Releases: cisagov/cyhy_amis

2025.11.05

05 Nov 19:20
578d1d1

What's Changed

  • Adjust glob matching for the ansible label by @mcdonnnj in #891
  • Change the model of the dashboard instance by @mcdonnnj in #892
  • Add an ExecStop configuration to the service that manages cisagov/ncats-webui usage by @mcdonnnj in #894
  • Migrate bastion instances to Graviton-based models by @mcdonnnj in #893
  • ⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #896
  • Support Graviton portscan instances by @mcdonnnj in #897
  • ⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #899
  • ⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #903
  • Update the usage of the ClamAV Ansible role for Debian Buster by @jsf9k in #904
  • Database and reporter performance improvements by @dav3r in #911

Full Changelog: 2025.09.09...2025.11.05

2025.09.09

09 Sep 18:41
de8304d

What's Changed

  • Add a workflow to automatically label pull requests by @mcdonnnj in #883
  • Fix Nessus activation code extraction by @mcdonnnj in #884
  • Base the bastion AMI on Debian Trixie by @mcdonnnj in #885
  • Update the Terraform providers and use a Terraform lock file by @mcdonnnj in #886
  • Bump hashicorp/aws from 6.8.0 to 6.10.0 in /terraform by @dependabot[bot] in #887
  • Bump actions/labeler from 5 to 6 by @dependabot[bot] in #889
  • Support scanning by hostname by @dav3r in #859

Full Changelog: 2025.07.31...2025.09.09

2025.07.31

02 Aug 03:35
18588ad

Important

This is the first version for this project after sustained development.

