Skip to content

Releases: GhostManager/Ghostwriter

Ghostwriter v7.2.0

Choose a tag to compare

@chrismaddalena chrismaddalena released this 01 Jul 00:00
de08d9f

Summary

This release brings a major change to evidence management: the full deprecation of finding-level evidence, as promised in v6.0.

When evidence management was first introduced in Ghostwriter, findings were the only supported evidence destination, so evidence was attached directly to individual findings. As Ghostwriter matured and gained new features, such as report sections and observations, users needed to reuse evidence in more places. To support that, we added the option to attach evidence either to a finding or to a report.

Over time, the community identified limitations with this model and asked we simplify it. That time has come, so please be aware of this and communicate the change to your users before upgrading.

The included migrations will convert any finding-level evidence to report evidence. If there happens to be a naming conflict, the migrations will handle that for you. They will also update references in the finding if the evidence's name changes. This should be a rare occurrence because the client enforced unique names across all evidence under a report, but the database technically allowed duplicate names as long as the name was unique for the finding or report.

CHANGELOG

[7.2.0] - 30 June 2026

Added

  • Added Playwright as a local dev package for end-to-end testing
  • Added evidence metadata parser coverage for collaborative editor evidence loading

Changed

  • Breaking: All evidence now attaches to a report object and is available to all findings and other report fields
  • XLSX report exports now populate the "Supporting Evidence" column from report evidence references used by each finding
    • This includes first-class evidence objects, legacy {{.Evidence Name}} tags, {{.ref Evidence Name}} references, and {{.caption Evidence Name}} captions
  • Collaborative editor evidence loading now validates report metadata before querying evidence and keeps the evidence tool disabled only until report-scoped evidence context is ready
    • Users can still upload and insert report evidence from finding, observation, and report extra field editors
  • Previews of extra fields now more closely match your report configuration
    • Image evidence will appear in accordance with your border, image width, and alignment configurations
    • Captions will appear above or below evidence based on the configured location
    • Text evidence now matches other code blocks as they typically do in the final reports
      • They no longer inherit a border based on the border configuration
      • They are now the full width of the content instead of bound to the evidence width intended for images
  • The extra fields section of the report dashboard now presents fields as cards for easier review and access
  • Loading of JSON extra fields is now "lazy" to defend page performance when these fields contain large JSON blobs
    • The JSON data is also removed after closing the preview to maintain page performance

Fixed

  • Fixed severity colors appearing incorrect in xlsx reports

Removed

  • Breaking: Removed finding-level evidence ownership
    • Existing finding-owned evidence migrates to the owning report
    • In case of friendly name collisions, the migration adjusts the friendly name as needed to preserve both evidence records
    • References to renamed migrated evidence update in the source finding's rich-text fields and extra fields
    • The evidence upload API and Hasura metadata no longer accept non-empty finding or findingId evidence associations

Ghostwriter v7.1.3

Choose a tag to compare

@chrismaddalena chrismaddalena released this 26 Jun 19:01
5bed3ea

Summary

This release includes an optimization for service tokens that should significantly improve speed for large GraphQL queries that might otherwise timeout through the nginx proxy.

CHANGELOG

[7.1.3] - 26 June 2026

Changed

  • Optimized service-token GraphQL user-resolution permissions for large project queries
    • Service-token access now resolves related project users through a database-backed access view instead of repeatedly expanding a large Hasura permission tree
    • Project and operation log service-token scopes remain unchanged

Fixed

  • Fixed icons on filter fields not displaying properly

Ghostwriter 7.1.2

Choose a tag to compare

@chrismaddalena chrismaddalena released this 25 Jun 00:59
7ceb558

Summary

This release further locks down client-associated report templates based on user feedback. It also includes a small bug fix to improve compatibility with older browsers.

CHANGELOG

[7.1.2] - 24 June 2026

Fixed

  • Fixed datetime-local rendering for white card and deconfliction edit forms so saved timestamps display reliably in older browsers (Closes #917)

Security

  • Fixed additional client-scoped report template authorization bypasses in template swapping, report generation, archive generation, linting, and lint result endpoints
    • Report template selection now only accepts global templates or templates scoped to the report project's client
    • This fix includes two temporary breaking changes for the API while we work on a custom endpoint to handle this new business logic:
      • Breaking: The GraphQL API no longer allows user or manager roles to set report template ID columns directly when creating or updating reports
      • Breaking: The GraphQL API no longer allows user or manager roles to update a report's project ID column directly

Ghostwriter v7.1.1

Choose a tag to compare

@chrismaddalena chrismaddalena released this 18 Jun 21:12
625a26b

Summary

This release addresses a pair of issues to make Ghostwriter better.

