Changelog

Free-tier monthly rate limiter: GitHub App scans and MCP tool-calls are now quota-tracked per installation / source IP. D1-backed with Cloudflare Queue for eventual-consistency writes — the check adds no synchronous latency to under-quota callers.

Added

• Monthly quota — GitHub App. 60 PR scans per installation per calendar month. Over-quota events are silently skipped (no error comment posted); the counter self-resets on the first of each UTC month.
  v0.19.0
• Monthly quota — MCP server. 250 tool-calls per source IP per calendar month. Over-quota calls return JSON-RPC error -32001 with a 429 HTTP status.
  v0.19.0
• Cloudflare Queue — async counter writes. Each scan / tool-call enqueues a single increment message; the queue consumer upserts into D1 after the work completes. Eventual consistency means a caller can exceed quota by a handful of calls before throttling engages — deliberately acceptable.
  v0.19.0

Bedrock + AI infrastructure coverage: four new security rules for the AWS service category where AI coding agents deploy compute and where zero existing scanners have coverage.

Added

• AWS_BEDROCK_001 — Bedrock confused-deputy. Fires when an IAM role's trust policy allows bedrock.amazonaws.com without an aws:SourceArn condition. Any Bedrock resource in the account can assume the role — the specific attack pattern documented by CSA Labs (2026-02) for the MMDS credential-exfiltration path.
  v0.18.0
• AWS_BEDROCK_002 — Agent conversation data unencrypted. Fires when a Bedrock agent lacks customer_encryption_key_arn. Conversation session data uses an AWS-managed key, which cannot be independently audited, rotated, or immediately revoked.
  v0.18.0
• AWS_BEDROCK_003 — Agent session TTL too long. Fires when idle_session_ttl_in_seconds > 3600 (the AWS-documented maximum). Long TTLs extend the session replay window.
  v0.18.0
• AWS_XREF_023 — Bedrock agents without invocation logging. Cross-resource check: fires once when the workspace declares aws_bedrockagent_agent resources but no aws_bedrock_model_invocation_logging_configuration. Without invocation logs there is no forensic audit trail of what was sent to foundation models or retrieved from knowledge bases.
  v0.18.0

Parser improvements: conditional resource detection (count/for_each on variables), module model defaults enabling deeper rule coverage, and improved cross-resource rule evaluation for synthesized module resources.

Added

• Conditional resource detection. Resources whose count or for_each depends on a variable (e.g. count = var.enable_feature) are now tagged Completeness::Conditional. Their findings are severity-downgraded one step and annotated "conditionally created" — reducing noise on infrastructure that may not exist.
  v0.17.0
• Module model defaults — deeper rule coverage. Three module models gained new defaults that unblock rules gated on required_attributes: function_name on the lambda module (unlocks four rules including DLQ and code-signing), identifier on the RDS module (unlocks performance-insights + KMS rules), and viewer_certificate.minimum_protocol_version on the CloudFront module (unlocks the TLS version check). Defaults are injected as default-derived — bare module calls remain clean; only explicit insecure values fire.
  v0.17.0

MCP V2: four new tools, server-side hardening, and a new cross-resource reference validator that catches the primary LLM hallucination pattern.

Added

• AWS_XREF_DANGLING — undeclared module reference detector. Catches resources that reference module.X where no module "X" block is declared — the most common hallucination pattern when AI agents write Terraform code.
  v0.14.35
• MCP V2: four new tools. dry_run_autofix previews what autofix would change (unified diff, no writes). explain_finding returns structured rule metadata for any catalog rule ID. get_context_graph exposes the cross-resource relationship graph — invocation edges, IAM role assignments, DLQ links, and the full list of suppressed findings with their rationale, giving coding agents a glass-box view of why a finding was suppressed.
  v0.16.0

Changed

• MCP hardening. Input validation on all tools: filename allowlist, path-traversal rejection, null-byte stripping. Per-isolate rate limiting (60 req/IP/min, HTTP 429 on exceed). Autofix output validation: new paths and 2× size bloat are rejected server-side.
  v0.16.0

Fewer false positives on secret rotation. The rotation finding now understands cross-resource setup.

Added

• Secrets Manager rotation is now context-aware. The "secret should have automatic rotation" finding no longer fires when a sibling aws_secretsmanager_secret_rotation resource already configures it — audytx resolves the cross-resource link and suppresses the finding with a rationale, so it surfaces only on secrets with no rotation configured anywhere.
  v0.14.0

Performance — less CPU per scan, same findings. A determinism-safe optimization pass (verified byte-for-byte against a golden fixture): the engine no longer repeats avoidable work on every request.