What's Changed

  • Adding a MongoDB image by @jsf9k in #1
  • Adding terraform for mongo by @jsf9k in #2
  • Adding a bastion host by @jsf9k in #3
  • Feature/terraform for nessus by @dav3r in #4
  • Adding docker AMI by @jsf9k in #5
  • Creating a VPC for HTTPS and Trustworthy Email scanning by @jsf9k in #6
  • Modify VPCs to create routes, ACL rules, and security group rules as top-level entities by @jsf9k in #7
  • Feature/setup mongo volumes by @dav3r in #8
  • Feature/limit ingress networks by @dav3r in #9
  • Add new script to push local version of production.tfvars to the corr… by @dav3r in #10
  • Make the gold VPC immortal by @jsf9k in #11
  • Change from Mongo 4.0.0 to Mongo 3.2.20 to match version of current C… by @dav3r in #12
  • Feature/production recovery prep by @dav3r in #13
  • Add Terraform configuration for BOD 18-01 scanning by @jsf9k in #14
  • Add new Nmap EC2 instance to the scanner subnet by @dav3r in #16
  • Add VPC peering between the CyHy and BOD VPCs by @jsf9k in #15
  • Feature/route 53 by @felddy in #17
  • Provision MongoDB users via ansible by @jsf9k in #18
  • Fixes made while debugging BOD 18-01 scanning and report generation by @jsf9k in #19
  • Change code to use the cheaper r4.xlarge instance type. by @jsf9k in #20
  • Feature/fix nessus only setup by @dav3r in #22
  • Feature/egress pub by @felddy in #21
  • Feature/route 53 update by @felddy in #23
  • Improved workspace filtering by @jsf9k in #24
  • Install and configure CyHy runner by @jsf9k in #25
  • Add credentials that allow the commander to ssh to the runners but not vice-versa by @jsf9k in #26
  • Improve networking by @jsf9k in #27
  • Add systemd unit files for cyhy-runner and cyhy-commander by @jsf9k in #28
  • Improvement/egress cloudfront by @felddy in #29
  • The Nessus host is not systemd by @jsf9k in #30
  • Create /etc/cyhy and move commander.conf into the new dir by @KyleEvers in #31
  • Feature/internal dns by @felddy in #33
  • Disallow the manual Nessus instances from being deleted by @jsf9k in #32
  • Bugfix/add cyhy commander conf by @dav3r in #34
  • Improvement/dhcp options by @felddy in #35
  • add public DNS entry for the bastion host by @felddy in #37
  • fix bastion record being created in wrong zone by @felddy in #38
  • Improvement/simplify bod rules by @jsf9k in #36
  • add prevent_destroy to very important zones by @felddy in #39
  • Add support to query all regions for public IPs instead of just one by @felddy in #40
  • Allow the bastion to reach the mongo host via the mongo port by @jsf9k in #41
  • Added empty ssh config for commander and added scanners in commander … by @KyleEvers in #42
  • add new role to configure login banners by @felddy in #43
  • Feature/create places collection by @dav3r in #44
  • Use a more customized mongo config file, similar to our previous Prod… by @dav3r in #45
  • Bugfix/make mongo great again by @dav3r in #46
  • Allow the Nessus UI port (8834) to be tunneled through the bastion by @jsf9k in #47
  • Automate setup of Nessus hosts by @jsf9k in #50
  • Beefier instance types and root disks for production by @jsf9k in #51
  • Increase size of root volume for nessus by @dav3r in #53
  • Only update plugins and rebuild database when previously unregistered by @jsf9k in #54
  • Improvement/production changes by @dav3r in #55
  • Ramp up number of jobs per nmap and nessus host by @dav3r in #57
  • Double number of jobs per nmap and nessus host by @dav3r in #59
  • Install htop for all AMIs by @jsf9k in #60
  • Double number of jobs per nmap and nessus host again by @dav3r in #61
  • Add an Ansible role for expanding the ephemeral port range by @jsf9k in #62
  • Add nightly cron job to update database with latest NVD data by @dav3r in #63
  • Add cron jobs for BOD 18-01 scanning and sending of BOD 18-01 reports by @jsf9k in #64
  • Add flow logs that can be turned on or off via a variable by @jsf9k in #65
  • Import base nessus policy by @KyleEvers in #67
  • Add instance for CyHy reporting by @jsf9k in #68
  • Improvement/persist active nmap instance scans by @dav3r in #69
  • Grab the master report password from S3 and add it to cyhy.conf by @jsf9k in #70
  • Pipe (cron) cyhy-nvdsync output to /usr/bin/logger so it ends up in /… by @dav3r in #71
  • Improvement/better egress pub by @felddy in #72
  • Various changes for Production based on our testing by @dav3r in #66
  • Improvement/swap role by @felddy in #77
  • Improvement/consolidate commander and mongo ami by @dav3r in #80
  • Build nmap from latest source by @jsf9k in #79
  • Install ncats-webd alongside cyhy-reports by @jsf9k in #78
  • Improvement/add persistent data volume for nessus by @dav3r in #81
  • add registrations and conditionals to swap creation tasks by @felddy in #83
  • Add cyhy_ops user to the bastion by @jsf9k in #84
  • Operations/add production scanners by @dav3r in #85
  • Add cyhy_logrotate ansible role. by @jsf9k in #90
  • Improvement/dry provisioning by @felddy in #86
  • Fix reporting cron jobs by @jsf9k in #93
  • Feature/add cyhy archive job by @dav3r in #94
  • Networking changes for FTP by @jsf9k in #95
  • Operations/upgrade mongo by @dav3r in #96
  • Add Ansible changes that were dropped by @jsf9k in #97
  • Fix a typo by @jsf9k in #98
  • Remove unnecessary ACL rule by @jsf9k in #99
  • Add DNS for the BOD VPC by @jsf9k in #100
  • Fix cron jobs by @jsf9k in #101
  • Better handling of different Linux distros by @jsf9k in #102
  • Operations/upgrade to mongo 3.6 by @dav3r in #103
  • Install nmap via package manager by @jsf9k in #104
  • Remove now-unused commander Packer json by @jsf9k in #105
  • Minor tweaks by @jsf9k in #106
  • Correct comment by @jsf9k in #107
  • Add a README to the terraform directory. by @jsf9k in #108
  • Only create cron jobs in production workspaces by @jsf9k in #109
  • Add volumes for CyHy and BOD reports by @jsf9k in #110
  • Improvement/mongo commander on debian stretch by @dav3r in #111
  • Prefer package to apt where possible by @jsf9k in https://github.com/cisagov/cyhy_...