--- title: "nctl" description: "nctl CLI release notes" diataxis: how-to applies_to: product: "nctl" audience: ["developer","platform-engineer"] last_updated: 2026-03-25 url: https://docs.nirmata.io/docs/release-notes/nctl/ --- weight: 3 type: docs This section contains the major feature improvements and bug fixes for each release of NCTL. --- ## v4.8.0 ## v4.8.0-RC (Pre-release) ### New Features - **nctl AI Agent**: New personal agent for Policy-as-Code development - Generate Kyverno policies from natural language descriptions - Create automated test suites for policy validation - Interactive CLI mode for policy development ### Enhancements - Custom GitLab Domain Support: Added support for custom GitLab domain configurations - Helm Repository Scanning: Enhanced repository scanning capabilities with Helm chart support - Introduced CPU and memory profiling to `nctl`. --- ## v4.7.0 ## v4.7.10 ### Enhancements * Added ValidatingPolicy support to all scan types. ### Bug Fixes * Fixed incorrect filepath issue for AI remediations. * Automatically add all required permissions for RBAC policyset to reports-controller when using `nctl add cluster`. * CVE fixes ## v4.7.9 ### Updates * Support for AI auto-remediations for resources present in the cluster. ### Bug Fixes * Fix `nctl scan helm --help` showing irrelevant flags. * Fix `nctl scan repository` when local kubeconfig points to an EKS cluster. For scan repository, kubeconfig should not produce any side effects. * CVE fixes ## v4.7.8 ### Updates * Improve logging. Use the `klog` style verbosity logging. * Remove support for `terraform-config` (`.tf`) and `terraform-state` (`.tfstate`) extensions from terraform scan. * Remove (old) remediation annotation from scan report results. ### Bug Fixes * Fix file count mismatch for non-k8s files in repository scanning. * Add more e2e tests for better coverage of `nctl`. ## v4.7.4 ### Major Changes * Using nctl to install Kyverno Operator and Nirmata Kube Controller follow secure-by-default standards (i.e., provide readonly access to resources). * Removed `nctl install` command. The recommended installation method for Enterprise Kyverno and Operator is via Helm. * `nctl scan kubernetes` now include K8s best practices policies out-of-the-box. * Add support for Kyverno 1.14's ValidatingPolicy in `nctl scan kubernetes` command. * Changes to `nctl login` command. By default login is for Nirmata Control Hub. ### Enhancements * Include cluster name in SARIF reports. * Remove redundant logs from `nctl scan` command. * Exclude specific files or directories when using `nctl scan repository` command. * Support for `--analyze` flag for `nctl scan repository` command. * Added support for csv as a policy report output format. * Added severity field in detailed scan reports. * Support for directories in `nctl scan remediate` command. --- ## v4.6.0 ## v4.6.2 ### Enhancements * Policy reports are now analyzed using **Nirmata-powered AI** for **security**, **operational misconfigurations**, and **cost optimizations**. * Added support to exclude specific resources during `nctl scan repository` for more targeted scanning. * Kubernetes Best Practices are now applied by default during scans for improved security and compliance. * Improved `nctl` usability with in-command usage examples displayed via `--help`. * Optimized scanning performance for large clusters through improved concurrency. * Simplified user experience by removing GitHub credential prompts during scans. * Enhanced help documentation with examples for `nctl scan` usage. * Introduced support for scanning non-namespaced resources using Kyverno CLI. * Added user signup support in `nctl` to simplify and streamline onboarding with Nirmata Control Hub. * Modularized internal logic with loader abstraction for better maintainability. ### Bug Fixes * Fixed segmentation fault that occurred during `nctl scan`. * Added validation for Pull Execution Requests (PER) during pull request creation. * Resolved crash during `nctl create pull-request` when provider configuration is missing. --- ## v4.4.0 ## v4.4.1 ### Enhancements * `nctl scan` displays the path of the resources that have violations. * The SARIF report format now contains the `fixes` field, which can be used to showcase remediations when integrating with [DefectDojo](https://www.defectdojo.org/) platform. * Support for GitLab and Bitbucket. ### Bug Fixes * Remove `--policy-report` argument; instead, use `polr` consistently across all scan commands. * Update policyset installation message to provide more clarity on the status and progress of policyset installation. * Consistent fetching of policies from Nirmata Control Hub for scans. ## v4.4.0 ### Enhancements * Improve `nctl remediate` output. NCTL skips printing the resource if it is already compliant with the policies. * Default policysets are fetched from Nirmata Control Hub instead of the pre-packaged policies. * NCTL retrieves policy exceptions from Nirmata Control Hub and marks those results as skipped during scanning. * Add `policy-report` as a supported output format for scan commands. ### Bug Fixes * Fix writing output to a file. * Fix syntax issues in SARIF output format. --- ## EOL Releases ## v4.5 ### v4.5.0 #### Enhancements * AI-powered remediations enable automated resolution of misconfigurations using Nirmata's AI technology, enhancing speed and consistency across scans. * Unified `--show-remediation` flag added across all scan commands, including Repository, Kubernetes, Terraform, JSON, Helm, and Docker scans. * Removed AWS scan functionality to streamline supported features in NCTL. * Help documentation updated to include clear usage examples for all NCTL commands. * Refactored loader logic for improved modularity and code maintainability. * Internal package structure reorganized to improve scalability and long-term maintainability. #### Bug Fixes * Clear error message now shown when the Kubernetes cluster is unreachable during scan. * Fixed issue where `--remediate patch` updated temporary files unintentionally. * Fixed multiple remediations being triggered for a single source file during scan. ## v4.3 ### v4.3.5 #### Enhancements * Added `--show-remediations` flag for the nctl scan command. Now you can view the available remediations for scan results. * Added `scan-report` output format for all scan commands. Use `-o scan-report` to get the output in the scan-report format. ### v4.3.4 #### Enhancements * Added the `--no-color` flag to scan commands. This fixes the color issue when running in Jenkins pipelines. * Includes bug fixes across scan commands. * Nirmata Control Hub rebranding changes. ### v4.3.3 #### Enhancements * GitHub Personal Access Token (PAT) can be read from the environment variable GITHUB_TOKEN and need not be passed in the command line. * Support for Private Git repositories across all commands. * Scan GitLab repo directly from the command line using `nctl scan repository `. * Add `--branch` flag to the `nctl scan repository` command to scan a specific branch locally. ### v4.3.1 #### Enhancements * Add support for the `--mutate-policies` flag for the `remediate` command. It is now possible to point to local mutate files that can be used for remediation. This is useful when authoring the mutate policy. #### Bug Fixes * Include cluster exceptions when scanning a Kubernetes cluster. ### v4.3.0 #### New Features * Scan **any** cluster with either default policy sets or configured policy sets and exceptions in Nirmata Control Hub without having to install anything in the cluster. The results can be published to Nirmata Control Hub with the `--publish` flag. #### Deprecation * Add a deprecation notice to the `nctl cluster` and `nctl login` commands. These will be removed in a future release. ### Removal * Removed `--exclude-cluster-policies`, `--exclude-cluster-exceptions`, and `--exclude-cluster-resources` from the `nctl scan kubernetes` command. Users relying on this command now have to use `--cluster` to include all resources (policies, exceptions, and resources) from the cluster. Individual flags are also available to explicitly include resources from the cluster: `--cluster-resources`, `--cluster-policies`, and `--cluster-exceptions`. #### Improvements * Added the ability to pull policy sets and policy exceptions from Nirmata Control Hub. * Enhanced debug logging. Use the `-v` flag to view verbose logs. * Added new flags for the `nctl scan kubernetes` command: `--cluster-resources`, `--cluster-policies`, and `--cluster-exceptions` to explicitly include resources from the cluster. * Configure credentials for private Helm charts. #### Bug Fixes * Remove the `--namespace` flag for the `nctl scan helm` command. This flag is not required for this command. * Support Git URLs as values for the `-p` and `-r` flags in the `nctl