Changed

• Rule catalog parsed once, not per request. The ~247-rule YAML catalog was re-parsed on every PR scan and every MCP call; it's now cached per isolate. Same rules, far less CPU on warm isolates.
  v0.13.0
• Hot-path regexes compiled once. Reference extraction, the EKS security-group check, and the comment-renderer regexes no longer recompile on every call.
  v0.13.0

Plan-enhanced scans (optional). terraform plan -json resolves what static parsing can't — final values, count/for_each expansion, and module-internal resources. Strictly opt-in and enriching: a scan with no plan input is unchanged.

Added

• Plan-JSON ingestion. The engine can merge terraform show -json output onto a normal scan — plan values win per attribute, and resources static parsing never saw (module-internal, count-expanded) are added. Surfaces findings on values behind undefaulted variables and computed expressions.
  v0.12.0
• MCP scan_terraform accepts an optional plan argument — an agent that ran terraform plan can hand the JSON to audytx for a richer scan. Best-effort; omitting it is a normal scan.
  v0.12.0
• Plan-enhanced PR scans via POST /plan-upload — a GitHub Actions workflow uploads its plan JSON, authenticated by the workflow's own OIDC token (nothing to paste, no secret to manage). audytx re-scans the PR with the plan merged in and updates the comment.
  v0.12.1

Suppression integrity — measuring the recall side of the moat. audytx's edge is suppressing false positives via cross-resource reasoning; every suppression is also a latent false negative. This series builds an adversarial "must-not-suppress" corpus, measures how often a suppressor fires when it shouldn't, and tightens the leakiest detectors.

Added

• Suppression-integrity baseline (Phase 8 M1). 16 context-suppression axes measured against 45 adversarial fixtures where the finding is real and must survive: 13 of 16 axes are leak-free. Published, re-runnable, beside the false-positive benchmark.

Fixed

• IMDSv1 no longer hidden by an inherited default. An EC2 instance that sets its own http_tokens = "optional" re-opens IMDSv1 even when a launch template or account default enforces IMDSv2 — instance-level settings win at runtime. The AWS_IAM_023 SSRF-credential-theft finding is no longer suppressed in that case.
  v0.11.0
• Internet-open security groups no longer excused by an "eks" name. An all-ports security group open to 0.0.0.0/0 now fires AWS_VPC_006 even when its name contains "eks" (including incidental matches like weeks-cache). Suppression now applies only to genuine intra-cluster rules (sourced from self / another SG), never to internet exposure.
  v0.11.1
• Missing-DLQ findings restored on async-wired Lambdas. A Lambda with parameterised function_name/handler is no longer treated as a "module template" when it is actually wired to an async-push source (SNS, S3 notification, EventBridge) in-plan — AWS_LAMBDA_004 / AWS_OPS_001 fire because the DLQ requirement is real.
  v0.11.1

IAM v2 — attack paths found by search, not by name. The curated attack-path rules are hand-written per shape; this series begins generalising them into a reachability search over an explicit graph (internet entry → compute → role → sts:AssumeRole chain → escalation-capable role), so multi-hop chains the pairwise rules miss surface too.

Added

• Reachability search — ATTACK_PATH_SEARCH (Phase 7 M4). Generalises the Lambda multi-hop search to ECS Fargate: a public-IP task whose role cannot escalate on its own but pivots via an sts:AssumeRole chain to a privileged role — the gap the pairwise ATTACK_PATH_004 leaves. Reuses the existing AssumeRole edge graph + cycle-safe BFS; additive and deduped against the curated paths so nothing is reported twice.
  v0.10.0

IAM v2 continues — statement math. The escalation engine now evaluates each policy through a single effective-permission entry point that folds Allow/Deny precedence, NotAction inversion (Allow NotAction:[X] grants everything except X), and Condition classification. A wildcard "everything except a few" grant is now attributed to the specific escalation methods it enables, not just flagged as broad.

