Connector

​

1.38.0

​

Changed

• Restrict the Snowflake stage download proxy to known cloud storage endpoints (S3, Azure Blob, GCS) and cap decompressed response bodies at 256 MB
• Enforce ReadHeaderTimeout on all HTTP-based proxy servers to mitigate slow-client resource exhaustion
• Defer listener readiness until the initial control plane event stream catch-up completes, ensuring consistent configuration before accepting traffic

​

Fixed

• Support WebSocket-based kubectl port-forward introduced in kubectl v1.30+
• Preserve parsed table context when best-effort inventory lookups fail, so policy evaluation still has access to table names and schemas
• Resolve a concurrency issue in listener port lookups that could surface under high connection churn

​

1.37.1

​

Fixed

• Fix PostgreSQL extended query protocol support for PortalSuspended messages when Execute is called with a row limit
• Fix incorrect query attribution in PostgreSQL logs when standard queries (e.g. BEGIN) are sent between Parse and Bind in the extended query protocol

​

1.37.0

​

New

• General availability of stream session analysis for SSH, SSM, and Kubernetes exec sessions

​

1.36.5

​

New

• Add support for agent forwarding for SSH connections

​

1.36.4

​

New

• Add support for assuming roles from command line arguments for SSM (EC2 and ECS) connections

​

1.36.3

​

Fixed

• Fixed a bug with PostgreSQL health checks using GCP Cloud SQL IAM authentication

​

1.36.2

​

Fixed

• Fix PostgreSQL table_paths not including unqualified table names when session schemas are unavailable

​

1.36.1

​

New

• Add API Request verb for Kubernetes policy evaluations

​

1.36.0

​

New

• Add support for Kubernetes WebSockets, v5 stream protocol, and follow requests

​

Fixed

• Block PostgreSQL COPY TO (\copy) operations when response policies are configured

​

1.35.0

​

New

• Initial release of the Formal Connector on Google Cloud Artifact Registry

​

Changed

• Enhanced metadata extraction from PostgreSQL queries, enabling better policy evaluation against DML operations

​

1.34.10

​

Fixed

• Fix a bug with IAM (Assume Role) authentication for EKS clusters

​

1.34.9

​

New

• Customers can now specify the frequency of the resources health check

​

1.34.8

​

Changed

• Improve performance of policy evaluation

​

Fixed

• Fixed a bug where dry-run rewrite policies were being applied to requests

​

1.34.6

​

Changed

• Improve performance of sending logs

​

1.34.5

​

Changed

• Improve performance of responses with many rows

​

1.34.4

​

Fixed

• Improve reliability of large snowflake arrow responses

​

1.34.3

​

New

• Emit the total number of bytes transferred during SFTP sessions in SSH session logs

​

1.34.2

​

New

• Support CEL expressions in policy suspension input conditions
• Added rate-limting support for postgres and mysql and refactored s3 rate-limiting

​

Changed

• Logs are now persisted to disk and retried automatically during Control Plane outages, preventing log loss
• Support multiple policy suspensions for the same policy and identity id

​

Fixed

• Fixed a bug with the nullify redaction option
• Fixed a bug where query-rewrite policies didn’t allow adding LIMIT 0

​

1.34.1

​

New

• Support a custom OTEL metric collector hostname and port

​

Changed

• Improve the behavior of the Connector when Formal Control Plane can’t be reached

​

1.34.0

​

New

• Smart routing is now available for MySQL resources when using the new proxy implementation

​

Changed

• Parallelized Rego policy evaluation to improve performance on large numbers of policies

​

Fixed

• Reduce log noise for timestamp formatting
• Enforce stricter connection timeouts during SSH health checks

​

1.33.2

​

Fixed

• Reduce log noise for certain policy evaluations

​

1.33.1

​

New

• Add a parameter for request/response scope for HTTP AI body analysis

​

1.33.0

​

New

• Add support for MySQL end-user identity propagation in the new proxy implementation

​

Changed

• Include parsed query information in the new MySQL implementation logs

​

1.32.7

​

Fixed

• Fix connector startup failure when using spaces

​

1.32.6

​

Changed

• Add support for DynamoDB resource health checks

​

Fixed

• Address binary protocol issues affecting PlanetScale/Vitess connections when using prepared statements with the new MySQL proxy implementation
• Fix DynamoDB authentication when using the desktop app

