Merge branch 'aquasecurity:main' into traceectl

aquasecurity · Jan 30, 2025 · 8a507ef · 8a507ef
2 parents a6ffb9f + cccaf7f
commit 8a507ef
Show file tree

Hide file tree

Showing 157 changed files with 7,277 additions and 3,581 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,22 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+      - "/api"
+      - "/types"
+      - "/signatures/helpers"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directories:
+      - "/builder"
+    schedule:
+      interval: "daily"
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,82 +1,126 @@
+# Define labels for areas and kinds with match objects
+
 #
-# area
+# Area Labels
 #
-# area/grpc
 area/grpc:
-  - pkg/server/grpc/**
-  - pkg/server/grpc/**/*
-# area/api
+  - changed-files:
+      - any-glob-to-any-file:
+          - pkg/server/grpc/**
+          - pkg/server/grpc/**/*
+
 area/api:
-  - api/**
-  - api/**/*
-# area/arm64:
+  - changed-files:
+      - any-glob-to-any-file:
+        - api/**
+        - api/**/*
+
 area/build:
-  - builder/**
-  - "**/Makefile"
-  - "**/Dockerfile"
-  - go.sum
-  - go.mod
-  - staticcheck.conf
-  - .github/**
-  - .clang-format
-  - .dockerignore
+  - changed-files:
+      - any-glob-to-any-file:
+        - builder/**
+        - '**/Makefile'
+        - '**/Dockerfile'
+        - go.sum
+        - go.mod
+        - staticcheck.conf
+        - .github/**
+        - .clang-format
+        - .dockerignore
+
 area/capture:
-  - "*capture*"
-# area/co-re:
+  - changed-files:
+      - any-glob-to-any-file:
+        - '*capture*'
+
 area/ebpf:
-  - pkg/ebpf/*
-  - pkg/ebpf/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/ebpf/*
+        - pkg/ebpf/**/*
+
 area/events:
-  - pkg/events/*
-  - pkg/events/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/events/*
+        - pkg/events/**/*
+
 area/filtering:
-  - pkg/filters/*
-  - pkg/filters/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/filters/*
+        - pkg/filters/**/*
+
 area/flags:
-  - pkg/cmd/flags/*
-  - pkg/cmd/flags/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/cmd/flags/*
+        - pkg/cmd/flags/**/*
+
 area/kubernetes:
-  - deploy/*
-  - deploy/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - deploy/*
+        - deploy/**/*
+
 area/logging:
-  - pkg/logger/*
-  - pkg/logger/**/*
-  - pkg/errfmt/*
-  - pkg/errfmt/**/*
-# area/network:
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/logger/*
+        - pkg/logger/**/*
+        - pkg/errfmt/*
+        - pkg/errfmt/**/*
+
 area/performance:
-  - pkg/metrics/*
-  - pkg/metrics/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/metrics/*
+        - pkg/metrics/**/*
+
 area/release:
-  - packaging/*
-  - packaging/**/*
-# area/rules:
+  - changed-files:
+      - any-glob-to-any-file:
+        - packaging/*
+        - packaging/**/*
+
 area/signatures:
-  - pkg/signatures/*
-  - pkg/signatures/**/*
-  - signatures/*
-  - signatures/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/signatures/*
+        - pkg/signatures/**/*
+        - signatures/*
+        - signatures/**/*
+
 area/testing:
-  - tests/*
-  - tests/**/*
-  - "**/*_test.go"
-# area/uprobe:
+  - changed-files:
+      - any-glob-to-any-file:
+        - tests/*
+        - tests/**/*
+        - '**/*_test.go'
+
 area/UX:
-  - pkg/cmd/*
-  - pkg/cmd/**/*
-  - cmd/*
-  - cmd/**/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - pkg/cmd/*
+        - pkg/cmd/**/*
+        - cmd/*
+        - cmd/**/*
+
 #
-# kind
+# Kind Labels
 #
+
 kind/documentation:
-  - docs/*
-  - docs/**/*
-  - "**/*.md"
-  - mkdocs.yml
-  - NOTICE
-  - LICENSE
-  - cmd/tracee-gptdocs/*
+  - changed-files:
+      - any-glob-to-any-file:
+        - docs/*
+        - docs/**/*
+        - '**/*.md'
+        - mkdocs.yml
+        - NOTICE
+        - LICENSE
+        - cmd/tracee-gptdocs/*
+
 # kind/bug:
 # kind/chore:
 # kind/feature:
diff --git a/.github/workflows/auto-author-assign.yml b/.github/workflows/auto-author-assign.yml
@@ -15,4 +15,4 @@ jobs:
     name: Assign Author
     runs-on: ubuntu-latest
     steps:
-      - uses: toshimaru/auto-author-assign@ebd30f10fb56e46eb0759a14951f36991426fed0 # v2.1.0
+      - uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,53 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches:
+      - "main"
+      - "v*.*.*"
+  pull_request:
+    branches:
+      - "main"
+      - "v*.*.*"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: c-cpp
+            build-mode: autobuild
+          - language: go
+            build-mode: autobuild
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libelf-dev clang make gcc pkg-config
+
+    - name: Update submodules
+      run: git submodule update --init --recursive
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -12,4 +12,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+        with:
+          sync-labels: false
+          configuration-path: .github/labeler.yml
diff --git a/.github/workflows/mkdocs-dev.yaml b/.github/workflows/mkdocs-dev.yaml
@@ -20,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12.3
       - name: Install dependencies

