From 7403eee7357bc04625a9d5bc2a151d26cd7db073 Mon Sep 17 00:00:00 2001 From: Thomas Labarussias Date: Tue, 17 Sep 2024 17:32:45 +0200 Subject: [PATCH] [github plugin] split the field github.repo into github.repo.name and github.repo.url for easier to write rules + fix bad indentation in the registry table Signed-off-by: Thomas Labarussias update the upload-artifact action version Signed-off-by: Thomas Labarussias --- .../reusable_suggest_rules_version.yaml | 4 +- README.md | 3 +- plugins/github/CHANGELOG.md | 82 ++++++++----------- plugins/github/README.md | 33 ++++---- plugins/github/pkg/github/extract.go | 9 +- plugins/github/pkg/github/github.go | 2 +- plugins/github/rules/github.yaml | 28 +++---- registry.yaml | 3 +- 8 files changed, 78 insertions(+), 86 deletions(-) diff --git a/.github/workflows/reusable_suggest_rules_version.yaml b/.github/workflows/reusable_suggest_rules_version.yaml index ab430e7f..a868ef0a 100644 --- a/.github/workflows/reusable_suggest_rules_version.yaml +++ b/.github/workflows/reusable_suggest_rules_version.yaml @@ -114,7 +114,7 @@ jobs: cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }} - name: Upload PR info as artifact - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 if: steps.compare.outputs.comment_file != '' with: name: pr-${{ inputs.job-index }} @@ -149,7 +149,7 @@ jobs: echo "" - name: Upload PR info as artifact - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: pr path: pr/ diff --git a/README.md b/README.md index 850b64be..b87b3c93 100644 --- a/README.md +++ b/README.md @@ -83,8 +83,7 @@ These comments and the text between them should not be edited by hand --> | [k8smeta](https://github.com/falcosecurity/plugins/tree/main/plugins/k8smeta) | **Field Extraction**
`syscall` | Enriche Falco syscall flow with Kubernetes Metadata

Authors: [The Falco Authors](https://falco.org/community)
License: Apache-2.0 | | [k8saudit-gke](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke) | **Event Sourcing**
ID: 16
`k8s_audit`
**Field Extraction**
`k8s_audit` | Read Kubernetes Audit Events from GKE Clusters

Authors: [The Falco Authors](https://falco.org/community)
License: Apache-2.0 | | [journald](https://github.com/gnosek/falco-journald-plugin) | **Event Sourcing**
ID: 17
`journal`
**Field Extraction**
`journal` | Read Journald events into Falco

Authors: [Grzegorz Nosek](https://github.com/gnosek/falco-journald-plugin)
License: Apache-2.0 | -| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing**
ID: 18
`kafka` | Read events from Kafka topics into Falco -

Authors: [Hunter Madison](https://falco.org/community)
License: Apache-2.0 | +| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing**
ID: 18
`kafka` | Read events from Kafka topics into Falco

Authors: [Hunter Madison](https://falco.org/community)
License: Apache-2.0 | | [gitlab](https://github.com/an1245/falco-plugin-gitlab) | **Event Sourcing**
ID: 19
`gitlab`
**Field Extraction**
`gitlab` | Falco plugin providing basic runtime threat detection and auditing logging for GitLab

Authors: [Andy](https://github.com/an1245/falco-plugin-gitlab/issues)
License: Apache-2.0 | | [keycloak](https://github.com/mattiaforc/falco-keycloak-plugin) | **Event Sourcing**
ID: 20
`keycloak`
**Field Extraction**
`keycloak` | Falco plugin for sourcing and extracting Keycloak user/admin events