CHANGELOG

[7.1.1] - 18 June 2026

Fixed

  • Fixed project collaborative notes failing to load for users with project access (Fixes #913)
    • The collaborative editor JWT is now scoped to the project so assigned users, project invitees, client invitees, managers, and admins can edit shared project notes

Security

  • Fixed an authorization bypass that allowed authenticated users to download client-scoped report templates by direct URL
    • Template downloads now use the same client access check as the template detail page
    • Please see security advisory for details: GHSA-hx63-6fvp-4rpv

Ghostwriter v7.1.0

Choose a tag to compare

@chrismaddalena chrismaddalena released this 16 Jun 22:38
2a92a80

Summary

This release includes a few enhancements for existing features, but the major changes are in the dependencies. Ghostwriter is now updated to Django v5.2. The most noticeable change is the switch to a fork of the docxtpl library. This change introduces a several upstream performance enhancements that will significantly reduce report generation time. In testing, a report with a 2,000 row table generated in under two seconds.

CHANGELOG

[7.1.0] - 16 June 2026

Added

  • Added a workflow to check the GraphQL codegen whenever models change to ensure there is no drift (Closes #849)
  • Added tracking for the active report in the browser's localStorage along with a mechanism to re-activate the report on user login

Changed

  • Switched from docxtpl to a Ghostwriter fork to implement performance improvements (Fixes #585; Closes #822)
    • Implemented changes in the upstream docxtpl development branch
    • Will consider returning to using the Pypi package when the new maintainers are able to merge the development changes and begin tagging releases
  • Updated Django to v5.2 with groundwork completed for Django v6.x (Closes #824)
    • Going slow with version upgrades to ensure there are no issues with dependencies
  • The dashboard calendar will now show all projects accessible to the user (Closes #871)
    • For most users, the calendar will not appear to have changed, except for now including more details
    • For managers and others with access to more projects, they will now be able to see how all their projects relate to each other in the calendar
  • Improved operation log narrative outline insertion for report fields
    • Preserves formatted comments, inserts operation log output as code blocks, and keeps linked evidence with matching {{.ref ...}} lines
    • Formats commands as inline code and user context as italic text in inserted narrative lines
    • Uses only the operation log output field for output blocks, not attached terminal recording text

Fixed

  • Adjusted how the TinyMCE editors load to fix pages sometimes scrolling down to newly initialized TinyMC

Ghostwriter v7.0.2

Choose a tag to compare

@chrismaddalena chrismaddalena released this 15 Jun 00:12
ff28ecd

Summary

Small release to address an evidence listing issue that could affect managers and admins helping with reporting while not assigned to a project.

CHANGELOG

[7.0.2] - 10 June 2026

Fixed

  • Fixed evidence listings inside the collab editor for privileged users
    • The list of evidence could appear empty for admins and managers if they were not assigned to the related project
    • Permissions checked for project data access via invites and assignments, but missed access from the privileged roles

Ghostwriter v7.0.1

Choose a tag to compare

@chrismaddalena chrismaddalena released this 10 Jun 17:29
1bfe254

Summary

This is a small hotfix for some users who may experience this PostgreSQL error: cannot ALTER TABLE "api_apikey" because it has pending trigger events"

CHANGELOG

[7.0.1] - 10 June 2026

Fixed

  • Fixed API database migrations breaking when the existing database has many existing API tokens

Ghostwriter v7.0.0

Choose a tag to compare

@chrismaddalena chrismaddalena released this 03 Jun 22:24
918e381

Summary

This release marks a significant turn in automation. It hardens authentication by replacing user-managed JWT API tokens with opaque gwat_ credentials, adding scoped gwst_ service tokens for non-human integrations, tightening JWT/session validation, and moving service-token GraphQL access to a scoped service role. Existing user-managed JWT API tokens should be re-rolled by rotating them to receive a new opaque API token; changing an API token’s expiry now also generates a replacement token and immediately invalidates the old credential, so dependent automation must be updated with the newly shown token. Admin-created user-bound API tokens should be replaced with either user-created API tokens or scoped service tokens, depending on whether the credential should act as a human user or a non-human service.

Read more here: https://www.ghostwriter.wiki/features/access-authentication-and-session-controls/user-profile-and-tokens

CHANGELOG

[7.0.0] - 3 June 2026

Breaking Changes

  • User-managed API tokens are now opaque gwat_ credentials instead of JWTs
    • Existing user-managed JWT API tokens must be rotated to receive an opaque API token
    • API token expiry edits rotate the token prefix, secret hash, and UUID identifier, which immediately invalidates the previous credential
  • Django admin can no longer create user-bound API tokens
    • Use service principals and service tokens for non-human integrations
    • Admin-created user-bound API tokens should be replaced with user-created API tokens or scoped service tokens, depending on whether the credential should act as a user or as a non-human service
  • Login and collaborative editor JWTs now use explicit JWT typing and are accepted only by their intended authentication paths
    • Collaborative editor JWTs authenticate to Hasura only as a restricted collab role for the editor's required read-only queries
    • Login JWTs require a tracked, unrevoked user session bound by the jti claim
  • Service-token GraphQL access now uses the new service role and scoped service-token permissions instead of inheriting a creating user's permissions

