Skip to content

v13.24.0

Choose a tag to compare

@czunker czunker released this 23 Jun 11:24
c39e44d

What's Changed

  • 🐛 fix: improve handling of config binding for provider flags to avoid key collisions by @slntopp in #8454
  • 🐛 fix: add environment variable support for flag values to prevent config-file key collisions by @slntopp in #8455
  • 🧹 ci: replace check-spelling with typos by @chris-rock in #8461
  • 🧹 ci: pin spell-check (typos) actions to commit SHAs by @chris-rock in #8463
  • Fix systemd service reporting enabled/masked/static when not installed by @syrull in #8465
  • 🐛 llx: extend dict.in / dict.notIn to numeric and bool values by @M-gre in #8462
  • 🐛 os: filter placeholder serial numbers from platform ID detection by @username-is-already-taken2 in #8466
  • ✨ ci: add xgrep security scanning by @chris-rock in #8468
  • ⭐ mqlx: first-class Go API for embedding MQL (ADR 027 + sample implementation) by @chris-rock in #8335
  • 🐛 aws: guard nil SDK pointer derefs and harden crash-safety by @tas50 in #8457
  • 🐛 aws: fix __id collisions for EIPs and network ACL associations by @tas50 in #8458
  • 🐛 google-workspace: pass member-read scope when listing group members by @tas50 in #8373
  • ✨ helm: parse chart provenance (.prov) for fetched charts by @tas50 in #8040
  • 🌟 stackit: new provider for STACKIT cloud by @tas50 in #7670
  • 🌟 stackit: add LogMe and SQLServer Flex DBaaS resources by @chris-rock in #8470
  • 🌟 stackit: add File Storage (SFS) resources by @chris-rock in #8471
  • 🌟 stackit: add Telemetry and Telemetry Router resources by @chris-rock in #8472
  • 🌟 stackit: add Model Serving resources by @chris-rock in #8473
  • 🐛 stackit: fix client region config, region field, object storage 404, mongodb listing by @chris-rock in #8477
  • 🌟 fex: publish Finding Exchange proto contract in the provider SDK by @chris-rock in #8478
  • 🐛 os: make native files.find match find -L (symlinks + perm 0) by @syrull in #8476
  • 🐛 mqlc: keep resource type through map(...).flat() by @syrull in #8475
  • 🐎 aws: fix data race on account org-description cache by @tas50 in #8460
  • fex: add FindingDocument constructor helpers to the SDK by @chris-rock in #8479
  • 🎉 aws-13.37.0, google-workspace-13.1.4, helm-13.3.0, os-13.29.0 by @tas50 in #8480
  • 🐛 gcp: fix swallowed errors and over-strict error handling by @tas50 in #8484
  • 🐛 gcp: fix incorrect field and type mappings by @tas50 in #8482
  • upstream: add retry helpers for transient platform failures by @chris-rock in #8485
  • 🐛 azure: fix incorrect field/type mappings on flow logs and app sites by @tas50 in #8487
  • 🐛 azure: fix security-posture detections returning wrong values by @tas50 in #8488
  • 🐛 azure: fix swallowed errors and a discovery-target loop bug by @tas50 in #8489
  • 🐛 ms365: fix index map data race and swallowed/nil-policy errors by @tas50 in #8493
  • 🐛 ms365: fix paginated reads that silently truncated results by @tas50 in #8492
  • 🐛 google-workspace: fix over-strict usage-report error, app merge, ACL id by @tas50 in #8494
  • 🐛 ms365: stop leaking Intune secret setting values in cleartext by @tas50 in #8491
  • 🐛 gcp: request IAM policy schema v3 so conditional bindings are returned by @tas50 in #8483
  • 🐛 azure: fix nil-deref and panic crashes in resource collection by @tas50 in #8486
  • 🐛 aws: fix wrong resource name and swallowed errors by @tas50 in #8459
  • 🐛 ms365: fix nil-pointer derefs that crash the scan by @tas50 in #8490
  • 🐛 gcp: fix nil-deref and panic crashes in resource collection by @tas50 in #8481
  • 🐛 gitlab: stop member listings from poisoning gitlab.user security fields by @tas50 in #8496
  • 🐛 github: fix headCommit nil-owner panic and unchecked connection hash error by @tas50 in #8498
  • 🐛 digitalocean: consistent error handling for scans, spaces keys, pagination by @tas50 in #8500
  • 🐛 github: fix 2FA false-negative and swallowed/over-strict error handling by @tas50 in #8499
  • 🐛 proxmox: fix cluster storage enabled=false and vm.updates agent failure by @tas50 in #8497
