cerbos

Secrets & Credentials

An authorization layer that lets you define context‑aware access control rules in YAML policies, managed via Git‑ops.

Go · Latest v0.53.0 · 29d ago

Features

  • Define fine‑grained, context‑aware access rules using simple YAML policies
  • Deploy and manage policies via Git‑ops infrastructure (disk, cloud storage, git, databases)
  • Highly available Policy Decision Point (PDP) APIs for resource checks and planning
  • Supports both RBAC and attribute‑based (ABAC) conditions with dynamic context data
  • Runs as a Kubernetes service/sidecar, systemd daemon, or serverless function

Recent releases

v0.53.0 Bug fix

Fix planner bug where OVERRIDE_PARENT was ignored for parent DENY rules.

Full changelog

Cerbos 0.53.0

View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.53.0.html

Changelog

  • 93a75a6b6279b64ca944db732e66a19978947eba Add Helm release workflow and bump chart version to 0.52.1 (#3133)
  • 218ea228ca2c4f85f36ac95f5bbbe228f2fc3d87 Add v0.53.0 release notes (#3143)
  • 81ab26ea4ed75d2079dd5ccc6595ec4bef2ecde2 Fix rendering of wildcard characters (#3140)
  • 77974a7f11e9895a0b64273f2fd4751cb0959c84 Migrate to cerbos/actions (#3120)
  • 2e8e054b0c4852ca1c95aa3d94a1aec7cd4a5486 Move Helm release to its own workflow (#3135)
  • 7cd3152b94baf2476a1eebddbbcef6e41c0f4b0e Move path functions documentation to correct place (#3139)
  • d72ef61a7496f5999cea6ed63b097817a528eee2 Remove JWT verification cache (#3138)
  • 5028a6fc2206df6db45928f78ca3e139fbf18d35 Remove voxmedia/github-action-slack-notify-build (#3129)
  • ccc98e9d4cdb1df6761363543768a9cc4901fe79 Remove incorrect default tag value from Helm chart (#3131)
  • ea252b9eee4398e59f2c9134368c2245bc7deb03 Set Content-Type to application/x-ndjson on streaming responses (#3130)
  • cc293e263537004f039613864834e3be1e4d1757 Update GitHub Actions deps (#3124)
  • 2261983bf013febb1915907b0845eb592dfa13c9 Update cerbos/actions to bb55708 (#3142)
  • 51ab84367911dd1c668510c38d4b3d55f33a83b9 Update to github.com/ory/dockertest/v4 (#3136)
  • 78d494cab93cf3e3723da18d5390bf9222593560 chore(release): Prepare release 0.53.0
  • 47b23a4471c76534183e7104ca08365801a889f2 chore(version): Bump version to 0.53.0
  • c1d70c946227cf63cd56d605f5f1b1fd6742d42b fix planner ignoring OVERRIDE_PARENT for parent DENYs (#3137)
v0.52.0 Breaking risk
Breaking changes
  • Breaking changes to OpenTelemetry support
  • Removal of default auxData.jwt.disableVerification configuration value
Notable features
  • Permissions advisor workflow
  • Path functions added to Cerbos CEL library
  • TraceBatch format for compact trace representation
Full changelog

Cerbos 0.52.0

View the full release notes at https://docs.cerbos.dev/cerbos/latest/releases/v0.52.0.html

