v13.24.0
What's Changed
- 🐛 fix: improve handling of config binding for provider flags to avoid key collisions by @slntopp in #8454
- 🐛 fix: add environment variable support for flag values to prevent config-file key collisions by @slntopp in #8455
- 🧹 ci: replace check-spelling with typos by @chris-rock in #8461
- 🧹 ci: pin spell-check (typos) actions to commit SHAs by @chris-rock in #8463
- Fix systemd service reporting enabled/masked/static when not installed by @syrull in #8465
- 🐛 llx: extend dict.in / dict.notIn to numeric and bool values by @M-gre in #8462
- 🐛 os: filter placeholder serial numbers from platform ID detection by @username-is-already-taken2 in #8466
- ✨ ci: add xgrep security scanning by @chris-rock in #8468
- ⭐ mqlx: first-class Go API for embedding MQL (ADR 027 + sample implementation) by @chris-rock in #8335
- 🐛 aws: guard nil SDK pointer derefs and harden crash-safety by @tas50 in #8457
- 🐛 aws: fix __id collisions for EIPs and network ACL associations by @tas50 in #8458
- 🐛 google-workspace: pass member-read scope when listing group members by @tas50 in #8373
- ✨ helm: parse chart provenance (.prov) for fetched charts by @tas50 in #8040
- 🌟 stackit: new provider for STACKIT cloud by @tas50 in #7670
- 🌟 stackit: add LogMe and SQLServer Flex DBaaS resources by @chris-rock in #8470
- 🌟 stackit: add File Storage (SFS) resources by @chris-rock in #8471
- 🌟 stackit: add Telemetry and Telemetry Router resources by @chris-rock in #8472
- 🌟 stackit: add Model Serving resources by @chris-rock in #8473
- 🐛 stackit: fix client region config, region field, object storage 404, mongodb listing by @chris-rock in #8477
- 🌟 fex: publish Finding Exchange proto contract in the provider SDK by @chris-rock in #8478
- 🐛 os: make native files.find match
find -L(symlinks + perm 0) by @syrull in #8476 - 🐛 mqlc: keep resource type through map(...).flat() by @syrull in #8475
- 🐎 aws: fix data race on account org-description cache by @tas50 in #8460
- fex: add FindingDocument constructor helpers to the SDK by @chris-rock in #8479
- 🎉 aws-13.37.0, google-workspace-13.1.4, helm-13.3.0, os-13.29.0 by @tas50 in #8480
- 🐛 gcp: fix swallowed errors and over-strict error handling by @tas50 in #8484
- 🐛 gcp: fix incorrect field and type mappings by @tas50 in #8482
- upstream: add retry helpers for transient platform failures by @chris-rock in #8485
- 🐛 azure: fix incorrect field/type mappings on flow logs and app sites by @tas50 in #8487
- 🐛 azure: fix security-posture detections returning wrong values by @tas50 in #8488
- 🐛 azure: fix swallowed errors and a discovery-target loop bug by @tas50 in #8489
- 🐛 ms365: fix index map data race and swallowed/nil-policy errors by @tas50 in #8493
- 🐛 ms365: fix paginated reads that silently truncated results by @tas50 in #8492
- 🐛 google-workspace: fix over-strict usage-report error, app merge, ACL id by @tas50 in #8494
- 🐛 ms365: stop leaking Intune secret setting values in cleartext by @tas50 in #8491
- 🐛 gcp: request IAM policy schema v3 so conditional bindings are returned by @tas50 in #8483
- 🐛 azure: fix nil-deref and panic crashes in resource collection by @tas50 in #8486
- 🐛 aws: fix wrong resource name and swallowed errors by @tas50 in #8459
- 🐛 ms365: fix nil-pointer derefs that crash the scan by @tas50 in #8490
- 🐛 gcp: fix nil-deref and panic crashes in resource collection by @tas50 in #8481
- 🐛 gitlab: stop member listings from poisoning gitlab.user security fields by @tas50 in #8496
- 🐛 github: fix headCommit nil-owner panic and unchecked connection hash error by @tas50 in #8498
- 🐛 digitalocean: consistent error handling for scans, spaces keys, pagination by @tas50 in #8500
- 🐛 github: fix 2FA false-negative and swallowed/over-strict error handling by @tas50 in #8499
- 🐛 proxmox: fix cluster storage enabled=false and vm.updates agent failure by @tas50 in #8497
- 🧹 ms365: regression test for Intune secret setting redaction by @tas50 in #8501
