5.13.0 Release Notes

.docsearch/config.json

@@ -8,7 +8,7 @@
         "version": [
           "docs",
           "4.0.x",
-          "5.12.0"
+          "5.13.0"
         ]
       }
     }

docs/.vuepress/navbar-menus/previous-versions.js

@@ -3,6 +3,9 @@ export default [
         text: 'Version 5.x',
         children: [
             {
+                text: "5.13.0",
+                link: "https://docs.rundeck.com/5.13.0/"
+            },            {
                 text: "5.12.0",
                 link: "https://docs.rundeck.com/5.12.0/"
             },

docs/.vuepress/notes.md.nj

@@ -69,11 +69,11 @@ Submit your own Pull Requests to get recognition here!
 ## Staff Contributors
 
 * Greg Schueler ([gschueler](https://github.com/gschueler))
-* Alexander Abarca ([alexander-variacode](https://github.com/alexander-variacode))
-* Alexander Grachtchouk ([mrdubr](https://github.com/mrdubr))
 * Carlos Eduardo ([carlosrfranco](https://github.com/carlosrfranco))
+* Eduardo Baltra ([edbaltra](https://github.com/edbaltra))
 * Forrest Evans ([fdevans](https://github.com/fdevans))
 * Jake Cohen ([jsboak](https://github.com/jsboak))
+* Jaya Singh ([jayas006](https://github.com/jayas006))
 * Jason Brooks ([jbrookspd](https://github.com/jbrookspd))
 * Jesus Osuna ([Jesus-Osuna-M](https://github.com/Jesus-Osuna-M))
 * José Vásquez ([hiawvp](https://github.com/hiawvp))

docs/.vuepress/notes.mjs

@@ -94,8 +94,8 @@ async function getRepoData(repo, includeLabels) {
     const contributors = {};
     const reporters = {};
 
-    for (const p of pulls) {'
-      if (excludeUsernames.includes(p.user.login)) continue;'
+    for (const p of pulls) {
+      if (excludeUsernames.includes(p.user.login)) continue;
       if (contributors[p.user.login]) continue;
       const user = await gh.users.getByUsername({ username: p.user.login });
       contributors[user.data.login] = user.data;

docs/.vuepress/setup.js

@@ -1,7 +1,7 @@
 import { BaseTransition } from "vue"
 
-const RUNDECK_VERSION='5.12.0'
-const RUNDECK_VERSION_FULL='5.12.0-SNAPSHOT'
+const RUNDECK_VERSION='5.13.0'
+const RUNDECK_VERSION_FULL='5.13.0-SNAPSHOT'
 const API_VERSION='52'
 const API_DEP_REL='6.0.0'
 const API_DEP_VER='17'

docs/.vuepress/sidebar-menus/administration.ts

@@ -230,7 +230,8 @@ export default [{
         '/administration/security/password-security',
         '/administration/security/ratelimiting',
         '/administration/security/blocklist',
-        '/administration/security/audit-trail'
+        '/administration/security/audit-trail',
+        '/administration/security/audit-stream-plugin'
       ]
     }
   ]

