SpecterOps · lrfalslev · Apr 16, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,10 +13,10 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # ratchet:actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -33,18 +33,18 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
       - name: Login to GHCR
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/login-action@v4
         if: ${{ ! startsWith(github.event_name, 'pull_request') }}
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USER }}
           password: ${{ secrets.PACKAGE_SCOPE }}
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
         if: ${{ ! startsWith(github.event_name, 'pull_request') }}
         with:
           aws-access-key-id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
@@ -53,28 +53,28 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # ratchet:aws-actions/amazon-ecr-login@v2
         if: ${{ ! startsWith(github.event_name, 'pull_request') }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # ratchet:docker/metadata-action@v6
         with:
           images: |
             ghcr.io/bloodhoundad/azurehound
             ${{ steps.login-ecr.outputs.registry || 'public.ecr.aws' }}/production/azurehound
           tags: |
             type=edge,branch=main
             type=sha,prefix=edge-,format=short
-      
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # ratchet:docker/setup-qemu-action@v4
 
       - name: Set up buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4
 
       - name: Build Container Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7
         with:
           context: .
           build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
@@ -87,13 +87,13 @@ jobs:
           outputs: type=oci,dest=/tmp/oci-image.tar
 
       - name: Upload OCI tarball
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
         with:
           name: oci-image-tar
           path: /tmp/oci-image.tar
 
       - name: Push Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7
         with:
           context: .
           build-args: VERSION=v0.0.0-rolling+${{ github.sha }}
@@ -118,10 +118,10 @@ jobs:
           - amd64
           - arm64
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # ratchet:actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -150,7 +150,7 @@ jobs:
 
       - name: Update Rolling Release
         if: "! startsWith(github.event_name, 'pull_request')"
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # ratchet:softprops/action-gh-release@v3
         with:
           name: Rolling Release (unstable)
           tag_name: rolling

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # ratchet:contributor-assistant/github-action@v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PERSONAL_ACCESS_TOKEN: ${{ secrets.REPO_SCOPE }}

diff --git a/.github/workflows/jira-issue-transfer.yml b/.github/workflows/jira-issue-transfer.yml
@@ -24,31 +24,31 @@ jobs:
     runs-on: self-hosted
     if: github.event.label.name == 'ticketed'
     steps:
-        - name: Login
-          uses: atlassian/gajira-login@v3
-          env:
-            JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
-            JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
-            JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        - name: Jira Create Bug
-          id: bug
-          if: contains(github.event.issue.labels.*.name, 'bug') 
-          uses: atlassian/gajira-create@v3
-          with:
-            project: BP
-            issuetype: 'Bug Report'
-            summary: ${{ github.event.issue.title }}
-            description: "Github Issue Link: ${{ github.event.issue.html_url}} \r\n ${{ github.event.issue.body }}"
-            fields: '{"labels":["GitHubReport"]}'
+      - name: Login
+        uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # ratchet:atlassian/gajira-login@v3
+        env:
+          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+          JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Jira Create Bug
+        id: bug
+        if: contains(github.event.issue.labels.*.name, 'bug')
+        uses: atlassian/gajira-create@59e177c4f6451399df5b4911c2211104f171e669 # ratchet:atlassian/gajira-create@v3
+        with:
+          project: BP
+          issuetype: 'Bug Report'
+          summary: ${{ github.event.issue.title }}
+          description: "Github Issue Link: ${{ github.event.issue.html_url}} \r\n ${{ github.event.issue.body }}"
+          fields: '{"labels":["GitHubReport"]}'
 
