1.7.1): governance commands and empirical risk calibration by @had-nu in #36
  • Main by @had-nu in #37
  • feat(frameworks): add policy templates for SOC 2, NIS 2, and DORA by @had-nu in #38
  • chore: isolate empirical research scripts to /research by @had-nu in #40
  • build(deps): bump cloud.google.com/go/logging from 1.13.2 to 1.14.0 by @dependabot[bot] in #41
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.66.0 to 1.68.0 by @dependabot[bot] in #42
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.13 to 1.32.14 by @dependabot[bot] in #43
  • feat: calibrated risk-based gate and organizational profiles by @had-nu in #44
  • build(deps): bump cloud.google.com/go/logging from 1.14.0 to 1.16.0 by @dependabot[bot] in #45
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.66.0 to 1.68.0 by @dependabot[bot] in #46
  • feat: Add SDK API and fix critical inconsistencies (v1.7.2) by @had-nu in #47
  • Test/novabank demo by @had-nu in #50

Full Changelog: v1.7.1...v1.7.2

Release v1.7.1 - TeamPCP Hardening & Modernization

27 Mar 23:29
v1.7.1
498f8cb

We are proud to announce the release of Wardex v1.7.1, which introduces critical security hardening measures to mitigate the TeamPCP campaign and modernizes our build infrastructure.

Security & Hardening (TeamPCP Campaign Mitigation)

Infrastructure & CI/CD

  • Immutable CI/CD: All GitHub Actions are now pinned to specific SHA256 hashes to prevent tag-poisoning and supply chain attacks.
  • Workflow Isolation: Restricted pull_request_target permissions and removed PAT exposure in CLA automation to prevent unauthorized code execution.

Artifact & Dependency Integrity

  • Dependency Integrity: Implemented Subresource Integrity (SRI) hashes for all browser-side dependencies in the simulation engine.
  • Artifact Signing: Added initial support for cosign and CycloneDX SBOM generation via Goreleaser to ensure binary transparency and provenance.

Governance & Data Provenance

  • Audit Traceability: Added signature_version to risk acceptance records and documented detailed secret rotation procedures in SECURITY.md.
  • Data Provenance: EPSS enrichment now captures TLS certificate fingerprints and enforces logical range validation for incoming datasets.

Tooling Modernization

Go 1.26 Upgrade

The project has been fully migrated to Go 1.26, leveraging the latest performance improvements and security features of the Go toolchain.

Linter & Security Scanners

  • golangci-lint v2.11.4: Updated to the latest major version with optimized configuration for Go 1.26.
  • govulncheck v1.1.4: Upgraded to ensure compatibility with Go 1.26 and latest vulnerability database schemas.
  • gosec v2.25.0: Updated for enhanced static security analysis.

How to Upgrade

To update your local installation and tooling:

# Update Wardex
go get github.com/had-nu/wardex@v1.7.1

# Update Linter to v2.11.4
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest

v1.7.0

06 Mar 16:55

Wardex v1.7.0

Added

  • Wardex SaaS Conversion Portal: Built-in interactive web demo (wardex portal) designed for Product-Led Growth (PLG). Automatically clones repositories, coordinates Grype vulnerability scans, and evaluates contextual risk in real-time. Features an embedded dark/neon HTML UI and live Server-Sent Events (SSE) streaming.
  • Human-in-the-Loop EPSS API Enrichment: Added the wardex enrich epss command to securely fetch omitted EPSS scores from api.first.org and emit a cryptographically sealed HMAC override record. Injecting --epss-enrichment record.yaml supersedes the gate's 1.0 fallback, preventing pipeline brittleness without compromising non-repudiation.
  • Multi-Context Stress Test Report: Validated 237 real CVEs with live FIRST.org EPSS data across 4 organizational profiles (Bank/DORA, Hospital/HIPAA, SaaS Startup, Dev Sandbox).

Changed

  • BREAKING: wardex convert grype default-epss 0.05 → 0.0: The converter no longer silently assumes a permissive 5% exploitation probability for unknown EPSS scores. Unknown scores are now 0.0, causing the release gate to assume worst-case (1.0) until the analyst explicitly runs wardex enrich epss. This enforces Wardex's fail-close philosophy.

Wardex v1.5.0 (Framework Expansion Sprint)

01 Mar 18:59

Wardex v1.5.0 (Framework Expansion Sprint)

This release officially introduces the Multi-Framework Governance Engine. Wardex is no longer strictly bound to ISO 27001 reporting.

Added

  • --framework Dynamic Parameter: A flexible way to scan the same organizational security configurations against different regulatory catalogs. Supported natively out-of-the-box in v1.5.0:
    • --framework iso27001 (Legacy JSON backwards-compatible default)
    • --framework soc2
    • --framework nis2
    • --framework dora

Changed

  • The entire application core transitioned from an AnnexAControl schema abstraction to a globally resilient CatalogControl structure.

Wardex v1.4.0 (System Features Sprint)

01 Mar 18:50

Wardex v1.4.0 (System Features Sprint)

This release focuses on hardening enterprise telemetry, improving the observability of risk thresholds, and introducing native false-positive suppression via VEX.

Added

  • SIEM Forwarding Verification: Added the wardex accept verify-forwarding command to validate that local audit trails (wardex-accept-audit.log) are healthy and formatted correctly for remote SIEM ingestion agents.
  • WARN Gate Threshold Observable Context: The release gate now explicitly surfaces the [!] WARN tag and exits cleanly (0) when an evaluated pipeline risk falls between the warn_above and risk_appetite boundaries. This provides critical observability without hard-blocking pipelines unnecessarily.
  • Configurable Snapshot File Path: Replaced the hardcoded .wardex_snapshot.json tracker. Monorepo pipelines can now use the --snapshot-file flag to securely isolate their gap analysis states and delta reports.
  • VEX Suppressions: The native CycloneDX SBOM importer natively parses the analysis object. SBOM Vulnerability components with a VEX state of false_positive or not_affected are automatically bypassed by the risk engine, instantly reducing noisy false alarms.

Wardex v1.3.0 (Enterprise Compliance Release)

01 Mar 18:25

Wardex v1.3.0 (Enterprise Compliance Release)

This release focuses on enterprise-grade compliance, introducing native SBOM ingestion, dynamic Role-Based Access Control (RBAC) profiling, and a mathematically verifiable cryptographic audit trail for risk exceptions.

Added

  • Native SBOM Ingestion: Wardex now natively ingests and parses Software Bill of Materials. Using wardex convert sbom, pipelines can instantly parse CycloneDX and SPDX JSON files, extracting CVSS vulnerabilities agnostically without relying on third-party security scanners.
  • RBAC Configuration Profiles (--profile): Risk thresholds no longer need to be hardcoded globally. The wardex-config.yaml now supports a profiles: block, allowing different teams (e.g., frontend, backend, pci-dss) to be dynamically invoked at runtime via the --profile <name> flag to enforce distinct risk_appetite and warn_above thresholds.
  • Cryptographic Acceptances Audit: The Risk Acceptance subsystem has been fortified with HMAC-SHA256 signatures (pkg/accept/signer). Exceptions are now completely tamper-evident, immune to timing side-channel attacks via constant-time verification, and strictly bound to the exact point-in-time compliance report to prevent cross-context replay attacks.

Changed

  • Scenario Proof of Concepts: Expanded test/poc/run-all-scenarios.sh to include complex end-to-end integration tests for SBOM conversions and RBAC profile overriding simulations, ensuring zero regressions on the security gate logic.

Wardex v1.2.0

01 Mar 15:25

Wardex v1.2.0 (Developer Adoption Release)

This release focuses on dramatically reducing integration friction, enhancing the developer experience, and introducing the much-requested WARN risk band for more flexible CI/CD pipelines.

Added

  • Interactive Risk Simulator: Added wardex simulate to instantly spin up an offline web dashboard. This allows teams to visually test how CVSS, EPSS, and compensating controls affect their overall risk score in real-time.
  • Grype Converter: Added wardex convert grype to natively transform Grype JSON vulnerability scanner output into Wardex's native YAML format for seamless pipeline integration.
  • WARN Risk Band: Added the warn_above configuration threshold. The gate now supports an intermediate band where releases can proceed (with strong warnings) if they exceed warn_above but haven't breached the fatal risk_appetite.
  • JSON & CSV Export for Acceptances: The wardex accept list command now supports --output json and --output csv flags for programmatic parsing.
  • Configurable Roadmap Limit: Removed the hardcoded 10-item limit for the maturity roadmap. You can now control the report length natively using the --roadmap-limit flag.
  • SDK Documentation: Fully annotated the pkg/ directories with standard GoDoc API references, unlocking native programmatic integrations.
  • Dynamic Versioning: Added the --version flag, and the ASCII banner now prints the dynamically injected build version.

Changed

  • Refactored codebase to abolish emojis and use cleaner ASCII tags ([PASS], [FAIL], [INFO], [WARN]).
  • Cleaned up overly verbose inline tutorial comments from core files (main.go, grype.go, scorer.go, test/poc/main.go) for a more professional, SDK-ready codebase.
  • Improved validation of banned justification phrases to catch them anywhere within a sentence, rather than requiring an exact string match.

v1.1.1 — Security & Correctness Patch

01 Mar 12:55

Bug Fixes

G-01: Duration parser broken for day suffix

time.ParseDuration rejects d suffix — --expires 30d and --warn-before 3d always failed.

  • New pkg/duration with ParseExtended() supporting day notation
  • Changed --warn-before default from 3d to 72h (safe fallback)
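
The parser below is an added example of the kind of extension G-01 describes, not the project's pkg/duration: it peels a whole-day prefix off the string and hands the remainder to time.ParseDuration, so "30d" and "3d12h" work while "2d-3h" and fractional days are rejected. The 24h-per-day convention and the day-count cap are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// maxDays keeps days*24h inside int64 nanoseconds (about 292 years).
const maxDays = 106751

// ParseExtended accepts everything time.ParseDuration does plus a leading
// whole-day component: "30d", "3d12h", "-2d". A day is a fixed 24h; calendar
// effects such as DST are deliberately out of scope for expiry windows.
func ParseExtended(s string) (time.Duration, error) {
	orig, neg := s, false
	if strings.HasPrefix(s, "-") || strings.HasPrefix(s, "+") {
		neg, s = s[0] == '-', s[1:]
	}
	var days time.Duration
	i := strings.IndexByte(s, 'd') // no ParseDuration unit contains 'd'
	if i >= 0 {
		n, err := strconv.ParseUint(s[:i], 10, 64)
		if err != nil || n > maxDays {
			return 0, fmt.Errorf("invalid day count in duration %q", orig)
		}
		days, s = time.Duration(n)*24*time.Hour, s[i+1:]
	}
	var rest time.Duration
	if s != "" {
		var err error
		if rest, err = time.ParseDuration(s); err != nil {
			return 0, fmt.Errorf("invalid duration %q: %w", orig, err)
		}
		if rest < 0 { // "2d-3h": the sign must lead the whole value
			return 0, fmt.Errorf("invalid duration %q: embedded sign", orig)
		}
	} else if i < 0 {
		return 0, fmt.Errorf("invalid duration %q", orig) // "", "-"
	}
	if neg {
		return -(days + rest), nil
	}
	return days + rest, nil
}
```

With this in place the old "3d" and the new "72h" default for --warn-before resolve to the same value.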

G-02: --config flag ignored by accept subcommands

All 5 accept subcommands hardcoded config.Load("./wardex-config.yaml"), ignoring root --config.

  • AddCommands now receives config path pointer from root command
  • All 7 hardcoded paths replaced

G-03: Multi-CVE acceptance silently discarded CVEs

reqCVEs[0] only stored the first CVE — users thought all CVEs were accepted.

  • Creates 1 acceptance per CVE with unique ID, individual HMAC, individual audit log
  • Each CVE independently revocable

G-04: Exit code 2 conflicts with POSIX

os.Exit(2) for gate BLOCK means "misuse of shell builtins" in POSIX.

  • New pkg/exitcodes with named constants (GateBlocked=10, ComplianceFail=11)
  • All magic exit codes replaced across main.go and cli.go
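
As an added example (not Wardex's cli.go), here is how the release gate's three bands from v1.2.0/v1.4.0, the --profile overrides from v1.3.0 and the named exit codes from G-04 fit together in Go. Treating a score exactly equal to a threshold as not exceeding it, and rejecting a profile whose warn_above lies above its risk_appetite, are assumptions of this example.

```go
package main

import "fmt"

// Named exit codes (values from the v1.1.1 notes). PASS and WARN both exit 0,
// so only a real BLOCK stops a pipeline.
const (
	ExitOK      = 0
	GateBlocked = 10
)

// Thresholds is the warn_above / risk_appetite pair from wardex-config.yaml.
type Thresholds struct {
	RiskAppetite float64 `yaml:"risk_appetite"`
	WarnAbove    float64 `yaml:"warn_above"`
}

// Config holds the global pair plus per-team overrides under profiles:.
type Config struct {
	Thresholds `yaml:",inline"`
	Profiles   map[string]Thresholds `yaml:"profiles"`
}

// Resolve selects thresholds for --profile <name>. An unknown profile or an
// inverted band is an error, never a silent fallback (fail-closed).
func (c Config) Resolve(profile string) (Thresholds, error) {
	t, ok := c.Thresholds, true
	if profile != "" {
		t, ok = c.Profiles[profile]
	}
	if !ok {
		return Thresholds{}, fmt.Errorf("unknown profile %q", profile)
	}
	if t.WarnAbove > t.RiskAppetite {
		return Thresholds{}, fmt.Errorf("warn_above %.2f exceeds risk_appetite %.2f", t.WarnAbove, t.RiskAppetite)
	}
	return t, nil
}

// Evaluate maps a composite risk score onto the bands: above risk_appetite is
// [FAIL]/GateBlocked, between warn_above and risk_appetite is [!] WARN with exit 0.
func Evaluate(risk float64, t Thresholds) (tag string, code int) {
	switch {
	case risk > t.RiskAppetite:
		return "[FAIL]", GateBlocked
	case risk > t.WarnAbove:
		return "[!] WARN", ExitOK
	}
	return "[PASS]", ExitOK
}
```

The same score can be WARN under the global thresholds and FAIL under a stricter profile, which is exactly why the profile lookup must never fall back silently.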

Tests

29 new unit tests added. Full regression passed on all branches before merge.

v1.1.0 - The Risk Acceptance Engine

27 Feb 17:54
a9a3cde

Ω Wardex v1.1.0 — The Risk Acceptance Engine

What's New

  • Risk Acceptance Workflow — Formal wardex accept subcommand for managing vulnerability exceptions with HMAC-SHA256 cryptographic signing, append-only audit logs, and configuration drift detection.
  • Elegant CLI Banner — Redesigned compact banner with gradient aesthetics and the Ω branding.
  • Multilingual README — Documentation available in English, French, Spanish, and Portuguese.
  • CI Pipeline — Full lint (golangci-lint), security scan (govulncheck, gosec), and test coverage.

Subcommands

wardex accept request      — Request a new risk acceptance
wardex accept list         — List active/expired acceptances
wardex accept verify       — Verify cryptographic integrity
wardex accept revoke       — Revoke an existing acceptance
wardex accept check-expiry — Check for pending expirations
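
As an added example (not pkg/accept/signer), the Go code below shows the properties the acceptance subsystem claims here and in v1.3.0: each CVE gets its own HMAC-SHA256 record (the G-03 fix), verification compares in constant time with hmac.Equal, and a record is bound to the report hash it was issued against so it cannot be replayed into a different run. The canonical field order, the ACC-nnn IDs and the report-hash binding field are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Acceptance is one risk exception. One record per CVE (the G-03 fix) keeps each
// independently verifiable and revocable; ReportHash pins it to one report.
type Acceptance struct {
	ID, CVE, Justification, ReportHash, Signature string
	SignatureVersion                               int
}

// mac is HMAC-SHA256 over a fixed-order form; Justification goes last so an embedded newline cannot shift other fields.
func mac(a Acceptance, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d\n%s\n%s\n%s\n%s", a.SignatureVersion, a.ID, a.CVE, a.ReportHash, a.Justification)
	return m.Sum(nil)
}

// Sign attaches the hex MAC; Signature itself is never part of the signed bytes.
func Sign(a Acceptance, key []byte) Acceptance {
	a.Signature = hex.EncodeToString(mac(a, key))
	return a
}

// Verify rejects tampering with a constant-time compare (hmac.Equal), then
// rejects a valid record replayed against a different report.
func Verify(a Acceptance, key []byte, currentReportHash string) error {
	got, err := hex.DecodeString(a.Signature)
	if err != nil || !hmac.Equal(got, mac(a, key)) {
		return fmt.Errorf("acceptance %s: bad signature (tampered or wrong key)", a.ID)
	}
	if a.ReportHash != currentReportHash {
		return fmt.Errorf("acceptance %s: bound to report %s, not %s", a.ID, a.ReportHash, currentReportHash)
	}
	return nil
}

// AcceptAll issues one signed record per CVE; the ACC-nnn ID scheme is this example's assumption.
func AcceptAll(cves []string, justification, reportHash string, key []byte) []Acceptance {
	out := make([]Acceptance, 0, len(cves))
	for i, cve := range cves {
		out = append(out, Sign(Acceptance{ID: fmt.Sprintf("ACC-%03d", i+1), CVE: cve,
			Justification: justification, ReportHash: reportHash, SignatureVersion: 1}, key))
	}
	return out
}
```

Because the MAC covers ID, CVE, justification and report hash together, editing any one of them after signing fails Verify, and revoking one CVE's record leaves the others valid.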

Architecture

  • Risk-Based Release Gate with composite risk scoring (CVSS × EPSS × Reachability × Asset Context)
  • SDK-ready: importable as a Go library for REST APIs, GRC orchestration, or bots
  • ISO/IEC 27001:2022 Annex A mapping across 93 controls