Releases: wallarm/wallarm-go
Release list
v0.13.0
[v0.13.0] - 2026-05-28
Adds the
APIDiscoveryclient interface for reading and upserting the per-tenant API Discovery configuration.
New Features
- feat(api_discovery): new
APIDiscoveryinterface withAPIDiscoveryConfigRead(clientID int)andAPIDiscoveryConfigUpdate(clientID int, cfg *APIDiscoveryConfig) errormethods. Backing structs:APIDiscoveryConfig+APIDiscoveryProtocols,APIDiscoverySensitiveSamples,APIDiscoveryEndpointStability,APIDiscoveryServerVariability,APIDiscoveryServerVariabilityByCustomPaths,APIDiscoveryExtensionsWhitelist. Composed into the aggregateAPIinterface inconfig.go.
v0.12.2
[v0.12.2] - 2026-05-04
Upgrade Steps
- [ACTION REQUIRED] Direct callers of
ActionCreate/ActionBodymust renameMaxAliasesSizeKb→MaxAliases. JSON tag (max_aliases) is unchanged.
Breaking Changes
ActionCreate.MaxAliasesSizeKbandActionBody.MaxAliasesSizeKbrenamed toMaxAliases— count (number of GraphQL aliases), not kilobytes.
New Features
HintUpdateV3Params.MaxAliases *int— adds the missing GraphQL-detection alias-count field to the Update payload. Probe-confirmed the API accepts in-place mutation on PUT.
v0.12.1
[v0.12.1] - 2026-05-01
ActionCreaterate-limit fields switched to*intso callers can transmit literal zero. Non-pointerint+omitemptywas silently dropping zero, and the Wallarm API rejected the resulting payload ascan't be blank.
Upgrade Steps
- [ACTION REQUIRED] Direct callers of
ActionCreatemust wrap zero values in pointers:Rate: lo.ToPtr(0),Burst: lo.ToPtr(0),Delay: lo.ToPtr(0),OverlimitTime: lo.ToPtr(0). Non-pointer assignments no longer compile.
Breaking Changes
ActionCreate.Rate,.Burst,.Delay,.OverlimitTimechanged fromintto*int.RspStatusstaysint(valid range400..599excludes zero, soomitemptycorrectly drops absent).HintUpdateV3ParamsandActionBodyare unchanged — only the Create body needed the pointer migration.
v0.12.0
[v0.12.0] - 2026-04-28
Expose the full mutable-rule-field surface on
HintUpdateV3Paramsand let callers detectHintDeleteno-ops via the response body.
Upgrade Steps
- [ACTION REQUIRED]
HintDeletesignature changed from(*HintDelete) errorto(*HintDelete) (*HintDeleteResp, error). Code using_, err := api.HintDelete(...)keeps compiling; call sites that stored the function reference or used named returns must update.
Breaking Changes
HintDeletereturns(*HintDeleteResp, error)— the newHintDeleteResp{Status int, Body []ActionBody}exposes the API response. Inspectlen(resp.Body) == 0to detect the no-op path: the Wallarm API returns HTTP 200 in all cases (rule already absent, never existed, or delete blocked server-side as for counter hints), and the body is the only signal of whether anything was actually deleted.
New Features
HintUpdateV3Paramsextended with the full mutable-field surface — adds 30+ new pointer fields (omitempty) covering common attributes (Title,Active,Set), per-rule fields (Mode,AttackType,Stamp,Regex,LoginRegex,CaseSensitive,CredStuffType,Size, GraphQL limits,OverlimitTime,Parser,State, rate-limit knobs, response-headerName/Values,FileType), and mitigation-control nested structs (Threshold,Reaction,EnumeratedParameters). ExistingCommentandVariativityDisabledare unchanged. Pointer +omitemptysemantics let callers send only the fields they want to update; nil fields stay out of the wire payload.
v0.11.0
[v0.11.0] - 2026-04-24
API spec client expansion with new endpoints and payload fields, plus Go-idiomatic initialism renames across the API spec and rules settings types.
Upgrade Steps
- [ACTION REQUIRED] Rename any
wallarm.ApiSpec*references in downstream code towallarm.APISpec*(types, methods, fields, error strings) — affectsApiSpecCreate,ApiSpecRead,ApiSpecDelete,ApiSpecBody, and related identifiers acrossapi_spec.goandget_hits.go. - [ACTION REQUIRED] Rename
RulesSettingsResponseBody.ClientIdtoClientID. JSON tagclientidis unchanged.
