
feat: migrate task queues to nats jetstream and add nats broker integration#244

Merged: l50 merged 29 commits into main from feat/broker-migration on May 9, 2026

Conversation

@l50 (Contributor) commented Apr 29, 2026

Key Changes:

  • Migrated all task queues and tool execution from Redis lists to NATS JetStream
  • Introduced ares_core::nats module for broker/subject taxonomy and connection
  • Updated orchestrator, worker, and blue agent to use NATS for all queue traffic
  • Enforced password spray lockout policy and improved agent safety for AD

Added:

  • NATS JetStream integration via new ares_core::nats module for all agent
    queues, tool RPC, results, and investigation requests
  • NATS installation, configuration, and systemd service to EC2 and Ansible
    provisioning (new Ansible role nats)
  • NATS_URL/ARES_NATS_URL support to all orchestrator, worker, and blue agent
    configs and environment files
  • NATS stream/subject taxonomy for red team, blue team, tool exec, deferred,
    and result channels
  • NATS connection and stream/consumer creation in orchestrator and worker
    startup, with automatic retry and error handling
  • NATS-based request/reply tool dispatcher and consumer for agent tool calls
  • Ansible role and playbook logic to provision and verify NATS JetStream server

Changed:

  • Replaced all Redis-based task and result queues with NATS JetStream subjects
    and pull consumers (both in orchestrator and worker)
  • Blue investigation requests and task queues moved to NATS JetStream
  • Tool dispatcher and tool executor now use NATS request/reply instead of
    Redis BRPOP/LPUSH
  • Redis is now used only for state: operation metadata, credentials, hosts,
    heartbeats, task status, and deferred throttling state
  • Updated orchestrator and worker configuration, deployment docs, EC2 scripts,
    and container templates to require and use NATS
  • Improved password_spray tool: enforces lockout threshold, disables spraying
    without explicit policy or override, adds safety buffer to prevent AD lockouts
  • Updated playbooks, Ansible docs, and golden image to include NATS service
  • All orchestrator, worker, and blue agent containers and AMIs now require
    NATS_URL in environment or config

Removed:

  • All Redis BRPOP/LPUSH patterns for task and result queues
  • Redis PubSub for state update notifications (now NATS core publish)
  • Redis-based per-task and per-call result mailboxes
  • Old Python requeue logic and Redis fallback queue handling
  • Unused file-system or placeholder code for deprecated queue paths
  • pth-toolkit binaries from expected tool lists (not available in trixie)

**Added:**

- Introduced NATS JetStream as the primary broker for all task, tool, and result
  queues across orchestrator and worker agents
- Implemented new `ares-core/src/nats.rs` with subject taxonomy, stream
  definitions, and broker abstraction for JetStream
- Added Ansible `nats` role to provision, configure, and manage NATS JetStream
  server (with docs and systemd integration)
- Updated EC2 setup scripts to install, configure, and manage `nats-server`
  alongside Redis
- Added NATS connection URLs to environment, templates, and container docs
- Documented NATS deployment, configuration, and usage in infra and agent docs

**Changed:**

- All core task, tool, and blue-team queues now use NATS JetStream subjects,
  replacing Redis List/BRPOP patterns for durable work queues
- Orchestrator, workers, and blue agents now require and connect to both Redis
  (state) and NATS (queues)
- Tool dispatch and result collection now use NATS request/reply with inbox
  subjects, removing the need for dedicated TCP connections for blocking calls
- Blue investigation queue and results moved to NATS JetStream subjects
- Task status, heartbeats, operation locks, and persistent state remain on Redis
- Updated orchestrator, worker, and tool-executor modules to poll and publish
  via JetStream consumers/producers with explicit acks and bounded redelivery
- Refactored orchestrator config, state, and queue code to thread NATS broker
  handles throughout and ensure streams on startup
- Updated all container and agent documentation to mention NATS as required infra
- Updated Ansible playbooks and role templates to deploy NATS and wire up
  environment variables for all agents
- Updated diagrams, markdown, and infrastructure docs to show NATS as the broker
- Updated Cargo manifests to include `async-nats`, `futures`, and `bytes`
  dependencies in all crates

**Removed:**

- Redis-backed work queue code paths, including BRPOP/LPUSH for tasks and tools
- Obsolete Redis-only queue length and result-polling implementations
- Legacy Redis-only tool dispatcher and result handler logic
- All Redis pubsub notification usage for state updates (now NATS core pub)
- Unused Redis key prefix constants and result queue definitions in code and docs
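The lockout guard the description gives for the `password_spray` tool (enforce the lockout threshold, refuse to spray without an explicit policy or an override, keep a safety buffer below the threshold) as an added Rust example. This is not the project's code: `LockoutPolicy`, `SprayGuard`, `Decision` and the constructor arguments are assumed names, and the guard models AD's `badPwdCount` semantics, where the counter resets once the observation window has passed since the last failed attempt. Time is passed in as a `Duration` from a monotonic origin so the window logic is testable without sleeping.

```rust
// Added example, not code from the ares repository. It models the guard the
// PR describes for the password_spray tool; type and method names are
// assumptions. Time is passed in as a Duration from some monotonic origin so
// the logic is testable without sleeping.
use std::collections::HashMap;
use std::time::Duration;

/// The AD domain settings that decide whether a spray locks accounts:
/// lockoutThreshold (0 = lockout disabled) and lockoutObservationWindow.
#[derive(Debug, Clone)]
pub struct LockoutPolicy {
    pub threshold: u32,
    pub observation_window: Duration,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Safe to send one more guess for this user now.
    Allow,
    /// Spraying is refused outright; the string is the reason shown to the operator.
    Refuse(String),
    /// This user's budget for the current observation window is spent; retry after the Duration.
    Defer(Duration),
}

pub struct SprayGuard {
    policy: Option<LockoutPolicy>,
    override_no_policy: bool,
    safety_buffer: u32,
    /// Per-user (attempts in the current window, time of last attempt). This
    /// mirrors AD's badPwdCount, which resets to 0 once the observation
    /// window has elapsed since the last failed attempt.
    attempts: HashMap<String, (u32, Duration)>,
}

impl SprayGuard {
    pub fn new(policy: Option<LockoutPolicy>, override_no_policy: bool, safety_buffer: u32) -> Self {
        SprayGuard { policy, override_no_policy, safety_buffer, attempts: HashMap::new() }
    }

    /// Reserve one attempt against `user` at time `now`. A spray assumes the
    /// guess is wrong, so the attempt counts toward the user's budget as soon
    /// as it is allowed. Budgets are tracked per user, never per password.
    pub fn check(&mut self, user: &str, now: Duration) -> Decision {
        let (threshold, window) = match &self.policy {
            Some(p) => (p.threshold, p.observation_window),
            None if self.override_no_policy => return Decision::Allow,
            None => {
                return Decision::Refuse(
                    "no lockout policy known; refusing to spray without an explicit override".to_string(),
                );
            }
        };
        if threshold == 0 {
            // Lockout disabled on the domain: nothing to protect against.
            return Decision::Allow;
        }
        if self.safety_buffer >= threshold {
            return Decision::Refuse(format!(
                "safety buffer {} leaves no attempts under lockout threshold {}",
                self.safety_buffer, threshold
            ));
        }
        // Attempts per user per window that stay clear of the threshold.
        let budget = threshold - self.safety_buffer;

        let entry = self.attempts.entry(user.to_string()).or_insert((0, now));
        let (count, last) = *entry;
        let elapsed = now.saturating_sub(last);
        // Window passed since the last attempt: AD has reset badPwdCount.
        let count = if elapsed >= window { 0 } else { count };
        if count >= budget {
            return Decision::Defer(window - elapsed);
        }
        *entry = (count + 1, now);
        Decision::Allow
    }
}

fn main() {
    // Constructed policy: threshold 5, 30-minute window, buffer of 2 -> 3 guesses per user per window.
    let policy = LockoutPolicy { threshold: 5, observation_window: Duration::from_secs(1800) };
    let mut guard = SprayGuard::new(Some(policy), false, 2);
    for t in 0..4u64 {
        println!("alice @ {t}s: {:?}", guard.check("alice", Duration::from_secs(t)));
    }
    let mut blind = SprayGuard::new(None, false, 1);
    println!("no policy: {:?}", blind.check("alice", Duration::ZERO));
}
```

The fourth guess for `alice` inside the window comes back as `Defer`, while a different user still gets `Allow`, which is the per-user separation the AuthThrottle tests in the commit list check for. A guard without a policy refuses unless the operator override is set, so a misconfigured run fails closed rather than locking out a domain.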
dreadnode-renovate-bot (bot) added labels area/docs (Changes made to project documentation) and area/templates (Changes made to warpgate template configurations) on Apr 29, 2026
codecov (bot) commented Apr 29, 2026

Codecov Report

❌ Patch coverage is 77.77778% with 630 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.92%. Comparing base (fb65972) to head (7727e89).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ares-core/src/state/blue_task_queue.rs | 68.70% | 128 Missing ⚠️ |
| ares-cli/src/worker/tool_executor.rs | 69.07% | 94 Missing ⚠️ |
| ares-cli/src/orchestrator/task_queue.rs | 75.34% | 89 Missing ⚠️ |
| ares-cli/src/worker/task_loop/mod.rs | 54.72% | 67 Missing ⚠️ |
| ares-core/src/nats.rs | 80.22% | 53 Missing ⚠️ |
| ...c/orchestrator/tool_dispatcher/redis_dispatcher.rs | 54.02% | 40 Missing ⚠️ |
| ...i/src/orchestrator/state/publishing/credentials.rs | 42.55% | 27 Missing ⚠️ |
| ares-cli/src/worker/task_loop/result_handler.rs | 92.78% | 23 Missing ⚠️ |
| ares-cli/src/blue/delete.rs | 0.00% | 17 Missing ⚠️ |
| ares-cli/src/orchestrator/mod.rs | 0.00% | 16 Missing ⚠️ |
| ... and 15 more | | |
Additional details and impacted files


@@            Coverage Diff             @@
##             main     #244      +/-   ##
==========================================
+ Coverage   75.29%   75.92%   +0.62%     
==========================================
  Files         384      385       +1     
  Lines       81639    83591    +1952     
==========================================
+ Hits        61470    63464    +1994     
+ Misses      20169    20127      -42     
| Files with missing lines | Coverage Δ |
|---|---|
| ares-cli/src/orchestrator/config.rs | 98.51% <100.00%> (+0.01%) ⬆️ |
| ares-cli/src/orchestrator/deferred.rs | 44.85% <ø> (ø) |
| ...es-cli/src/orchestrator/output_extraction/tests.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/orchestrator/throttling.rs | 90.94% <100.00%> (+0.03%) ⬆️ |
| ares-cli/src/orchestrator/tool_dispatcher/mod.rs | 98.61% <100.00%> (+91.46%) ⬆️ |
| ares-cli/src/orchestrator/tool_dispatcher/tests.rs | 100.00% <100.00%> (ø) |
| ares-cli/src/worker/config.rs | 94.50% <100.00%> (+0.12%) ⬆️ |
| ares-core/src/state/mock_redis.rs | 97.78% <100.00%> (+0.01%) ⬆️ |
| ares-cli/src/orchestrator/monitoring.rs | 59.21% <0.00%> (ø) |
| ...s-cli/src/orchestrator/output_extraction/hashes.rs | 98.03% <96.87%> (-0.19%) ⬇️ |
| ... and 23 more | |

... and 2 files with indirect coverage changes


l50 added 5 commits April 29, 2026 16:33
…er, and blue queue

**Added:**

- Unit tests for credential extraction logic in tool dispatcher, including cases
  for various tools, username/domain presence, and field aliases
- Tests for traceparent and operation_id serialization in ToolExecRequest
- Tests for ToolExecResponse discovery field handling and default behaviors
- Extensive integration tests for push_realtime_discoveries, covering host,
  credential, hash, vulnerability, share, user, trust, and various error cases
- Unit tests for AuthThrottle covering limits, credential separation, and window
  expiry logic
- Tests for set_task_status in result_handler, including overwriting, merging,
  and handling non-object extras
- Unit tests for BlueTaskQueueCore covering serialization, heartbeat, active
  investigation, alert/model retrieval, and error handling for missing NATS

**Changed:**

- push_realtime_discoveries and set_task_status made generic over Redis
  connection type to support mock connections in tests
- BlueTaskQueue refactored to use a generic BlueTaskQueueCore with production
  and test implementations, enabling better unit testability
- Imports updated to include ConnectionLike and support new generic types
**Added:**

- Added extensive unit tests for `task_queue` covering result checks, batch error
  handling, lock extension, status management, and serialization behaviors
- Added tests for `redis_dispatcher.rs` helper functions, including dispatch
  error and timeout result formatting, and subject/stream configuration
- Added tests for `is_transient_broker_error` logic, task status TTL,
  message priority overrides, and task result serialization in `task_loop`
- Added tests for `tool_executor` helpers: unavailable tool responses,
  error classification, and discoveries serialization logic
- Added tests for NATS subject and stream formatting, retention, and uniqueness
  in the core NATS module, including environment variable fallback handling

**Changed:**

- Refactored tool dispatcher to use helper functions for error and timeout
  result construction, ensuring consistent formatting and easier testability
- Replaced inline connection error detection in worker task loop with
  `is_transient_broker_error` helper for improved maintainability
- Refactored tool executor to use helper functions for unavailable tool
  responses and discoveries serialization, improving clarity and test coverage

**Removed:**

- Removed inline duplicate logic for error result and discoveries handling in
  tool dispatcher and tool executor, consolidating into reusable functions
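The subject-formatting and environment-fallback behaviour this commit says it tests, as an added example in std-only Rust. It is not the project's `ares_core::nats` module: the subject layout `<prefix>.<team>.tasks.<op_id>.<priority>`, the `ARES_NATS_PREFIX` variable and all function names are assumptions. The security-relevant part is the token check: NATS treats `*` and `>` as wildcards and `.` as a separator, so an operation id or tool name taken from untrusted input must be validated before it is spliced into a subject or a consumer filter. The matcher implements the same `*`/`>` rules the server applies to a consumer's filter subject, which lets a unit test prove one operation's worker filter cannot see another operation's queue.

```rust
// Added example, not code from the ares repository: a std-only sketch of the
// subject helpers and tests the commit message describes. The layout
// `<prefix>.<team>.tasks.<op_id>.<priority>` and the ARES_NATS_PREFIX variable
// are assumptions for illustration, not the project's actual taxonomy.
use std::env;

/// Accept only tokens NATS treats as literals. NATS rejects empty tokens,
/// whitespace and '.', and interprets '*' and '>' as wildcards, so any token
/// derived from untrusted input (an operation id supplied over an API, a
/// tool name chosen by an agent) must pass this check: an op_id of "*" would
/// otherwise produce a filter that matches every operation's task subjects.
pub fn is_literal_token(tok: &str) -> bool {
    !tok.is_empty()
        && tok
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Priority {
    High,
    Normal,
}

impl Priority {
    fn token(self) -> &'static str {
        match self {
            Priority::High => "high",
            Priority::Normal => "normal",
        }
    }
}

/// Subject prefix with an environment fallback: ARES_NATS_PREFIX (assumed
/// name) wins when set and well-formed, otherwise "ares". A malformed value
/// is ignored rather than spliced into every subject.
pub fn subject_prefix() -> String {
    env::var("ARES_NATS_PREFIX")
        .ok()
        .filter(|p| is_literal_token(p))
        .unwrap_or_else(|| "ares".to_string())
}

/// Build the task subject for one operation and priority, refusing any
/// token that is not a literal.
pub fn task_subject(prefix: &str, team: &str, op_id: &str, prio: Priority) -> Result<String, String> {
    for (name, tok) in [("prefix", prefix), ("team", team), ("op_id", op_id)] {
        if !is_literal_token(tok) {
            return Err(format!("{name} {tok:?} is not a literal NATS subject token"));
        }
    }
    Ok(format!("{prefix}.{team}.tasks.{op_id}.{}", prio.token()))
}

/// NATS subject matching as the server applies it to a consumer's
/// filter_subject: '*' matches exactly one token, '>' matches one or more
/// trailing tokens and must be the last token of the filter.
pub fn subject_matches(filter: &str, subject: &str) -> bool {
    let f: Vec<&str> = filter.split('.').collect();
    let s: Vec<&str> = subject.split('.').collect();
    for (i, tok) in f.iter().enumerate() {
        match *tok {
            ">" => return i + 1 == f.len() && s.len() > i,
            "*" => {
                if i >= s.len() {
                    return false;
                }
            }
            lit => {
                if i >= s.len() || s[i] != lit {
                    return false;
                }
            }
        }
    }
    f.len() == s.len()
}

fn main() {
    let subj = task_subject(&subject_prefix(), "red", "op-7f3a", Priority::High).unwrap();
    println!("{subj}");
    // A crafted operation id is rejected instead of becoming a wildcard.
    println!("{}", task_subject("ares", "red", "*", Priority::High).unwrap_err());
    println!("{}", subject_matches("ares.red.tasks.op-7f3a.>", &subj));
    println!("{}", subject_matches("ares.red.tasks.op-9999.>", &subj));
}
```

`subject_matches` is only a local model for tests; the server performs the real filtering, and the point of having it in the test suite is to catch a taxonomy change that would let a filter for one operation match another's subjects.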
…or testability

**Added:**

- Introduced helper functions in `task_queue.rs` to build task messages,
  select task subjects based on priority, and determine final status strings,
  allowing unit testing of wire message shapes and subject routing logic
- Added public functions in `blue_task_queue.rs` to serialize/deserialize
  task and result messages, enabling easier unit testing without a broker
- Implemented builder functions in `redis_dispatcher.rs` for call IDs,
  tool exec requests, and tool result conversions for improved testability
- Added free functions in `result_handler.rs` for building task results from
  agent outcomes, supporting test coverage of branching logic
- Provided construction helpers in `tool_executor.rs` for tool exit errors and
  response objects, allowing isolated unit tests of response shape logic
- Added comprehensive unit tests for all new helper functions and message
  builders in affected modules

**Changed:**

- Refactored `TaskQueueCore::submit_task` and related logic to use
  extracted helper functions for message building and subject selection,
  improving clarity and testability
- Updated `RedisToolDispatcher` to use new builder functions for call IDs and
  tool exec requests, reducing duplication and improving unit test coverage
- Changed `process_task` in `result_handler.rs` to delegate result building and
  status computation to an extracted function, simplifying main logic
- Refactored tool execution response construction in `tool_executor.rs` to use
  dedicated builder functions, clarifying error and success handling
- Modified `BlueTaskQueueCore` methods to use new serialization/deserialization
  helpers, increasing code clarity and maintainability

**Removed:**

- Eliminated inlined message construction, subject routing, and status logic
  from main queue, dispatcher, and worker flows in favor of extracted functions
- Removed duplicate code for serializing/deserializing messages within
  queue implementations, consolidating in free functions for testability
…ility

**Added:**

- Introduced `build_running_status_extra` and `build_final_status_extra` helper
  functions to encapsulate construction of status "extra_fields" payloads and
  ensure field consistency between producer and consumer
- Added `busy_current_task` function to standardize formatting of
  `WorkerStatus.current_task` field
- Added `count_discovery_entries` function to count non-empty discovery arrays
  per type, supporting clearer and unit-testable discovery reporting logic
- Implemented comprehensive unit tests for new helper functions to verify
  payload structure, metadata consistency, and edge case handling

**Changed:**

- Refactored `process_task` in `result_handler.rs` to use new helper functions
  for status "extra_fields" payloads, improving maintainability and reducing
  field duplication
- Updated `run_tool_exec_loop` in `tool_executor.rs` to use the new
  `busy_current_task` helper, enforcing consistent task status formatting
- Modified discovery trace emission to use `count_discovery_entries`, replacing
  inline logic with reusable, tested function for clarity and correctness

**Removed:**

- Eliminated repeated manual construction of status payload objects in favor of
  the new helper functions, reducing code duplication and risk of inconsistency
l50 force-pushed the main branch 2 times, most recently from 4811845 to ff10d2b on April 29, 2026 23:48
l50 and others added 8 commits May 2, 2026 19:20
**Added:**

- Set cgroup parameters (Delegate, Slice, MemoryHigh, MemoryMax, TasksMax) to contain ares worker processes and prevent system OOMs in setup.sh systemd unit

**Changed:**

- Added Slice directive to systemd unit in ares@.service.j2 and removed obsolete incident reference in comment
**Key Changes:**

- Wrapped each `provider.chat()` call inside `call_with_retry` in its
own `llm.call` info span so timing and token usage are attributed to the
attempt that produced them
- Captured per-attempt input, output, and cache token counts, duration,
stop reason, and error message as span fields
- Recorded `task.id`, `llm.model`, `llm.attempt`, `llm.tool_count`, and
`llm.message_count` at span creation for filterable Tempo queries

**Added:**

- Per-attempt `llm.call` `info_span!` in
`ares-llm/src/agent_loop/retry.rs` with `Empty` placeholders for fields
that are only known after the call returns (`llm.input_tokens`,
`llm.output_tokens`, `llm.cache_read_tokens`,
`llm.cache_creation_tokens`, `llm.duration_ms`, `llm.stop_reason`,
`llm.error`)
- Wall-clock duration measurement via `std::time::Instant` recorded into
`llm.duration_ms` so retry waits are not folded into the successful
call's latency
- `tracing::Instrument` instrumentation of the `provider.chat()` future
so async work runs inside the span context

**Changed:**

- `ares-llm/src/agent_loop/retry.rs` `use` line now imports
`std::time::Instant` plus `tracing::{field::Empty, info_span,
Instrument}` alongside the existing `warn`
- Result handling in `call_with_retry` was split: the call result is
first inspected to record token usage / stop reason / error on the span,
then the existing retry decision logic runs on that same result
**Changed:**

- Switched git source from `nimbus_range` to `ares` repository and updated reference to `main` branch
- Updated file provisioner and shell steps to copy the ansible collection from the new `ares` repo location, ensuring the correct subtree (`ansible/`) is used for the collection directory
> ℹ️ **Note**
> 
> This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v3.28.19` → `v4.35.3` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v4.35.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.2...v4.35.3)

- *Upcoming breaking change*: Add a deprecation warning for customers
using CodeQL version 2.19.3 and earlier. These versions of CodeQL were
discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15,
and will be unsupported by the next minor release of the CodeQL Action.
[#3837](https://redirect.github.com/github/codeql-action/pull/3837)
- Configurations for private registries that use Cloudsmith or GCP OIDC
are now accepted.
[#3850](https://redirect.github.com/github/codeql-action/pull/3850)
- Best-effort connection tests for private registries now use `GET`
requests instead of `HEAD` for better compatibility with various
registry implementations. For NuGet feeds, the test is now always
performed against the service index.
[#3853](https://redirect.github.com/github/codeql-action/pull/3853)
- Fixed a bug where two diagnostics produced within the same millisecond
could overwrite each other on disk, causing one of them to be lost.
[#3852](https://redirect.github.com/github/codeql-action/pull/3852)
- Update default CodeQL bundle version to
[2.25.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3).
[#3865](https://redirect.github.com/github/codeql-action/pull/3865)

### [`v4.35.2`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.1...v4.35.2)

- The undocumented TRAP cache cleanup feature that could be enabled
using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is
deprecated and will be removed in May 2026. If you are affected by this,
we recommend disabling TRAP caching by passing the `trap-caching: false`
input to the `init` Action.
[#3795](https://redirect.github.com/github/codeql-action/pull/3795)
- The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules.
[#3789](https://redirect.github.com/github/codeql-action/pull/3789)
- Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal.
[#3794](https://redirect.github.com/github/codeql-action/pull/3794)
- Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0.
[#3807](https://redirect.github.com/github/codeql-action/pull/3807)
- Update default CodeQL bundle version to
[2.25.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2).
[#3823](https://redirect.github.com/github/codeql-action/pull/3823)

### [`v4.35.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.0...v4.35.1)

- Fix incorrect minimum required Git version for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158): it
should have been 2.36.0, not 2.11.0.
[#3781](https://redirect.github.com/github/codeql-action/pull/3781)

### [`v4.35.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.34.1...v4.35.0)

- Reduced the minimum Git version required for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) from
2.38.0 to 2.11.0.
[#3767](https://redirect.github.com/github/codeql-action/pull/3767)
- Update default CodeQL bundle version to
[2.25.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1).
[#3773](https://redirect.github.com/github/codeql-action/pull/3773)

### [`v4.34.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.34.0...v4.34.1)

- Downgrade default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3)
due to issues with a small percentage of Actions and JavaScript
analyses.
[#3762](https://redirect.github.com/github/codeql-action/pull/3762)

### [`v4.34.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.33.0...v4.34.0)

- Added an experimental change which disables TRAP caching when
[improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) is
enabled, since improved incremental analysis supersedes TRAP caching.
This will improve performance and reduce Actions cache usage. We expect
to roll this change out to everyone in March.
[#3569](https://redirect.github.com/github/codeql-action/pull/3569)
- We are rolling out improved incremental analysis to C/C++ analyses
that use build mode `none`. We expect this rollout to be complete by the
end of April 2026.
[#3584](https://redirect.github.com/github/codeql-action/pull/3584)
- Update default CodeQL bundle version to
[2.25.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0).
[#3585](https://redirect.github.com/github/codeql-action/pull/3585)

### [`v4.33.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.33.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.6...v4.33.0)

- Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change.
[#3562](https://redirect.github.com/github/codeql-action/pull/3562)

  To opt out of this change:

  - **Repositories owned by an organization:** Create a custom repository
  property with the name `github-codeql-file-coverage-on-prs` and the type
  "True/false", then set this property to `true` in the repository's
  settings. For more information, see [Managing custom properties for
  repositories in your
  organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
  Alternatively, if you are using an advanced setup workflow, you can set
  the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`
  in your workflow.
  - **User-owned repositories using default setup:** Switch to an advanced
  setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS`
  environment variable to `true` in your workflow.
  - **User-owned repositories using advanced setup:** Set the
  `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in
  your workflow.
- Fixed [a
bug](https://redirect.github.com/github/codeql-action/issues/3555) which
caused the CodeQL Action to fail loading repository properties if a
"Multi select" repository property was configured for the repository.
[#3557](https://redirect.github.com/github/codeql-action/pull/3557)
- The CodeQL Action now loads [custom repository
properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)
on GitHub Enterprise Server, enabling the customization of features such
as `github-codeql-disable-overlay` that was previously only available on
GitHub.com.
[#3559](https://redirect.github.com/github/codeql-action/pull/3559)
- Once [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
can be configured with OIDC-based authentication for organizations, the
CodeQL Action will now be able to accept such configurations.
[#3563](https://redirect.github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would
fail with the error "Response body object should not be disturbed or
locked".
[#3564](https://redirect.github.com/github/codeql-action/pull/3564)
- A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action.
[#3570](https://redirect.github.com/github/codeql-action/pull/3570)

### [`v4.32.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.5...v4.32.6)

- Update default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3).
[#3548](https://redirect.github.com/github/codeql-action/pull/3548)

### [`v4.32.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.4...v4.32.5)

- Repositories owned by an organization can now set up the
`github-codeql-disable-overlay` custom repository property to disable
[improved incremental analysis for
CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First,
create a custom repository property with the name
`github-codeql-disable-overlay` and the type "True/false" in the
organization's settings. Then in the repository's settings, set this
property to `true` to disable improved incremental analysis. For more
information, see [Managing custom properties for repositories in your
organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
This feature is not yet available on GitHub Enterprise Server.
[#3507](https://redirect.github.com/github/codeql-action/pull/3507)
- Added an experimental change so that when [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) fails
on a runner, potentially due to insufficient disk space, the failure
is recorded in the Actions cache so that subsequent runs will
automatically skip improved incremental analysis until something changes
(e.g. a larger runner is provisioned or a new CodeQL version is
released). We expect to roll this change out to everyone in March.
[#3487](https://redirect.github.com/github/codeql-action/pull/3487)
- The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
[#3515](https://redirect.github.com/github/codeql-action/pull/3515)
- Reduced log levels for best-effort private package registry connection
check failures to reduce noise from workflow annotations.
[#3516](https://redirect.github.com/github/codeql-action/pull/3516)
- Added an experimental change which lowers the minimum disk space
requirement for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158),
enabling it to run on standard GitHub Actions runners. We expect to roll
this change out to everyone in March.
[#3498](https://redirect.github.com/github/codeql-action/pull/3498)
- Added an experimental change which allows the `start-proxy` action to
resolve the CodeQL CLI version from feature flags instead of using the
linked CLI bundle version. We expect to roll this change out to everyone
in March.
[#3512](https://redirect.github.com/github/codeql-action/pull/3512)
- The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default.
[#3503](https://redirect.github.com/github/codeql-action/pull/3503),
[#3504](https://redirect.github.com/github/codeql-action/pull/3504)

### [`v4.32.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.3...v4.32.4)

- Update default CodeQL bundle version to
[2.24.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2).
[#3493](https://redirect.github.com/github/codeql-action/pull/3493)
- Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This is expected to generate more widely compatible certificates and
should have no impact on analyses which are working correctly already.
We expect to roll this change out to everyone in February.
[#3473](https://redirect.github.com/github/codeql-action/pull/3473)
- When the CodeQL Action is run [with debugging enabled in Default
Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup)
and [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries),
the "Setup proxy for registries" step will output additional diagnostic
information that can be used for troubleshooting.
[#3486](https://redirect.github.com/github/codeql-action/pull/3486)
- Added a setting which allows the CodeQL Action to enable network
debugging for Java programs. This will help GitHub staff support
customers with troubleshooting issues in GitHub-managed CodeQL
workflows, such as Default Setup. This setting can only be enabled by
GitHub staff.
[#3485](https://redirect.github.com/github/codeql-action/pull/3485)
- Added a setting which enables GitHub-managed workflows, such as
Default Setup, to use a [nightly CodeQL CLI
release](https://redirect.github.com/dsp-testing/codeql-cli-nightlies)
instead of the latest, stable release that is used by default. This will
help GitHub staff support customers whose analyses for a given
repository or organization require early access to a change in an
upcoming CodeQL CLI release. This setting can only be enabled by GitHub
staff.
[#3484](https://redirect.github.com/github/codeql-action/pull/3484)

### [`v4.32.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.2...v4.32.3)

- Added experimental support for testing connections to [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This feature is not currently enabled for any analysis. In the future,
it may be enabled by default for Default Setup.
[#3466](https://redirect.github.com/github/codeql-action/pull/3466)

### [`v4.32.2`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.1...v4.32.2)

- Update default CodeQL bundle version to
[2.24.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1).
[#3460](https://redirect.github.com/github/codeql-action/pull/3460)

### [`v4.32.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.0...v4.32.1)

- A warning is now shown in Default Setup workflow logs if a [private
package registry is
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
using a GitHub Personal Access Token (PAT), but no username is
configured.
[#3422](https://redirect.github.com/github/codeql-action/pull/3422)
- Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved.
[#3421](https://redirect.github.com/github/codeql-action/pull/3421)

### [`v4.32.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.11...v4.32.0)

- Update default CodeQL bundle version to
[2.24.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0).
[#3425](https://redirect.github.com/github/codeql-action/pull/3425)

### [`v4.31.11`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.11)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.10...v4.31.11)

- When running a Default Setup workflow with [Actions debugging
enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging),
the CodeQL Action will now use more unique names when uploading logs
from the Dependabot authentication proxy as workflow artifacts. This
ensures that the artifact names do not clash between multiple jobs in a
build matrix.
[#3409](https://redirect.github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action.
[#3415](https://redirect.github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated
files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github)
from the analysis. This feature is not currently enabled for any
analysis. In the future, it may be enabled by default for some
GitHub-managed analyses.
[#3318](https://redirect.github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL
Action are now shorter to avoid duplicated information from appearing in
Dependabot PRs.
[#3403](https://redirect.github.com/github/codeql-action/pull/3403)

### [`v4.31.10`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.10)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.9...v4.31.10)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.10 - 12 Jan 2026

- Update default CodeQL bundle version to 2.23.9.
[#3393](https://redirect.github.com/github/codeql-action/pull/3393)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md)
for more information.

### [`v4.31.9`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.9 - 16 Dec 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.9/CHANGELOG.md)
for more information.

### [`v4.31.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.7...v4.31.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.8 - 11 Dec 2025

- Update default CodeQL bundle version to 2.23.8.
[#3354](https://redirect.github.com/github/codeql-action/pull/3354)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.8/CHANGELOG.md)
for more information.

### [`v4.31.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.6...v4.31.7)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.7 - 05 Dec 2025

- Update default CodeQL bundle version to 2.23.7.
[#3343](https://redirect.github.com/github/codeql-action/pull/3343)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.7/CHANGELOG.md)
for more information.

### [`v4.31.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.5...v4.31.6)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.6 - 01 Dec 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.6/CHANGELOG.md)
for more information.

### [`v4.31.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.4...v4.31.5)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.5 - 24 Nov 2025

- Update default CodeQL bundle version to 2.23.6.
[#3321](https://redirect.github.com/github/codeql-action/pull/3321)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.5/CHANGELOG.md)
for more information.

### [`v4.31.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.3...v4.31.4)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.4 - 18 Nov 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.4/CHANGELOG.md)
for more information.

### [`v4.31.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.2...v4.31.3)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.3 - 13 Nov 2025

- CodeQL Action v3 will be deprecated in December 2026. The Action now
logs a warning for customers who are running v3 but could be running v4.
For more information, see [Upcoming deprecation of CodeQL Action
v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5.
[#3288](https://redirect.github.com/github/codeql-action/pull/3288)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.3/CHANGELOG.md)
for more information.

### [`v4.31.2`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.1...v4.31.2)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.2 - 30 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.2/CHANGELOG.md)
for more information.

### [`v4.31.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.0...v4.31.1)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.1 - 30 Oct 2025

- The `add-snippets` input has been removed from the `analyze` action.
This input has been deprecated since CodeQL Action 3.26.4 in August 2024
when this removal was announced.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.1/CHANGELOG.md)
for more information.

### [`v4.31.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.9...v4.31.0)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.31.0 - 24 Oct 2025

- Bump minimum CodeQL bundle version to 2.17.6.
[#3223](https://redirect.github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif`
actions, the CodeQL Action automatically performs post-processing steps
to prepare the data for the upload. Previously, these post-processing
steps were only performed before an upload took place. We are now
changing this so that the post-processing steps will always be
performed, even when the SARIF files are not uploaded. This does not
change anything for the `upload-sarif` action. For `analyze`, this may
affect Advanced Setup for CodeQL users who specify a value other than
`always` for the `upload` input.
[#3222](https://redirect.github.com/github/codeql-action/pull/3222)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.0/CHANGELOG.md)
for more information.

### [`v4.30.9`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.8...v4.30.9)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.30.9 - 17 Oct 2025

- Update default CodeQL bundle version to 2.23.3.
[#3205](https://redirect.github.com/github/codeql-action/pull/3205)
- Experimental: A new `setup-codeql` action has been added which is
similar to `init`, except it only installs the CodeQL CLI and does not
initialize a database. Do not use this in production as it is part of an
internal experiment and subject to change at any time.
[#3204](https://redirect.github.com/github/codeql-action/pull/3204)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.9/CHANGELOG.md)
for more information.

### [`v4.30.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.7...v4.30.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.30.8 - 10 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.8/CHANGELOG.md)
for more information.

### [`v4.30.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v4...v4.30.7)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.30.7 - 06 Oct 2025

- \[v4+ only] The CodeQL Action now runs on Node.js v24.
[#3169](https://redirect.github.com/github/codeql-action/pull/3169)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.7/CHANGELOG.md)
for more information.

### [`v4`](https://redirect.github.com/github/codeql-action/compare/v3.35.3...v4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.35.3...v4)

### [`v3.35.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.35.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.35.2...v3.35.3)

- *Upcoming breaking change*: Add a deprecation warning for customers
using CodeQL version 2.19.3 and earlier. These versions of CodeQL were
discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15,
and will be unsupported by the next minor release of the CodeQL Action.
[#3837](https://redirect.github.com/github/codeql-action/pull/3837)
- Configurations for private registries that use Cloudsmith or GCP OIDC
are now accepted.
[#3850](https://redirect.github.com/github/codeql-action/pull/3850)
- Best-effort connection tests for private registries now use `GET`
requests instead of `HEAD` for better compatibility with various
registry implementations. For NuGet feeds, the test is now always
performed against the service index.
[#3853](https://redirect.github.com/github/codeql-action/pull/3853)
- Fixed a bug where two diagnostics produced within the same millisecond
could overwrite each other on disk, causing one of them to be lost.
[#3852](https://redirect.github.com/github/codeql-action/pull/3852)
- Update default CodeQL bundle version to
[2.25.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3).
[#3865](https://redirect.github.com/github/codeql-action/pull/3865)

### [`v3.35.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.35.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.35.1...v3.35.2)

- The undocumented TRAP cache cleanup feature that could be enabled
using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is
deprecated and will be removed in May 2026. If you are affected by this,
we recommend disabling TRAP caching by passing the `trap-caching: false`
input to the `init` Action.
[#3795](https://redirect.github.com/github/codeql-action/pull/3795)
- The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules.
[#3789](https://redirect.github.com/github/codeql-action/pull/3789)
- Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal.
[#3794](https://redirect.github.com/github/codeql-action/pull/3794)
- Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0.
[#3807](https://redirect.github.com/github/codeql-action/pull/3807)
- Update default CodeQL bundle version to
[2.25.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2).
[#3823](https://redirect.github.com/github/codeql-action/pull/3823)

### [`v3.35.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.35.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.35.0...v3.35.1)

- Fix incorrect minimum required Git version for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158): it
should have been 2.36.0, not 2.11.0.
[#3781](https://redirect.github.com/github/codeql-action/pull/3781)

### [`v3.35.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.35.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.34.1...v3.35.0)

- Reduced the minimum Git version required for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) from
2.38.0 to 2.11.0.
[#3767](https://redirect.github.com/github/codeql-action/pull/3767)
- Update default CodeQL bundle version to
[2.25.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1).
[#3773](https://redirect.github.com/github/codeql-action/pull/3773)

### [`v3.34.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.34.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.34.0...v3.34.1)

- Downgrade default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3)
due to issues with a small percentage of Actions and JavaScript
analyses.
[#3762](https://redirect.github.com/github/codeql-action/pull/3762)

### [`v3.34.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.34.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.33.0...v3.34.0)

- Added an experimental change which disables TRAP caching when
[improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) is
enabled, since improved incremental analysis supersedes TRAP caching.
This will improve performance and reduce Actions cache usage. We expect
to roll this change out to everyone in March.
[#3569](https://redirect.github.com/github/codeql-action/pull/3569)
- We are rolling out improved incremental analysis to C/C++ analyses
that use build mode `none`. We expect this rollout to be complete by the
end of April 2026.
[#3584](https://redirect.github.com/github/codeql-action/pull/3584)
- Update default CodeQL bundle version to
[2.25.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0).
[#3585](https://redirect.github.com/github/codeql-action/pull/3585)

### [`v3.33.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.33.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.6...v3.33.0)

- Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change.
[#3562](https://redirect.github.com/github/codeql-action/pull/3562)
  To opt out of this change:
  - **Repositories owned by an organization:** Create a custom repository
    property with the name `github-codeql-file-coverage-on-prs` and the type
    "True/false", then set this property to `true` in the repository's
    settings. For more information, see [Managing custom properties for
    repositories in your
    organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
    Alternatively, if you are using an advanced setup workflow, you can set
    the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`
    in your workflow.
  - **User-owned repositories using default setup:** Switch to an advanced
    setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS`
    environment variable to `true` in your workflow.
  - **User-owned repositories using advanced setup:** Set the
    `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in
    your workflow.
- Fixed [a
bug](https://redirect.github.com/github/codeql-action/issues/3555) which
caused the CodeQL Action to fail loading repository properties if a
"Multi select" repository property was configured for the repository.
[#3557](https://redirect.github.com/github/codeql-action/pull/3557)
- The CodeQL Action now loads [custom repository
properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)
on GitHub Enterprise Server, enabling the customization of features such
as `github-codeql-disable-overlay` that was previously only available on
GitHub.com.
[#3559](https://redirect.github.com/github/codeql-action/pull/3559)
- Once [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
can be configured with OIDC-based authentication for organizations, the
CodeQL Action will now be able to accept such configurations.
[#3563](https://redirect.github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would
fail with the error "Response body object should not be disturbed or
locked".
[#3564](https://redirect.github.com/github/codeql-action/pull/3564)
- A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action.
[#3570](https://redirect.github.com/github/codeql-action/pull/3570)

### [`v3.32.6`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.5...v3.32.6)

- Update default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3).
[#3548](https://redirect.github.com/github/codeql-action/pull/3548)

### [`v3.32.5`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.4...v3.32.5)

- Repositories owned by an organization can now set up the
`github-codeql-disable-overlay` custom repository property to disable
[improved incremental analysis for
CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First,
create a custom repository property with the name
`github-codeql-disable-overlay` and the type "True/false" in the
organization's settings. Then in the repository's settings, set this
property to `true` to disable improved incremental analysis. For more
information, see [Managing custom properties for repositories in your
organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
This feature is not yet available on GitHub Enterprise Server.
[#3507](https://redirect.github.com/github/codeql-action/pull/3507)
- Added an experimental change so that when [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) fails
on a runner — potentially due to insufficient disk space — the failure
is recorded in the Actions cache so that subsequent runs will
automatically skip improved incremental analysis until something changes
(e.g. a larger runner is provisioned or a new CodeQL version is
released). We expect to roll this change out to everyone in March.
[#3487](https://redirect.github.com/github/codeql-action/pull/3487)
- The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
[#3515](https://redirect.github.com/github/codeql-action/pull/3515)
- Reduced log levels for best-effort private package registry connection
check failures to reduce noise from workflow annotations.
[#3516](https://redirect.github.com/github/codeql-action/pull/3516)
- Added an experimental change which lowers the minimum disk space
requirement for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158),
enabling it to run on standard GitHub Actions runners. We expect to roll
this change out to everyone in March.
[#3498](https://redirect.github.com/github/codeql-action/pull/3498)
- Added an experimental change which allows the `start-proxy` action to
resolve the CodeQL CLI version from feature flags instead of using the
linked CLI bundle version. We expect to roll this change out to everyone
in March.
[#3512](https://redirect.github.com/github/codeql-action/pull/3512)
- The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default.
[#3503](https://redirect.github.com/github/codeql-action/pull/3503),
[#3504](https://redirect.github.com/github/codeql-action/pull/3504)

### [`v3.32.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.3...v3.32.4)

- Update default CodeQL bundle version to
[2.24.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2).
[#3493](https://redirect.github.com/github/codeql-action/pull/3493)
- Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This is expected to generate more widely compatible certificates and
should have no impact on analyses which are working correctly already.
We expect to roll this change out to everyone in February.
[#3473](https://redirect.github.com/github/codeql-action/pull/3473)
- When the CodeQL Action is run [with debugging enabled in Default
Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup)
and [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries),
the "Setup proxy for registries" step will output additional diagnostic
information that can be used for troubleshooting.
[#3486](https://redirect.github.com/github/codeql-action/pull/3486)
- Added a setting which allows the CodeQL Action to enable network
debugging for Java programs. This will help GitHub staff support
customers with troubleshooting issues in GitHub-managed CodeQL
workflows, such as Default Setup. This setting can only be enabled by
GitHub staff.
[#3485](https://redirect.github.com/github/codeql-action/pull/3485)
- Added a setting which enables GitHub-managed workflows, such as
Default Setup, to use a [nightly CodeQL CLI
release](https://redirect.github.com/dsp-testing/codeql-cli-nightlies)
instead of the latest, stable release that is used by default. This will
help GitHub staff support customers whose analyses for a given
repository or organization require early access to a change in an
upcoming CodeQL CLI release. This setting can only be enabled by GitHub
staff.
[#3484](https://redirect.github.com/github/codeql-action/pull/3484)

### [`v3.32.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.2...v3.32.3)

- Added experimental support for testing connections to [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This feature is not currently enabled for any analysis. In the future,
it may be enabled by default for Default Setup.
[#3466](https://redirect.github.com/github/codeql-action/pull/3466)

### [`v3.32.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.1...v3.32.2)

- Update default CodeQL bundle version to
[2.24.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1).
[#3460](https://redirect.github.com/github/codeql-action/pull/3460)

### [`v3.32.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.32.0...v3.32.1)

- A warning is now shown in Default Setup workflow logs if a [private
package registry is
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
using a GitHub Personal Access Token (PAT), but no username is
configured.
[#3422](https://redirect.github.com/github/codeql-action/pull/3422)
- Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved.
[#3421](https://redirect.github.com/github/codeql-action/pull/3421)

### [`v3.32.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.32.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.11...v3.32.0)

- Update default CodeQL bundle version to
[2.24.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0).
[#3425](https://redirect.github.com/github/codeql-action/pull/3425)

### [`v3.31.11`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.11)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.10...v3.31.11)

- When running a Default Setup workflow with [Actions debugging
enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging),
the CodeQL Action will now use more unique names when uploading logs
from the Dependabot authentication proxy as workflow artifacts. This
ensures that the artifact names do not clash between multiple jobs in a
build matrix.
[#3409](https://redirect.github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action.
[#3415](https://redirect.github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated
files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github)
from the analysis. This feature is not currently enabled for any
analysis. In the future, it may be enabled by default for some
GitHub-managed analyses.
[#3318](https://redirect.github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL
Action are now shorter to avoid duplicated information from appearing in
Dependabot PRs.
[#3403](https://redirect.github.com/github/codeql-action/pull/3403)

### [`v3.31.10`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.10)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.9...v3.31.10)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.10 - 12 Jan 2026

- Update default CodeQL bundle version to 2.23.9.
[#3393](https://redirect.github.com/github/codeql-action/pull/3393)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.10/CHANGELOG.md)
for more information.

### [`v3.31.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.8...v3.31.9)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.9 - 16 Dec 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.9/CHANGELOG.md)
for more information.

### [`v3.31.8`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.7...v3.31.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.8 - 11 Dec 2025

- Update default CodeQL bundle version to 2.23.8.
[#3354](https://redirect.github.com/github/codeql-action/pull/3354)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.8/CHANGELOG.md)
for more information.

### [`v3.31.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.6...v3.31.7)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.7 - 05 Dec 2025

- Update default CodeQL bundle version to 2.23.7.
[#&#8203;3343](https://redirect.github.com/github/codeql-action/pull/3343)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.7/CHANGELOG.md)
for more information.

### [`v3.31.6`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.5...v3.31.6)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.6 - 01 Dec 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.6/CHANGELOG.md)
for more information.

### [`v3.31.5`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.4...v3.31.5)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.5 - 24 Nov 2025

- Update default CodeQL bundle version to 2.23.6.
[#&#8203;3321](https://redirect.github.com/github/codeql-action/pull/3321)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.5/CHANGELOG.md)
for more information.

### [`v3.31.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.3...v3.31.4)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.4 - 18 Nov 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.4/CHANGELOG.md)
for more information.

### [`v3.31.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.2...v3.31.3)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.3 - 13 Nov 2025

- CodeQL Action v3 will be deprecated in December 2026. The Action now
logs a warning for customers who are running v3 but could be running v4.
For more information, see [Upcoming deprecation of CodeQL Action
v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5.
[#&#8203;3288](https://redirect.github.com/github/codeql-action/pull/3288)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.3/CHANGELOG.md)
for more information.

### [`v3.31.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.1...v3.31.2)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.2 - 30 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.2/CHANGELOG.md)
for more information.

### [`v3.31.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.31.0...v3.31.1)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.1 - 30 Oct 2025

- The `add-snippets` input has been removed from the `analyze` action.
This input has been deprecated since CodeQL Action 3.26.4 in August 2024
when this removal was announced.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.1/CHANGELOG.md)
for more information.

### [`v3.31.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.31.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.30.9...v3.31.0)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.31.0 - 24 Oct 2025

- Bump minimum CodeQL bundle version to 2.17.6.
[#&#8203;3223](https://redirect.github.com/github/codeql-action/pull/3223)
- When SARIF files are uploaded by the `analyze` or `upload-sarif`
actions, the CodeQL Action automatically performs post-processing steps
to prepare the data for the upload. Previously, these post-processing
steps were only performed before an upload took place. We are now
changing this so that the post-processing steps will always be
performed, even when the SARIF files are not uploaded. This does not
change anything for the `upload-sarif` action. For `analyze`, this may
affect Advanced Setup for CodeQL users who specify a value other than
`always` for the `upload` input.
[#&#8203;3222](https://redirect.github.com/github/codeql-action/pull/3222)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.31.0/CHANGELOG.md)
for more information.

### [`v3.30.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.30.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.30.8...v3.30.9)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.30.9 - 17 Oct 2025

- Update default CodeQL bundle version to 2.23.3.
[#&#8203;3205](https://redirect.github.com/github/codeql-action/pull/3205)
- Experimental: A new `setup-codeql` action has been added which is
similar to `init`, except it only installs the CodeQL CLI and does not
initialize a database. Do not use this in production as it is part of an
internal experiment and subject to change at any time.
[#&#8203;3204](https://redirect.github.com/github/codeql-action/pull/3204)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.30.9/CHANGELOG.md)
for more information.

### [`v3.30.8`](https://redirect.github.com/github/codeql-action/releases/tag/v3.30.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.30.7...v3.30.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.30.8 - 10 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.30.8/CHANGELOG.md)
for more information.

### [`v3.30.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.30.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.30.6...v3.30.7)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.30.7 - 06 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.30.7/CHANGELOG.md)
for more information.

### [`v3.30.6`](https://redirect.github.com/github/codeql-action/releases/tag/v3.30.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.30.5...v3.30.6)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.30.6 - 02 Oct 2025

- Update default CodeQL bundle version to 2.23.2.
[#&#8203;3168](https://redirect.github.com/github/codeql-action/pull/3168)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.30.6/CHANGELOG.md)
for mor

> ✂ **Note**
> 
> PR body was truncated to here.


</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).


Co-authored-by: dreadnode-renovate-bot[bot] <184170622+dreadnode-renovate-bot[bot]@users.noreply.github.com>
Co-authored-by: Jayson Grace <jayson.e.grace@gmail.com>

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [CowDogMoo/warpgate](https://redirect.github.com/CowDogMoo/warpgate) | minor | `v4.4.0` → `v4.6.0` |

---

### Release Notes

<details>
<summary>CowDogMoo/warpgate (CowDogMoo/warpgate)</summary>

### [`v4.6.0`](https://redirect.github.com/CowDogMoo/warpgate/releases/tag/v4.6.0)

[Compare Source](https://redirect.github.com/CowDogMoo/warpgate/compare/v4.5.0...v4.6.0)

##### Changelog

- [`7cad5ec`](https://redirect.github.com/CowDogMoo/warpgate/commit/7cad5eca6ff4166c4d042721edb570cdc17db213) feat: add azure vm image builder support for compute gallery builds ([#&#8203;1828](https://redirect.github.com/CowDogMoo/warpgate/issues/1828))
- [`7a309ea`](https://redirect.github.com/CowDogMoo/warpgate/commit/7a309eab9a288d298d6ceb0f5e82c19e8c2b2e82) feat: add validation for file provisioner in AMI builder ([#&#8203;1827](https://redirect.github.com/CowDogMoo/warpgate/issues/1827))

### [`v4.5.0`](https://redirect.github.com/CowDogMoo/warpgate/releases/tag/v4.5.0)

[Compare Source](https://redirect.github.com/CowDogMoo/warpgate/compare/v4.4.0...v4.5.0)

##### Changelog

- [`48353bb`](https://redirect.github.com/CowDogMoo/warpgate/commit/48353bbfbdf9bba42fd3f68797beb6e5255337ff) feat: add support for S3-staged file provisioners in AMI builds ([#&#8203;1826](https://redirect.github.com/CowDogMoo/warpgate/issues/1826))
- [`29cce33`](https://redirect.github.com/CowDogMoo/warpgate/commit/29cce334198507c1527699de074105bb8ddbad64) chore(deps): update go indirect dependencies ([#&#8203;1824](https://redirect.github.com/CowDogMoo/warpgate/issues/1824))
- [`1104179`](https://redirect.github.com/CowDogMoo/warpgate/commit/1104179cb18add3de1a34601fcd6ffcbaa365135) fix(deps): update module github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to v1.71.0 ([#&#8203;1825](https://redirect.github.com/CowDogMoo/warpgate/issues/1825))
- [`cd806e5`](https://redirect.github.com/CowDogMoo/warpgate/commit/cd806e58749206e5793babfa3cb8ec8fe93ca4cc) fix(deps): update module github.com/invopop/jsonschema to v0.14.0 ([#&#8203;1823](https://redirect.github.com/CowDogMoo/warpgate/issues/1823))
- [`14809fd`](https://redirect.github.com/CowDogMoo/warpgate/commit/14809fd582670142ed1e21a2d6645b85104d62be) fix(deps): update aws-sdk-go-v2 monorepo ([#&#8203;1822](https://redirect.github.com/CowDogMoo/warpgate/issues/1822))
- [`ead671c`](https://redirect.github.com/CowDogMoo/warpgate/commit/ead671c8c7818851d3d931a8cd2c2197c609abbd) chore(deps): update go indirect dependencies ([#&#8203;1820](https://redirect.github.com/CowDogMoo/warpgate/issues/1820))
- [`1bc45e9`](https://redirect.github.com/CowDogMoo/warpgate/commit/1bc45e9491c6686121b99a0cb6f1ea3e71b12427) chore(deps): update renovatebot/github-action action to v46.1.10 ([#&#8203;1821](https://redirect.github.com/CowDogMoo/warpgate/issues/1821))
- [`86f51bc`](https://redirect.github.com/CowDogMoo/warpgate/commit/86f51bcf8bdbfd22fcce3c389bdfb2ada0e15d87) fix: properly escape shell variables and extra-vars, improve temp file handling ([#&#8203;1819](https://redirect.github.com/CowDogMoo/warpgate/issues/1819))
- [`62b0dfc`](https://redirect.github.com/CowDogMoo/warpgate/commit/62b0dfce623e2d9530d3abcea54d5acefde1f643) fix: enforce secure buildkit tcp connections and improve temp file handling ([#&#8203;1818](https://redirect.github.com/CowDogMoo/warpgate/issues/1818))
- [`32defaf`](https://redirect.github.com/CowDogMoo/warpgate/commit/32defaf535dce390519e56a9098b50a49ddb2a1c) fix(deps): update module github.com/moby/moby/client to v0.4.1 ([#&#8203;1816](https://redirect.github.com/CowDogMoo/warpgate/issues/1816))
- [`bb766d2`](https://redirect.github.com/CowDogMoo/warpgate/commit/bb766d2d12937975d2c9e23c407ae0002c113b04) fix(deps): update module github.com/docker/cli to v29.4.1+incompatible ([#&#8203;1814](https://redirect.github.com/CowDogMoo/warpgate/issues/1814))
- [`8f9a811`](https://redirect.github.com/CowDogMoo/warpgate/commit/8f9a8116b96830d7f2fab469deb14c503f9c8515) fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.298.0 ([#&#8203;1817](https://redirect.github.com/CowDogMoo/warpgate/issues/1817))
- [`4b6a195`](https://redirect.github.com/CowDogMoo/warpgate/commit/4b6a195d78b1acb4c4f049b4a7d50fdde3766fa2) fix(deps): update module github.com/moby/moby/api to v1.54.2 ([#&#8203;1815](https://redirect.github.com/CowDogMoo/warpgate/issues/1815))
- [`3ca9e39`](https://redirect.github.com/CowDogMoo/warpgate/commit/3ca9e390fe29071ad1edecfcce549153804bda07) chore(deps): update go indirect dependencies ([#&#8203;1813](https://redirect.github.com/CowDogMoo/warpgate/issues/1813))
- [`53430e5`](https://redirect.github.com/CowDogMoo/warpgate/commit/53430e51b31884ee3588654715f3519405a237aa) chore(deps): update goreleaser/goreleaser-action digest to [`e24998b`](https://redirect.github.com/CowDogMoo/warpgate/commit/e24998b) ([#&#8203;1812](https://redirect.github.com/CowDogMoo/warpgate/issues/1812))
- [`d0ed6ba`](https://redirect.github.com/CowDogMoo/warpgate/commit/d0ed6ba630c3a43e8be984d39cde28cf44c9e5d5) chore(deps): update github/codeql-action digest to [`95e58e9`](https://redirect.github.com/CowDogMoo/warpgate/commit/95e58e9) ([#&#8203;1811](https://redirect.github.com/CowDogMoo/warpgate/issues/1811))
- [`159fa7d`](https://redirect.github.com/CowDogMoo/warpgate/commit/159fa7dc74e61f88e1e022ac431b81679713b264) fix(deps): update aws-sdk-go-v2 monorepo ([#&#8203;1808](https://redirect.github.com/CowDogMoo/warpgate/issues/1808))
- [`cd1e623`](https://redirect.github.com/CowDogMoo/warpgate/commit/cd1e623282133a9abd0673525310ad7549edfc9c) test: fix data race in builder service parallel tests ([#&#8203;1810](https://redirect.github.com/CowDogMoo/warpgate/issues/1810))
- [`3fd2f4e`](https://redirect.github.com/CowDogMoo/warpgate/commit/3fd2f4efdbd39c1bd19d010cc5653833a1bdcbec) fix(deps): update module github.com/zclconf/go-cty to v1.18.1 ([#&#8203;1809](https://redirect.github.com/CowDogMoo/warpgate/issues/1809))
- [`fb40365`](https://redirect.github.com/CowDogMoo/warpgate/commit/fb4036585f4e1e24e195c177dd1350c53bb3fa81) chore(deps): update go indirect dependencies ([#&#8203;1806](https://redirect.github.com/CowDogMoo/warpgate/issues/1806))
- [`1b2b1bf`](https://redirect.github.com/CowDogMoo/warpgate/commit/1b2b1bfc2bb22e388145f76346bfe4d7615c5ae8) chore(deps): update renovatebot/github-action action to v46.1.9 ([#&#8203;1807](https://redirect.github.com/CowDogMoo/warpgate/issues/1807))
- [`f3b1325`](https://redirect.github.com/CowDogMoo/warpgate/commit/f3b1325adfb81631a87f0917de61ecf4712c0023) fix(deps): update module github.com/go-git/go-git/v5 to v5.18.0 \[security] ([#&#8203;1805](https://redirect.github.com/CowDogMoo/warpgate/issues/1805))
- [`4380663`](https://redirect.github.com/CowDogMoo/warpgate/commit/4380663b26b56085ba830b47ed47039b6b175397) chore(deps): update actions/create-github-app-token action to v3.1.1 ([#&#8203;1804](https://redirect.github.com/CowDogMoo/warpgate/issues/1804))
- [`a6b4c31`](https://redirect.github.com/CowDogMoo/warpgate/commit/a6b4c31d9f6676e575212393c9fcaac760cc5690) chore(deps): update go indirect dependencies ([#&#8203;1803](https://redirect.github.com/CowDogMoo/warpgate/issues/1803))
- [`29406b3`](https://redirect.github.com/CowDogMoo/warpgate/commit/29406b340e3164f91df0a6e3ecffd7e993c65713) chore(deps): update actions/upload-artifact digest to [`043fb46`](https://redirect.github.com/CowDogMoo/warpgate/commit/043fb46) ([#&#8203;1802](https://redirect.github.com/CowDogMoo/warpgate/issues/1802))
- [`4c156cd`](https://redirect.github.com/CowDogMoo/warpgate/commit/4c156cd938f934489e35cecd97854fe4aff6c5e5) fix(deps): update module github.com/aws/aws-sdk-go-v2/service/imagebuilder to v1.52.0 ([#&#8203;1798](https://redirect.github.com/CowDogMoo/warpgate/issues/1798))
- [`a725a24`](https://redirect.github.com/CowDogMoo/warpgate/commit/a725a24c7f81aff9b32e4d33ffc2cf7a7e9b768a) fix(deps): update module github.com/google/go-containerregistry to v0.21.5 ([#&#8203;1796](https://redirect.github.com/CowDogMoo/warpgate/issues/1796))
- [`93afcdf`](https://redirect.github.com/CowDogMoo/warpgate/commit/93afcdf864a980d2c41e96046e08132faf7a2ac8) fix(deps): update module golang.org/x/term to v0.42.0 ([#&#8203;1799](https://redirect.github.com/CowDogMoo/warpgate/issues/1799))
- [`66b7ab1`](https://redirect.github.com/CowDogMoo/warpgate/commit/66b7ab174578109970ea1868dc0880cd4855b219) chore(deps): update go indirect dependencies ([#&#8203;1797](https://redirect.github.com/CowDogMoo/warpgate/issues/1797))
- [`c94875f`](https://redirect.github.com/CowDogMoo/warpgate/commit/c94875f3e548805531a44f717a7c7217f26e532f) fix: rebuild image recipe when parent AMI changes ([#&#8203;1801](https://redirect.github.com/CowDogMoo/warpgate/issues/1801))
- [`48096ee`](https://redirect.github.com/CowDogMoo/warpgate/commit/48096ee7040f1a44902d820c478df8b076513753) chore(deps): update renovatebot/github-action action to v46.1.8 ([#&#8203;1795](https://redirect.github.com/CowDogMoo/warpgate/issues/1795))
- [`348ebb0`](https://redirect.github.com/CowDogMoo/warpgate/commit/348ebb04d5967458e9ac84e518bee353e2588516) feat: add dynamic AMI resolution via EC2 filters and validation support ([#&#8203;1800](https://redirect.github.com/CowDogMoo/warpgate/issues/1800))
- [`66705fe`](https://redirect.github.com/CowDogMoo/warpgate/commit/66705fec04798f6f697cd3e98530403d41ce1347) feat: improve progress bar TTY handling and adaptive width support
- [`9cdb01f`](https://redirect.github.com/CowDogMoo/warpgate/commit/9cdb01f17fa87d3a46c393514eef53e68a8ef24f) fix(deps): update module github.com/docker/cli to v29.4.0+incompatible ([#&#8203;1793](https://redirect.github.com/CowDogMoo/warpgate/issues/1793))
- [`81fedad`](https://redirect.github.com/CowDogMoo/warpgate/commit/81fedad9427070b82ed7b7f15d59a10e7caf91db) docs: update go documentation link to point to v3 package
- [`486c646`](https://redirect.github.com/CowDogMoo/warpgate/commit/486c646acaca9231006787ce88f38185d897078d) build: update go version and dependencies to latest patch releases
- [`ee906be`](https://redirect.github.com/CowDogMoo/warpgate/commit/ee906be9333b69c2d270a0467bd09a7ffc91adbf) chore(deps): update dependency golang to v1.26.2 ([#&#8203;1789](https://redirect.github.com/CowDogMoo/warpgate/issues/1789))
- [`5f0974a`](https://redirect.github.com/CowDogMoo/warpgate/commit/5f0974ab02d4ff2b629ad2217d5a3c23be699ecd) chore(deps): update docker/login-action digest to [`4907a6d`](https://redirect.github.com/CowDogMoo/warpgate/commit/4907a6d) ([#&#8203;1788](https://redirect.github.com/CowDogMoo/warpgate/issues/1788))
- [`1789c6e`](https://redirect.github.com/CowDogMoo/warpgate/commit/1789c6edc21cb6978b0d6f99ea9f5fd11b214a9b) chore(deps): update github/codeql-action action to v4 ([#&#8203;1794](https://redirect.github.com/CowDogMoo/warpgate/issues/1794))
- [`949e659`](https://redirect.github.com/CowDogMoo/warpgate/commit/949e659c3ab014239d69addc0629ae52a3430b89) fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.297.0 ([#&#8203;1792](https://redirect.github.com/CowDogMoo/warpgate/issues/1792))
- [`360ab9f`](https://redirect.github.com/CowDogMoo/warpgate/commit/360ab9f7e6767eac65462f12408a1fff61e39ff2) chore(deps): update go indirect dependencies ([#&#8203;1791](https://redirect.github.com/CowDogMoo/warpgate/issues/1791))
- [`a08250c`](https://redirect.github.com/CowDogMoo/warpgate/commit/a08250cab75301ce437cd82994dea56f03909095) fix(deps): update module github.com/google/go-containerregistry to v0.21.4 ([#&#8203;1790](https://redirect.github.com/CowDogMoo/warpgate/issues/1790))
- [`8248494`](https://redirect.github.com/CowDogMoo/warpgate/commit/8248494ac086ef4d201d1e150bb0905d2bb98bcf) fix: ensure correct platform metadata for images exported by buildkit ([#&#8203;1787](https://redirect.github.com/CowDogMoo/warpgate/issues/1787))

</details>


---------

Co-authored-by: dreadnode-renovate-bot[bot] <184170622+dreadnode-renovate-bot[bot]@users.noreply.github.com>
Co-authored-by: Jayson Grace <jayson.e.grace@gmail.com>
…mplate

**Changed:**

- Bump WARPGATE_VERSION from v4.4.0 to v4.7.0 in all GitHub Actions workflows for build, test, and validation
- Simplify ansible source in ares-golden-image template by switching from git-based retrieval to a local path reference, and streamline file copy step to use the local ansible/ subtree directly

dreadnode-renovate-bot (bot) added the area/github label (Changes made to GitHub Actions workflows) on May 8, 2026
l50 added 9 commits May 7, 2026 20:56

**Changed:**

- Updated Renovate GitHub Action to v46.1.13 in `.github/workflows/renovate.yaml` to include latest features and fixes
- Updated CodeQL upload-sarif action to v4.35.3 in `.github/workflows/semgrep.yaml` for improved security scanning
- Updated Rust dependencies in `Cargo.lock`, including upgrades for `redis` (1.2.0 → 1.2.1) and `tokio` (1.52.1 → 1.52.2), and changes to several `windows-sys` package versions for compatibility
- Enhanced tracing and instrumentation in `ares-llm/src/agent_loop/retry.rs` by adding detailed spans for LLM calls, including token usage, tool/message counts, duration, and error recording for improved observability

**Removed:**

- Removed explicit base image reference for Kali Linux in `warpgate.yaml` to defer image selection or simplify configuration

…249)

**Key Changes:**

- Introduced Azure-specific golden image template with full red-team
toolchain and GPU support
- Updated AWS template to use unified ares repository for nimbus_range
collection
- Improved Ansible collection copy logic for AWS image builder
- Ensured feature parity and easier maintenance between AWS and Azure
images

**Added:**

- Azure golden image template - Added `ares-golden-azure` directory
containing `README.md` and `warpgate.yaml` to provide an Azure-specific
variant of the Ares golden image. This includes documentation,
provisioning steps, NVIDIA GPU support, and red-team tool installation
using the nimbus_range Ansible collection. The template supports
publishing to Azure Compute Gallery with all required resource and
identity settings.

**Changed:**

- Source repository and branch for nimbus_range - Updated AWS
`ares-golden-image/warpgate.yaml` to pull the nimbus_range collection
from the `dreadnode/ares` repository at the `feat/more-attack-cov`
branch instead of the old repository, ensuring alignment with Azure and
consolidated feature set.
- Ansible collection copy logic - Modified the provisioner in the AWS
template to copy only the `ansible` subdirectory from the source repo
into the target Ansible collection path, matching the new repo structure
and preventing unnecessary files from being copied.

**Key Changes:**

- Introduced `ares ops sessions` CLI commands for listing, showing, and
replaying session logs
- Added `SessionsCommands` enum and integrated it with the CLI and ops
command dispatch
- Implemented session log directory detection and defaulting logic for
consistent CLI/file access
- Updated dependencies and tests to support new session log features

**Added:**

- `SessionsCommands` enum to the CLI, enabling subcommands for listing
operation/task IDs, showing session logs, and replaying conversations
from logs
- `sessions.rs` module in `ares-cli/src/ops` implementing the logic for
the new CLI commands, including pretty-printing and JSON output
- Integration of the new `ops sessions` subcommand into the main ops
command handler
- Test coverage for the new session log CLI features, including
environment isolation and replay behavior
- `tempfile` as a dev-dependency for test isolation and temporary
directory management

**Changed:**

- Updated session log directory resolution in `ares-llm` to provide a
`default_root()` helper for external consumers (such as CLI commands),
ensuring consistent directory lookup
- Improved environment variable handling for session log enablement in
`SessionLogConfig`, making logging enabled by default unless explicitly
disabled
- Refactored and consolidated session log environment variable tests for
thread safety and correctness
- Updated action versions in GitHub workflow files for
`actions/upload-artifact` and `actions/setup-go` to new commit SHAs
- Bumped the Semgrep analysis container image to a newer version in CI
workflow

---------
…ns (#261)

**Key Changes:**

- Added `op.id` and `task.id` fields to all agent-related telemetry
spans for improved correlation and traceability
- Updated agent loop and tool execution logic to propagate and emit
these identifiers
- Refactored span builder and helper functions to support the new
identifiers throughout the codebase

**Added:**

- `op.id` and `task.id` span attributes to all relevant agent, decision,
tool call, discovery, and milestone telemetry spans for OpenTelemetry
compatibility and enhanced query/filter capabilities
- `task_id` field to the `AgentSpanBuilder` struct and corresponding
builder method for consistent span construction
- Internal helper function `resolve_operation_id_from_env` in agent loop
runner to reliably extract operation ID from environment variables

**Changed:**

- Refactored agent loop runner (`ares-llm/src/agent_loop/runner.rs`) to
nest all agent task execution under a parent span containing `op.id` and
`task.id`
- Updated span creation in milestones, tool execution, and
decision-making to include both operation and task identifiers
- Modified span builder and helper functions
(`ares-core/src/telemetry/spans/builder.rs`, `helpers.rs`) to accept and
propagate the new identifiers as needed
- Updated test cases in span module to verify presence of new attributes
in spans

- Updated GitHub Actions workflows to use the latest versions of
`actions/upload-artifact` and `actions/setup-go`
- Updated Semgrep workflow to use a new container image version for
improved security and compatibility

---------
…omation (#263)

**Key Changes:**

- Enhanced tracing for all automation task dispatch and builder
functions
- Introduced root spans for each automation background task to correlate
spans in distributed tracing
- Added detailed instrumentation to all task request methods for richer
context in logs and traces
- Updated GitHub Actions workflow dependencies for artifact upload and
analysis tools

**Changed:**

- Orchestrator automation task spawning now wraps each background task
in a dedicated `automation.task` root span using `tracing`'s `info_span`
and `.instrument()` to ensure all emitted spans are correlated in
distributed tracing (ares-cli/src/orchestrator/automation_spawner.rs)
- `Dispatcher::throttled_submit` now creates a `automation.dispatch`
span with contextual fields (`task_type`, `target_role`, `priority`,
etc.), records throttle and submission decisions, and propagates context
through async calls for improved observability
(ares-cli/src/orchestrator/dispatcher/submission.rs)
- All automation task builder methods (e.g., `request_crack`,
`request_recon`, `request_lateral`, etc.) are now annotated with
`#[instrument]`, capturing key arguments and fields for each task type
in trace spans, providing richer context for debugging and monitoring
(ares-cli/src/orchestrator/dispatcher/task_builders.rs)
- Updated `actions/upload-artifact` and `actions/setup-go` to newer
commit hashes in GitHub Actions workflows for improved security and
reliability (.github/workflows/build-and-push-templates.yaml,
.github/workflows/test-template-builds.yaml,
.github/workflows/pre-commit.yaml)
- Updated Semgrep analysis container image to a newer version for
improved security and features (.github/workflows/semgrep.yaml)

…264)

**Key Changes:**

- Enhanced tracing span attribution with proper `op.id` and `task.id`
separation
- Instrumented automation and dispatcher task submission with correlated
spans
- Added comprehensive regression tests to verify span emission and
attributes
- Introduced `tracing-test` and custom span capture utilities for
testing

**Added:**

- Regression tests for span emission and correctness in
`ares-llm/tests/span_regressions.rs`
- Common test helpers and a custom `SpanCapture` tracing subscriber in
`ares-llm/tests/common/`
- `tracing-test` and `tracing-subscriber` dependencies for enhanced test
coverage and span capture

**Changed:**

- Instrumented all automation dispatcher task builder methods in
`ares-cli` with `#[instrument]` to emit detailed spans for each
automation action
- Updated `throttled_submit` and submission flow in `ares-cli` to record
decision and task IDs in spans, ensuring correlation across async
boundaries
- Modified `spawn_automation_tasks` to wrap spawned automation tasks in
their own root spans with `automation.kind` for better trace correlation
in Tempo
- Enhanced telemetry span builders in `ares-core` to support both
`op.id` and `task.id` attributes and propagate them throughout the
operation and agent task lifecycle
- Refactored agent loop in `ares-llm` to emit a single parent span per
agent task, with all child spans inheriting correct operation and task
context
- Updated all internal tracing helpers in `ares-core` to accept and
propagate both `operation_id` and `task_id`
- Bumped `actions/upload-artifact` and `actions/setup-go` versions in
GitHub Actions workflows for security and compatibility
- Updated several dependencies in `Cargo.lock`, including `windows-sys`,
and added tracing-related crates for test instrumentation

**Removed:**

- Orphaned parent context for spawned automation tasks—now every
automation task and dispatcher submission is properly correlated in
tracing backends

---------
main added task_id to telemetry spans (incl. trace_discovery) and a
duplicate ares-golden-image local-source change. Took main's
trace_discovery signature with our existing count_discovery_entries
loop, and kept our single-step file copy in the golden image template.
…sult demux

fetch_result() created a new ephemeral pull consumer on every
check_result() call, with filter_subject set to the per-task result
subject and inactive_threshold=60s. ARES_TASKS uses WorkQueue retention
(one consumer per filter subject, max), so back-to-back polls within
60s collided with the earlier still-cached ephemeral consumer and
produced steady-state "create ephemeral result consumer" failures
under any non-trivial polling load (~16 WARNs/sec at 8 in-flight tasks).

Replace with one long-lived consumer subscribed to ares.tasks.results.>
that drains messages into an in-process HashMap keyed by task_id, and
make check_result() a non-blocking cache lookup. WorkQueue still acks
and removes each message once delivered, so semantics match.
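The result-demux approach described in that commit message can be modelled without a NATS server. The block below is an added example in Rust (the project's language), not code from the ares repository: it assumes the wildcard subject `ares.tasks.results.>` with a single per-task suffix, and the `ResultDemux`, `task_id_from_subject` and `drain_batch` names are hypothetical. It shows one long-lived consumer feeding an in-process map keyed by task id, a non-blocking `check_result()`, and rejection of subjects that do not match the expected shape so a malformed message cannot populate the cache.

```rust
use std::collections::HashMap;

/// Subject prefix the single long-lived consumer subscribes to
/// (assumed from the `ares.tasks.results.>` wildcard in the commit message).
pub const RESULT_SUBJECT_PREFIX: &str = "ares.tasks.results.";

/// Extract the task id from a per-task result subject.
/// Returns None when the subject is outside the prefix, has an empty
/// suffix, or carries extra tokens; such messages are not cached.
pub fn task_id_from_subject(subject: &str) -> Option<&str> {
    let rest = subject.strip_prefix(RESULT_SUBJECT_PREFIX)?;
    if rest.is_empty() || rest.contains('.') {
        return None;
    }
    Some(rest)
}

/// In-process demux cache: one consumer drains into this map, and
/// callers poll it instead of creating an ephemeral consumer per task.
#[derive(Default)]
pub struct ResultDemux {
    results: HashMap<String, Vec<u8>>,
}

impl ResultDemux {
    pub fn new() -> Self {
        Self::default()
    }

    /// Called for every message the wildcard consumer delivers.
    /// Returns true when the message is accepted for the cache. A task
    /// publishes one result, so the first payload per task id wins
    /// (design choice for this example, not the project's behaviour).
    pub fn ingest(&mut self, subject: &str, payload: &[u8]) -> bool {
        match task_id_from_subject(subject) {
            Some(task_id) => {
                self.results
                    .entry(task_id.to_string())
                    .or_insert_with(|| payload.to_vec());
                true
            }
            None => false,
        }
    }

    /// Non-blocking lookup. The entry is removed on a hit, mirroring
    /// WorkQueue retention where each message is delivered exactly once.
    pub fn check_result(&mut self, task_id: &str) -> Option<Vec<u8>> {
        self.results.remove(task_id)
    }

    /// Number of results delivered but not yet claimed by a poller.
    pub fn pending(&self) -> usize {
        self.results.len()
    }
}

/// Drain one fetched batch into the cache; returns how many were accepted.
pub fn drain_batch(demux: &mut ResultDemux, batch: &[(&str, &[u8])]) -> usize {
    batch
        .iter()
        .filter(|(subject, payload)| demux.ingest(subject, payload))
        .count()
}

fn main() {
    // Constructed sample batch as the consumer might hand it over.
    let batch: [(&str, &[u8]); 3] = [
        ("ares.tasks.results.task-1", b"{\"status\":\"ok\"}"),
        ("ares.tasks.results.task-2", b"{\"status\":\"error\"}"),
        ("ares.tasks.results.task-3.extra", b"ignored"),
    ];
    let mut demux = ResultDemux::new();
    let accepted = drain_batch(&mut demux, &batch);
    println!("accepted {accepted}, pending {}", demux.pending());
    println!("task-1 -> {:?}", demux.check_result("task-1"));
    println!("task-1 again -> {:?}", demux.check_result("task-1"));
}
```

Because the cache removes an entry on the first successful `check_result()`, the single-delivery semantics of the WorkQueue stream carry over to the poller; a production version would also need an expiry for results whose task is never polled, which this example does not implement.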
**Changed:**

- Updated minimum required Warp Gate version to v4.7.0 in both README.md and warpgate.yaml
- Removed the requirement for a GITHUB_TOKEN environment variable from the documentation
- Changed default AMI build instance type from t3.large to GPU-capable g4dn.xlarge for hashcat acceleration in README.md
l50 added 3 commits May 8, 2026 23:23
…s in spider parser

**Added:**

- Added normalization of FQDN credential domains to match known domains by first label in `sanitize_credential`, preventing propagation of LLM-supplied typo domains
- Introduced post-split username plausibility checks in the spider credential parser to reject variable references and PowerShell cmdlet tokens as usernames
- Added tests for domain normalization and stricter username filtering in both orchestrator and spider parsers

**Changed:**

- Updated `sanitize_credential` to accept a `known_domains` parameter and apply FQDN domain normalization logic
- Modified credential publishing logic to skip synthesizing `dc_secretsdump` vulnerabilities when the krbtgt domain does not resolve to a known DC, preventing empty or misleading findings
- Enhanced spider parser to filter out implausible usernames in all relevant credential extraction paths
- Updated test fixtures in spider parser to use realistic usernames and passwords

**Removed:**

- Eliminated synthesis of `dc_secretsdump` vulnerabilities with unresolved or empty DC targets, reducing noise in vulnerability reporting
…s AD accounts

**Added:**

- Logic to distinguish well-known local SAM accounts from AD accounts in NTLM extraction, avoiding incorrect domain tagging for local accounts - `hashes.rs`, `secrets.rs`
- `is_well_known_local_sam` and `is_local_sam_account` helpers for accurate account attribution - `hashes.rs`, `secrets.rs`
- Parsing and deduplication logic in `parse_ntlm_dedup_key` to unify qualified and unqualified NTLM hash keys - `dedup_keys.rs`
- Support for the Redis `HKEYS` command in the mock Redis implementation to facilitate hash field introspection - `mock_redis.rs`
- Tests for edge cases in NTLM domain attribution and deduplication, including handling of well-known RIDs, pseudo-accounts, and cross-domain scenarios - `hashes.rs`, `tests.rs`, `dedup_keys.rs`, `reader.rs`, `secrets.rs`

**Changed:**

- NTLM hash extraction now omits the domain for well-known local SAM accounts, preventing phantom AD records and cross-domain collisions - `hashes.rs`, `secrets.rs`
- Redis hash deduplication now collapses qualified/unqualified NTLM keys, preferring qualified (populated-domain) entries and removing or skipping shadows - `reader.rs`
- Tests updated to reflect correct handling of local SAM vs AD account attribution and deduplication - `hashes.rs`, `tests.rs`, `dedup_keys.rs`, `reader.rs`, `secrets.rs`
**Changed:**

- Replaced all "Game of Thrones" sample domains and users (e.g., "north.sevenkingdoms.local", "WINTERFELL$", "jeor.mormont", "essos.local") with standard generic Active Directory examples (e.g., "contoso.local", "child.contoso.local", "DC01$", "alice.jones", "fabrikam.local") in test code, documentation comments, and regression test cases across `ares-cli`, `ares-core`, and `ares-tools`
- Updated test assertions and input data to match the new generic AD values for consistency and clarity in documentation and testing
**Changed:**

- Broke long string literals onto multiple lines in test cases for better readability in `hashes.rs`
@l50 l50 force-pushed the feat/broker-migration branch from 3de8b1a to 4045af9 May 9, 2026 06:21
# Conflicts:
#	ares-cli/src/worker/tool_executor.rs
#	warpgate-templates/templates/ares-golden-image/warpgate.yaml
@l50 l50 merged commit 4d07e50 into main May 9, 2026
22 checks passed
@l50 l50 deleted the feat/broker-migration branch May 9, 2026 15:56
l50 added a commit that referenced this pull request May 9, 2026
…ration (#244)

**Key Changes:**

- Migrated all task queues and tool execution from Redis lists to NATS
JetStream
- Introduced `ares_core::nats` module for broker/subject taxonomy and
connection
- Updated orchestrator, worker, and blue agent to use NATS for all queue
traffic
- Enforced password spray lockout policy and improved agent safety for
AD

**Added:**

- NATS JetStream integration via new `ares_core::nats` module for all
agent
  queues, tool RPC, results, and investigation requests
- NATS installation, configuration, and systemd service to EC2 and
Ansible
  provisioning (new Ansible role `nats`)
- `NATS_URL`/`ARES_NATS_URL` support to all orchestrator, worker, and
blue agent
  configs and environment files
- NATS stream/subject taxonomy for red team, blue team, tool exec,
deferred,
  and result channels
- NATS connection and stream/consumer creation in orchestrator and
worker
  startup, with automatic retry and error handling
- NATS-based request/reply tool dispatcher and consumer for agent tool
calls
- Ansible role and playbook logic to provision and verify NATS JetStream
server

**Changed:**

- Replaced all Redis-based task and result queues with NATS JetStream
subjects
  and pull consumers (both in orchestrator and worker)
- Blue investigation requests and task queues moved to NATS JetStream
- Tool dispatcher and tool executor now use NATS request/reply instead
of
  Redis BRPOP/LPUSH
- Redis is now used only for state: operation metadata, credentials,
hosts,
  heartbeats, task status, and deferred throttling state
- Updated orchestrator and worker configuration, deployment docs, EC2
scripts,
  and container templates to require and use NATS
- Improved password_spray tool: enforces lockout threshold, disables
spraying
without explicit policy or override, adds safety buffer to prevent AD
lockouts
- Updated playbooks, Ansible docs, and golden image to include NATS
service
- All orchestrator, worker, and blue agent containers and AMIs now
require
  NATS_URL in environment or config

**Removed:**

- All Redis BRPOP/LPUSH patterns for task and result queues
- Redis PubSub for state update notifications (now NATS core publish)
- Redis-based per-task and per-call result mailboxes
- Old Python requeue logic and Redis fallback queue handling
- Unused file-system or placeholder code for deprecated queue paths
- pth-toolkit binaries from expected tool lists (not available in
trixie)

---------

Co-authored-by: dreadnode-renovate-bot[bot] <184170622+dreadnode-renovate-bot[bot]@users.noreply.github.com>
Labels

area/docs Changes made to project documentation area/github Changes made to GitHub Actions workflows area/templates Changes made to warpgate template configurations