Added

• IAM statement-math engine (Phase 7 M2). New effective_allows(policy, action) decision function — explicit Deny wins, NotAction is correctly inverted, and conditioned grants are classified (and held to the precision bar: conditions on unconstrained escalation grants stay suppressed rather than downgraded). The AWS_IAM_020/021 privilege-escalation catalog now runs on this engine — a strict superset of the prior matching, with precise per-method attribution for NotAction grants.
  v0.9.0

IAM v2 — reasoning about effective permissions, not just shapes. The engine now understands what an action pattern actually grants: iam:*, iam:Get*, s3:*Object* expand against a vendored table of real AWS service actions, so a wildcard grant is matched to the specific privilege-escalation actions it enables.

Added

• IAM action table + wildcard expansion (Phase 7 M1). A trimmed, compile-time table of ~3,200 actions across the 25 escalation-relevant AWS services drives expand() / pattern_covers(); the IAM escalation matcher now resolves globbed action grants, a strict superset of the prior exact/service wildcard matching. Foundation for the effective-permission engine (statement math, resource-policy intersection, reachability search).
  v0.8.0

Seeing through registry modules. Real Terraform composes terraform-aws-modules/* registry modules rather than raw resources — and the engine was blind to what they deploy. v0.7 vendors compact security models of the top modules and expands a module {} call into the resources it creates, so findings surface on module-based infrastructure too.

Added

• Registry-module expansion (Phase 6 M3). A module "x" { source = "terraform-aws-modules/…/aws" } call is expanded into synthesized pseudo-resources from a vendored model. Precision-first: a finding fires only on an explicitly-set insecure input — attributes that fall back to the module's safe default are injected (so nothing is falsely flagged as "missing") and suppressed, since module versions drift. Count of vendored models is at GET /status (module_models).
  v0.7.0

Raising the parser ceiling. The engine now resolves Terraform variables — a resource attribute set to var.x is evaluated against the variable's default (or a .tfvars override), so an insecure default is caught instead of skipped. Raw values are preserved, so the false-positive suppression on module-template code is unaffected.

Added

• Variable / locals / tfvars resolution (Phase 6 M1). variable {} defaults and .tfvars overrides are collected into a resolution map; the rule evaluator resolves var.<name> references to their literal value. Unresolved references keep prior behavior (no guessing).
  v0.6.0

Observability and visibility. Every scan now writes a telemetry row to D1 (installation, outcome, finding counts, duration) and, once the Checks permission is granted, posts a named check-run per PR so failures are visible rather than silent. A new GET /metrics endpoint exposes aggregate-only counts — no repo names, no logins — for operational monitoring.

Added

• Scan telemetry. Each scan inserts an app_scans row at start and updates it on completion with outcome (ok, engine_error, no_tf_files…), findings count, suppressed count, comment-posted flag, and duration. Best-effort D1 writes never block or fail a scan.
  v0.5.0
• Installation tracking. installation.created and installation.deleted webhook events upsert/mark-removed rows in app_installations. Requires Victor to subscribe the App to these events in GitHub App settings (BLOCKED note in code).
  v0.5.0
• Check-run per scan. A named audytx check-run is created as in_progress at scan start and concluded with success / neutral / failure after the comment attempt. Requires Checks: Read & write permission (BLOCKED — needs Victor). Until granted, scans behave exactly as before; the 403 is caught and logged.
  v0.5.0
• GET /metrics. Aggregate-only JSON endpoint: active installs, total installs, scans last 7/30 days, comment rate, outcome breakdown, average duration. No auth needed; aggregate data only (no repo names, no user logins). Cache-Control 60s, same as /status.
  v0.5.0

The agent surface. audytx is now consumable by coding agents, not just by humans reading PR comments: a zero-setup MCP server exposes the full engine — the same context-aware analysis the GitHub App runs — to any MCP-capable agent, plus a server-side autofix loop that applies audytx's precisely-anchored fixes and re-scans until nothing auto-fixable remains.

Added

• MCP server at POST /mcp (stateless Streamable-HTTP JSON-RPC). One line of agent config — claude mcp add --transport http audytx https://audytx.com/mcp — and a coding agent can review Terraform before the PR exists. No CI, no token, no install.
  v0.4.0
• scan_terraform tool. Pass all .tf/ .tfvars files, get findings with file/line evidence, severity, remediation and fix snippets — plus the findings the context layer suppressed as false positives, each with its rationale (suppressions are surfaced, never silent).
  v0.4.0
• autofix_terraform tool — the autofix loop. The server applies the sound one-click fixes (the same precision gates as GitHub suggestion blocks: only exactly line-anchored replacements, never a corrupting edit), re-parses, re-evaluates, and loops up to 3 passes. Returns the fixed file contents, what was applied, and what remains for the agent to fix itself.
  v0.4.0
• Engine autofix module. The fix-application logic lives in the WASM-clean engine (audytx_engine::autofix) with severity-priority conflict resolution, bottom-up splicing, and a real-HCL integration test that drives the full parse → evaluate → fix → re-evaluate loop.
  v0.4.0