docs/administration/security/audit-stream-plugin.md

@@ -0,0 +1,203 @@
+# Audit Stream Plugin
+
+:::enterprise
+:::
+
+This plugin streams **Rundeck audit events** to external systems via secure, configurable webhooks. It's useful for sending specific event logs to tools like **Datadog**, **New Relic**, **Sumo Logic**, or custom endpoints.
+
+---
+
+## What It Does
+
+- Sends audit events as JSON via HTTP POST requests
+- Supports authentication methods required by major observability providers
+- Offers advanced filtering to control which events are sent
+- Can enrich payloads with contextual metadata (user, resource, request)
+
+---
+
+## Prerequisites
+
+- Rundeck version **4.17.0 or higher**
+- An external system that can receive and process HTTP webhooks
+- HTTPS endpoint access from the Rundeck server
+
+---
+
+## Supported Authentication Methods
+
+| Type        | Description                                                       |
+|-------------|-------------------------------------------------------------------|
+| `NONE`      | No authentication headers                                         |
+| `BEARER`    | Adds `Authorization: Bearer <token>` header                       |
+| `AZURE_SAS` | Sends a custom header (e.g. `x-functions-key`) with a token       |
+| `AWS_SIGV4` | Signs the request with AWS Signature V4 credentials               |
+
+---
+
+## Configuration Guide
+
+Access these properties via the System Configuration menu under Plugins → Audit Stream.
+
+### AWS API Gateway Example
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api-id.execute-api.us-west-2.amazonaws.com/prod/webhook
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=AWS_SIGV4
+framework.plugin.AuditEventListener.WebhookAuditListener.awsRegion=us-west-2
+framework.plugin.AuditEventListener.WebhookAuditListener.awsService=execute-api
+```
+- Optional: If you haven’t configured credentials in Rundeck’s Key Storage, you can set them here:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.awsAccessKey=<your-access-key>
+framework.plugin.AuditEventListener.WebhookAuditListener.awsSecretKey=<your-secret-key>
+```
+
+### Azure Function Example
+
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://<your-function-app>.azurewebsites.net/api/rundeckwebhook
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=AZURE_SAS
+framework.plugin.AuditEventListener.WebhookAuditListener.azureSasToken=<your-function-key>
+framework.plugin.AuditEventListener.WebhookAuditListener.azureHeaderName=x-functions-key
+```
+
+### Bearer Token Example
+
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api.example.com/secure-audit
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=BEARER
+framework.plugin.AuditEventListener.WebhookAuditListener.authToken=<your-bearer-token>
+```
+### Custom Headers Example (Datadog, New Relic, etc.)
+
+#### Datadog:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api.datadoghq.com/api/v2/events
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE
+framework.plugin.AuditEventListener.WebhookAuditListener.customHeaders=DD-API-KEY:your_api_key,DD-APPLICATION-KEY:your_app_key,Accept:application/json
+```
+
+
+#### New Relic:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://insights-collector.newrelic.com/v1/accounts/YOUR_ACCOUNT_ID/events
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE
+framework.plugin.AuditEventListener.WebhookAuditListener.customHeaders=X-Insert-Key:your_insert_key      //This key must have type: INGEST - LICENSE
+```
+> Ensure your insert key is of type INGEST – LICENSE
+
+
+
+#### No Authentication:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://internal.example.com/webhook
+framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE
+```
+
+
+### Event Filtering
+
+You can filter which audit events are sent by listing specific actionType values:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.includedEvents=run,create,login_success
+```
+
+#### Common `actionType` Values
+
+| Type            | Meaning                          |
+|-----------------|----------------------------------|
+| `run`           | Job or command executed          |
+| `create`        | Job or resource created          |
+| `update`        | Resource updated (e.g. job, ACL) |
+| `delete`        | Resource deleted                 |
+| `login_success` | User logged in                   |
+| `login_failed`  | Failed login attempt             |
+| `logout`        | User logged out                  |
+| `view`          | Resource viewed                  |
+
+---
+### Timeout
+
+You can configure the HTTP connection timeout (in seconds). The default is 30:
+
+```properties
+framework.plugin.AuditEventListener.WebhookAuditListener.timeout=20
+```
+
+## JSON Payload Format Sent to Webhook Endpoints
+
+The following are example JSON payloads sent by the plugin, formatted based on the destination provider (e.g., Datadog, New Relic, etc). These payloads can be used to test or validate integration.
+
+### Default (e.g. Azure, AWS, or custom)
+```json
+{
+  "timestamp": "2025-03-03T22:27:48.281Z",
+  "actionType": "CREATE",
+  "userInfo": {
+    "username": "admin",
+    "userRoles": ["admin", "user"]
+  },
+  "resourceInfo": {
+    "type": "job",
+    "name": "backup-database"
+  },
+  "requestInfo": {
+    "serverUUID": "550e8400-e29b-41d4-a716-446655440000",
+    "userAgent": "Mozilla/5.0..."
+  }
+}
+```
+
+### Datadog API v1
+```json
+{
+  "title": "Rundeck Audit Event: login_success",
+  "text": "{\"timestamp\":1746726668522,\"actionType\":\"login_success\",\"userInfo\":{\"username\":\"admin\",\"userRoles\":[\"admin\",\"user\"]},\"resourceInfo\":{\"type\":\"user\",\"name\":\"admin\"},\"requestInfo\":{\"serverUUID\":\"abc123\",\"userAgent\":\"Mozilla/5.0\"}}",
+  "alert_type": "info",
+  "tags": ["rundeck", "action:login_success"]
+}
+```
+
+### Datadog API v2
+```json
+{
+  "data": {
+    "type": "event",
+    "attributes": {
+      "title": "Rundeck Audit Event: login_success",
+      "text": "{\"timestamp\":1746726668522,\"actionType\":\"login_success\",\"userInfo\":{\"username\":\"admin\",\"userRoles\":[\"admin\",\"user\"]},\"resourceInfo\":{\"type\":\"user\",\"name\":\"admin\"},\"requestInfo\":{\"serverUUID\":\"abc123\",\"userAgent\":\"Mozilla/5.0\"}}",
+      "alert_type": "info",
+      "tags": ["rundeck", "action:login_success"]
+    }
+  }
+}
+```
+
+### New Relic
+```json
+{
+  "eventType": "RundeckAuditStreamPlugin",
+  "timestamp": 1746726668522,
+  "actionType": "login_success",
+  "userInfo.username": "admin",
+  "userInfo.userRoles": ["admin", "user"],
+  "resourceInfo.type": "user",
+  "resourceInfo.name": "admin",
+  "requestInfo.serverUUID": "abc123",
+  "requestInfo.userAgent": "Mozilla/5.0"
+}
+```
+
+
+## Troubleshooting Tips
+
+- Check that your webhook endpoint is reachable from the Rundeck host.
+- If using AWS SIGV4, make sure the IAM role or access keys have permissions.