diff --git a/.github/workflows/mkdocs-latest.yaml b/.github/workflows/mkdocs-latest.yaml
@@ -20,11 +20,11 @@ jobs:
           fetch-depth: 0
           persist-credentials: true
       - name: Login to docker.io registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12.3
       - name: Install dependencies

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -6,7 +6,8 @@ on:
   workflow_dispatch: {}
   pull_request:
     branches:
-      - main
+      - "main"
+      - "v.*"
     paths:
       - "!docs/**"
       - "!deploy/**"
@@ -78,6 +79,7 @@ env:
     SECURITY_PATH_NOTIFY
     SET_FS_PWD
     SUSPICIOUS_SYSCALL_SOURCE
+    STACK_PIVOT
 jobs:
   #
   # DOC VERIFICATION
@@ -90,7 +92,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Check if flags flags man/markdown docs were changed
         id: changed-files
-        uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0
+        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
         with:
           files_yaml: |
             md_files:
@@ -295,14 +297,15 @@ jobs:
               output="["
               first=1
               for job in "${!job_names[@]}"; do
+                  timestamp=$(date +%s)
                   ami="${job_names[$job]%% *}"
                   arch="${job_names[$job]##* }"
                   if (( first )); then
                       first=0
                   else
                       output+=","
                   fi
-                  output+="{\"job_name\": \"$job\", \"arch\": \"$arch\", \"ami\": \"$ami\", \"sufix\": \"$num\"}"
+                  output+="{\"job_name\": \"$job\", \"arch\": \"$arch\", \"ami\": \"$ami\", \"sufix\": \"$timestamp\"}"
               done
             output+="]"
             echo "matrix$num=$output" >> $GITHUB_OUTPUT

diff --git a/.github/workflows/publish-helm.yaml b/.github/workflows/publish-helm.yaml
@@ -27,21 +27,21 @@ jobs:
           ref: ${{ github.event.inputs.ref }}
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@b7246b12e77f7134dc2d460a3d5bad15bbe29390 # v4.1.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: v3.14.3
       - name: Set up python
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12.3
       - name: Set up aqua charts
         run: |
           helm repo add aqua https://aquasecurity.github.io/helm-charts
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           version: ${{ env.KIND_VERSION }}
           node_image: ${{ env.KIND_IMAGE }}

diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
@@ -32,7 +32,7 @@ jobs:
       #   with:
       #     cosign-release: 'v2.2.4'
       - name: Login to docker.io registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -75,7 +75,7 @@ jobs:
       #   with:
       #     cosign-release: 'v2.2.4'
       - name: Login to docker.io registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
       #   with:
       #     cosign-release: 'v2.2.4'
       - name: Login to docker.io registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}