Breaking Changes
- API spec identifiers renamed to idiomatic Go initialisms — every
ApiSpec*symbol is nowAPISpec*(types, methods, fields, test names, error messages). JSON tags are unchanged. Pattern-matching consumers must rename. RulesSettingsResponseBody.ClientIdrenamed toClientID— JSON tag staysclientid.
New Features
- New API spec endpoints —
APISpecReadByID(GET by id),APISpecUpdate(PUT), andAPISpecList(paginated list) replace the old list-and-filter read flow. - API spec policy endpoint —
APISpecPolicyPutfor managing API spec policies, with newAPISpecPolicy,APISpecPolicyCondition, andAPISpecPolicyResptypes. - Extended
APISpecBody— addedpolicy,auth_headers,file, andformatfields, plus supporting typesAPISpecAuthHeader,APISpecFile,APISpecUpdate, andAPISpecListResp. APISpecCreate.AuthHeaders— auth headers for URL-based spec fetch are now settable on create, matching the update/read surface.
Bug Fixes
APISpecReadByIDtreats HTTP 404 asErrNotFound— callers can detect deleted specs viaerrors.Is(err, ErrNotFound).APISpecUpdateandAPISpecPolicyPuttreat HTTP 404 asErrNotFound;APISpecDeletetreats 404 as idempotent success — consistent not-found semantics across the api_spec surface.APISpecUpdatefield types switched to pointers —Title,Description,FileRemoteURLare now*stringandAuthHeadersis*[]APISpecAuthHeader.omitemptyon plain types silently dropped empty-string/empty-slice values, preventing callers from clearing fields via PUT. Pointer semantics let callers distinguish "unset" from "clear".APISpecPolicy.Conditionsno longer hasomitempty— the Wallarm API requires the field to always be present in PUT body (empty array is valid).
Other Changes
- Unit tests for
APISpecReadByID,APISpecUpdate,APISpecList, andAPISpecPolicyPut, plus HTTP 404 coverage forAPISpecReadByID,APISpecUpdate,APISpecPolicyPut, andAPISpecDelete. - Test alignment — api_spec test function names and error strings updated to match the
APISpec*rename. - README — Capabilities bullet for API specs expanded to cover the new CRUD surface, auth headers, and policies.
v0.10.0
Released: April 20, 2026
Expands the client with Attack, Activity Log, and Security Issues APIs, plus
consistency improvements on request validation. Includes two breaking changes
for consumers of GetSecurityIssuesResp.
Features
- Attack APIs:
AttackRead,AttackCount,AttackIP,HitDetails,
HitRawfor attack inspection and hit retrieval. - Activity Log:
ActivityLogReadwith object-type filtering. - Security Issues:
GetSecurityIssues,GetSecurityIssueGroups,
GetSecurityIssueGroupsCount, and related methods for the
/v1/security_issuesendpoints. - Cursor pagination on
AttackRead(Cursor,Pagingfields, all
omitempty— offset-based callers unaffected). - Hit block-status filter:
HitsFilter.BlockStatus []string.
Improvements
- Nil-input guards on all new request methods (attack + security issues).
IPListSearchquery encoding fixed to use nested-filter syntax
(filter[rule_type][],filter[list],filter[query]).AttackandActivityLogadded to theAPIinterface.
Breaking Changes
SecurityIssueMitigations.Vpatchis now*SecurityIssueVPatchwith
json:"vpatch,omitempty". Consumers must nil-check before accessing
Vpatch.RuleID— the API legitimately returns issues without a vpatch.GetSecurityIssuesRespand related types use Go-idiomatic initialisms
(ID,URL,ClientID,HTTPMethod,AASMTemplate,RuleID). JSON
tags unchanged; downstream code pattern-matching on Go field names must
rename.
Upgrade
go get github.com/wallarm/wallarm-go@v0.10.0v0.9.1
Breaking Changes
- Removed
VulnPrefixfromClientCreatestruct andClientInfoBody— the field was removed from the Wallarm API. Sending it causes errors. - Removed
get_vulns.go—Vulnerabilityinterface andGetVulnReadmethod removed. Unused by the provider.
Improvements
make linttarget — added golangci-lint to GNUmakefile.- Test coverage 25.8% → 79.5% — added unit tests for all API methods: Client CRUD, Action/Hint CRUD, IP lists (deny/allow/gray), integrations (11 types), triggers, users, API specs, hits, security issues, credential stuffing, wallarm mode, overlimit settings, utils.
v0.9.0
Adds changelog, fixes attackid filter struct
v0.8.0
Update retry policy and timeous
Added hits fetch mode by attack_id
Implemented APIError type
Updated resource_tenant