
Release notes

  • Version: 6.8.0
  • Build number: 14419
  • Release date: 2026-01-28 (general availability)
  • Server version: nanitor-6.8.0.14419-17452-master
  • Agent version: nanitor-6.8.0.14419-17452-master
  • Collector version: nanitor-6.8.0.14419-17452-master

Welcome to Nanitor v6.8.0!

This release introduces a modernized Kubernetes Security model that treats Deployments as persistent assets, enabling actionable vulnerability tracking across your containerized workloads.

Behind the scenes, significant efforts have been put into performance optimization, data retention automation, and cross-organization data isolation to ensure Nanitor scales reliably with your infrastructure.


Highlights


Kubernetes: Deployment-Centric Vulnerability Management

[Screenshot: Kubernetes cluster page showing workloads hierarchy with vulnerability counts]
Navigate from Clusters to Workloads with vulnerability counts at a glance.

We have completely redesigned Kubernetes security in Nanitor, shifting from an image-centric model to a Deployment-centric approach that aligns with modern cloud-native workflows.

  • Workloads as Assets: Kubernetes Deployments are now treated as persistent assets in Nanitor. This means your remediation history and risk context are preserved across image updates, eliminating the clutter of stale image-based assets.

  • Broader Cloud Support: The new methodology works with any Kubernetes cluster (not just AWS EKS) and is more lightweight than the previous model, which pulled all images.

  • API-Driven Import: The /assets/import API now supports Kubernetes Clusters and Workloads with full hierarchy support. Workloads automatically link to their parent Cluster, providing clear navigation and context.

  • Package-Level Vulnerability Details: Imported vulnerabilities now include structured package information (package name, installed version, fixed version), giving you actionable remediation guidance directly in the UI.

  • Zero-Credential Scanning: Customers perform vulnerability scanning in-cluster using tools like Trivy and push results to Nanitor via API. This eliminates the need to share cloud provider or registry credentials with Nanitor.

  • Open-Source Import Tool: We've published an open-source Python tool (k8s-import-tool) that converts Trivy Kubernetes scan results into the Nanitor import format, making adoption straightforward.
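The Deployment-centric grouping and package-level fields described above can be sketched as follows. This is an added example, not code from Nanitor or from k8s-import-tool, and its output dictionary is illustrative rather than the /assets/import schema. It assumes Trivy's JSON Kubernetes report uses the field names shown in the constructed sample (ClusterName, Resources, Results, Vulnerabilities).

```python
import json

# Constructed sample, shaped like a Trivy Kubernetes JSON report (assumed layout).
# The CVE ids, image names and versions are placeholders, not real findings.
TRIVY_REPORT = json.loads("""
{"ClusterName": "demo-cluster",
 "Resources": [
  {"Namespace": "shop", "Kind": "Deployment", "Name": "checkout",
   "Results": [{"Target": "registry.example/checkout:1.4 (debian 12)",
     "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
       "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
       "InstalledVersion": "1.2.13", "Severity": "LOW"}]}]},
  {"Namespace": "shop", "Kind": "Deployment", "Name": "checkout",
   "Results": [{"Target": "registry.example/sidecar:2 (debian 12)",
     "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
       "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"}]}]},
  {"Namespace": "kube-system", "Kind": "DaemonSet", "Name": "proxy", "Results": null}
 ]}
""")

def workloads(report, kinds=("Deployment",)):
    """Group findings per workload; the key has no image tag, so it survives image updates."""
    out = {}
    cluster = report.get("ClusterName", "")
    for res in report.get("Resources") or []:
        if res.get("Kind") not in kinds:
            continue
        key = (cluster, res.get("Namespace", ""), res["Kind"], res["Name"])
        bucket = out.setdefault(key, {})      # keep workloads with zero findings
        for result in res.get("Results") or []:
            for v in result.get("Vulnerabilities") or []:
                # The same package flaw seen in several containers counts once.
                fid = (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])
                bucket[fid] = {"id": v["VulnerabilityID"], "package": v["PkgName"],
                               "installed": v["InstalledVersion"],
                               "fixed": v.get("FixedVersion") or None,
                               "severity": v.get("Severity", "UNKNOWN")}
    return {k: sorted(f.values(), key=lambda x: (x["id"], x["package"]))
            for k, f in out.items()}

if __name__ == "__main__":
    for key, findings in workloads(TRIVY_REPORT).items():
        print("/".join(key), json.dumps(findings, indent=1))
```

A finding whose "fixed" value is None has no patched package version in the scan data, so it needs a different remediation path than a simple upgrade.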

[Screenshot: Kubernetes workload detail page showing vulnerability summary and package details]
Workload detail view with vulnerability summary and package-level remediation context.

Migration Notice for EKS Customers

If you are currently using Nanitor's collector-based EKS scanning, we recommend migrating to this new API-driven approach. The new model requires you to run Trivy (or a similar scanner) from your own infrastructure (such as a scheduled job, CI/CD pipeline, or dedicated server) and publish findings to Nanitor via the API. Please contact Nanitor Support for migration assistance. The old EKS support will be fully phased out in favor of this updated mechanism as of the next Nanitor version.


Organizations API: Signup URL Field

The Organizations API now returns the signup_url field in both list and detail endpoints. This enables MSPs and integration partners to retrieve organization sign-up links programmatically for use in deployment scripts and automated provisioning workflows.


Improvements

  • Performance: Software Overview Query. Optimized the Incompliant Software Overview query that was causing disk space exhaustion on large deployments. The query now filters data earlier and avoids unfiltered large joins.

  • Performance: Benchmark Rule List. Implemented a materialized view for benchmark change counts, reducing the benchmark rule list page load time from 60+ seconds to under 5 seconds for organizations with high benchmark activity.

  • Performance: Trend Metrics Export. Fixed timeout issues when exporting Trend Metrics to PDF on large datasets.

  • Performance: Activity Log Query. Optimized the activity log query by implementing pganalyze advisor suggestions for better index usage.

  • Data Retention: Activity Log Cleanup. Added an automated cleanup task that removes activity log entries older than 3 years, preventing unbounded table growth.

  • Data Retention: Benchmark Assignment Cleanup. Added cleanup for archived benchmark assignments older than 6 months, cascading to associated results, issues, and changes.

  • Self-Hosted Fonts. Replaced Google Fonts (Raleway, Open Sans) with locally hosted font files, improving reliability in restricted or enterprise environments.

  • OVAL Feed Coverage. Sped up the first update of vulnerability OVAL feed coverage after a new machine is set up through agent installation.

  • Agent Logging. Reduced Win32_ComputerSystem WMI query failure logging from Warning to Info level, as these are typically caused by system reboots and not actionable errors.

  • Project Assets View. Added an "Activity state" column to the Assets tab on the Project detail page, showing whether each asset is Active or Inactive without needing to hover.


Benchmarks & Feed Updates

Benchmark updates ship separately via the compliance feed, typically within a few days of the product release. Once available, the Nanitor server fetches them automatically - no manual action required.

Windows Server 2025 Standalone Benchmark

Added the CIS Microsoft Windows Server 2025 Stand-alone v1.0.0 benchmark for Windows Server 2025 systems not joined to Active Directory. This benchmark automatically assigns to non-domain-joined devices.

Windows 11 Enterprise Benchmark v4.0.0

Updated the CIS Microsoft Windows 11 Enterprise Benchmark to version 4.0.0, aligning Nanitor with the latest CIS recommendations.


Bug Fixes

  • Security: Cross-Organization Data Isolation (Configuration Changes). Fixed an issue where suborganizations could see devices belonging to their parent organization in the Configuration Changes view. The report now correctly filters by the active organization context.

  • Security: Cross-Organization Device Issues. Fixed a critical data isolation issue where device issues could incorrectly link devices from one organization to issues in another organization. This affected "Missing Software" and certain device-type issues. Although the data was correctly filtered out in the UI and no visible data was accessible, the fix was important for data correctness. A data migration repairs any existing invalid rows.

  • CSV Export with Label Scope. Fixed an issue where exporting the issue list to CSV as a user with label scope restrictions would fail. The export now correctly filters results based on the user's labels.

  • Issue Configuration: EOL Toggle. Fixed a bug preventing users from removing the "Device operating system end of life" issue from the baseline. The save operation now completes successfully.

  • Benchmark Rule: Root Password Detection. Fixed a false positive in the CIS Debian benchmark rule "5.4.2.4 Ensure root password is set" where valid password hashes were not being detected correctly.

  • Benchmark Rule: Deny Log On as Service. Fixed a false positive in the Windows Server 2019 benchmark where the rule "Ensure 'Deny log on as a service' to include 'Guests'" was incorrectly checking sedenyinteractivelogonright instead of sedenyservicelogonright.


Agent Updates

The following agent changes are included in this release:

  • Linux: The agent now preserves the password hash algorithm identifier (e.g., $6$ for SHA-512, $y$ for yescrypt) when sanitizing /etc/shadow entries. This fixes false positives in CIS Debian/Ubuntu benchmark rule "5.4.2.4 Ensure root password is set".
  • Windows: Reduced WMI query failure logging from Warning to Info level, as these typically occur when WMI is in a bad state and are not actionable.
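Why keeping the algorithm identifier matters for the root-password rule is shown below. This is an added example, not the Nanitor agent's code or the CIS audit procedure. The sanitizer, the classifier and the keep_id switch are hypothetical, and the shadow entries are constructed with fake hash bodies.

```python
import re

# crypt(5) scheme identifiers; the release note names $6$ and $y$.
SCHEMES = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt",
           "6": "sha512crypt", "y": "yescrypt"}
MARKERS = {"", "*", "!", "!!", "!*"}   # empty or locked fields hold no secret
HASH = re.compile(r"^(!{0,2})\$([A-Za-z0-9]+)\$.+$")

def sanitize(pw, keep_id=True):
    """Redact salt and digest from one shadow password field."""
    if pw in MARKERS:
        return pw
    m = HASH.match(pw)
    if m and keep_id:
        return f"{m.group(1)}${m.group(2)}$<redacted>"  # lock marker and $id$ kept
    return "<redacted>"                                 # identifier lost

def classify(pw):
    """Classify a (possibly sanitized) password field for an audit."""
    if pw == "":
        return "empty"
    m = HASH.match(pw)
    if m:
        scheme = SCHEMES.get(m.group(2), "unknown")
        return ("locked:" if m.group(1) else "set:") + scheme
    return "locked" if pw[0] in "!*" else "unrecognized"

def root_password_is_set(shadow_text, keep_id=True):
    """True when root's sanitized field still shows an unlocked hash."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return classify(sanitize(fields[1], keep_id)).startswith("set:")
    return False

# Constructed sample entries (hash bodies are filler, not real digests).
SAMPLE = "\n".join([
    "root:$y$j9T$c2FsdHNhbHQ$ZmFrZWRpZ2VzdGZha2VkaWdlc3Q:19700:0:99999:7:::",
    "alice:$6$c2FsdA$ZmFrZWRpZ2VzdA:19700:0:99999:7:::",
    "svc:!$6$c2FsdA$ZmFrZWRpZ2VzdA:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",
])

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        user, pw = line.split(":")[:2]
        print(user, sanitize(pw), classify(sanitize(pw)))
    print("keep id:", root_password_is_set(SAMPLE),
          "| drop id:", root_password_is_set(SAMPLE, keep_id=False))
```

With keep_id=False the same valid yescrypt entry is reported as not set, which is the kind of false positive the agent change removes.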

Thank you for using Nanitor! For more in-depth documentation, visit the Nanitor User Guide or our Knowledgebase.