northpolesec/santa 2026.2

on GitHub

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 The Santa package now includes two new binaries: a network extension daemon (com.northpolesec.santa.netd) and a helper utility for telemetry export (sleigh). Both are intended for use by Workshop customers only.

Fixed

❗ Fixed issue where the Santa UI could appear to open smaller than needed and then "snap" to the correct size
❗ Fixed a rare UI state race condition that could inadvertently cause the About dialog to be displayed when it shouldn't
❗ Terminal prompts are no longer hidden when an application executed from a terminal is blocked and Santa writes information to the TTY
❗ Fixed regression where custom URLs or EventDetailURL values of "null" were not appropriately removing the button from the UI

Changed

↔️ Santa now properly registers for notifications on startup. Unless the system has a Notifications profile installed, users may see a system banner notifying them that Santa would like to send notifications. No new or additional notifications exist.
↔️ Compiler rules now also track file clone events for tracking executable output in order to create more comprehensive transitive rules. This is commonly seen with newer rust/cargo toolchains.
↔️ santactl doctor feedback around sync availability is now significantly more accurate, with fewer false positives
↔️ Terminology around "USB blocking" has been standardized to "removable media blocking" to better reflect the full range of devices Santa handles, such as SD cards, Thunderbolt drives, and NVMe devices

Added

➕ CEL policies now have access to the executing binary's signing ID during evaluation, enabling capabilities such as wildcard matching
➕ Added support for the FileAccessEventDetailURL and FileAccessEventDetailText configuration keys, used as fallbacks when there is an FAA block and no per-rule URL or text is provided
➕ Execution events sent to the sync server now indicate whether or not the applied rule was a static rule
➕ A CEL playground is now available for testing and validating CEL rules
➕ Added French (France), French (Canada), and Spanish translations
➕ Workshop customers: Removable media block events are now uploaded during sync and viewable in Workshop
➕ Workshop customers: Telemetry filtering expressions allow you to redact/filter telemetry before being exported
➕ Workshop customers: CEL rules can now act upon the process tree when making a decision
➕ Workshop customers: (BETA) Santa can now report network telemetry

Santa documentation can be found at northpole.dev.

What's Changed

• gui: Add notification setup and TMM failure feedback via icon tinting by @russellhancox in #750
• Fix terminal prompt hidden by blocked exec TTY messages by @mlw in #755
• sync: emit events for USB mount blocks by @sharvilshah in #752
• Document rule dictionary structure by @mlw in #757
• Handle network extension enable/disable by @mlw in #753
• santad: Replace syncservice telemetry export with Sleigh by @russellhancox in #756
• build: Add -v flag to notarytool calls by @russellhancox in #758
• sync: add access time to usb network mount events by @sharvilshah in #759
• Fix issues with about dialog re-opening by @mlw in #760
• Fix termination handler placement by @mlw in #761
• Support CLONE events in the compiler controller for transitive rules by @mlw in #762
• santad: Pass files to Sleigh as open FDs by @russellhancox in #763
• Cleanup minor issues on rule download path by @mlw in #768
• Add NetworkActivity to protobuf schema by @mlw in #765
• telemetry: Add TelemetryFilterExpressions, fix waiting for Sleigh by @russellhancox in #770
• Restore jitter for push notifications sent to tags by @pmarkowsky in #766
• Support File Access variants for EventDetailURL and EventDetailText by @mlw in #771
• docs: Add CEL Playground by @russellhancox in #769
• docs: Add shareable link support to CEL playground by @russellhancox in #774
• Restore Known Limitations Page by @pmarkowsky in #775
• docs: Add 'Try in Playground' links to cookbook examples by @russellhancox in #776
• Update FAA cookbook rule for macOS 26.3 by @pmarkowsky in #778
• docs: Fix top-and-bottom CEL Playground editors by @russellhancox in #779
• events: add USB Mount decision matrix and remount args to the event by @sharvilshah in #777
• santactl/doctor: Check sync health via syncservice by @russellhancox in #773
• Clarify docs for entitlement filtering config keys by @mlw in #783
• sync: Add static_rule to events acted upon by a static rule by @sharvilshah in #785
• santad: Add Ancestors field to CELv2 rules by @russellhancox in #780
• build: Codesign sleigh as part of build by @russellhancox in #787
• build: Quote codesign_opts by @russellhancox in #788
• build: Always sign sleigh stub by @russellhancox in #791
• docs: force-update qs dependency by @russellhancox in #792
• sync v2: add token enforcement by @tburgin in #786
• Add infra to support network flow logging by @mlw in #781
• Add ThinLTO to Builds by @pmarkowsky in #795
• deps: Update NATS dep to use local_defines by @russellhancox in #796
• Normalize language around removable media by @sharvilshah in #790
• Don't trigger FAA violations from the Santa bundle service by @mlw in #784
• Add hash field to NetworkActivity proto message by @mlw in #797
• santad: Populate new signing_id field in CEL context by @russellhancox in #793
• sync: Add syncing of telemetry_filter_expressions for syncv2 by @russellhancox in #799
• Handle automatic network extension install on reboot by @mlw in #800
• docs: force-update minimatch dependency by @mlw in #803
• Add network extension info to santactl status by @mlw in #805
• Notify network extension when settings change by @mlw in #801
• Add santanetd version info to santactl version by @mlw in #802
• gui: Ensure window size is correct before displaying by @russellhancox in #807
• Strongly type settings for the network extension by @mlw in #806
• misc: remove open from proto by @sharvilshah in #808
• Add class to support reacting to power state changes by @mlw in #809
• Install/upgrade network extension on system wake by @mlw in #810
• Add LLM translations for French and Spanish by @pmarkowsky in #811
• Fix nested flow logging by @mlw in #812
• Add support for null custom_url to remove open button by @pmarkowsky in #813
• gui: Poll TMM countdown less frequently, re-use date formatter by @russellhancox in #815
• santad: Fix flushcache by @russellhancox in #816
• cache: backfill and format signingID as teamId:signingId by @sharvilshah in #817
• Add santanetd to list of critical binaries by @mlw in #818
• Fix TOCTOU in XPC invalidation handler by @mlw in #819
• docs: Add 'ancestors' field to CEL playground by @russellhancox in #820
• pkg: Fix signing ID for sleigh by @russellhancox in #822
• santad: Push exportTelemetryWithReply: on to command queue by @russellhancox in #823
• docs: Update minimatch dep, again by @russellhancox in #825
• docs: Update more dependencies by @russellhancox in #826
• Fix logging issue for transitive rules added from CLONE events by @mlw in #827

New Contributors

• @sharvilshah made their first contribution in #752

Full Changelog: 2026.1...2026.2