Changelog

  • 2812325c18db5365932a12f3b480096af8485660 Add 0.52.0 release notes (#3127)
  • 3f8cfc35b17e91d249f5c6671533519d0ed6f478 Add TraceBatch format for compact trace representation (#2945)
  • 9a8ceb5a3055098aa45a948309d13d9c06547429 Add ability to save Hub credentials (#3067)
  • 78fec1dfdb1e72955dd25468ff1ff1e3f7a18cd5 Add build constraints (#2979)
  • 6e74c625b86f9e1c7027907a7119931a58156f2f Add changelog entry for breaking OpenTelemetry changes (#2954)
  • d7eefbee8a0e9ee2e8aa30f53242790dd93c80b7 Add pages/recipes for common questions (#3106)
  • 9fb62a22a767db533cf84d95a2ccb3200289198d Add path functions to Cerbos CEL library (#3039)
  • f3f464b6244f3b53b67043976ea7febd2d1068e5 Add permissions advisor workflow (#3007)
  • ad8d242efa3a70e28cd8bd01a236e627cd4cfa5d Add siteline to docs (#3093)
  • b9dc7e1ba668efbfec148e64d1dedde33cd5fc7a Add tracer.TracesToBatch (#2958)
  • de243ba883cc2a7d5e380a1c03f5d1052ea8a58a Add verify.BundleStream (#2944)
  • f8a102074c9b7780be20214a617d814018890009 Additional repository statistics (#3025)
  • 681bcf862124b7480ef768768c8d64b99ed11e76 Avoid compiling constant expressions at runtime (#3005)
  • cbfb1b31ba164a64fc1a977c21af3e4292c45ac5 Avoid round-tripping attributes to JSON for schema validation (#3000)
  • f0e0df785d99142b7aaddd9ef51dfa12f46aa60a Bump brace-expansion from 2.0.2 to 2.0.3 in /npm/test/registry (#3062)
  • 74fa896481b1a48a4b72fff75df817472d610d0d Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#2975)
  • a3f8d30fe96ceb1e9eadff49f6fe6c3744c5165b Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.4 to 1.97.3 in /tools (#3083)
  • a02dfd0077a985bd9f600f33a565b19f2895f1a7 Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.97.1 to 1.97.3 (#3082)
  • dce46324d425a3d3976c08995ac505cae05be110 Bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 in /tools (#3054)
  • 489656f26f5d782dc60b2736635b9cb11c7e0858 Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#2980)
  • bf6e74a62fd2e6c45e44db679447fddc5896b7f9 Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /hack/tools/changelog (#2981)
  • 96b53c00b9f7af82bdbb273383f404e38cd773bc Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /tools (#2987)
  • 04960ce3fa2b05e78bd6f622a2fa09d59f6f811f Bump github.com/docker/cli from 27.4.1+incompatible to 29.2.0+incompatible (#3004)
  • a78b47a8f9e310155e531f9d2c8b62b6408ae332 Bump github.com/go-git/go-git/v5 from 5.17.0 to 5.17.1 in /hack/tools/changelog (#3070)
  • 8d29a2fc68be8e19e2e517a658a7cc19191fb21b Bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 in /tools (#3109)
  • 10d8886ed2064e582c4547addf584094f763a487 Bump github.com/go-git/go-git/v6 from 6.0.0-alpha.1 to 6.0.0-alpha.2 in /hack/tools/changelog (#3113)
  • f1706ddf94c89806e0f571716c797c210d6a2ce8 Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#3072)
  • 9d61b19af03da9c59de561dd41008c73a0108b51 Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /hack/loadtest (#3073)
  • e9bbc5e19f0b78433934cc7b40e3ef41bac882d9 Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /tools (#3074)
  • 35fd059df1b80f385c6110f1856a81df90bf02d0 Bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 (#3118)
  • d4cd21c5e7d88f1338fa4e1fe265bbd39cb5384b Bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 in /tools (#3104)
  • 6febdf3221f7990ad44a747472c11412c27a605d Bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /api/genpb (#3121)
  • ebe00a5b24e50c19c99b35e03a51692e8979e825 Bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /hack/loadtest (#3126)
  • 6071f594e0fee25d5b26cc4618fd329e5f6e09b8 Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 in /tools (#2986)
  • 73c754d9aebb733bf0f4d4c79b5bc88a2ba5d721 Bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in /tools (#3097)