  • 🧹 ms365: regression test for Intune secret setting redaction by @tas50 in #8501
  • 🧹 gcp: regression test for alert-policy filter parsing by @tas50 in #8502
  • 🐛 azure: re-land stranded review fixes + add regression tests by @tas50 in #8503
  • 🧹 proxmox: regression test for cluster storage enabled normalization by @tas50 in #8504
  • 🐛 cloudflare: guard nil zone account in r2/workers/stream accessors by @tas50 in #8509
  • 🐛 kustomize: keep no-fieldPaths replacement targets and unique image ids by @tas50 in #8507
  • 🐛 helm: split rendered manifests on real YAML separators only by @tas50 in #8506
  • 🐛 bicep: make extractBlock string- and comment-aware by @tas50 in #8511
  • 🐛 ansible: tolerate non-integer max_fail_percentage by @tas50 in #8512
  • 🐛 arista: build STP interface command from arguments by @tas50 in #8510
  • 🐛 atlassian: paginate admin users/policies/domains and guard empty org by @tas50 in #8508
  • 🐛 cloudformation: guard section bodies against non-mapping YAML (panic fix) by @tas50 in #8505
  • ⭐ aws: add cross-resource edges for security policy authoring by @tas50 in #8513
  • ✨ aws: add EKS control plane egress mode and Cognito domain TLS policy by @tas50 in #8514
  • 🧹 deps: bump provider SDK dependencies by @tas50 in #8515
  • ⭐ aws: CloudFormation provenance, instance→LB backref, faster role usage by @tas50 in #8516
  • ⭐ aws: computed instance internet-exposure (inPublicSubnet, internetReachable) by @tas50 in #8518
  • ⭐ aws: managedBy provenance field for unmanaged-resource detection by @tas50 in #8517
  • 🐛 llx: array/map all/any/none/one fail gracefully on a null receiver by @syrull in #8520
  • 🐛 os: registrykey.property fails gracefully on a missing property by @syrull in #8522
  • 🐛 gcp: require --project-id/--zone for instance and snapshot scanning by @tas50 in #8439
  • 🐛 gcp: sanitize and length-cap snapshot scanner disk names by @tas50 in #8440
  • ⭐ add network.neighbors and windows.smb resources by @AdamVB in #8444
  • 🐛 os: file.user/file.group fail gracefully on an unknown owner uid/gid by @syrull in #8524
  • 🐛 github: surface workflow access errors instead of returning empty by @syrull in #8525
  • 🐛 vsphere: populate vulnmgmt.packages and fix disk-group id collision by @tas50 in #8495
  • ⭐ aws: consistent internet-exposure predicates (isPublic, rds internetReachable) by @tas50 in #8526
  • ⭐ digitalocean: discover specific assets (database, k8s, lb, firewall, spaces) by @tas50 in #8528
  • ⭐ aws: NACL-aware reachability, Lambda Function URL + API Gateway exposure by @tas50 in #8527
  • ⭐ hetzner: discover specific assets (firewall, loadbalancer) by @tas50 in #8529
  • 🐛 aws: detect wide-CIDR and prefix-list public sources (fix false negatives) by @tas50 in #8531
  • ⭐ digitalocean: expand droplet, load balancer, database, k8s, and app fields by @tas50 in #8530
  • ⭐ aws: external-sharing fields for AMIs and snapshots by @tas50 in #8533
  • 🎉 hetzner-13.3.0, digitalocean-13.7.0 by @tas50 in #8534
  • ⭐ aws: mitigation-context fields (exposed-and-undefended detection) by @tas50 in #8532
  • ⭐ aws: trust, egress, and embedded-config exposure predicates by @tas50 in #8535
  • ⭐ openstack: security-insights expansion (identity, field gaps, typed refs) by @tas50 in #8537
  • ⭐ aws: shared network.exposure sub-resource for RDS, DocumentDB, and ELB by @tas50 in #8538
  • ⭐ aws: link IAM Access Analyzer findings to resources (observed exposure) by @tas50 in #8539
  • ⭐ digitalocean: droplet network-exposure breakdown by @tas50 in #8540
  • ⭐ hetzner: server network-exposure breakdown by @tas50 in #8541
  • ⭐ openstack: internet-exposure modeling (servers + Octavia load balancers) by @tas50 in #8542
  • ⭐ stackit: server network-exposure breakdown by @tas50 in #8543
  • ⭐ aws: ec2.instance.exposure sub-resource (internet-exposure breakdown) by @tas50 in #8536
  • ⭐ openstack: discover security groups as openstack-security-group assets by @tas50 in #8552
  • ⭐ aws: add internet-exposure analysis across resources by @tas50 in #8551
  • ⭐ stackit: add internet-exposure analysis across resources by @tas50 in #8550
