aquasecurity/tracee v0.13.0

on GitHub

⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2963⚡️

Docker Images (x86_64 only)

• docker pull docker.io/aquasec/tracee:0.13.0
• docker pull docker.io/aquasec/tracee:0.13.0-full

Docker Images (per architecture)

• docker pull docker.io/aquasec/tracee:x86_64-v0.13.0
• docker pull docker.io/aquasec/tracee:x86_64-v0.13.0-full
• docker pull docker.io/aquasec/tracee:aarch64-v0.13.0
• docker pull docker.io/aquasec/tracee:aarch64-v0.13.0-full

The regular image is built with an embedded portable CO-RE eBPF object and BTFHub (for kernels not supporting BTF info). The full image is built with an embedded portable CO-RE eBPF object and it is capable of building a per kernel non CO-RE eBPF object.

What's Changed

• workflow: turn github node jobs paralell by @rafaeldtinoco in #2805
• docs: small fixes by @yanivagman in #2811
• standardize error/log first letter by @geyslan in #2812
• cleanup: order import blocks by @geyslan in #2815
• docs: fix readme links by @yanivagman in #2816
• [ARM64 TESTS] workflow: add arm64 runners and tests by @rafaeldtinoco in #2817
• builder: add goimports to tracee-make docker imgs by @geyslan in #2828
• workflow: add alma linux as rhel clone to the PR workflow by @rafaeldtinoco in #2831
• Workflow paths by @rafaeldtinoco in #2833
• docs: fix readme docs links by @josedonizetti in #2837
• events: fix signature event name by @josedonizetti in #2839
• chore: go mod tidy by @josedonizetti in #2843
• workflow: pr: reenable TRC-103 by @geyslan in #2840
• workflow: pr: enable tests in arm64 and rhel_arm64 by @geyslan in #2844
• workflow: test other tools builds as well by @rafaeldtinoco in #2848
• maintenance: build: enable arm64 container images, fix building by @rafaeldtinoco in #2849
• workflow: update AMI IDs for 30GB images by @rafaeldtinoco in #2850
• workflow: change release AMI IDs to latest by @rafaeldtinoco in #2851
• chore: fix deprecated nodejs warning for github action by @rafaeldtinoco in #2856
• go: update runc from 1.1.2 to 1.1.4 due to security by @rafaeldtinoco in #2857
• workflow: login to docker.io before docker pulls by @rafaeldtinoco in #2859
• go: fix security issue CVE-2022-1996 by @rafaeldtinoco in #2861
• workflow: fix release-snapshot with dev-full tag by @rafaeldtinoco in #2862
• feat: add PTRACE_POKEDATA to ptrace_code_injection by @roikol in #2846
• workflow: fix: github login action not working by @rafaeldtinoco in #2865
• chore: enable btfhub after arm64 changes by @rafaeldtinoco in #2867
• workflow: change release AMI IDs to latest (#2851) by @rafaeldtinoco in #2869
• feat: add inotify_find_inode event by @roikol in #2794
• errfmt: introduce new package for error formatting by @geyslan in #2842
• workflow: update AMI IDs by @rafaeldtinoco in #2872
• workflow: add PRs labeler by @rafaeldtinoco in #2875
• workflow: updates to the workflow by @rafaeldtinoco in #2877
• workflow: snapshot labels for jenkins are too long by @rafaeldtinoco in #2878
• types: add SignatureContext type for init by @NDStrahilevitz in #2880
• Logger in signatures by @NDStrahilevitz in #2864
• types: matchedScopes -> matchedPolicies by @geyslan in #2881
• rename scopes related to policies by @geyslan in #2845
• make go routines shutdown gracefully by @geyslan in #2784
• ebpf: remove params_type_map and use events_map instead by @yanivagman in #2825
• workflow: re-enable v4.19 and add arm64 version by @rafaeldtinoco in #2879
• workflow: add amzn2 5.10 kernel AMIs to tests by @rafaeldtinoco in #2885
• ebpf: remove bin_args_map by @yanivagman in #2813
• tests: disable cache for integration tests by @geyslan in #2884
• workflow: add gke 5.4, 5.10 and 5.15 kernel AMIs to tests by @rafaeldtinoco in #2886
• check relevant error returns by @geyslan in #2818
• fix: base event filters by @yanivagman in #2897
• fix: fix old_path arg of security_inode_rename by @roikol in #2895
• add bpf byte code capture by @AsafEitani in #2874
• feat: add helpers list to bpf_attach by @roikol in #2855
• ebpf: align execve enter and exit timestamps by @yanivagman in #2853
• workflow: pr: enable tests in all archs by @geyslan in #2863
• workflow: pr: enable TRC-104 test in RHEL ARM64 by @geyslan in #2910
• fix: use correct type for bpf helpers by @roikol in #2912
• feat: use libbpfgo helpers to parse bpf helpers by @roikol in #2905
• libbpf bump by @geyslan in #2911
• Revert "libbpf: bump to v1.1.0 (#2911)" by @rafaeldtinoco in #2917
• refactor: move log-file to be under --log by @josedonizetti in #2909
• skip arg filtering for PrintMemDump by @geyslan in #2914
• Policies by @josedonizetti in #2892
• types: add container and kubernetes context fields by @NDStrahilevitz in #2921
• Enrich image digest by @NDStrahilevitz in #2760
• add syscall support for print_mem_dump by @AsafEitani in #2903
• types: event policy name by @geyslan in #2922
• containers: parse ContainerID by inner cgroup by @NDStrahilevitz in #2925
• policy: enrich matched event with policy name by @geyslan in #2923
• Policy number CLI removal by @geyslan in #2919
• Feature/improve symbols loaded performance by @AlonZivony in #2891
• tests: re-enable integration for policies by @geyslan in #2927
• events: add process_execute_failed event by @OriGlassman in #2858
• events: prevent symbols map cache corruption by @AlonZivony in #2930
• chore: add tracee logos by @itaysk in #2931
• build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 by @dependabot in #2932
• policies: fix container scope by @josedonizetti in #2938
• Add hidden linux kernel module event by @OriGlassman in #2714
• docs: add policies reference documentation by @josedonizetti in #2936
• docs: update docs to reflect new binary by @geyslan in #2939
• improve policies overview by @yanivagman in #2947
• Fix policy docs newline by @yanivagman in #2948
• k8s: bump version by @rafaeldtinoco in #2949
• chore: release minor fixes by @rafaeldtinoco in #2951
• release: makefile change to sign all images by @rafaeldtinoco in #2952
• release: crane is buggy, remove until fixed by @rafaeldtinoco in #2953
• makefile: remove cosign leftover and fix release makefile by @rafaeldtinoco in #2955
• workflows: make release like the snapshot logic by @rafaeldtinoco in #2958
• release: fix release_notes.txt placement by @rafaeldtinoco in #2959
• release: create tgz at the end because of cleans by @rafaeldtinoco in #2960
• release: re-enable BTFHUB before release by @rafaeldtinoco in #2962

Full Changelog: v0.12.0...v0.13.0