-        - name: Jira Create Enhancement
-          id: enhancement
-          if: contains(github.event.issue.labels.*.name, 'enhancement')
-          uses: atlassian/gajira-create@v3 
-          with:
-            project: BP
-            issuetype: 'Product Feature'
-            summary: ${{ github.event.issue.title }}
-            description: "Github Issue Link: ${{ github.event.issue.html_url}} \r\n ${{ github.event.issue.body }}"
-            fields: '{"labels":["GitHubReport"]}'
+      - name: Jira Create Enhancement
+        id: enhancement
+        if: contains(github.event.issue.labels.*.name, 'enhancement')
+        uses: atlassian/gajira-create@59e177c4f6451399df5b4911c2211104f171e669 # ratchet:atlassian/gajira-create@v3
+        with:
+          project: BP
+          issuetype: 'Product Feature'
+          summary: ${{ github.event.issue.title }}
+          description: "Github Issue Link: ${{ github.event.issue.html_url}} \r\n ${{ github.event.issue.body }}"
+          fields: '{"labels":["GitHubReport"]}'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -23,10 +23,10 @@ jobs:
       FILE_NAME: AzureHound_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # ratchet:actions/setup-go@v6
         with:
           go-version-file: go.mod
           check-latest: true
@@ -47,7 +47,7 @@ jobs:
 
       - name: Upload as Artifact
         if: matrix.os == 'windows'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
         with:
           name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
           path: azurehound*
@@ -59,7 +59,7 @@ jobs:
         run: sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256
 
       - name: Upload Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # ratchet:softprops/action-gh-release@v3
         with:
           files: |
             ${{ env.FILE_NAME }}.zip
@@ -80,13 +80,13 @@ jobs:
       FILE_NAME: AzureHoundEnterprise_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}
 
     steps:
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
         with:
           aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           pattern: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
           path: unsigned/
@@ -98,7 +98,7 @@ jobs:
 
       - name: Install DigiCert Client Tools
         id: digicert
-        uses: digicert/ssm-code-signing@v1.0.0
+        uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # ratchet:digicert/ssm-code-signing@v1.2.1
 
       - name: Set PKCS#11 Paths
         id: pkcs11
@@ -160,25 +160,25 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
 
       - name: Log in to GHCR
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USER }}
           password: ${{ secrets.PACKAGE_SCOPE }}
 
       - name: Log in to ACR
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/login-action@v4
         with:
           registry: ${{ secrets.ACR_AZUREHOUND_REGISTRY_URL }}
           username: ${{ secrets.ACR_CLIENT_ID }}
           password: ${{ secrets.ACR_SECRET }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # ratchet:docker/metadata-action@v6
         with:
           images: |
             ghcr.io/bloodhoundad/azurehound
@@ -188,7 +188,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}},prefix=v
 
       - name: Build Container Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7
         with:
           context: .
           build-args: VERSION=${{ github.ref_name }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM golang:1.24 as build
+FROM golang:1.25 AS build
 WORKDIR /app
 
 ARG VERSION=v0.0.0
@@ -11,6 +11,6 @@ RUN go mod download
 RUN go build -ldflags="-s -w -X github.com/bloodhoundad/azurehound/v2/constants.Version=$VERSION+docker"
 
 FROM gcr.io/distroless/base-debian12:nonroot
-LABEL org.opencontainers.image.source https://github.com/BloodHoundAD/AzureHound
+LABEL org.opencontainers.image.source=https://github.com/BloodHoundAD/AzureHound
 COPY --from=build /app/azurehound /
 ENTRYPOINT ["/azurehound"]
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ The rolling release contains pre-built binaries that are automatically kept up-t
 
 ##### Prerequisites
 
-- [Go 1.18](https://go.dev/dl/) or later
+- [Go 1.25](https://go.dev/dl/) or later
 
 To build this project from source run the following:
 

diff --git a/go.mod b/go.mod
@@ -1,8 +1,6 @@
 module github.com/bloodhoundad/azurehound/v2
 
-go 1.24.0
-
-toolchain go1.24.2
+go 1.25.0
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.2
@@ -51,8 +49,8 @@ require (
 	github.com/urfave/cli/v2 v2.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/image v0.39.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

diff --git a/go.sum b/go.sum
@@ -117,8 +117,8 @@ golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.0.0-20210220032944-ac19c3e999fb/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
+golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
+golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=
 golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
 golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -131,8 +131,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=