- 🧹 gcp: regression test for alert-policy filter parsing by @tas50 in #8502
- 🐛 azure: re-land stranded review fixes + add regression tests by @tas50 in #8503
- 🧹 proxmox: regression test for cluster storage enabled normalization by @tas50 in #8504
- 🐛 cloudflare: guard nil zone account in r2/workers/stream accessors by @tas50 in #8509
- 🐛 kustomize: keep no-fieldPaths replacement targets and unique image ids by @tas50 in #8507
- 🐛 helm: split rendered manifests on real YAML separators only by @tas50 in #8506
- 🐛 bicep: make extractBlock string- and comment-aware by @tas50 in #8511
- 🐛 ansible: tolerate non-integer max_fail_percentage by @tas50 in #8512
- 🐛 arista: build STP interface command from arguments by @tas50 in #8510
- 🐛 atlassian: paginate admin users/policies/domains and guard empty org by @tas50 in #8508
- 🐛 cloudformation: guard section bodies against non-mapping YAML (panic fix) by @tas50 in #8505
- ⭐ aws: add cross-resource edges for security policy authoring by @tas50 in #8513
- ✨ aws: add EKS control plane egress mode and Cognito domain TLS policy by @tas50 in #8514
- 🧹 deps: bump provider SDK dependencies by @tas50 in #8515
- ⭐ aws: CloudFormation provenance, instance→LB backref, faster role usage by @tas50 in #8516
- ⭐ aws: computed instance internet-exposure (inPublicSubnet, internetReachable) by @tas50 in #8518
- ⭐ aws: managedBy provenance field for unmanaged-resource detection by @tas50 in #8517
- 🐛 llx: array/map all/any/none/one fail gracefully on a null receiver by @syrull in #8520
- 🐛 os: registrykey.property fails gracefully on a missing property by @syrull in #8522
- 🐛 gcp: require --project-id/--zone for instance and snapshot scanning by @tas50 in #8439
- 🐛 gcp: sanitize and length-cap snapshot scanner disk names by @tas50 in #8440
- ⭐ add network.neighbors and windows.smb resources by @AdamVB in #8444
- 🐛 os: file.user/file.group fail gracefully on an unknown owner uid/gid by @syrull in #8524
- 🐛 github: surface workflow access errors instead of returning empty by @syrull in #8525
- 🐛 vsphere: populate vulnmgmt.packages and fix disk-group id collision by @tas50 in #8495
- ⭐ aws: consistent internet-exposure predicates (isPublic, rds internetReachable) by @tas50 in #8526
- ⭐ digitalocean: discover specific assets (database, k8s, lb, firewall, spaces) by @tas50 in #8528
- ⭐ aws: NACL-aware reachability, Lambda Function URL + API Gateway exposure by @tas50 in #8527
- ⭐ hetzner: discover specific assets (firewall, loadbalancer) by @tas50 in #8529
- 🐛 aws: detect wide-CIDR and prefix-list public sources (fix false negatives) by @tas50 in #8531
- ⭐ digitalocean: expand droplet, load balancer, database, k8s, and app fields by @tas50 in #8530
- ⭐ aws: external-sharing fields for AMIs and snapshots by @tas50 in #8533
- 🎉 hetzner-13.3.0, digitalocean-13.7.0 by @tas50 in #8534
- ⭐ aws: mitigation-context fields (exposed-and-undefended detection) by @tas50 in #8532
- ⭐ aws: trust, egress, and embedded-config exposure predicates by @tas50 in #8535
- ⭐ openstack: security-insights expansion (identity, field gaps, typed refs) by @tas50 in #8537
- ⭐ aws: shared network.exposure sub-resource for RDS, DocumentDB, and ELB by @tas50 in #8538
- ⭐ aws: link IAM Access Analyzer findings to resources (observed exposure) by @tas50 in #8539
- ⭐ digitalocean: droplet network-exposure breakdown by @tas50 in #8540
- ⭐ hetzner: server network-exposure breakdown by @tas50 in #8541
- ⭐ openstack: internet-exposure modeling (servers + Octavia load balancers) by @tas50 in #8542
- ⭐ stackit: server network-exposure breakdown by @tas50 in #8543
- ⭐ aws: ec2.instance.exposure sub-resource (internet-exposure breakdown) by @tas50 in #8536
- ⭐ openstack: discover security groups as openstack-security-group assets by @tas50 in #8552
- ⭐ aws: add internet-exposure analysis across resources by @tas50 in #8551
- ⭐ stackit: add internet-exposure analysis across resources by @tas50 in #8550
