v0.9.2 latest

What we shipped

Every release, fix, and breaking change documented. New versions ship to beta accounts first — Enforce tier accounts receive updates within 7 days of beta sign-off.

Azure Management Group traversal depth fix

Fixed an issue where Azure Management Group traversal would stop at depth 3 in organizations with nested group hierarchies deeper than 4 levels. This affected organizations using Azure Government cloud with non-standard root MG configurations.

  • Fixed MG traversal recursion for depth > 4 levels
  • Added retry logic for Azure Resource Manager 429 throttle responses
  • Updated Azure RBAC role requirements — Management Group Reader now sufficient

GitHub Actions native action published

The native-security/enforce-action GitHub Action is now published to the GitHub Actions Marketplace. Drop-in workflow step — no separate CLI install required.

  • Published native-security/enforce-action@v1 to GitHub Marketplace
  • Action accepts plan-file, api-key, account-id, enforcement-level inputs
  • Returns PASS/FAIL as workflow step outcome — no post-processing needed
  • Inline violation summary posted to PR comments (optional, requires write permission)

GCP Organization Policy constraints support

Native Security now reads and evaluates GCP Organization Policy constraints. Connect a GCP organization with a Service Account and get the same control-map view you have for AWS and Azure.

  • Connect GCP organizations via Service Account + roles/orgpolicy.policyViewer
  • GCP constraints appear in the unified control map alongside AWS SCPs and Azure Policies
  • Cross-cloud normalization: control intent mapped across providers
  • GCP guardrail gates now supported in CI pipeline evaluations

Policy simulation mode

Simulation mode lets you preview what your guardrail configuration would have blocked over the past 30 days — before you set any gate to BLOCK level.

  • Available via dashboard and CLI: ns simulate --days 30 --account YOUR_ID --control SCP-NAME
  • Returns a list of Terraform apply events that would have been blocked
  • Simulation reports exportable as JSON or PDF

CI/CD pipeline guardrail gates — General Availability

Guardrail enforcement gates exit beta and are now generally available on the Enforce tier. Latency reduced to <1.2 seconds (p99) for evaluations under 20 resources.

  • GitHub Actions, GitLab CI, and Terraform Cloud integrations GA
  • Sub-1-second evaluation latency (p50) for standard plan sizes
  • Webhook support for custom CI systems
  • Slack + PagerDuty alerting for BLOCK-level violations

AWS SCP condition evaluator v2

Rebuilt the SCP condition evaluation engine from scratch. v2 correctly handles nested condition operators, including StringLike, ArnLike, and ForAllValues, that v1 evaluated incorrectly in some edge cases.

  • Correct evaluation of all IAM condition operators including multi-valued context keys
  • aws:PrincipalTag conditions now correctly resolved against resource policies
  • Performance: 4× faster evaluation for organizations with >500 active SCPs
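
An added example, not Native Security's evaluator or code from this changelog: a small Python evaluator for StringLike with the ForAllValues / ForAnyValue set qualifiers on a multi-valued context key, following AWS's documented condition semantics. The function names, policy fragments and request contexts are constructed for illustration; the changelog does not say which edge cases v1 got wrong, so the missing-key case shown here is an assumption about what is worth testing.

```python
import re

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def eval_operator(operator, policy_values, context_values):
    """Evaluate one operator for one context key.

    policy_values: values from the policy (OR-ed); context_values: the key's
    values in the request, or None when the key is absent from the request.
    """
    qualifier, _, base = operator.rpartition(":")
    present = list(context_values or [])
    if base == "Null":  # "true" means the key must be absent
        return (not present) == (policy_values[0] == "true")
    if base != "StringLike":
        raise ValueError(f"operator not covered by this example: {operator}")
    hits = [any(string_like(p, v) for p in policy_values) for v in present]
    if qualifier == "ForAllValues":
        return all(hits)  # vacuously True when the key is absent
    return any(hits)      # ForAnyValue or unqualified: False when absent

def eval_condition(condition, context):
    """All operators and all keys in a Condition block are AND-ed."""
    return all(
        eval_operator(op, [vals] if isinstance(vals, str) else vals, context.get(key))
        for op, keys in condition.items()
        for key, vals in keys.items()
    )

# Constructed sample data (not taken from any real policy).
TAG_GUARD = {"ForAllValues:StringLike": {"aws:TagKeys": ["team-*", "cost-center"]}}
TAG_GUARD_STRICT = {**TAG_GUARD, "Null": {"aws:TagKeys": "false"}}

REQUESTS = {
    "allowed tags": {"aws:TagKeys": ["team-payments", "cost-center"]},
    "extra tag": {"aws:TagKeys": ["team-payments", "owner"]},
    "no tags at all": {},
}

def results(condition):
    return {name: eval_condition(condition, ctx) for name, ctx in REQUESTS.items()}

if __name__ == "__main__":
    print("ForAllValues only:", results(TAG_GUARD))
    print("with Null guard:  ", results(TAG_GUARD_STRICT))
```

With ForAllValues alone the condition matches a request that carries no aws:TagKeys at all; adding the Null check makes the same request fail the condition.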

Initial beta release

Native Security opens to private beta. Founding capability: connect an AWS Organization, read existing SCPs, and build a control map showing coverage gaps.

  • AWS Organizations connection (read-only IAM role)
  • SCP inventory — all policies, all targets, all accounts
  • Coverage gap detection — policies not attached to all expected OUs
  • Control map dashboard — table view with export