scan` command. * Remove info messages when the output format is `json`. ## v4.2 ### v4.2.1 #### New Features * Install nctl v4.2.1 with the help of Homebrew on macOS and Linux devices. Learn more about `nctl` installation with Homebrew from the [official documentation](https://docs.nirmata.io/docs/nctl/installation/). #### Minor updates and Bug Fixes * Add name and ID labels in the scan command. * Fix CVE for nctl v4.2.0. * Fix Terraform plan scanning. * Fix Terraform state scanning. * Fix silent errors in scan commands. ### v4.2.0 This release comes with new features, updates, and bug fixes. #### New Features * Use nctl to integrate the PolicyException workflow in Nirmata Control Hub with GitOps. As part of this, new commands are added to `nctl`. ```bash nctl login github nctl create pull-request ```text #### Enhancements * Support `polr` output format for kubernetes scan results. * Support `--details` for non-K8s scans to display detailed outputs. * A new flag `--continue-on-fail` is added to continue processing results even if there is some error or the Kyverno engine panics. It is not advisable to use this flag unless absolutely needed. This flag may be deprecated and removed in the future. #### Minor Updates and Bug Fixes * Update stdout text for scan results. * Fixed dockerfile scan when policy reference is a GitHub path. * Fixed regressions for `nctl remediate` command. * Scan locally cloned repository and publish results to Nirmata Control Hub (cloned either with ssh or https). ## v4.1 ### v4.1.5 #### New features * Introduced a top-level label in scan reports to identify whether the report ID was autogenerated or user-provided. #### Updates and Bug Fixes * Added a label for remediation docs in non-K8s reports. * Fixed policy UID to match for non-K8s resources in reports and policies sent to Nirmata Control Hub. * Fixed violation messages for non-K8s scan results. * Upgraded Kyverno version to 1.12.5. > Note: v4.1.3 and v4.1.4 are faulty versions. It is advisable to use v4.1.5 for work. ### v4.1.2 #### Bug Fixes * Fixed CVE with the update of Golang version 1.22.4. ### v4.1.1 #### Updates and Bug Fixes * Removed the `--cluster-name` flag from the `scan kubernetes` command. * Fixed inconsistency within the `scan helm` command. * Fixed incorrect usage of the explicit `values.yaml` file for a Helm chart. ### v4.1.0 This release comes with new features, updates, and bug fixes. #### New Features * Added support for scanning both public and private Helm charts. * Introduced a new command to scan AWS ECS resources. Refer to the [scan command](../../commands/v4.x/scan/aws/ecs/_index.md) for more details. * `nctl transform` command helps to convert resource files into their JSON equivalent. This is useful when writing Kyverno JSON policies that need JSON input payloads. #### Updates and Bug Fixes * Supported the `--publish` flag for all types of scan commands to publish reports to Nirmata Control Hub. * Fixed status `403 error code` in the `scan kubernetes --cluster` command. * Fixed the `add cluster` command when the user provides custom configuration. * Added the `--audit-as-warn` flag for all types of scan commands so that the command does not exit with a non-zero status. This is useful in CI pipelines to only flag the violation and not fail the pipeline itself. ## v4.0 The major improvements and additions of the above version are listed below: ### UX Improvements The v4.0.0 release is a huge release with most commands having **breaking UX changes**. The general syntax follows the conventional ` ` format. >**Note**: Only the `nctl clusters` command follows backward compatibility with 3.x, and all other commands should be carefully investigated before upgrading to this new release. Please contact [Nirmata Support](mailto:support@nirmata.com) for more information and assistance. Refer to the list of 4.x compatible commands [here](https://docs.nirmata.io/docs/nctl/commands/nctl/). ### New Commands #### nctl scan repository Scan any Git repository using the `nctl scan repository` command. This command will recursively scan the entire repository against the policies as configured with the `-p` flag. Nirmata Control Hub customers can view the scan results in Nirmata Control Hub under the Policy Reports > Repositories tab. Learn more about the pipeline scanning workflow [here](https://docs.nirmata.io/docs/control-hub/how-to/pipelinescanning/github-action/).