- ⭐ digitalocean: add internet-exposure analysis across resources by @tas50 in #8547
- ⭐ hetzner: add internet-exposure analysis across resources by @tas50 in #8548
- ⭐ gcp: add internet-exposure analysis across resources by @tas50 in #8546
- ⭐ proxmox: add internet-exposure analysis across resources by @tas50 in #8545
- ⭐ gcp: compute instance network-exposure breakdown by @tas50 in #8544
- 🎉 digitalocean-13.8.0, hetzner-13.4.0, openstack-13.5.0, proxmox-0.2.0, stackit-13.1.0 by @tas50 in #8553
- ⭐ azure: add internet-exposure analysis across resources by @tas50 in #8549
- 🌟 Add windows.defender resources for Microsoft Defender status and settings by @tas50 in #8555
- 🌟 Add windows.winrm resource for WinRM client and service policy by @tas50 in #8560
- Add windows.deviceGuard resource for VBS, HVCI, and Credential Guard policy by @tas50 in #8568
- Harden windows.defender availability detection for non-English systems by @tas50 in #8562
- 🌟 Add windows.lsa resource for LSA / NTLM / secure-channel security settings by @tas50 in #8569
- Extend windows.smb with server and client SMB configuration by @tas50 in #8561
- 🌟 Add windows.exploitProtection resource for system-wide exploit mitigations by @tas50 in #8559
- Add windows.update.policy resource for Windows Update for Business GPO settings by @tas50 in #8556
- Extend windows.rdp to cover all CIS Remote Desktop / Terminal Services checks by @tas50 in #8558
- Add windows.spooler resource for Print Spooler hardening by @tas50 in #8563
- Add windows.bitlocker.policy resource for BitLocker (FVE) Group Policy settings by @tas50 in #8564
- 🌟 Add windows.smartScreen resource for Microsoft Defender SmartScreen by @tas50 in #8557
- 🌟 Add windows.telemetry resource for diagnostic-data and consumer cloud-content policy by @tas50 in #8565
- Add windows.rdp endSessionWhenTimeLimitReached and cloudClipboardIntegrationDisabled fields by @tas50 in #8570
- Bump crate-ci/typos from 1.46.0 to 1.47.2 by @dependabot[bot] in #8573
- Bump alpine from 3.24.0 to 3.24.1 by @dependabot[bot] in #8571
- ✨ k8s: surface Pod Security Standards + ValidatingAdmissionPolicy by @tas50 in #8574
- ✨ k8s: typed RBAC policy rules + privilege-escalation predicates by @tas50 in #8575
- 📄 k8s: add multi-line descriptions to top-level resources by @tas50 in #8576
- Bump actions/checkout from 5.0.1 to 6.0.3 by @dependabot[bot] in #8572
- ✨ Add expressive debug logging to GCP and Azure providers by @tas50 in #8366
- ✨ k8s: workload-level securityContext rollup predicates by @tas50 in #8577
- 🧹 k8s: expand regression test coverage (cross-refs, filters, platform ids) by @tas50 in #8579
- 🎉 k8s-13.3.0 by @tas50 in #8580
- ✨ k8s: seccomp profile rollup predicates for workloads by @tas50 in #8581
- 🐛 k8s: fix admission DELETE panic, discovery error swallowing, and SA nil deref by @tas50 in #8578
- ✨ k8s: compute Pod Security Standards level for workloads by @tas50 in #8582
- 🧹 windows: model binary registry settings as bool instead of int by @tas50 in #8583
- 🌟 Add windows.powershell resource for PowerShell logging policy by @tas50 in #8566
- ✨ k8s: RBAC binding-level access rollups by @tas50 in #8584
- ✨ k8s: effective-access rollups for service accounts by @tas50 in #8585
- ✨ k8s: container resource-limit rollups for workloads by @tas50 in #8586
- ✨ k8s: Secret-consumption rollups for workloads by @tas50 in #8587
- ✨ k8s: admission-enforcement posture predicates by @tas50 in #8588
- ✨ k8s: image-provenance rollups for workloads by @tas50 in #8589
- ✨ k8s: running image digests & digest drift on pods (runtime truth) by @tas50 in #8591
- ✨ k8s: image pull-policy & unpinned-image provenance rollups by @tas50 in #8590
- ✨ k8s: authoritative RBAC via SubjectAccessReview (k8s.accessReview) by @tas50 in #8592
- feat(k8s): model Kubernetes network posture by @tas50 in #8593
- ✨ k8s: effective-access RBAC (k8s.rbacSubjects + k8s.rbac.whoCan) by @tas50 in #8594
- ✨ k8s: exposure→workload attack paths + secret hygiene predicates by @tas50 in #8598