Whole-repo reasoning. The engine now scans the full Terraform tree for context and diff-scopes findings back to the pull request — so cross-resource analysis (toxic combinations, orphaned resources, asymmetric multi-region config) is finally sound instead of guessing from the diff alone. On top of that: cost×security fusion rules, GPU/cryptojacking + bill-shock detection, third-party secret scanning, sound one-click GitHub suggestions, and a per-PR compliance-impact summary.

Added

• Cost × security fusion (AWS_FUSION_001–004). Cross-signal findings that no single-resource scanner can express: a GPU instance alongside an admin-equivalent IAM policy (the cryptomining blueprint), a GPU instance with an openly-assumable role and no budget alarm, an internet-exposed data store carrying a regulated-data signal, and public-facing compute with admin IAM and no WAF (the SSRF → IMDS → takeover chain).
  v0.3.0
• Cross-resource correlation rules (AWS_XREF_001–022). Lambda cold-start-in-VPC timeouts, single-AZ NAT single-points-of-failure, asymmetric Aurora/DynamoDB/CloudFront multi-region config, and orphaned roles / KMS keys / security groups / target groups. Sound now that the engine sees the whole repo, not just the changed files.
  v0.3.0
• GPU / cryptojacking + bill-shock detection (AWS_COST_005) with real us-east-1 GPU pricing. Flags GPU/accelerator instance families (the primary post-credential-compromise mining vector) and oversized *.24xlarge/*.metal types, with exact monthly cost figures from the embedded pricing snapshot.
  v0.3.0
• Secret detection — datastores + third-party keys (AWS_CRED_003 / AWS_CRED_007). Plaintext credentials in RDS / Directory Service / MQ / OpenSearch, plus Stripe, Slack, Google, SendGrid, OpenAI, npm and GitHub-OAuth keys — specific vendor patterns only, so references and Secrets-Manager lookups never trip them.
  v0.3.0
• One-click GitHub suggestions. Per-attribute line tracking anchors a finding at the exact offending line, so a single-attribute fix renders as GitHub's one-click suggestion block — applied cleanly in the Files Changed tab. 129 of 242 rules now carry a concise suggestion; non-scalar fixes fall back to a safe labeled block (never a corrupting apply).
  v0.3.0
• Compliance-impact summary. Each PR comment now aggregates the SOC 2 / PCI-DSS / HIPAA / CIS controls the change's findings touch — driven by the actual findings, with an honest advisory framing (signals that help with controls, not an attestation).
  v0.3.0

Changed

• Whole-repo scan mode. PR scans now fetch the full Terraform tree at the head commit for context and then diff-scope reported findings to the changed files. Cross-resource rules (XREF, FUSION, NAT-without-endpoint cost) that previously saw only the diff — and so could miss a role's consumer or a VPC endpoint in an unchanged file — are now correct. Degrades gracefully to changed-files-only if the tree fetch fails.
  v0.3.0

IAM depth phase: privilege escalation, reachability layer, role-chaining paths, and a 6th reasoning axis. Remediation layer: inline HCL fix blocks in GitHub's Files Changed tab for every finding in the catalog. 206 rules, 6 context-aware axes. First public benchmark vs Checkov shipped.

