github northpolesec/santa 2026.4
v2026.4
on GitHub

5 hours ago

Notes

Announcements

🎉 Get the most out of Santa with Workshop! Workshop is North Pole Security's official sync service, built to integrate deeply with Santa. It is fully featured, scalable, and enterprise ready. Learn more at northpole.security.

Fixed

❗ EventDetailURL template parameters are now properly percent-encoded
❗ Improved File Access event logging when source data had been lost due to cache evictions

Changed

↔️ Clean syncs now also replace all settings managed by the sync server in addition to rules. Sync server operators must send all desired settings during the Preflight phase of a clean sync.
↔️ SyncBaseURL is now required to be HTTPS unless configured to use localhost
↔️ The sync service no longer retries requests on non-transient errors (e.g. most HTTP 4xx errors)
↔️ Keyboard shortcuts now conform to idiomatic system shortcuts. Cmd+W closes windows, Esc closes panes such as the "More Info" pane.

Added

➕ Blocked device mount notifications can now be silenced
➕ Strengthened anti-tamper protections across additional filesystem operations, signal handling, Endpoint Security data validation, and Santa's own upgrade path.

The Santa Lite package is rarely the right choice. Install the standard package unless you have a specific reason not to. Workshop customers should not install lite since it omits many features. The lite package has moved so automation consuming the previous URL will need updating. See the lite package documentation for details. Download at: santa-2026.4-lite.

Santa documentation can be found at northpole.dev.

What's Changed

  • docs: Add lite package page by @russellhancox in #905
  • docs: Document new AntiSuspendSigningIDs key by @russellhancox in #908
  • Don't retry requests on non-transient errors by @mlw in #909
  • Fix latent FD leak in ScopedFile move assignment operator by @mlw in #912
  • Remove the printer proxy workaround that is no longer necessary by @mlw in #913
  • Percent-encode template values in block message event detail URLs by @mlw in #914
  • Track compiler PIDs with pidversion for improved correctness by @mlw in #915
  • Use a rule table query that guarantees proper ordering by @mlw in #916
  • docs: bump deps by @mlw in #918
  • docs: bump deps by @mlw in #919
  • Bump docusaurus version by @mlw in #920
  • sync: enforce HTTP for loopback addresses only by @sharvilshah in #921
  • tamper: subscribe to auth_truncate and auth_link by @sharvilshah in #922
  • docs: document AllowedSantaCommands key by @sharvilshah in #925
  • test: fix ScopedIOObjectRefTest flakiness on hosts without USB devices by @mlw in #926
  • ci: disable bazel-internal metrics in continuous, shrink ArenaGrowthTest by @mlw in #928
  • docs: refresh pnpm lockfile by @mlw in #931
  • detect truncated paths from ES by @sharvilshah in #929
  • Add delegated signal handling support by @sharvilshah in #932
  • gui: Fix FunFontsOnSpecificDays by @russellhancox in #933
  • SNTConfigurator: skip override-file watcher when overrides disabled by @mlw in #936
  • cel: skip ArenaGrowthTest under sanitizers by @mlw in #937
  • Fix sanitizer build by @mlw in #938
  • FAA logging should use ES data as canonical source by @mlw in #939
  • Add proper data length length to string conversion by @mlw in #940
  • Strip trailing whitespace in santaconfig.ts by @mlw in #943
  • Update docs dependencies by @mlw in #945
  • gui: Fix keyboard shortcuts for closing windows by @russellhancox in #941
  • Eliminate TSAN-only race report in processEnrichedMessage:handler: by @mlw in #946
  • Update docs dependencies by @mlw in #948
  • Introduce FD-based code-signature verifier by @mlw in #942
  • gui: Add ability to silence device notifications by @russellhancox in #947
  • docs: Document ancestors by @russellhancox in #950
  • verifyinghasher: add per-call skip_page_hash option by @mlw in #951
  • Add santactl sandbox command and SEATBELT policy handling by @russellhancox in #917
  • common: Fix undeclared variable in SNTConfigurator on release builds by @russellhancox in #952
  • daemon: creating a staging dir for installs by @sharvilshah in #949
  • Extend identity confirmation for unsigned slices by @mlw in #953
  • seatbelt: Expand CWD/HOME/TMP placeholders in policies by @russellhancox in #955
  • sync: support batched mode for sync state and handle clean sync by @sharvilshah in #944
  • FAA: re-derive SNTCachedDecision on cache lookup miss by @mlw in #957
  • celv2: expose AUDIT return value, trigger event upload with flag set by @russellhancox in #956
  • Allow test GUI to configure username by @statico in #958
  • persist pushJWT and pushIssuerJWT by @sharvilshah in #959
  • Handle anti-tamper ops asynchronously by @mlw in #960
  • Tamper: dispatch denial logs off the ES reader thread by @mlw in #961

Full Changelog: 2026.3...2026.4

Check out latest releases or
releases around northpolesec/santa 2026.4

Don't miss a new santa release

NewReleases is sending notifications on new releases.

Get notifications