Authors: [Mattia Forcellese](https://github.com/mattiaforc/falco-keycloak-plugin/issues)
License: Apache-2.0 | diff --git a/plugins/github/CHANGELOG.md b/plugins/github/CHANGELOG.md index 115c858a..f6683d34 100644 --- a/plugins/github/CHANGELOG.md +++ b/plugins/github/CHANGELOG.md 
@@ -2,113 +2,97 @@ ## v0.7.5 -* [`980fa2e`](https://github.com/falcosecurity/plugins/commit/980fa2e4) update(plugins/github): upgrade sdk and deps - +- [`980fa2e`](https://github.com/falcosecurity/plugins/commit/980fa2e4) update(plugins/github): upgrade sdk and deps ## v0.7.4 - ## v0.7.3 -* [`9298bcb`](https://github.com/falcosecurity/plugins/commit/9298bcb5) update(github): bump version to 0.7.3 - -* [`6f7ef79`](https://github.com/falcosecurity/plugins/commit/6f7ef799) build(deps): bump golang.org/x/net in /plugins/github +- [`9298bcb`](https://github.com/falcosecurity/plugins/commit/9298bcb5) update(github): bump version to 0.7.3 +- [`6f7ef79`](https://github.com/falcosecurity/plugins/commit/6f7ef799) build(deps): bump golang.org/x/net in /plugins/github ## v0.7.2 -* [`f37dd74`](https://github.com/falcosecurity/plugins/commit/f37dd748) chore(github): bump version to 0.7.2 - +- [`f37dd74`](https://github.com/falcosecurity/plugins/commit/f37dd748) chore(github): bump version to 0.7.2 ## v0.7.1 -* [`b0a2735`](https://github.com/falcosecurity/plugins/commit/b0a27351) fix(plugins/github): add length check in if statement - -* [`5e2953f`](https://github.com/falcosecurity/plugins/commit/5e2953f8) build(deps): bump google.golang.org/protobuf in /plugins/github +- [`b0a2735`](https://github.com/falcosecurity/plugins/commit/b0a27351) fix(plugins/github): add length check in if statement +- [`5e2953f`](https://github.com/falcosecurity/plugins/commit/5e2953f8) build(deps): bump google.golang.org/protobuf in /plugins/github ## v0.7.0 -* [`3a7f1b1`](https://github.com/falcosecurity/plugins/commit/3a7f1b19) fix(plugins/github): add a check that before and after commit IDs aren't null... - -* [`81ccd91`](https://github.com/falcosecurity/plugins/commit/81ccd91d) build(deps): bump golang.org/x/net in /plugins/github +- [`3a7f1b1`](https://github.com/falcosecurity/plugins/commit/3a7f1b19) fix(plugins/github): add a check that before and after commit IDs aren't null... 
+- [`81ccd91`](https://github.com/falcosecurity/plugins/commit/81ccd91d) build(deps): bump golang.org/x/net in /plugins/github ## v0.6.1 - ## v0.6.0 -* [`044d7d3`](https://github.com/falcosecurity/plugins/commit/044d7d3e) fix(plugins/github): fix small typo +- [`044d7d3`](https://github.com/falcosecurity/plugins/commit/044d7d3e) fix(plugins/github): fix small typo -* [`4c22035`](https://github.com/falcosecurity/plugins/commit/4c220355) feat(plugins/github): add github tag to all rules in ruleset file - -* [`409260a`](https://github.com/falcosecurity/plugins/commit/409260ab) fix(plugins/github): fix type field extraction +- [`4c22035`](https://github.com/falcosecurity/plugins/commit/4c220355) feat(plugins/github): add github tag to all rules in ruleset file +- [`409260a`](https://github.com/falcosecurity/plugins/commit/409260ab) fix(plugins/github): fix type field extraction ## v0.5.3 -* [`dc1e87e`](https://github.com/falcosecurity/plugins/commit/dc1e87e9) fix(plugins/github): fix ruleset dependencies - +- [`dc1e87e`](https://github.com/falcosecurity/plugins/commit/dc1e87e9) fix(plugins/github): fix ruleset dependencies ## v0.5.2 - ## v0.5.1 -* [`f1bd3b4`](https://github.com/falcosecurity/plugins/commit/f1bd3b4e) build(deps): bump golang.org/x/net in /plugins/github - +- [`f1bd3b4`](https://github.com/falcosecurity/plugins/commit/f1bd3b4e) build(deps): bump golang.org/x/net in /plugins/github ## v0.5.0 -* [`972cca0`](https://github.com/falcosecurity/plugins/commit/972cca0b) update(plugin/github): bump plugin version to v0.5.0 - -* [`0b6e12b`](https://github.com/falcosecurity/plugins/commit/0b6e12b5) update(rules/github): bump required_plugins_versions for github rules +- [`972cca0`](https://github.com/falcosecurity/plugins/commit/972cca0b) update(plugin/github): bump plugin version to v0.5.0 +- [`0b6e12b`](https://github.com/falcosecurity/plugins/commit/0b6e12b5) update(rules/github): bump required_plugins_versions for github rules ## v0.4.0 -* 