  • ⭐ digitalocean: add internet-exposure analysis across resources by @tas50 in #8547
  • ⭐ hetzner: add internet-exposure analysis across resources by @tas50 in #8548
  • ⭐ gcp: add internet-exposure analysis across resources by @tas50 in #8546
  • ⭐ proxmox: add internet-exposure analysis across resources by @tas50 in #8545
  • ⭐ gcp: compute instance network-exposure breakdown by @tas50 in #8544
  • 🎉 digitalocean-13.8.0, hetzner-13.4.0, openstack-13.5.0, proxmox-0.2.0, stackit-13.1.0 by @tas50 in #8553
  • ⭐ azure: add internet-exposure analysis across resources by @tas50 in #8549
  • 🌟 Add windows.defender resources for Microsoft Defender status and settings by @tas50 in #8555
  • 🌟 Add windows.winrm resource for WinRM client and service policy by @tas50 in #8560
  • Add windows.deviceGuard resource for VBS, HVCI, and Credential Guard policy by @tas50 in #8568
  • Harden windows.defender availability detection for non-English systems by @tas50 in #8562
  • 🌟 Add windows.lsa resource for LSA / NTLM / secure-channel security settings by @tas50 in #8569
  • Extend windows.smb with server and client SMB configuration by @tas50 in #8561
  • 🌟 Add windows.exploitProtection resource for system-wide exploit mitigations by @tas50 in #8559
  • Add windows.update.policy resource for Windows Update for Business GPO settings by @tas50 in #8556
  • Extend windows.rdp to cover all CIS Remote Desktop / Terminal Services checks by @tas50 in #8558
  • Add windows.spooler resource for Print Spooler hardening by @tas50 in #8563
  • Add windows.bitlocker.policy resource for BitLocker (FVE) Group Policy settings by @tas50 in #8564
  • 🌟 Add windows.smartScreen resource for Microsoft Defender SmartScreen by @tas50 in #8557
  • 🌟 Add windows.telemetry resource for diagnostic-data and consumer cloud-content policy by @tas50 in #8565
  • Add windows.rdp endSessionWhenTimeLimitReached and cloudClipboardIntegrationDisabled fields by @tas50 in #8570
  • Bump crate-ci/typos from 1.46.0 to 1.47.2 by @dependabot[bot] in #8573
  • Bump alpine from 3.24.0 to 3.24.1 by @dependabot[bot] in #8571
  • ✨ k8s: surface Pod Security Standards + ValidatingAdmissionPolicy by @tas50 in #8574
  • ✨ k8s: typed RBAC policy rules + privilege-escalation predicates by @tas50 in #8575
  • 📄 k8s: add multi-line descriptions to top-level resources by @tas50 in #8576
  • Bump actions/checkout from 5.0.1 to 6.0.3 by @dependabot[bot] in #8572
  • ✨ Add expressive debug logging to GCP and Azure providers by @tas50 in #8366
  • ✨ k8s: workload-level securityContext rollup predicates by @tas50 in #8577
  • 🧹 k8s: expand regression test coverage (cross-refs, filters, platform ids) by @tas50 in #8579
  • 🎉 k8s-13.3.0 by @tas50 in #8580
  • ✨ k8s: seccomp profile rollup predicates for workloads by @tas50 in #8581
  • 🐛 k8s: fix admission DELETE panic, discovery error swallowing, and SA nil deref by @tas50 in #8578
  • ✨ k8s: compute Pod Security Standards level for workloads by @tas50 in #8582
  • 🧹 windows: model binary registry settings as bool instead of int by @tas50 in #8583
  • 🌟 Add windows.powershell resource for PowerShell logging policy by @tas50 in #8566
  • ✨ k8s: RBAC binding-level access rollups by @tas50 in #8584
  • ✨ k8s: effective-access rollups for service accounts by @tas50 in #8585
  • ✨ k8s: container resource-limit rollups for workloads by @tas50 in #8586
  • ✨ k8s: Secret-consumption rollups for workloads by @tas50 in #8587
  • ✨ k8s: admission-enforcement posture predicates by @tas50 in #8588
  • ✨ k8s: image-provenance rollups for workloads by @tas50 in #8589
  • ✨ k8s: running image digests & digest drift on pods (runtime truth) by @tas50 in #8591
  • ✨ k8s: image pull-policy & unpinned-image provenance rollups by @tas50 in #8590
  • ✨ k8s: authoritative RBAC via SubjectAccessReview (k8s.accessReview) by @tas50 in #8592
  • feat(k8s): model Kubernetes network posture by @tas50 in #8593
  • ✨ k8s: effective-access RBAC (k8s.rbacSubjects + k8s.rbac.whoCan) by @tas50 in #8594
  • ✨ k8s: exposure→workload attack paths + secret hygiene predicates by @tas50 in #8598