docs/history/5_x/version-5.13.0.md

@@ -0,0 +1,121 @@
+---
+
+title: "5.13.0 Release Notes"
+date: 2025-06-25
+image: /images/chevron-logo-red-on-white.png
+description: "Rundeck | Runbook Automation Releases 5.13.0 - New Job Metrics and ROI Graphs"
+feed:
+ enable: true
+ description: "New Job Metrics and ROI Graphs"
+
+---
+
+# 5.13.0 Release Notes
+
+## Overview
+
+
+::: danger Important Security Update
+
+:::
+A security vulnerability was identified and patched in the Enterprise Runner component where certain password patterns containing regex special characters (particularly multiple '+' characters) could bypass the password masking mechanism, potentially exposing sensitive information in error logs. This issue affected Enterprise Runner versions used with Process Automation 4.14.0 through 5.12.0, but did not impact Open Source Rundeck or the Process Automation server itself. The vulnerability has been remediated in version 5.13.0, which includes fixes in both the server and runner components to prevent exposure of secrets containing regex special characters. *Process Automation Self Hosted customers should upgrade both their server and all Enterprise Runners* to version 5.13.0 or later for complete remediation.  Process Automation SaaS servers are already updated, customers should proceed directly to upgrading all their Enterprise Runners.
+
+[Full details on this page](/history/cves/2025-06-runner-security.md)
+
+### Job Metrics
+The Job Metrics plugin provides comprehensive visualization and analysis of your Rundeck job execution patterns, success rates, and timing trends through an intuitive dashboard interface.
+
+![Job Metrics Example](/assets/img/relnotes-5130-alljobs.png)<br>
+
+![Job Metrics Job Data](/assets/img/relnotes-5130-jobdata.png)<br>
+
+### ROI Metrics
+
+The ROI Summary plugin brings your automation's financial impact to life through intuitive visualizations and real-time calculations, helping teams quantify and demonstrate the value of their automation initiatives.
+
+![Job Metrics Example](/assets/img/relnotes-5130-roisummary.png)<br>
+
+![Job Metrics Job Data](/assets/img/relnotes-5130-roijob.png)<br>
+
+
+### Webhook Audit Listener
+
+The [Webhook Audit Listener plugin](/administration/security/audit-stream-plugin.md) enables real-time streaming of Rundeck audit events to external systems through configurable webhook endpoints. This allows teams to integrate Rundeck’s audit trail with external monitoring, logging, or security platforms.
+
+## Runbook Automation Updates
+
+> Also includes all Open Source updates from below
+
+### Additional Updates
+
+
+* Add new UI for Job Metrics and ROI Metrics graphs
+* Fix: Ansible Model Sources return host vars data in key=value format when &quot;Gather Facts&quot; is set to &quot;no&quot;
+* Fix: Webhook events don&#39;t get deleted properly from DB
+* Update vault-storage plugin version to 1.3.14 for CVE-2019-17571
+* Add MongoDB Node Step to allow Runner functionality
+
+
+## Rundeck Open Source Product Updates
+
+* [Added new ansible-plugin release](https://github.com/rundeck/rundeck/pull/9675)
+* [Fix: DELETE query type for stored events is ignored](https://github.com/rundeck/rundeck/pull/9668)
+* [Update multiline-regex-datacapture-filter plugin to 1.1.2 for CVE-2019-17571](https://github.com/rundeck/rundeck/pull/9664)