[`9654722`](https://github.com/falcosecurity/plugins/commit/96547228) update(plugins/github): bump plugin version to v0.4.0 - -* [`9f3a5e0`](https://github.com/falcosecurity/plugins/commit/9f3a5e0e) chore(plugins/github): update readme +- [`9654722`](https://github.com/falcosecurity/plugins/commit/96547228) update(plugins/github): bump plugin version to v0.4.0 -* [`0b7468a`](https://github.com/falcosecurity/plugins/commit/0b7468a0) update(plugins/github): fix makefile cleanup +- [`9f3a5e0`](https://github.com/falcosecurity/plugins/commit/9f3a5e0e) chore(plugins/github): update readme +- [`0b7468a`](https://github.com/falcosecurity/plugins/commit/0b7468a0) update(plugins/github): fix makefile cleanup ## v0.3.1 -* [`1bf3df4`](https://github.com/falcosecurity/plugins/commit/1bf3df4c) update(plugin/github): bump version to 0.3.1 - -* [`cf809fa`](https://github.com/falcosecurity/plugins/commit/cf809fa9) fix(plugins/github): correctly parse git diffs +- [`1bf3df4`](https://github.com/falcosecurity/plugins/commit/1bf3df4c) update(plugin/github): bump version to 0.3.1 +- [`cf809fa`](https://github.com/falcosecurity/plugins/commit/cf809fa9) fix(plugins/github): correctly parse git diffs ## v0.3.0 -* [`c2412cf`](https://github.com/falcosecurity/plugins/commit/c2412cf5) update(plugins/github): bump version to 0.3.0 - +- [`c2412cf`](https://github.com/falcosecurity/plugins/commit/c2412cf5) update(plugins/github): bump version to 0.3.0 ## v0.2.0 -* [`d9c1f08`](https://github.com/falcosecurity/plugins/commit/d9c1f084) update(plugins/github): adapt plugin for plugin-sdk-go v0.4.0 - -* [`71f653f`](https://github.com/falcosecurity/plugins/commit/71f653f3) chore(plugins/github): address review suggestions - -* [`32cccff`](https://github.com/falcosecurity/plugins/commit/32cccff1) chore(plugins/github): use log instead of fmt prints +- [`d9c1f08`](https://github.com/falcosecurity/plugins/commit/d9c1f084) update(plugins/github): adapt plugin for plugin-sdk-go v0.4.0 -* 
[`dbf7459`](https://github.com/falcosecurity/plugins/commit/dbf7459f) chore(plugins/github): reduce method visibility +- [`71f653f`](https://github.com/falcosecurity/plugins/commit/71f653f3) chore(plugins/github): address review suggestions -* [`a1ef331`](https://github.com/falcosecurity/plugins/commit/a1ef331c) chore(plugins/github): solve warnings +- [`32cccff`](https://github.com/falcosecurity/plugins/commit/32cccff1) chore(plugins/github): use log instead of fmt prints -* [`c79c890`](https://github.com/falcosecurity/plugins/commit/c79c8904) refactor(plugin/github): adhere to package design and init plugin main file +- [`dbf7459`](https://github.com/falcosecurity/plugins/commit/dbf7459f) chore(plugins/github): reduce method visibility -* [`79336d4`](https://github.com/falcosecurity/plugins/commit/79336d4d) chore(plugins/github): insert copyright headers +- [`a1ef331`](https://github.com/falcosecurity/plugins/commit/a1ef331c) chore(plugins/github): solve warnings -* [`57caa6c`](https://github.com/falcosecurity/plugins/commit/57caa6c4) update(plugins/github): bump dependencies version +- [`c79c890`](https://github.com/falcosecurity/plugins/commit/c79c8904) refactor(plugin/github): adhere to package design and init plugin main file -* [`678787f`](https://github.com/falcosecurity/plugins/commit/678787f8) update(plugins/github/rules): add version dependencies in ruleset +- [`79336d4`](https://github.com/falcosecurity/plugins/commit/79336d4d) chore(plugins/github): insert copyright headers -* [`982ac09`](https://github.com/falcosecurity/plugins/commit/982ac09b) refactor(plugins/github): create package directory +- [`57caa6c`](https://github.com/falcosecurity/plugins/commit/57caa6c4) update(plugins/github): bump dependencies version -* [`86b4bc3`](https://github.com/falcosecurity/plugins/commit/86b4bc33) chore(plugins/github): apply suggestions from review +- [`678787f`](https://github.com/falcosecurity/plugins/commit/678787f8) update(plugins/github/rules): add version 