​

1.32.5

​

Fixed

• Fix end-user not appearing in logs for SSH connections

​

1.32.4

​

Changed

• Add support for gRPC resource health checks

​

1.32.3

​

Changed

• Add support for custom message and timeout parameters in MFA policy actions

​

1.32.2

​

New

• Add support in the policy engine for tags on resources

​

1.32.1

​

Fixed

• Always use the incoming request port if it’s different from the listener port for Snowflake S3 support

​

1.32.0

​

New

• Add a new MySQL proxy implementation. This is a fundamentally different and more robust implementation, starting with a minimal feature set that we plan to expand quickly. This feature is behind a feature flag, contact us to enable it for your organization.
• Add MFA policy enforcement across all technologies via the Desktop App

​

1.31.31

​

Changed

• Downgrade health check failure logs to debug level to reduce log noise

​

1.31.30

​

Fixed

• Fix AWS RDS IAM authentication for resources in a different AWS region than the connector

​

1.31.29

​

New

• Log policy version in triggered policy logs

​

1.31.28

​

Fixed

• Fix a race condition on concurrent cache queries in BigQuery

​

1.31.26

​

Changed

• Emit formal.connector.resource_health_check metric for earlier health check failure stages

​

Fixed

• Fix window resize handling for SSH connections

​

1.31.22

​

New

• Add formal.connector.resource_health_check metric

​

1.31.21

​

New

• Support seamless authentication via the Formal console for the S3 browser. Users do not need to manually enter their Formal username and access token to access the S3 browser.

​

1.31.20

​

New

• Add support for scp (SFTP) to the SSH proxy for SSH resources

​

Fixed

• Fix session log entry values for failed SSH logins.

​

1.31.19

​

New

• Support optionally sending policy evaluation inputs to the Formal Control Plane based on log configuration settings.
• Support “request” and “response” as evaluation stage names in policies instead of “pre_request” and “post_request”.
• Enable row-level filtering for Snowflake responses.

​

Changed

• Preserve end-user across BigQuery job lifecycle requests to avoid authentication failures when impersonation is used.

​

Fixed

• Fix session log entry values for SSM (EC2/ECS) resources.
• Don’t attempt to start the Connector state server if it can’t write on disk.

​

1.31.12

​

New

• Support cross-account AWS role assumption for EC2/ECS SSM
• Support custom error messages for Postgres and MySQL request evaluation

​

Fixed

• Fix downloads for S3 objects with special characters in object keys
• Fix S3 technology failures when using the AWS JavaScript SDK

​

1.29.12

​

New

• Add AWS account ID and name to resource health check events for easier multi-account tracking

​

1.29.11

​

Fixed

• Fix S3 request logs to include formal user name, improving auditability

​

1.29.10

​

New

• Add per-bucket S3 health checks with autodiscovery, showing bucket names for faster diagnostics

​

1.29.9

​

New

• Add policy input logging for session and request stages with request/session IDs for better traceability
• Add sync of autodiscovered S3 buckets to the connector, with pagination and live updates

​

Changed

• Standardize request/session ID propagation across connectors, including Snowflake IDs, for consistent logs
• Enforce stricter policy engine capabilities for safer, more predictable evaluations

​

1.29.8

​

New

• Add S3 bucket access metrics to policies for rate limiting and blocking
• Add connector, resource, and space IDs to policy input logs for filtering

​

Changed

• Improve S3 access counting accuracy, include current request and drop daily counts
• Add bucket, path, action, and last modified to S3 policy inputs for finer control
• Provide richer user and query context in post-request policy checks across databases

​

Fixed

• Fix S3 auth failures to return 403 Forbidden with AWS-style XML
• Fix MySQL auth to forward native error packets to clients

​

1.29.7

​

New

• Add structured S3 logs with action, bucket, path, and last-modified, consistent across access styles

​

Fixed

• Fix S3 PutObject authentication by honoring payload hashes and signing required headers to prevent auth errors
• Fix query aggregation failures for long SQL statements in analytics to improve reliability

​

1.29.6

​

New

• Add normalized SQL queries to datastore request logs for easier analysis
• Add response-stage policy input logging in PostgreSQL, improving policy analysis

​

Changed

• Treat S3 hostnames as global endpoints, enabling ListBuckets and vhost/path access

​

1.29.5

​

Fixed

• Fix column matching to ignore case and spaces, preventing mismatches from formatting differences

​

1.29.4

​

New

• Add support for MCP resources, enabling MCP traffic parsing and accurate technology logs for auditing

​

1.29.3

​

New

• Add AI satellite integration, enforcing one link only with data classifier to prevent conflicts
• Add request log evaluation in policy backtests for fuller coverage
• Add MySQL and MariaDB support for hashed tokens, avoiding password length limits

​

Fixed

• Fix HTTP response handling for non-JSON payloads to prevent misclassification

​

1.29.2

​

Fixed

• Fix TLS defaults when no config is present, restoring secure connections and preventing connection errors

​

1.29.1

​

New

• Add configurable retention for policy evaluation input logs

​

1.29.0

​

New

• Add AI satellite integration for HTTP with automatic fallback for compatibility
• Add audit logs for frontend API create, update, delete actions for traceability

​

Changed

• Enforce required environment variables across environments to prevent misconfigurations
• Include uses row data flag in policies for consistent behavior across services

​

1.28.10

​

New

• Add support for duplicate columns in SQL queries, ensuring results match source databases.