  • 52a9526ba6aba4d9fc1adcf83fa15d5a3fe670f2 Bump golang.org/x/net to 0.51.0 (#2985)
  • d99d182309287fc72684fac0fe828688d03f9024 Bump google.golang.org/grpc from 1.78.0 to 1.79.3 in /hack/loadtest (#3043)
  • d435c7d8b5442041676219b4a53fb2aa5c8c7964 Bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /tools (#3045)
  • 079bd8fbbedb53eacd78acbb96a338496d9d90f8 Bump google.golang.org/grpc from 1.79.2 to 1.79.3 in /api/genpb (#3044)
  • fdad5977692669a35d746d746e2a0108ddea0989 Bump helm.sh/helm/v3 from 3.20.0 to 3.20.2 in /tools (#3096)
  • 615ac4a439e93dd6a9832b9dfd814b709f098acc Bump lodash and verdaccio in /npm/test/registry (#3077)
  • 6040d04af8b98468012dffb9ffe7002e9ab5e5a6 Bump path-to-regexp from 0.1.12 to 0.1.13 in /npm/test/registry (#3066)
  • b751856cc396562b0c552d91679f1a25657734bb Custom bitmap (#3071)
  • a72c2c3a505e677232bf5f2c257cb8f626f70f19 Dependency pruning (#3027)
  • 56b7ae5feeaeb12d7158096dae4119db53af8411 Don't re-run E2E failed tests (#3037)
  • 024e80776852c1cdf6f513cc1d2726807587aa2b Downgrade go-git to v5.16.5 (#3022)
  • abdcd1eab32b030629a175c3917b1aff0ec78342 Downgrade go-git to v5.16.5 (#3035)
  • ef3093eb72d44ef7171c2c92450c813a1459f700 Downgrade go-git to v5.16.5 (#3055)
  • 8df25a2de39f36ba924e6a49d3ccd5f172a02b7a Embedded mode awareness (#2964)
  • 8dce85f99994882bde4de88c73536ab6ea74784c Fix Seaweedfs Helm chart version to 4.0.413 (#3017)
  • 1ce5020697e5214c3c9d854b9810f89a79decced Fix change detection in PR workflow (#3014)
  • f39311c6f0312d79817a3301fdac14eca8765110 Fix git cloning issue (#3116)
  • 0b1e79833d2523fd7209ae64c9d0f5da68ce891a Fix issues with the directory watch system (#3061)
  • ceb3058d98b22b4f750fe258909d8ebb41770852 Fix return keys in ListKeys (#2965)
  • 1b3961bab872a8407f9bad90c39e18a0d8667416 Fix test case indentation (#3024)
  • 34670e0faa48804fae413611a30134b022683afa GitHub Actions hardening (#3002)
  • 2b2f914ebf544b60bcc28fe6fafe16070af62eed Import protobuf annotations conditionally (#3084)
  • 2f61f8cf943221cb4739bfc8f631ae108a9457c3 Index parent role ancestors in backends (#2974)
  • 66560899caa15d06c212b2001b9bc5cbe5eb6775 Integrate Synapse docs (#3056)
  • 85e7f0505866cc4948c245ade1c7eae27c20c3a7 Lay groundwork for lazily-evaluated variables (#3038)
  • becde8d5ce1c86ce5e3f6cb50ddc9b1837295f6d Loadtest switch to ghz (#2982)
  • b11ffb30dc22284d0b548d1394d5bf823621d40a Lock file maintenance (#2995)
  • fb2c67cb005b5167e065f4ecd79b4f579ad9a187 Lock file maintenance Node.js deps (#2961)
  • 48fd135bf8442784e663fcaa8e90a664b3bc87f7 Make context optional for Authzen batch requests (#3115)
  • 7392ddeeca196348a666417df70c4ca09be4a819 Move synapse docs to own repo (#3059)
  • 9150c2655c286399f13491a7a54c1b63b2a0bd58 Move variable identifier check (#2983)
  • dc0e29b0b1b4ac855f8bff38ede265ef0b2904ed Omit index serialization functions from EPDP builds (#3114)
  • 49f8bbf48be275121de7cbcdf7d5d2df974f293d Optimize repository statistics (#3029)
  • 143bfe0e4e61de020c214fd4d58f0b185b06b7b6 Pin dependencies (#3064)
  • 3de054a3838129951741ed4df2d7e3a1a6ed452d Pin ghcr.io/cerbos/cerbos Docker tag to 8d35a64 (#3075)
  • 98c3b50e39227168c20055a4d467ebad5fa67e05 Policy stats for Hub (#2998)
  • 6ff21cfc888579c9666593bcde332e88b063e875 Pool bitmaps (#3057)
  • d47194d91c39babb4e9fc6dde40f4b42884ba36e Record store version information such as commit hash or bundle ID in audit log entries (#3094)
  • f63e56ca333530aa56b7cbab73e7feb97ae1b483 Reduce timestamp precision in test case (#3026)
  • 5c99432eb9781a3e2dfd08e7d254233f37362904 Refine ruletable index types (#2959)
  • ddae41bdeabe999075914bf72719b9a677c49059 Remove protovalidate dependency from engine (#3006)
  • af89e7eeb9461733ccf09391d60d09692fa04ed6 Remove bitmap stats logging (#3086)