Added

  • Scoped Service Tokens: Added service principals and service tokens for non-human automation credentials (Closes #881)
    • Service principals represent durable integrations or automation services
    • Service tokens are opaque gwst_ credentials with hashed secrets, expiration, revocation, and last-used tracking
    • Service token permissions are assigned to the token instead of inheriting the creating user's permissions
    • Added operation log read/write tokens scoped to one operation log and its entries
    • Added project read-only tokens scoped to selected projects or all projects the creator can access now and later
  • Service Token GraphQL Access: Added a Hasura service role for scoped service-token access
    • The shared service role exposes a combined service-token schema; each token's grants still determine which protected rows and Actions it can use
    • Project read access is backed by database views that validate the service token, service principal, creator status, and current project access
    • Service tokens can read project-related data, project-linked operation logs, evidence, reports, findings, observations, and public libraries
    • Service tokens can call selected read-oriented GraphQL Actions when their token grants allow the target resource, including report generation, evidence and recording downloads, tag lookups, and extra field specs
  • Added service-token management to the Django admin
  • Added documentation for API tokens, service tokens, and service-principal concepts
  • Added user-session tracking for login JWTs so administrators can revoke active GraphQL sessions
  • Added a management command to clean up expired Django sessions and tracked GraphQL login sessions

Changed

  • Reworked the user profile page to organize API tokens and service tokens into clearer cards
    • API tokens are described as user-bound automation credentials
    • Service tokens are described as scoped non-human credentials
    • Expired tokens can be hidden, and that preference is remembered in local storage
    • Token expiry dates now use warning styling when expiring within seven days and expired styling after expiration
    • API tokens now show last-used timestamps alongside service tokens
    • API tokens now have lazy-loaded details modals showing the token user's current project access
  • Added profile controls for editing API token and service token expiry dates
    • API token expiry edits now generate a replacement opaque token so the previous credential stops working immediately
  • Added service-token detail modals that show service principal, project read access, direct operation-log access, stale project grants, and token access summaries
  • Improved dark-mode styling for disabled fields
  • Made the sidebar toggle tab sticky while scrolling
  • Added the DJANGO_MFA_PASSKEY_LOGIN_ENABLED environment variable for controlling passkey login support
  • API tokens are now opaque gwat_ credentials with hashed secrets instead of user-managed JWTs
    • Editing an API token expiry rotates the token prefix, secret hash, and UUID identifier
  • Login and collaborative editor JWTs now use explicit JWT typing
    • Login JWTs bind their jti claim to a tracked user-session identifier
    • Collaborative editor JWTs use a dedicated token type and restricted Hasura role

Fixed

  • Fixed observation library create/edit/delete permissions not being checked for the user role in the GraphQL API
  • Fixed token tables showing as empty when Hide Expired hides every API token or service token
  • Fixed hyperlinks not working properly in open Office alternatives like LibreOffice (Fixes #890; Thanks to @wexew-ware)

Security

  • Updated Django from 4.2.16 to 4.2.30 to address CVE-2026-3902 in ASGIRequest (Fixes #896)
  • Added service-token authorization helpers for Django-backed Hasura Actions so service tokens are denied by default unless an action explicitly opts in
  • Login JWT validation now checks the tracked user session after verifying the JWT signature and expiration so sessions can be revoked on demand
  • Collaborative editor JWTs are restricted to a dedicated Hasura role and accepted by the collaborative editor permission-check endpoint
  • API token validation now verifies the opaque token secret against a stored hash and rejects revoked, expired, or inactive-user tokens
  • API token expiry edits now invalidate the previous credential and show the replacement token once
  • Service-token validation now uses explicit secret-checking terminology internally and keeps full lifecycle validation on the manager path
  • Added Hasura metadata validation tests to catch service-role permission drift, legacy service-token headers, and unexpected service mutations
  • Added validation for service-token permission resource, action, and constraint combinations

Ghostwriter v6.3.6

Choose a tag to compare

@chrismaddalena chrismaddalena released this 26 May 21:51
a8a436b

Summary

This release fixes an issue with client creation that was introduced in a recent release.

CHANGELOG

[6.3.6] - 26 May 2026

Fixed

  • Fixed creating a new client with an incomplete point of contact causing a server error instead of displaying required-field validation errors (Fixes #889)

Ghostwriter v6.3.5

Choose a tag to compare

@chrismaddalena chrismaddalena released this 07 May 20:27
a23087b

Summary

This small release fixes an issue with the CVSS v4 calculator not aligning with the official CVSS spec as intended.

CHANGELOG

[6.3.5] - 7 May 2026

Fixed

  • Fixed "Safety" incorrectly appearing as an option for some fields in the CVSS v4 calculator
  • Fixed invalid CVSS vectors preventing report generation