​

Fixed

• Fix returning MySQL responses when analysis fails, ensuring accurate error reporting.

​

1.28.9

​

New

• Add qualified wildcards (table., alias.) and column alias detection for accurate multi-table queries

​

Fixed

• Fix metric setup with automatic startup retries, ensuring monitoring works when agents start late

​

1.28.8

​

Fixed

• Fix device trust errors in Postgres when using custom native usernames, preventing login failures.

​

1.28.7

​

Fixed

• Fix production connector image to include required files, preventing startup failures

​

1.28.5

​

Changed

• Limit inventory to labeled objects, tracking label add/removal updates

​

1.28.4

​

New

• Add native DB user context to PostgreSQL policy checks

​

1.28.3

​

Changed

• Change S3 health checks to use network connectivity

​

1.28.2

​

Changed

• Improve MySQL query performance when policies are enabled

​

1.28.1

​

New

• Add multi stage resource health checks for HTTP, SSH, and SSM
• Make the connector health check port configurable to prevent port conflicts in shared environments.

​

1.28.0

​

New

• Add resource health checks for Kubernetes, ClickHouse, and Snowflake with connection and authentication validation

​

Changed

• Remove policy evaluation details from logs

​

1.27.2

​

Fixed

• Fix incorrect query parameters in Postgres
• Fix JIT SSO

​

Changed

• Update Datadog profiling: support agent URL via env vars, check reachability with retries to reduce startup errors

​

1.27.1

​

New

• Add auto-creation of MySQL discovery connections, preventing failures when no prior connection exists

​

1.27.0

​

New

• Add per-stage connection health logs covering network, security, login, and data

​

1.26.11

​

Changed

• Apply log level changes from the UI instantly during CDC syncs, no restart needed

​

1.26.10

​

Changed

• Standardize log timestamps for consistent parsing across tools

​

1.26.9

​

New

• Add support for MariaDB databases, expanding compatibility

​

Fixed

• Fix MySQL connection failures when clients omit auth plugin, improving compatibility with older clients

​

Changed

• Enable on-demand test connection checks from the Formal console for faster troubleshooting

​

1.26.8

​

New

• Add password redaction for SQL queries in PostgreSQL and Snowflake, with CLI support
• Add formal user type to SSH stream logs for clearer auditing

​

Changed

• Remove Redshift technology support
• Remove query fingerprints from logs

​

1.26.7

​

Changed

• Stop publishing the Redshift connector, making it unavailable in new releases

​

1.26.6

​

New

• Add MCP technology support using HTTP flow, simplifying MCP integrations
• Add native auth types: SSH key, Snowflake key, HTTP basic, bearer, API key
• Enhance logging with unique request IDs, event types

​

Fixed

• Fix inconsistent stage labels in logs for clearer filtering

​

1.26.5

​

Changed

• Allow startup without TLS when no certificate is provided, simplifying initial deployment; enable TLS later

​

1.26.4

​

New

• Add API to generate and upload CloudFormation templates, simplifying connector deployment automation

​

Changed

• Update TLS handling to run without a certificate, preventing errors in non-TLS environments

​

1.26.3

​

Fixed

• Fix remote access checks for ECS clusters with cross-region configs, enabling successful connections
• Fix empty service name display when connecting to ECS containers using a service ARN, improving clarity

​

1.26.2

​

New

• Add GCP autodiscovery for Compute Engine, GKE, and Cloud SQL to speed setup

​

Fixed

• Fix errors during data classification when JSON contains empty or null fields
• Fix SSH session logs missing resource details on startup

​

Changed

• Remove field-level encryption, simplifying setup and avoiding unused complexity

​

1.26.1

​

New

• Add AI-driven scenario monitoring for Kubernetes exec with risk scores, policy enforcement, and session-end audit logs
• Terminate Kubernetes exec sessions automatically when users become blocked

