New Release

What's New in v1.1

Posture Score, Agent Mode, Keyless Auth, and Email Notifications

April 24, 2026

Version 1.1 is our biggest release since launch. It introduces a severity-weighted posture score that replaces the old pass/fail percentage, a new agent subcommand for running audits in your own infrastructure, keyless authentication for GCE and Workload Identity Federation, and a complete email notification system. Here is everything that changed.

Posture Score & Grades

The old pass rate was a simple ratio: checks passed divided by total checks. It treated a failed MFA enforcement check the same as a failed label naming convention check. That made the number misleading — a tenant could show 92% with critical gaps in admin security.

The new posture score is a severity-weighted value between 0 and 100. Each failed finding carries a penalty equal to the square of its severity weight: critical findings have a weight of 8 (penalty 64), high a weight of 4 (penalty 16), medium a weight of 2 (penalty 4), and low a weight of 1 (penalty 1). A finding with WARN status counts as half a failure and applies 0.5x its normal penalty. Inventory checks (those marked scored=false) are excluded from the calculation entirely.

The score maps to a letter grade with fixed thresholds: A for 90 and above, B for 80–89, C for 70–79, D for 50–69, and F for anything below 50. The grade appears everywhere posture matters: the overview dashboard gauge, the scan history list, compliance framework summaries, trend charts, integration webhook payloads, and email notifications.

Grade Thresholds

A: 90 and above
B: 80 to 89
C: 70 to 79
D: 50 to 69
F: below 50

This means a single unresolved critical finding — like domain-wide delegation to an unreviewed service account — can drop your grade from A to C. That visibility is intentional. The old percentage masked risk; the new score surfaces it.

Agent Mode

Until now, running an audit through Argus Cloud meant uploading a service account key to the console, where the worker would use it to call Google Admin SDK APIs. That works, but some organizations have policies that prohibit sharing service account credentials with third-party platforms. Agent mode solves this.

The new gws-auditor agent subcommand runs the full audit locally — on a GCE VM, in a GitHub Actions runner, or on any machine with valid Google credentials. When the audit completes, the agent pushes the results to the Argus console via a tenant-scoped API key. The console stores the findings, computes the posture score, and sends notifications exactly as if it had run the scan itself.

# GCE VM with attached service account
gws-auditor agent --auth-method gce --subject admin@company.com --api-key ask_xxxxx

# GitHub Actions with Workload Identity Federation
gws-auditor agent --auth-method workload_identity --subject admin@company.com --api-key $ARGUSSEC_API_KEY

# Or use a config file for all settings
# config.yaml
auth:
  method: gce
  subject: admin@company.com
agent:
  api_key: ask_xxxxx

CI/CD Exit Codes

The agent exits with code 0 when all checks pass, 1 when there are failures, and 2 when critical failures are found. Use these in your CI/CD pipeline to gate deployments or flag configuration drift.
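The scoring model from the Posture Score section and the exit-code contract above, worked through in code. This is an added example, not code from gws-auditor or the Argus console. The weights (8/4/2/1), the squared penalty, WARN as half a failure, the exclusion of scored=false inventory checks, the grade thresholds and the exit codes are taken from these release notes; the normalisation (accumulated penalty divided by the penalty the suite would carry if every scored check failed, mapped onto 0 to 100), the treatment of WARN as "not passing" for the exit code, and the check ids in the sample suite are assumptions made here.

```python
"""Severity-weighted posture score, letter grade and agent exit code.

Added example, not code from gws-auditor or the Argus console. Taken from
the release notes: weights 8/4/2/1, penalty = weight squared, WARN counts
as half a failure, scored=false inventory checks are excluded, grade
thresholds 90/80/70/50, exit codes 0/1/2. Assumed, because the notes do
not state it: the accumulated penalty is normalised against the penalty
the suite would carry if every scored check failed, then mapped to 0-100.
"""
from dataclasses import dataclass
from fractions import Fraction

SEVERITY_WEIGHT = {"critical": 8, "high": 4, "medium": 2, "low": 1}
# WARN applies 0.5x the normal penalty; PASS applies none.
STATUS_FACTOR = {"PASS": Fraction(0), "WARN": Fraction(1, 2), "FAIL": Fraction(1)}
GRADE_THRESHOLDS = ((90, "A"), (80, "B"), (70, "C"), (50, "D"))


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str        # critical | high | medium | low
    status: str          # PASS | WARN | FAIL
    scored: bool = True  # False marks an inventory check


def penalty(f: Finding) -> Fraction:
    """Penalty one finding contributes: weight^2 scaled by its status."""
    return SEVERITY_WEIGHT[f.severity] ** 2 * STATUS_FACTOR[f.status]


def posture_score(findings) -> float:
    """0-100 score; 100 when nothing scored fails, 0 when everything does."""
    scored = [f for f in findings if f.scored]
    if not scored:
        return 100.0
    worst_case = sum(Fraction(SEVERITY_WEIGHT[f.severity] ** 2) for f in scored)
    actual = sum(penalty(f) for f in scored)
    return round(float(100 * (1 - actual / worst_case)), 1)


def grade(score: float) -> str:
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "F"


def exit_code(findings) -> int:
    """Agent exit-code contract: 2 critical failure, 1 other non-pass, 0 clean.
    Assumed: WARN is treated as "not passing" (exit 1) and inventory checks
    are ignored; the notes do not spell either out."""
    scored = [f for f in findings if f.scored]
    if any(f.status == "FAIL" and f.severity == "critical" for f in scored):
        return 2
    if any(f.status != "PASS" for f in scored):
        return 1
    return 0


def sample_suite(overrides=None):
    """Constructed suite (not real check ids): 2 critical, 6 high, 6 medium
    and 8 low scored checks, worst case 2*64 + 6*16 + 6*4 + 8*1 = 256, plus
    one unscored inventory check. `overrides` maps check_id -> status."""
    overrides = overrides or {}
    suite = []
    for sev, n in (("critical", 2), ("high", 6), ("medium", 6), ("low", 8)):
        for i in range(n):
            cid = f"{sev}-{i}"
            suite.append(Finding(cid, sev, overrides.get(cid, "PASS")))
    suite.append(Finding("inventory-0", "critical",
                         overrides.get("inventory-0", "PASS"), scored=False))
    return suite


def evaluate(findings):
    """Score, grade and exit code together, the way a CI step would use them."""
    s = posture_score(findings)
    return {"score": s, "grade": grade(s), "exit_code": exit_code(findings)}


if __name__ == "__main__":
    scenarios = {
        "all pass": {},
        "one critical FAIL": {"critical-0": "FAIL"},
        "+ high WARN, medium FAIL": {"critical-0": "FAIL", "high-0": "WARN", "medium-0": "FAIL"},
        "+ one low FAIL": {"critical-0": "FAIL", "high-0": "WARN", "medium-0": "FAIL", "low-0": "FAIL"},
        "inventory FAIL only": {"inventory-0": "FAIL"},
    }
    for name, overrides in scenarios.items():
        print(f"{name:28s} {evaluate(sample_suite(overrides))}")
```

Under the assumed normalisation the size of the suite matters: in this 256-point suite one critical failure costs 25 points (A to C), a further high WARN and medium FAIL bring the score to 70.3, and a single low failure on top tips it into D. The exit code stays at 2 for all of those, so a CI gate keyed on exit codes alone never sees the difference between a C and a D; gate on the code, but report the score.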

Agent mode pairs with a config file (config.yaml) that accepts all CLI flags as structured YAML. This makes it straightforward to version-control your audit configuration alongside your infrastructure code and run it on a schedule without interactive flags. Prefer the config file for the API key as well: a literal --api-key value lands in shell history, and even a key expanded from a shell variable is visible in the process list for as long as the agent runs, whereas a config file can be restricted with file permissions or written at runtime from your CI secret store.

Keyless Authentication

Service account JSON key files are the most common authentication method for Google Workspace admin APIs, but they are also the most risky. Keys do not expire by default, they can be exfiltrated, and rotating them requires coordination across every system that holds a copy.

Version 1.1 adds two keyless authentication methods that eliminate long-lived credentials entirely:

  • GCE Attached Service Account

    When running on a Google Compute Engine instance, the auditor retrieves short-lived access tokens from the VM's metadata server. No key file is downloaded, stored, or transmitted. The service account is attached to the VM and its permissions are managed through IAM, giving you centralized control over access and tokens that rotate automatically.

  • Workload Identity Federation

    For workloads running outside Google Cloud — GitHub Actions, AWS EC2, Azure VMs — Workload Identity Federation exchanges an external identity token for a short-lived Google access token. The auditor reads the federation configuration from GOOGLE_APPLICATION_CREDENTIALS and handles the token exchange automatically. No JSON key file is involved.

Both methods keep credentials within the client environment. When using agent mode, nothing is uploaded to the console; the only data that leaves your infrastructure is the audit result payload. Note that keyless authentication changes how the service account proves its identity, not what it is authorized to do: the --subject impersonation still depends on the domain-wide delegation grant and OAuth scopes configured in the Workspace admin console, so review those with the same care as for a key-based account. The console's tenant configuration now includes an auth method selector so you can track which authentication approach each tenant uses.

Email Notification System

Argus now sends email notifications for key events across the platform. The system is built on 14 Jinja2 templates rendered server-side and delivered through Celery tasks with automatic retry on transient failures.

Notifications fall into four categories:

  • Console Actions (preference-gated)

    Scan completed, scan failed, critical findings detected, backup completed, backup failed. These are only sent when the user has opted in through notification preferences.

  • Billing (always sent)

    Subscription activated, payment confirmed, payment failed, subscription canceled. These emails are transactional and cannot be disabled, since they relate to financial obligations.

  • Transactional

    Email verification, welcome message, team invitation. Triggered by account-level actions and delivered immediately.

  • Periodic

    Monthly security newsletter summarizing posture changes, new checks, and platform updates. Opt-in only.

Every non-transactional email includes a one-click unsubscribe link in both the List-Unsubscribe header and the footer, supporting the opt-out requirements of CAN-SPAM and GDPR. Unsubscribe tokens are HMAC-signed so a link cannot be altered to act on a different user or category.

Notification Preferences

Before a user triggers their first scan, Argus shows an opt-in dialog with three toggles: product updates, security newsletter, and console action alerts. All three default to checked, giving new users full visibility from the start while keeping the choice explicit.

Preferences can be changed at any time under Settings > Notifications. The interface presents each category as a toggle switch with a short description of what it controls. Changes take effect immediately — there is no confirmation step or delay.

Preferences are stored server-side per user, so they persist across devices and sessions. Billing emails are not shown in the preferences panel because they cannot be disabled.

Tenant-Scoped API Keys

API keys can now be bound to a specific tenant. This is required for agent mode — when the agent pushes results to the console, it needs to know which tenant the scan belongs to, and the API key provides that mapping.

Tenant-scoped keys are created in Settings > API Keys by selecting a tenant from the dropdown during key creation. The key list shows an AGENT badge next to scoped keys so you can distinguish them from organization-wide keys at a glance.

Scoped keys can only perform actions within their bound tenant — they cannot list other tenants, trigger scans on different tenants, or access organization-level settings. This follows the principle of least privilege and limits the blast radius if a key is compromised.

Pass Rate Calculation Fix

The pass rate formula previously calculated passed / (passed + failed), which excluded warnings from the denominator. If a tenant had 80 passes, 10 failures, and 10 warnings, the rate showed 89% instead of the correct 80%.

The updated formula is passed / (passed + failed + warnings). This gives a more accurate picture of posture, since warnings represent checks that did not fully pass and should not be invisible in the denominator. Existing scan results are recalculated on the next view.

Security Improvements

Two targeted security hardening changes ship in this release:

  • Path Traversal Guard on Report Uploads

    Report filenames submitted via the agent upload endpoint are now sanitized to prevent directory traversal. Traversal sequences such as ../ and the leading components of absolute paths are stripped before the file is written, so reports are stored only in the intended directory.

  • HMAC-Signed Unsubscribe Tokens

    Unsubscribe links use HMAC-signed tokens tied to the user ID and notification category. This prevents attackers from crafting unsubscribe URLs to silence notifications for other users. The token is verified server-side before any preference change is applied.
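The path traversal guard described above, as an added example rather than the Argus endpoint code. The release notes say ../ sequences and absolute paths are stripped; this example takes the stricter route a practitioner would want, rejecting anything that is not a single plain filename instead of stripping (one pass that removes "../" from "....//x" leaves "../x") and then verifying that the resolved destination still lies inside the reports directory. The reports directory, the extension allowlist and the filename pattern are assumptions.

```python
"""Rejecting traversal in uploaded report filenames.

Added example, not the Argus upload endpoint. Instead of stripping "../"
and absolute prefixes, it refuses any name that is not one plain path
component, restricts the character set and extension, and proves the
resolved destination is inside the reports directory. Reports directory,
allowed extensions and the filename pattern are assumed.
"""
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# One plain component: must start alphanumeric (so "." and ".." fail),
# then a conservative character set, bounded length.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
ALLOWED_SUFFIXES = {".json", ".html", ".csv"}  # assumed report formats


class UnsafeFilename(ValueError):
    pass


def safe_report_path(reports_dir, submitted: str) -> Path:
    """Return the path to write an uploaded report to, or raise UnsafeFilename."""
    # Last component under both POSIX and Windows rules, so "a/../b",
    # "a\\..\\b", "/etc/passwd" and "C:x" all differ from their own basename
    # and are rejected outright rather than "cleaned".
    last = PureWindowsPath(PurePosixPath(submitted).name).name
    if not last or last != submitted:
        raise UnsafeFilename(f"path separators or drive in {submitted!r}")
    if not FILENAME_RE.fullmatch(last):
        raise UnsafeFilename(f"disallowed characters in {submitted!r}")
    if Path(last).suffix not in ALLOWED_SUFFIXES:
        raise UnsafeFilename(f"extension not allowed for {submitted!r}")
    # Belt and braces: resolve both sides (this follows a symlink an
    # attacker may already have planted under reports_dir) and require
    # that the destination's parent is exactly the reports directory.
    root = Path(reports_dir).resolve()
    dest = (root / last).resolve()
    if dest.parent != root:
        raise UnsafeFilename(f"{submitted!r} resolves outside {root}")
    return dest


def is_safe_report_name(reports_dir, submitted: str) -> bool:
    try:
        safe_report_path(reports_dir, submitted)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed inputs: what an agent, or an attacker holding a stolen
    # agent key, might submit to the upload endpoint.
    reports = "/srv/argus/reports"  # assumed location
    for name in ["scan-2026-04-24.json", "../../etc/cron.d/evil.json",
                 "/etc/passwd", "....//secret.json", "..", "report.json\x00.sh",
                 "report.exe", "..\\..\\boot.ini", "C:report.json"]:
        verdict = "ok" if is_safe_report_name(reports, name) else "rejected"
        print(f"{name!r:34} -> {verdict}")
```

The containment check at the end is what makes the guard hold even if the allowlist is later loosened: whatever the filename rules let through, the file is only written when its resolved parent is the reports directory itself.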
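The HMAC-signed unsubscribe token from this item and from the Email Notification System section, as an added example that is not the Argus code. From the notes: the token is HMAC-signed, tied to the user id and notification category, and verified server-side before any preference changes. Assumed here: the token layout (base64url JSON payload, a dot, base64url HMAC-SHA256), an expiry claim, the category names and the shape of the preference store.

```python
"""HMAC-signed one-click unsubscribe tokens bound to user id and category.

Added example, not the Argus code. Assumed: token layout (base64url JSON
payload "." base64url HMAC-SHA256), an expiry claim, category names and
the preference dict shape. The attacker-side `tamper` helper exists only
to show that rewriting the payload without the key is detected.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Domain separation: a MAC produced for another purpose with the same key
# cannot be replayed as an unsubscribe token.
PURPOSE = b"argus-unsubscribe-v1:"
CATEGORIES = {"console_actions", "product_updates", "newsletter"}  # assumed names


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, PURPOSE + payload, hashlib.sha256).digest()


def make_token(secret: bytes, user_id: str, category: str, expires_at: int) -> str:
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    payload = json.dumps({"uid": user_id, "cat": category, "exp": expires_at},
                         separators=(",", ":"), sort_keys=True).encode("utf-8")
    return f"{_b64e(payload)}.{_b64e(_mac(secret, payload))}"


def verify_token(secret: bytes, token: str, now: int):
    """Return (user_id, category) for a genuine, unexpired token, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a plain == would leak how many leading MAC
    # bytes a forged token got right.
    if not hmac.compare_digest(_mac(secret, payload), mac):
        return None
    try:
        claims = json.loads(payload)
        uid, cat, exp = claims["uid"], claims["cat"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if cat not in CATEGORIES or now >= exp:
        return None
    return uid, cat


def apply_unsubscribe(prefs: dict, secret: bytes, token: str, now: int) -> bool:
    """Flip exactly the category the token names, and only after verification.
    `prefs` maps user_id -> {category: enabled}. Returns True when changed."""
    verified = verify_token(secret, token, now)
    if verified is None:
        return False
    uid, cat = verified
    prefs.setdefault(uid, {})[cat] = False
    return True


def tamper(token: str, **changes) -> str:
    """Attacker helper for the demo: rewrite payload claims, keep the old MAC."""
    payload_b64, mac_b64 = token.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims.update(changes)
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return f"{_b64e(forged)}.{mac_b64}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-production"
    now = 1_700_000_000
    token = make_token(secret, "user-42", "newsletter", now + 7 * 86400)
    prefs = {"user-42": {"newsletter": True}, "user-7": {"newsletter": True}}
    print("genuine    ->", apply_unsubscribe(prefs, secret, token, now), prefs)
    print("other user ->", apply_unsubscribe(prefs, secret, tamper(token, uid="user-7"), now))
    print("other cat  ->", apply_unsubscribe(prefs, secret, tamper(token, cat="console_actions"), now))
    print("expired    ->", apply_unsubscribe(prefs, secret, token, now + 30 * 86400))
```

Binding the category into the signed payload is what stops a newsletter link from being bent into a "silence critical-finding alerts" request, and the expiry bounds how long a leaked link in a forwarded mail stays usable.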

Ready to upgrade?

Try the new posture score, agent mode, and email notifications today.