  • 08eddd2b363a31e47b7836d9025d0c74936450a0 Remove deployment ID from Hub telemetry (#3003)
  • 2b01c492f519861c1fd47c6c4170542545fb26de Remove module github.com/google/go-licenses (#2951)
  • 438342bde3dca48bfd3c72878dd812df7ddc659b Remove the default auxData.jwt.disableVerification configuration value (#3036)
  • 599305d067e18757e189ed4dfa8b55c6f25bfe34 Remove unused protobuf imports (#3010)
  • 198c8260d816c95ddba84c8abe4ce61abe2c9009 Replace MinIO with SeaweedFS (#2976)
  • dad0699f77d8f1f32dc105e736d2617ab07c2852 Restrict permissions of workflows (#3013)
  • 33eac710bd1a4ef6f31f8de31491e2c9f5221024 Revert "Avoid compiling constant expressions at runtime" (#3009)
  • 0494bff810b0df3d2e966c4aa33d5509150edcf1 Revert api/genpb to Go 1.25 (#2999)
  • 43ddff3433621439d5e303107c2226e34c32ffae Revert to Go 1.25 (#3001)
  • 144aed988dc437812d1eac67fe18e9cc91316105 Roaring bitmaps (#3041)
  • eec060f22e27385c11e558f56ac90953ace53028 Ruletable bundles support for local source (#3028)
  • 457a2a5196bac5f58df44e032dc6bc6eedf9805a Serializable bitmap index (#3095)
  • b413925ac697c6a86d3fa79049f946f45ac2c7d1 Traces to TraceBatch benchmark clean-up (#2949)
  • edb57a7089b761a0e335e8f72205739131471327 Update E2E workflow to run selected tests (#3011)
  • 660dfc7a32b285787514e43a6bb601197338492b Update GitHub Actions deps (#2947)
  • 9e24f892abdb4796662076adc906f5972fc7fdfe Update GitHub Actions deps (#2977)
  • ee57194261d1f20eb82d203fd751ae5b29cc67d8 Update GitHub Actions deps (#2989)
  • c898be67d2de311917d66104aa138581cf60b7ba Update GitHub Actions deps (#3015)
  • ece7d5274d0506d7fc88a39fc4a97302e9bb8a6c Update GitHub Actions deps (#3031)
  • 53df0dafbce2013bf2f46051b34775be248532fb Update GitHub Actions deps (#3047)
  • 43fdbe1857b24f436454bb8cec6e2ddd37b6a850 Update GitHub Actions deps (#3065)
  • 47cb447604eda031f726a72866168d2e20cd9249 Update GitHub Actions deps (#3099)
  • 6b93e503aba018b605c70cf33ebc76212ced7dc2 Update GitHub Actions deps (#3111)
  • 39d2b6986d6974c0bbda9642aabae88d49484c38 Update GitHub Actions deps to v4 (major) (#3020)
  • f4a5c49a5545c1d4744d1e7a3700564280742599 Update GitHub Actions deps to v4 (major) (#3052)
  • 9e613617ae1f515518cdbbe4332ea9b2d0b26475 Update GitHub Actions deps to v7 (major) (#3021)
  • decefeab272dedca0dead54f3c756756da942fed Update Go deps (#2939)
  • c477f194b47c1a4dea2c8712d2a92b0a2963ccd2 Update Go deps (#2952)
  • 57e2aef83ed85321d2bfdf1106020b016f76a76f Update Go deps (#2970)
  • 5aa3bf6b71ce1de6348de0855fa146caac4438f9 Update Go deps (#2978)
  • ad2e43d7bbfc532ed5f07de055c14ca0f321eaa5 Update Go deps (#2988)
  • 5389866c90586662ae4658578b80018d1542f36f Update Go deps (#2994)
  • b2546f3140d824456d89b0a4c5e28c123221d7a4 Update Go deps (#3012)
  • e1de91ed7591202813096696b1385811feff81df Update Go deps (#3016)
  • ba4b41ac441cf8dd8eaf1b79045c20793a9e5e8a Update Go deps (#3032)
  • 08ea4c392c2fa8a9f56adb443515cc6f17f9141e Update Go deps (#3048)
  • 01c71a188a5bab7e42f109a9d42a105143c65f48 Update Go deps (#3100)
  • a2b197023f60c294a19f2e498d1180f5406e9a7a Update Go deps (#3112)
  • d238a0195180096f704a9d2be52f74f432150320 Update Go deps (#3122)
  • 81ca129ffe40d97771187abea60c9a92361c11f6 Update Helm release seaweedfs to v4.16.0 (#3034)
  • 97918e6b353b2dbeda92f845d15920baf4b6d6c0 Update Helm release seaweedfs to v4.17.0 (#3050)
  • 006766bd368f4e4e4e6aaa7d2c6e420cb1ad8e4b Update Helm release seaweedfs to v4.21.0 (#3125)
  • 01d4e38675e11b7b0d4b19b43bf247a8e83acc75 Update Node.js deps (#2971)
  • 767e0236f3083d94f210d790f7269dd1571cf476 Update Node.js deps (#2990)
  • d13c8b872c525fd1fec463eb6e806a8004078ad2 Update Node.js deps (#3018)
  • 420a9ab8c4a8014ec809fb179a51ab58633e65a0 Update Node.js deps (#3033)
