EOL Releases

End of Life (EOL) Releases of NCTL

v4.5

v4.5.0

Enhancements

  • AI-powered remediations enable automated resolution of misconfigurations using Nirmata’s AI technology, enhancing speed and consistency across scans.
  • Unified --show-remediation flag added across all scan commands, including Repository, Kubernetes, Terraform, JSON, Helm, and Docker scans.
  • Removed AWS scan functionality to streamline supported features in NCTL.
  • Help documentation updated to include clear usage examples for all NCTL commands.
  • Refactored loader logic for improved modularity and code maintainability.
  • Internal package structure reorganized to improve scalability and long-term maintainability.

Bug Fixes

  • Clear error message now shown when the Kubernetes cluster is unreachable during scan.
  • Fixed issue where --remediate patch updated temporary files unintentionally.
  • Fixed multiple remediations being triggered for a single source file during scan.

v4.3

v4.3.5

Enhancements

  • Added --show-remediations flag for the nctl scan command. Now you can view the available remediations for scan results.
  • Added scan-report output format for all scan commands. Use -o scan-report to get the output in the scan-report format.

v4.3.4

Enhancements

  • Added the --no-color flag to scan commands. This fixes the color issue when running in Jenkins pipelines.
  • Includes bug fixes across scan commands.
  • Nirmata Control Hub (NCH) rebranding changes.

v4.3.3

Enhancements

  • The GitHub Personal Access Token (PAT) can be read from the environment variable GITHUB_TOKEN and need not be passed on the command line.
  • Support for Private Git repositories across all commands.
  • Scan GitLab repo directly from the command line using nctl scan repository <gitlab-repo-url>.
  • Add --branch flag to the nctl scan repository command to scan a specific branch locally.

v4.3.1

Enhancements

  • Add support for the --mutate-policies flag for the remediate command. It is now possible to point to local mutate files that can be used for remediation. This is useful when authoring the mutate policy.

Bug Fixes

  • Include cluster exceptions when scanning a Kubernetes cluster.

v4.3.0

New Features

  • Scan any cluster with either default policy sets or configured policy sets and exceptions in NCH without having to install anything in the cluster. The results can be published to NCH with the --publish flag.

Deprecation

  • Add a deprecation notice to the nctl cluster and nctl login commands. These will be removed in a future release.

Removal

  • Removed --exclude-cluster-policies, --exclude-cluster-exceptions, and --exclude-cluster-resources from the nctl scan kubernetes command. Users relying on this command now have to use --cluster to include all resources (policies, exceptions, and resources) from the cluster. Individual flags are also available to explicitly include resources from the cluster: --cluster-resources, --cluster-policies, and --cluster-exceptions.

Improvements

  • Added the ability to pull policy sets and policy exceptions from NCH.
  • Enhanced debug logging. Use the -v flag to view verbose logs.
  • Added new flags for the nctl scan kubernetes command: --cluster-resources, --cluster-policies, and --cluster-exceptions to explicitly include resources from the cluster.
  • Configure credentials for private Helm charts.

Bug Fixes

  • Remove the --namespace flag for the nctl scan helm command. This flag is not required for this command.
  • Support Git URLs as values for the -p and -r flags in the nctl scan command.
  • Remove info messages when the output format is json.

v4.2

v4.2.1

New Features

  • Install nctl v4.2.1 with the help of Homebrew on macOS and Linux devices. Learn more about nctl installation with Homebrew from the official documentation.

Minor Updates and Bug Fixes

  • Add name and ID labels in the scan command.
  • Fix CVE for nctl v4.2.0.
  • Fix Terraform plan scanning.
  • Fix Terraform state scanning.
  • Fix silent errors in scan commands.

v4.2.0

This release comes with new features, updates, and bug fixes.

New Features

  • Use nctl to integrate the PolicyException workflow in NCH with GitOps. As part of this, new commands are added to nctl:
      • nctl login github
      • nctl create pull-request

Enhancements

  • Support polr output format for Kubernetes scan results.
  • Support --details for non-K8s scans to display detailed outputs.
  • A new flag, --continue-on-fail, is added to continue processing results even if an error occurs or the Kyverno engine panics. It is not advisable to use this flag unless absolutely needed. This flag may be deprecated and removed in the future.

Minor Updates and Bug Fixes

  • Update stdout text for scan results.
  • Fixed Dockerfile scan when the policy reference is a GitHub path.
  • Fixed regressions for the nctl remediate command.
  • Scan a locally cloned repository and publish results to NCH (cloned either with SSH or HTTPS).

v4.1

v4.1.5

New Features

  • Introduced a top-level label in scan reports to identify whether the report ID was autogenerated or user-provided.

Updates and Bug Fixes

  • Added a label for remediation docs in non-K8s reports.
  • Fixed policy UID to match for non-K8s resources in reports and policies sent to NCH.
  • Fixed violation messages for non-K8s scan results.
  • Upgraded Kyverno version to 1.12.5.

Note: v4.1.3 and v4.1.4 are faulty versions. It is advisable to use v4.1.5 instead.

v4.1.2

Bug Fixes

  • Fixed a CVE with the Golang version 1.22.4 update.

v4.1.1

Updates and Bug Fixes

  • Removed the --cluster-name flag from the scan kubernetes command.
  • Fixed inconsistency within the scan helm command.
  • Fixed incorrect usage of the explicit values.yaml file for a Helm chart.

v4.1.0

This release comes with new features, updates, and bug fixes.

New Features

  • Added support for scanning both public and private Helm charts.
  • Introduced a new command to scan AWS ECS resources. Refer to the scan command for more details.
  • The nctl transform command converts resource files into their JSON equivalent. This is useful when writing Kyverno JSON policies that need JSON input payloads.

Updates and Bug Fixes

  • Added support for the --publish flag for all types of scan commands to publish reports to NCH.
  • Fixed status 403 error code in the scan kubernetes --cluster command.
  • Fixed the add cluster command when the user provides custom configuration.
  • Added the --audit-as-warn flag for all types of scan commands so that the command does not exit with a non-zero status. This is useful in CI pipelines to only flag the violation and not fail the pipeline itself.

v4.0

The major improvements and additions in this version are listed below:

UX Improvements

The v4.0.0 release is a huge release with most commands having breaking UX changes. The general syntax follows the conventional <nctl> <verb> <noun> format.

Note: Only the nctl clusters command remains backward compatible with 3.x. Carefully review all other commands before upgrading to this new release. Please contact Nirmata Support for more information and assistance.

Refer to the list of 4.x compatible commands here.

New Commands

nctl scan repository

Scan any Git repository using the nctl scan repository command. This command will recursively scan the entire repository against the policies as configured with the -p flag. NCH customers can view the scan results in NCH under the Policy Reports > Repositories tab. Learn more about the pipeline scanning workflow here.