  • ✨ k8s: pod.exposures back-ref + secret certificate-expiry predicates by @tas50 in #8599
  • 🎉 k8s-13.4.0 by @tas50 in #8600
  • 🧹 Update deps for mql and providers 20260622 by @github-actions[bot] in #8595
  • ⚡ providers/test: skip redundant go vet to speed up provider tests by @tas50 in #8554
  • ✨ k8s: host-network/hostPort ingress exposure + egress blind spot by @tas50 in #8601
  • 🐛 activedirectory: auto-generate krb5 config for Kerberos when no krb5.conf by @syrull in #8596
  • ✨ k8s: AppArmor, sysctl, and procMount hardening predicates on workloads by @tas50 in #8603
  • ✨ k8s: surface services routing to external (non-pod) endpoints by @tas50 in #8604
  • ✨ shodan: add shodan.domain.hosts() to bridge domains to host data by @tas50 in #8605
  • 🎉 shodan-13.2.0 by @tas50 in #8606
  • ✨ stackit: enrich SKE cluster + node pool with security & network fields by @tas50 in #8602
  • 🐛 fix panic parsing PAM bracketed control with no module by @tas50 in #8630
  • 🐛 fix authorized_keys line number counting only key entries by @tas50 in #8639
  • 🐛 fix files.find -maxdepth rendered in octal instead of decimal by @tas50 in #8635
  • 🐛 fix /proc status parser writing PPid into the Pid field by @tas50 in #8631
  • 🐛 fix rsyslog content() swallowing non-NotFound read errors by @tas50 in #8625
  • 🐛 fix auditd config error reporting empty field name by @tas50 in #8620
  • 🐛 fix panic on short lines in iptables ParseStat by @tas50 in #8615
  • ✨ google-workspace: security-query helpers and typed group/usage settings by @tas50 in #8611
  • 🐛 fix panic parsing /proc/cpuinfo cache size without a unit by @tas50 in #8642
  • 🐛 fix unbounded recursion on apache Include cycles by @tas50 in #8641
  • 🐛 fix initKubelet returning a nil error on failure paths by @tas50 in #8640
  • 🐛 fix dscacheutil group parser logging and bogus gid handling by @tas50 in #8628
  • 🐛 resolve systemd-resolved cache state from resolved.conf by @tas50 in #8627
  • 🐛 normalize systemd timer Persistent and socket Accept booleans by @tas50 in #8626
  • 🐛 fix nil-pointer panic in macOS dscl user enumeration by @tas50 in #8619
  • 🐛 fix fstab parser aborting on indented comments and blank lines by @tas50 in #8616
  • 🐛 fix grub.cfg parser flushing entries before the opening brace by @tas50 in #8623
  • ✨ os/kubelet: typed fields + version, defaults refresh to k8s 1.34, flag-merge fixes by @tas50 in #8612
  • 🐛 fix out-of-range index in AIX ps uid parse error path by @tas50 in #8633
  • ✨ ms365: add check-authoring helpers for licensing and role assignments by @tas50 in #8613
  • 🐛 fix iptables ParseStat error messages dropping context by @tas50 in #8621
  • ✨ google-workspace: expose admin policy settings via Cloud Identity Policy API by @tas50 in #8608
  • ✨ google-workspace: expose Chrome OS and mobile device posture by @tas50 in #8610
  • 🐛 fix sudoers user specs dropped when = is attached to the host by @tas50 in #8618
  • 🐛 fix panic parsing malformed auditd -a syscall rules by @tas50 in #8614
  • 🐛 fix sshd time-value conversion ignoring keyword case by @tas50 in #8617
  • ✨ google-workspace: expose admin role assignments by @tas50 in #8609
  • 🐛 fix panic on malformed key=value kubelet flag lists by @tas50 in #8637
  • 🐛 fix kubelet manifest-url-header reading a stray tab key by @tas50 in #8636
  • 🐛 fix lsof TCP state keys and guard malformed T-fields by @tas50 in #8632
  • 🎉 Bump minor version for ms365, google-workspace, k8s, and activedirectory providers by @tas50 in #8643
  • 🐛 llx: guard isTruthy type assertions against mismatched values by @tas50 in #8438
  • 🐛 report effective version when auto-update staged a newer binary (#7751) by @tas50 in #8348
  • 🐛 status: add an implicit timeout to network calls by @tas50 in #8351
  • 🐛 mqlc/llx: fix switch with constant-boolean case conditions by @tas50 in #8378
  • 🌟 os: read per-user registry hives (HKCU) natively by @syrull in #8622
  • fix(os/filesfind): shell-quote the find -name argument by @syrull in #8647

Full Changelog: v13.23.0...v13.24.0