​

Fixed

• Fix typos in Kubernetes exec error messages for clearer troubleshooting

​

1.26.0

​

New

• Add secure satellite and policy data loader connections with certificate loading, on-demand issuance, and auto renewal

​

Changed

• Ensure columns are consistently ordered at runtime for predictable output

​

Fixed

• Fix missing resource technology in session listings

​

1.25.7

• Fixed a bug in the TLS certificate renewal process

​

1.25.6

• Streamlined TLS certificate handling at connector startup

​

1.25.5

• Fixed a bug that would prevent connector TLS certificates from being updated on renewal unless the connector is restarted

​

1.25.4

• Enabled satellite hostnames linked to a Connector to be configured from the Control Plane and read by the Connector
• Added ‘ConnectorName’ attribute for better tracking and logging during telemetry operations

​

1.25.3

• Removed a specific MongoDB configuration created for a legacy client, streamlining the process for connecting to DocDB with client-side options

​

1.25.1

• Introduced metrics to monitor opened, closed, and currently active connections, enhancing visibility into connection management for performance optimization and troubleshooting
• Implemented new metrics to monitor the number of received Control Plane pings, increasing observability of system interactions

• Fixed some errors with S3 authentication

​

1.25.0

• Regularly send connector instance heartbeat as a gauge metric via OpenTelemetry, bolstering real-time monitoring capabilities
• Default to starting up etcd without failing if the etcd cluster doesn’t come up

• Cleaned up configuration and feature flag storage

​

1.24.12

• Removed unnecessary quotes from table names when parsing SQL queries to make policies easier to write

​

1.24.11

• Moved classifier-related environment variables into the new formal_resource_classifier_configuration Control Plane objects

​

1.24.10

• Fixed column detection issues with parsing UNION statements with wildcards within Common Table Expressions (CTEs)

​

1.24.9

• Enhanced logging to include connector ID, improving traceability for debugging and monitoring purposes

​

1.24.8

• Resolved connection issues in the MySQL proxy that were caused by handshake problems with MariaDB

​

1.24.7

• Enabled automatic connection to the first task’s first container within a specified ECS service when no specific task or container is selected

• Simplified S3 connection establishment

​

1.24.6

• Resolved issue with Snowflake private key authentication for enhanced connection security

• Removed unused PII_SAMPLING_RATE ensuring cleaner code base and improved performance

• Included desktop app device trust keys in critical data load process for strengthened data security

​

1.24.5

• Improved robustness of desktop app device trust keys

​

1.24.4

• Improved logging around device trust signature verification errors

​

1.24.3

• Added stateless authentication support for Clickhouse

• Fixed the parsing of device info to ensure accurate timestamping in UTC

​

1.24.2

• Reduced wait time for PROXY protocol headers from 10 seconds to 200 milliseconds, enhancing performance and speeding up the handling of new connections

• Fixed MySQL column detection and data label matching for policies

​

1.24.1

• Implemented stateless authentication for Snowflake

​

1.24.0

• Introduced stateless JWT authentication for Kubernetes, PostgreSQL, HTTP, and SSH, enhancing security and streamlining user verification process

​

1.23.6

• Improved reliability for MySQL resources

​

1.23.2

• Enhanced MySQL error messages for better readability during the handshake process

​

1.23.1

• Added support for hashed token authentication for Postgres proxy, providing a new option for users facing length restrictions on database passwords

​

1.23.0

• Added support for SSH private key authentication to upstream, enhancing secure connection options

• Updated MySQL to utilize our unified SQL semantic analyzer, ensuring consistent behavior across databases
• Enabled port fields in resources to be updated for more flexible configurations

​

1.22.2

• Introduced a readiness endpoint for the connector (on health check port 8080 /ready), allowing it to signify when all listeners are initialized and ready to receive traffic

• Achieved consistency in logging and assertion libraries across the system, improving reliability of error logging

​

1.22.1

• Added support for handling Snowflake positional reference syntax in SQL queries
• Introduced capability to resolve Snowflake positional arguments based on actual column names from inventory
• Extended support for LATERAL queries, enabling more complex SQL queries that depend on preceding tables’ columns

• Resolved possible crash when retrieving outbound IP in telemetry, improving stability

• Streamlined MySQL TLS environment variables into a centralized TLS config
• Dropped ability of the connector to exit if a health check fails, boosting connector resilience

​

1.22.0

• Refactored log encryption configuration and improved encryption of exec streams (SSH, SSM, Kubernetes)

• Removed the ability to configure log encryption and encryption keys via environment variables; such configuration will need to be done via the Formal console or Terraform provider