github northpolesec/santa 2026.5
v2026.5
on GitHub

9 hours ago

Notes

Announcements

πŸŽ‰ Get the most out of Santa with Workshop! Workshop is North Pole Security's official sync service, built to integrate deeply with Santa. It is fully featured, scalable, and enterprise ready. Learn more at northpole.security.

πŸ“£ If you’re using telemetry with Workshop, please upgrade to Workshop v2026.5 before rolling out Santa v2026.5 to ensure no gaps in collected data.

Fixed

❗ Fixed a rare issue with sync service rate limiting
❗ Fixed reachability handling so Santa reliably resumes syncing after the network comes back
❗ Workshop customers: The network extension's DNS proxy now rides out transient network changes (e.g. VPN reconnects) instead of dropping queries
❗ Workshop customers: Improved push notification connection reliability

Changed

↔️ Uploaded events for platform binaries will now be classified with the decision ALLOW_PLATFORM instead of ALLOW_CERTIFICATE
↔️ The santactl eventupload command has been renamed to santactl inventory (eventupload still works as an alias)

Added

βž• Workshop customers: New rule policy that confines a binary to a specified sandbox profile (BETA)
βž• Workshop customers: Trigger an on-demand binary upload from an endpoint with a real-time push notification (BETA)
βž• Workshop customers: CEL fallback rules can now be used with platform binaries
βž• Workshop customers: CEL policies can now return AUDIT to generate an event without blocking the operation
βž• New July 20 easter egg in the Santa UI for anyone with the FunFontsOnSpecificDays config key set

The Santa Lite package is rarely the right choice. Install the standard package unless you have a specific reason not to. Workshop customers should not install lite since it omits many features. See the lite package documentation for details. Download at: santa-2026.5-lite.pkg.

Santa documentation can be found at northpole.dev.

What's Changed

  • santad: Make CEL fallback rules usable with platform binaries by @russellhancox in #962
  • docs: bump pinned transitive deps by @mlw in #966
  • gui: Add July 20 special date by @russellhancox in #963
  • docs: bump pinned transitive deps by @mlw in #967
  • sync: Fix rate limiter semaphore usage, reachability handling, guarded replies by @russellhancox in #970
  • sync: Remove debug log that prints CEL fallback expressions by @mlw in #971
  • common: add SNTNetworkFlowRule wire model class by @mlw in #965
  • santad: persist network flow rules in SNTRuleTable by @mlw in #969
  • verifyinghasher: extend ParsedCodeDirectory and VerifyingHasher::Result by @mlw in #972
  • santad: extend control XPC for network flow rules by @mlw in #973
  • Bump protos import, update SleighLauncher appropriately by @tburgin in #974
  • bump protos to pick up NetworkFlowSocketFamily enum rename by @mlw in #975
  • santasyncservice: parse, dispatch, and report network flow rules by @mlw in #976
  • verifyinghasher: add KernelCsBlob module by @mlw in #978
  • santad: push network rules + settings to santanetd via combined XPC by @mlw in #977
  • Validate network flow rules from the proto, not a serialized blob by @mlw in #979
  • Add reusable string/code-signing helpers; clean up santanetd stub naming by @mlw in #980
  • docs: update dependencies by @mlw in #985
  • syncservice: Update reachability to avoid retry loop by @russellhancox in #982
  • Force Santa to connect to NATS over TLS immediately and up timeouts. by @pmarkowsky in #983
  • santad: fix broken and over-firing config KVO watchers by @mlw in #984
  • deps: patch nats.c to bound the natsSock_Read no-progress spin by @mlw in #986
  • Plumb sync-configured DNS upstream timeout to the network extension by @mlw in #988
  • syncservice: fix two NATS push client connection races by @mlw in #989
  • revert XPC contract to SNTNetworkExtensionSettings, fold rules in by @mlw in #990
  • commands: binary upload via sleigh by @sharvilshah in #987
  • santactl: Rename EventUpload -> Inventory by @russellhancox in #992
  • santad: Make sandbox executions allow transitive executions of itself by @russellhancox in #981
  • santa: source DNS-proxy upstream timeout from MDM, not sync by @mlw in #993
  • docs: binary upload by @sharvilshah in #994
  • common: ensure AUDIT execution events reach the sync server by @mlw in #995

Full Changelog: 2026.4...2026.5

Check out latest releases or
releases around northpolesec/santa 2026.5

Don't miss a new santa release

NewReleases is sending notifications on new releases.

Get notifications