github northpolesec/santa 2025.8
v2025.8
on GitHub

3 days ago

Notes

Announcements

πŸŽ‰ Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

πŸ“£ Ready for Tahoe. This version has been validated on the latest macOS Tahoe beta (beta 8).

Fixed

❗ A very rare crash that could occur when creating a transitive rule for a new file

Changed

↔️ santactl fileinfo timestamps are now displayed in ISO8601 format, making them suitable to copy/paste into CEL expressions
↔️ Santa's anti-tamper signal protection no longer blocks signal 0 to conform to documented expectations that allow programs to check for PID validity

Added

βž• Support for CEL string extensions
βž• The File Access Authorization dialogs now have a "Copy Details" button
βž• (BETA) Workshop, our official sync server for Santa, can now enable Santa telemetry export to the cloud (AWS S3 or GCP GCS) and provides an easy to use interface to query Santa’s full set of EDR telemetry.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • Clean up citation and add extra location for Spotlight importers by @pmarkowsky in #511
  • project: Check-in git pre-push hook to lint before pushing by @russellhancox in #510
  • docs: Add Slack Cookies FAA policy by @russellhancox in #512
  • sync: Ensure validateBlock is correctly used in sync test by @russellhancox in #505
  • build: Update several bazel modules by @russellhancox in #507
  • Make Spool a template class on type of batcher member by @mlw in #513
  • santad: Stop logging failure to create signing ID for adhoc binaries by @russellhancox in #514
  • Add note to docs about rule requirements for dev signed code by @mlw in #516
  • docs: Fix anchor links, increase h4 font size by @russellhancox in #518
  • docs: Add rule layering section back to the docs by @pmarkowsky in #517
  • santad: Don't block 0 signal, log what signal is sent by @russellhancox in #520
  • Support XXH3 64bit by @mlw in #522
  • Support a new streaming protobuf format by @mlw in #519
  • Remove unnecessary build macro by @mlw in #523
  • Cleanup spool tmp dir on fsspool construction by @mlw in #525
  • Update santactl printlog to support protobufstream formatted logs by @mlw in #526
  • Add binary digest method to SNTXxhash by @mlw in #527
  • telemetry export: prepare for signed URL export by @tburgin in #521
  • Add string extensions to CEL evaluator by @pmarkowsky in #524
  • Add digest to protostream encoding by @mlw in #529
  • docs: Add trailingSlash config by @russellhancox in #532
  • docs: Add llms.txt by @statico in #531
  • telemetry export: post to cloud bucket by @tburgin in #528
  • ci: Merge test and build phases by @russellhancox in #533
  • ci: Move flaky test workflow to 3am EST by @russellhancox in #535
  • ci: Add remote cache by @russellhancox in #537
  • telemetry: stream multiple files by @tburgin in #536
  • santad: Add sending process to tamper resistance logs by @russellhancox in #538
  • docs: Temporarily use NPS docusaurus-plugin-llms plugin by @statico in #539
  • Pin all actions in workflows by @russellhancox in #540
  • Compressed protostream support by @mlw in #541
  • NSData Gzip Decompression, stream compression verification by @mlw in #542
  • Move TemporaryFile class to a standalone ScopedFile class by @mlw in #543
  • tel export: fix http status log by @tburgin in #545
  • santactl/fileinfo: Change timestamps to ISO8601 by @russellhancox in #546
  • Support compressed stream in santactl printlog by @mlw in #544
  • santad: Handle rare compiler controller crash by @russellhancox in #547
  • Add Single Shot mode to Timer mixin class by @mlw in #548
  • build(deps): bump mermaid from 11.6.0 to 11.10.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #549
  • Support export batches by @mlw in #550
  • Expose config to enable telemetry export by @mlw in #552
  • Add Copy Details button to the FAA block dialog by @mlw in #554
  • Cookbook: Update slack rules to better handle helper binaries by @pmarkowsky in #553
  • telemetry export: remove extra dot from file extension by @tburgin in #557
  • telemetry: fix content type by @tburgin in #559
  • Ensure to ack files even when all spool files are unsupported by @mlw in #558
  • Add additional prod cert OID by @mlw in #560

Full Changelog: 2025.7...2025.8

Check out latest releases or
releases around northpolesec/santa 2025.8

Don't miss a new santa release

NewReleases is sending notifications on new releases.

Get notifications