  • d950e89088c2a6b267191d01dae2b5483b868485 Update Node.js deps (#3049)
  • 4ddd76f167d7976332623fb95decefc3cd5aee10 Update Node.js deps (#3076)
  • cb5625d9d8eb780be9c440acaf13a7a43d313029 Update Node.js deps (#3123)
  • 558d393b3050b6bff8476dca890b17583de21278 Update actions/download-artifact action to v8 (#2991)
  • f122b270e77917eddc5ccb3bf70c1fd105bc197a Update aws-actions/configure-aws-credentials action to v6 (#2960)
  • 8a581892b90ec037d8c75ccf7d07a88b8a991163 Update buf to v1.65.0 and fix protobuf errors (#2946)
  • 86589a120ad400a69cf2e4f08bf5c77bceacc2e4 Update dawidd6/action-download-artifact action to v13 (#2948)
  • 3d86c2724fc93f8f9520daf38d376ce53dfd2949 Update dawidd6/action-download-artifact action to v14 (#2950)
  • aef6dc18d787cf979aaf7507aae21dfbe1127dba Update dawidd6/action-download-artifact action to v15 (#2993)
  • 37abb110f482567cd5395d045663fc561fa555b7 Update dawidd6/action-download-artifact action to v16 (#3019)
  • e4397df20e2d2b4f6a89a0fc604ae5453c2d442a Update dawidd6/action-download-artifact action to v19 (#3051)
  • 5334a18c658b8a5c8ccf0e6e677b996bd1db133c Update dependency go to 1.26.x (#2972)
  • dd6a0f03dd7b0ebda3a7d95ea1b8bc121140f3ca Update github.com/cerbos/cerbos/api/genpb digest to 767e023 (#2992)
  • dd43f4eb3c480a082188a754eaae2a8e325b43a7 Update github/codeql-action action to v4.32.2 (#2969)
  • 2c265953a8328ad1215f032c5eba52cdf07e7677 Update go-git to v6.0.0-alpha.1 (#3078)
  • 8287989750deede0db51402e5739cf0ae4d5e454 Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (#2957)
  • 7cd559731483f8ce71405deb7535fa6f61fe0ecb Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#3069)
  • 29366a1adc6cd84af3907efb364c88db8d593604 Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] (#3089)
  • 531210e105e2fab51f8e6ed8d11272de82965515 Update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [SECURITY] (#3090)
  • 73b06dbad61b7882cd024a2796336e17dddde25e Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (#3098)
  • f48a7ee1033bc1d3a893ee61e1f97d6f3c60c5ab Update tablewriter and migrate (#2967)
  • 2c76ee88888720c89219a5e078ed8f424d251914 Update to [email protected] (#3107)
  • 5b346b5d9d66763529d92e6fd9aea7649f515305 Use TraceBatch in test results (#2968)
  • 6f896ceb808e02b01e15d5a4aaf3b194193db149 Use a better link for OpenTelemetry changelog (#2962)
  • 63fd0ef022cea77393d5561ac9bdaab422cefe79 add QueryMulti with optional role-policy deny synthesis (#3117)
  • 9ea380befd74b22252c9c60dcc2fe6daba04e894 build(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 in /tools (#2966)
  • 687446ba01d4cf70c264ddcf9e93120b6789832b chore(release): Prepare release 0.52.0
  • 881253636f8f376311794a2f1def79d31141389e chore(version): Bump version to 0.52.0
  • e2c49f02a753defdd20ad618da9c1f0ee0e3253a docs: Add Synapse header link (#3060)
  • 6f6abbfc07d1640fa24ecc15f690432d773d78f7 docs: Add agent skill link to policies nav (#3105)
  • e28107f8d907624a454aaca6ba618fc446bcdeca docs: Add clarifying note about decision precedence between roles (#2997)
  • f166a6dd503b6a7b0908fd0a9cf3adc6de68b970 docs: Remove Rudderstack reference from telemetry docs (#3042)
  • b9fcf227f40e71ddc8328306f37b8d5cc0180e33 docs: Update siteline edge function (#3103)
  • 2eaa60af7cbc718232f25c9830fbbe6ceb364eea docs: clarify role policies require resource policies (#3085)
v0.51.0 New feature
Breaking changes
  • Removed cerbos.runtime.v1.Expr.checked_v2 field
  • DeletePolicy RPC method changed from DELETE to DisablePolicy
Notable features
  • Contextual information attachment to requests
  • Test filter to run selected tests
  • Worker count configuration for Verify call

About

  • Stars: 4,436
  • Forks: 191
  • Languages: Go, Shell, Go Template
  • Downloads/week: 47 (↓51%)
  • NPM Maintainers: 2
  • Contributors: 33