- ✨ k8s: pod.exposures back-ref + secret certificate-expiry predicates by @tas50 in #8599
- 🎉 k8s-13.4.0 by @tas50 in #8600
- 🧹 Update deps for mql and providers 20260622 by @github-actions[bot] in #8595
- ⚡ providers/test: skip redundant go vet to speed up provider tests by @tas50 in #8554
- ✨ k8s: host-network/hostPort ingress exposure + egress blind spot by @tas50 in #8601
- 🐛 activedirectory: auto-generate krb5 config for Kerberos when no krb5.conf by @syrull in #8596
- ✨ k8s: AppArmor, sysctl, and procMount hardening predicates on workloads by @tas50 in #8603
- ✨ k8s: surface services routing to external (non-pod) endpoints by @tas50 in #8604
- ✨ shodan: add shodan.domain.hosts() to bridge domains to host data by @tas50 in #8605
- 🎉 shodan-13.2.0 by @tas50 in #8606
- ✨ stackit: enrich SKE cluster + node pool with security & network fields by @tas50 in #8602
- 🐛 fix panic parsing PAM bracketed control with no module by @tas50 in #8630
- 🐛 fix authorized_keys line number counting only key entries by @tas50 in #8639
- 🐛 fix files.find -maxdepth rendered in octal instead of decimal by @tas50 in #8635
- 🐛 fix /proc status parser writing PPid into the Pid field by @tas50 in #8631
- 🐛 fix rsyslog content() swallowing non-NotFound read errors by @tas50 in #8625
- 🐛 fix auditd config error reporting empty field name by @tas50 in #8620
- 🐛 fix panic on short lines in iptables ParseStat by @tas50 in #8615
- ✨ google-workspace: security-query helpers and typed group/usage settings by @tas50 in #8611
- 🐛 fix panic parsing /proc/cpuinfo cache size without a unit by @tas50 in #8642
- 🐛 fix unbounded recursion on apache Include cycles by @tas50 in #8641
- 🐛 fix initKubelet returning a nil error on failure paths by @tas50 in #8640
- 🐛 fix dscacheutil group parser logging and bogus gid handling by @tas50 in #8628
- 🐛 resolve systemd-resolved cache state from resolved.conf by @tas50 in #8627
- 🐛 normalize systemd timer Persistent and socket Accept booleans by @tas50 in #8626
- 🐛 fix nil-pointer panic in macOS dscl user enumeration by @tas50 in #8619
- 🐛 fix fstab parser aborting on indented comments and blank lines by @tas50 in #8616
- 🐛 fix grub.cfg parser flushing entries before the opening brace by @tas50 in #8623
- ✨ os/kubelet: typed fields + version, defaults refresh to k8s 1.34, flag-merge fixes by @tas50 in #8612
- 🐛 fix out-of-range index in AIX ps uid parse error path by @tas50 in #8633
- ✨ ms365: add check-authoring helpers for licensing and role assignments by @tas50 in #8613
- 🐛 fix iptables ParseStat error messages dropping context by @tas50 in #8621
- ✨ google-workspace: expose admin policy settings via Cloud Identity Policy API by @tas50 in #8608
- ✨ google-workspace: expose Chrome OS and mobile device posture by @tas50 in #8610
- 🐛 fix sudoers user specs dropped when
=is attached to the host by @tas50 in #8618 - 🐛 fix panic parsing malformed auditd
-asyscall rules by @tas50 in #8614 - 🐛 fix sshd time-value conversion ignoring keyword case by @tas50 in #8617
- ✨ google-workspace: expose admin role assignments by @tas50 in #8609
- 🐛 fix panic on malformed key=value kubelet flag lists by @tas50 in #8637
- 🐛 fix kubelet manifest-url-header reading a stray tab key by @tas50 in #8636
- 🐛 fix lsof TCP state keys and guard malformed T-fields by @tas50 in #8632
- 🎉 Bump minor version for ms365, google-workspace, k8s, and activedirectory providers by @tas50 in #8643
- 🐛 llx: guard isTruthy type assertions against mismatched values by @tas50 in #8438
- 🐛 report effective version when auto-update staged a newer binary (#7751) by @tas50 in #8348
- 🐛 status: add an implicit timeout to network calls by @tas50 in #8351
- 🐛 mqlc/llx: fix switch with constant-boolean case conditions by @tas50 in #8378
- 🌟 os: read per-user registry hives (HKCU) natively by @syrull in #8622
- fix(os/filesfind): shell-quote the find -name argument by @syrull in #8647
Full Changelog: v13.23.0...v13.24.0