Added

• Inline HCL fix blocks in GitHub review comments. Every finding with a fix_snippet posts an inline review comment directly on the resource's opening line in the Files Changed tab — showing the corrected HCL block alongside the code being reviewed. All 206+ rules in the catalog now carry a fix_snippet.
  v0.2.35 · v0.2.36 — #82 · #83
• IAM role-chaining paths (AWS_IAM_022). Detects multi-hop sts:AssumeRole chains — where role A can assume role B which holds escalated privileges, even when B's inline policy looks scoped. Resolves targets across label≠name divergence in Terraform module patterns.
  v0.2.15 — #79 · #80
• IAM reachability layer + toxic combinations. Layer-3 cross-resource attack paths. Surfaces pairings where network exposure + over-privileged IAM combine into an exploitable path — e.g., internet-facing Lambda with iam:PassRole and no Condition gate.
  v0.2.12 — #77 · #78
• Privilege escalation skill (AWS_IAM_020). Detects 19 exploitable escalation methods from the Rhino Security Labs catalog, gated on actual exploitability (Allow + Resource:"*" + no Condition). 31 detections on the iam-vulnerable benchmark fixture; 4/5 safe configurations correctly suppressed.
  v0.2.1 — #73
• iam_policy_risk reasoning axis (6th axis). Suppresses IAM-related rules on demonstrably safe configurations — AWS_OPS_035 (permissions boundary) and AWS_OPS_037 (IAM user declaration) now consult the axis before firing.
  v0.2.1 — #74
• ELB rules (AWS_ELB_001/002) — access logging disabled, plaintext HTTP listener.
  v0.2.1
• Neptune rules (AWS_NEPTUNE_001/002/003) — storage encryption, audit log exports, IAM database authentication.
  v0.2.1
• Public benchmark vs Checkov at /benchmarks/checkov-2026-06-03 — 7 real open-source Terraform repos, SARIF-sourced findings, reproducible methodology.
  v0.2.1 — #72

Fixed

• jsonencode() IAM policy parsing. policy = jsonencode({...}) (the modern Terraform idiom) now populates the structured iam_policies model; was silently empty, causing all IAM content rules to miss findings on ~70% of real repos.
  v0.2.1 — #71
• CI path-filter bug. backend-deploy.yml was excluding audytx-aws-parsers/ from the trigger; a parsers-only change would silently skip the prod deploy.
  v0.2.1 — #70
• Role-chain target resolution across label≠name divergence. Terraform module outputs often use a label different from the resource name; the role-chaining resolver now normalizes both sides before matching.
  v0.2.15 — #80

First public version. 201 rules, 5 reasoning axes, visible suppression rationale in PR comments, SARIF v2.1.0, .audytx-baseline.yaml suppression file, and the GitHub App live on Cloudflare Workers.

Added

• 5 context-reasoning axes. lambda_invocation_graph, sqs_dlq_identity, encryption_variants, data_lifetime, network_exposure. Each axis is a pre-computed verdict the rule layer consults before firing. Axis inventory at /status.
• Visible reasoning in PR comments. Every finding the engine suppresses appears in a 🧠 audytx reasoned about N findings block with rule ID, resource address, and the axis-driven rationale.
• SARIF v2.1.0 emission uploaded to GitHub Code Scanning. Context suppressions surface as "dismissed" alerts with their reason — your security lead sees the same dismissals you see.
• 201-rule catalog across IAM, networking, encryption, observability, cost, reliability. Curated AWS rules, not breadth-first.
• Cost optimization findings in the same comment. gp2→gp3, NAT gateway vs VPC endpoints, non-prod Multi-AZ, and others. Dollar bands surface in the PR header when quantifiable.
• .audytx-baseline.yaml suppression file with required expires: dates. Suppressions can't rot silently.
• Per-rule loader resilience. One bad rule no longer poisons the YAML file it lives in. Recovered 57 silently-dropped rules in the first pass.
• JoinSpec::AnyMatch + CompanionRequirement::AtLeastTwo in the rule DSL — "plan-level presence" and "redundancy" checks now expressible without custom code.
• Public testbed repo. audytx-testbed holds long-lived PRs that exercise every reasoning axis end-to-end against the live App.
• Real-HCL integration tests. Three real parser-shape bugs were caught this way during M2.7 (bool-vs-string coercion, jsonencode() stored as string, sqs_managed_sse_enabled shape). Synthetic tests had stayed green.

Fixed

• AWS_OPS_025 gate inversion. "Public ALB has no Route53 health check" was firing on internal LBs and staying silent on public ones. Switched to all_unsatisfied match logic; two real-HCL regression tests added.
  #51
• Tolerant bool coercion + jsonencode scan. ttl.enabled = true stored as String("true"), sqs_managed_sse_enabled = true similarly, redrive_policy = jsonencode({...}) left unevaluated. Added a shared coerce_bool helper and a redrive-policy substring scan to fix three false-positive sources in one pass.
  #42

Changed

• SARIF emitter relocated from backend to engine. The format is part of the engine's output contract. Now lives in audytx-engine::sarif with a real-HCL integration test.
  #45
• Landing-page repositioning. From "cost + security on every Terraform PR" to "the Terraform scanner that knows when not to flag." Reasoning visibility is now the lead differentiator.
  #46 · #47