
feat: add registry resource type for Windows#1053

Open
Blankf wants to merge 1 commit intogoss-org:masterfrom
Blankf:feat/registry-resource

Conversation

@Blankf Blankf commented Apr 15, 2026

Depends on: #1055 (fix: bytes.Reader issue in HavePatternsMatcher)

Summary

Adds a new registry resource type that validates Windows registry keys natively using the golang.org/x/sys/windows/registry API. This replaces the need to shell out to PowerShell for registry checks.

Closes #616

Motivation

The ansible-lockdown Windows CIS audit repos (Windows 2016/2019/2025) currently rely entirely on the command resource shelling out to PowerShell for ~300+ registry checks per benchmark. This is slow (~180ms per check due to PowerShell process spawn) and verbose.

With the native registry resource, the same checks run in milliseconds via direct Windows API calls.

Benchmark results (250 identical checks):

| Method                   | Time    |
|--------------------------|---------|
| Native registry resource | 0.020s  |
| command + PowerShell     | 43.784s |

Gossfile syntax

registry:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName:
    exists: true
    value: "Windows Server 2025 Datacenter"
    type: REG_SZ

For value names containing backslashes (e.g. HardenedPaths UNC entries), use :: as an explicit separator:

registry:
  HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths::\\*\NETLOGON:
    exists: true
    value: "RequireMutualAuthentication=1, RequireIntegrity=1"

Details

  • Supported hives: HKLM, HKCU, HKCR, HKU, HKCC
  • Supported types: REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_BINARY, REG_MULTI_SZ
  • Opens keys with QUERY_VALUE access (read-only, least privilege)
  • On non-Windows platforms, returns an error ("registry resource is only supported on Windows"), following the NullPackage pattern
  • Cross-compilation from Linux continues to work

Files changed

New files:

  • system/registry.go -- Registry interface + key path parser
  • system/registry_test.go -- 17 unit tests for the parser
  • system/registry_notwindows.go -- Non-Windows stub
  • system/registry_windows.go -- Windows implementation
  • resource/registry.go -- Resource type definition
  • integration-tests/goss/windows/tests/registry.goss.yaml -- Integration tests
  • docs/windows-parity-progress.md -- Progress tracker

Modified files:

  • system/system.go -- Added NewRegistry factory
  • resource/resource_list_genny.go + resource/resource_list.go -- Added RegistryMap
  • goss_config.go -- Wired into config
  • add.go -- Added to AddResource switch
  • cmd/goss/goss.go -- Added CLI subcommand
  • docs/schema.yaml -- Added schema definition
  • docs/platforms.md -- Updated platform matrix

Test plan

  • go vet ./... passes
  • go test ./... passes (17 new parser tests + all existing)
  • GOOS=windows GOARCH=amd64 go build cross-compiles successfully
  • gosec ./system/ ./resource/ -- zero findings in new code
  • Tested on Windows Server 2025 -- registry checks work correctly
  • Tested on Windows Server 2025 -- existing command resource still works
  • Benchmarked: 250 registry checks in 0.020s vs 43.784s via PowerShell

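The key-path syntax described in the summary (plain `HIVE\subkey\value` paths, plus `::` as an explicit separator when the value name itself contains backslashes) can be exercised with the parser below. This is an added illustration written for this page, not the PR's `system/registry.go`; the function and type names are assumptions, and it follows the hive list and separator rule stated in the description (a value name is assumed to be required).

```go
package main

import (
	"fmt"
	"strings"
)

// RegistryPath is the parsed form of a gossfile registry key such as
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
// (Hypothetical type for this example, not the PR's own.)
type RegistryPath struct {
	Hive      string // root hive abbreviation, e.g. HKLM
	Key       string // subkey path below the hive
	ValueName string // value under Key
}

// Hives listed as supported in the PR description.
var supportedHives = map[string]bool{"HKLM": true, "HKCU": true, "HKCR": true, "HKU": true, "HKCC": true}

// ParseRegistryPath splits a gossfile registry key into hive, subkey path and value name.
// If the string contains "::", everything after it is taken verbatim as the value name, so
// names containing backslashes (e.g. \\*\NETLOGON under HardenedPaths) survive intact.
// Otherwise the last backslash-delimited segment is the value name.
func ParseRegistryPath(s string) (RegistryPath, error) {
	keyPart, value := "", ""
	if i := strings.Index(s, "::"); i >= 0 {
		keyPart, value = s[:i], s[i+2:]
	} else {
		j := strings.LastIndex(s, `\`)
		if j < 0 {
			return RegistryPath{}, fmt.Errorf("no key path in %q", s)
		}
		keyPart, value = s[:j], s[j+1:]
	}
	if value == "" {
		return RegistryPath{}, fmt.Errorf("empty value name in %q", s)
	}
	hive, key, found := strings.Cut(keyPart, `\`)
	if !found || key == "" {
		return RegistryPath{}, fmt.Errorf("missing subkey path in %q", s)
	}
	hive = strings.ToUpper(hive) // hive names are case-insensitive on Windows
	if !supportedHives[hive] {
		return RegistryPath{}, fmt.Errorf("unsupported hive %q in %q", hive, s)
	}
	return RegistryPath{Hive: hive, Key: key, ValueName: value}, nil
}

func main() {
	rp, err := ParseRegistryPath(`HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths::\\*\NETLOGON`)
	fmt.Printf("%+v err=%v\n", rp, err)
}
```
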
@Blankf Blankf requested a review from aelsabbahy as a code owner April 15, 2026 13:33

Add a new registry resource type that validates Windows registry keys
natively using the golang.org/x/sys/windows/registry API. This replaces
the need to shell out to PowerShell for registry checks, providing
significant performance improvements (0.02s vs 44s for 250 checks).

Gossfile syntax:

  registry:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName:
      exists: true
      value: "Windows Server 2025 Datacenter"
      type: REG_SZ

For value names containing backslashes (e.g. HardenedPaths UNC entries),
use "::" as an explicit separator:

  registry:
    HKLM\...\HardenedPaths::\\*\NETLOGON:
      exists: true

Supported hives: HKLM, HKCU, HKCR, HKU, HKCC.
Supported types: REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD,
REG_BINARY, REG_MULTI_SZ.

On non-Windows platforms, the resource returns an error indicating
it is only supported on Windows, following the NullPackage pattern.

@Blankf Blankf force-pushed the feat/registry-resource branch from 7ac5f7b to eb7a099 Compare April 15, 2026 13:36
@Blankf Blankf marked this pull request as draft April 20, 2026 05:24
@Blankf Blankf marked this pull request as ready for review April 20, 2026 10:57

Development

Successfully merging this pull request may close these issues.

Goss should be able to assert against Windows Registry state