+* [Allow Audit Events Plugins to refresh config](https://github.com/rundeck/rundeck/pull/9658)
+* [Upgrade Gradle to 7.6.2](https://github.com/rundeck/rundeck/pull/9657)
+* [Upgrade asset-pipeline-grails lib version to 3.4.7](https://github.com/rundeck/rundeck/pull/9656)
+* [upgrade go](https://github.com/rundeck/rundeck/pull/9652)
+* [Fix/Add 72-char limit for BCRYPT passwords to address CVE-2025-22228](https://github.com/rundeck/rundeck/pull/9651)
+* [Upgrade sshj plugin version for Security Fixes](https://github.com/rundeck/rundeck/pull/9649)
+* [Update attribute match plugin to 0.2.1](https://github.com/rundeck/rundeck/pull/9648)
+* [fix: blank string value for &quot;Options&quot; property type causes Exception](https://github.com/rundeck/rundeck/pull/9647)
+* [Add project name to params to get plugin details](https://github.com/rundeck/rundeck/pull/9636)
+* [Add autocomplete behavior to inputs and scripts](https://github.com/rundeck/rundeck/pull/9632)
+* [NextUI: Add job activity list menu action ](https://github.com/rundeck/rundeck/pull/9615)
+* [Upgrade selenium version to 4.31.0](https://github.com/rundeck/rundeck/pull/9323)
+
+
+[Here is a link to the full list of public PRs](https://github.com/rundeck/rundeck/pulls?q=is%3Apr+milestone%3A5.13.0+is%3Aclosed)
+
+## Ansible Plugin Updates
+* [Fix: Ansible Model Sources return host vars data in key=value format when &quot;Gather Facts&quot; is set to &quot;no&quot;](https://github.com/rundeck-plugins/ansible-plugin/pull/411)
+
+
+## Links
+
+- Download the Releases: [Open Source](https://www.rundeck.com/community-downloads/5.13.0) | [Self-Hosted](https://www.rundeck.com/enterprise-downloads/5.13.0)
+- [Sign up for Release Notes](https://www.rundeck.com/release-notes-signup)
+- [Upgrade instructions](/upgrading/index.md)
+- [Catch us on LinkedIn for the Live Stream Release Videos](https://www.linkedin.com/company/pagerduty/events)
+
+## Version Info
+
+Name: <span style="color: red"><span class="glyphicon glyphicon-headphones"></span> "Kirkjufell red headphones"</span>
+
+Release Date: June 25th, 2025
+
+
+## Community Contributors
+
+Submit your own Pull Requests to get recognition here!
+
+* Rui Melo Amaro ([rmeloamaro](https://github.com/rmeloamaro))
+
+
+## Staff Contributors
+
+* Greg Schueler ([gschueler](https://github.com/gschueler))
+* Alexander Abarca ([alexander-variacode](https://github.com/alexander-variacode))
+* Alexander Grachtchouk ([mrdubr](https://github.com/mrdubr))
+* Carlos Eduardo ([carlosrfranco](https://github.com/carlosrfranco))
+* Eduardo Baltra ([edbaltra](https://github.com/edbaltra))
+* Forrest Evans ([fdevans](https://github.com/fdevans))
+* Jake Cohen ([jsboak](https://github.com/jsboak))
+* Jaya Singh ([jayas006](https://github.com/jayas006))
+* Julianna Green ([juliannagreen1](https://github.com/juliannagreen1))
+* Jason Brooks ([jbrookspd](https://github.com/jbrookspd))
+* Jesus Osuna ([Jesus-Osuna-M](https://github.com/Jesus-Osuna-M))
+* José Vásquez ([hiawvp](https://github.com/hiawvp))
+* Luis Toledo ([ltamaster](https://github.com/ltamaster))
+* Rodrigo Navarro ([ronaveva](https://github.com/ronaveva))
+* Sarah Martinelli Benedetti ([smartinellibenedetti](https://github.com/smartinellibenedetti))