github northpolesec/santa 2025.9
v2025.9
on GitHub

13 hours ago

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Santa will be ending support for macOS Ventura in January 2026.

Fixed

❗ Fixed issue when using protobuf logging where the very first batch of messages on startup might be missing the type_url, which could affect parsing

Changed

↔️ Rule output for santactl fileinfo is more helpful, will now state if a rule would have matched but was ignored because the binary being evaluated was signed with a development certificate
↔️ FileAccessPolicyUpdateIntervalSec configuration is now changeable without a restart

Added

➕ FAA block events are now uploaded as part of the sync protocol, similar to execution events.
➕ FAA log rate limiting parameters are now configurable
➕ Signing time information has been added to telemetry logs

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • Add a make target for making dev releases by @pmarkowsky in #561
  • docs: Add PayloadUUID to generated payload by @russellhancox in #564
  • docs: Add note about non removable system extensions by @russellhancox in #567
  • sync: Add logging when private key is inaccessible by @russellhancox in #568
  • Support FAA block events in the sync EventUpload phase by @mlw in #569
  • Fix unset type url for the Any protobuf message in the first batch by @mlw in #571
  • Add FAA decision to event upload requests by @mlw in #572
  • Upload FAA blocks to sync server immediately by @mlw in #573
  • Add signing time info to telemetry by @mlw in #575
  • docs: Update docs dependencies by @russellhancox in #576
  • Add macos-26 runners to matrix by @pmarkowsky in #577
  • Fix version issue with last events table upgrade by @mlw in #578
  • Move WatchItems types to common by @mlw in #579
  • Document CEL a little more in the CEL Cookbook by @statico in #580
  • Parse FAA rules in rule download phase by @mlw in #581
  • Support sending FAA rules over XPC from sync service to daemon by @mlw in #583
  • Add FAA rules received and processed counts by @mlw in #584
  • Support changing FAA rate limiting variables via configuration by @mlw in #585
  • Add new table to the rules database for file access rules by @mlw in #586
  • Validate FAA rules on when received via sync server by @mlw in #588
  • Load FAA rules from database at startup by @mlw in #589
  • Attempt to repair corrupted databases on startup by @mlw in #590
  • Fix telemetry export settings name, make them changeable at runtime by @mlw in #591
  • event update: use repeated process for faa events by @tburgin in #587
  • Stop copying data unnecessarily when iterating DB results by @mlw in #593
  • Make fileinfo output helpful when rule was ignored due to dev signed code by @mlw in #594
  • Timer improvements, allow FileAccessPolicyUpdateIntervalSec to be updated dynamically by @mlw in #592

Full Changelog: 2025.8...2025.9

Check out latest releases or
releases around northpolesec/santa 2025.9

Don't miss a new santa release

NewReleases is sending notifications on new releases.

Get notifications