dependencies in ruleset +- [`982ac09`](https://github.com/falcosecurity/plugins/commit/982ac09b) refactor(plugins/github): create package directory +- [`86b4bc3`](https://github.com/falcosecurity/plugins/commit/86b4bc33) chore(plugins/github): apply suggestions from review +z \ No newline at end of file diff --git a/plugins/github/README.md b/plugins/github/README.md index 2e41485e..58a4f961 100644 --- a/plugins/github/README.md +++ b/plugins/github/README.md 
@@ -10,11 +10,12 @@ The plugin works by installing a webhook on one or more repositories. It then re ## Usage -### Prerequisites -* You will need a github token for your account, which you can get at . The token needs, at a minimum, full repo scope, to be able to enumerate the user's repositories and install/remove webhooks. Therefore, in the token creation page, make sure `repo` (and its childs) are checked under `Select scopes`. The token can go in one of these two places: - * in a file called `github.token` in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter) - * in an environment variable called GITHUB_PLUGIN_TOKEN -* The machine where the plugin is running needs a public address and an open firewall that allows either port 80 (for HTTP) or port 443 (for https) +### Prerequisites + +- You will need a github token for your account, which you can get at . The token needs, at a minimum, full repo scope, to be able to enumerate the user's repositories and install/remove webhooks. Therefore, in the token creation page, make sure `repo` (and its childs) are checked under `Select scopes`. The token can go in one of these two places: + - in a file called `github.token` in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter) + - in an environment variable called GITHUB_PLUGIN_TOKEN +- The machine where the plugin is running needs a public address and an open firewall that allows either port 80 (for HTTP) or port 443 (for https) If you want to use https (**highly recommended**), name your key and certificate `server.key` and `server.crt` and put them in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter). The plugin will pick them up, validate them and start an https server. If the key and certificate are not valid, the plugin will cause falco to exit with an error. 
@@ -35,22 +36,25 @@ Finally, specifying `*` as open argument will cause the plugin to instrument all ### Falco configuration examples Instrument three specific repositories: + ```yaml - - name: github - library_path: libgithub.so - init_config: '{"useHTTPs":true, "websocketServerURL" :"http://foo.ngrok.io"}' - open_params: 'falcosecurity/falco, falcosecurity/libs, falcosecurity/test-infra' +- name: github + library_path: libgithub.so + init_config: '{"useHTTPs":true, "websocketServerURL" :"http://foo.ngrok.io"}' + open_params: "falcosecurity/falco, falcosecurity/libs, falcosecurity/test-infra" ``` Instrument all of the user's repositores: + ```yaml - - name: github - library_path: libgithub.so - init_config: '{"websocketServerURL" :"http://foo.ngrok.io"}' - open_params: '*' +- name: github + library_path: libgithub.so + init_config: '{"websocketServerURL" :"http://foo.ngrok.io"}' + open_params: "*" ``` ## Webhook lifecycle + The plugin creates a webhook for each of the instrumented repository using the token specified as the first open argument. Each webhook is configured with a unique, automatically generated secret. This allows the plugin to reject messages that don't come from the righful github webhooks. All of the webhooks are deleted when the plugin event source gets closed (i.e. when Falco reloads or stops). 
@@ -63,7 +67,8 @@ All of the webhooks are deleted when the plugin event source gets closed (i.e. w | `github.type` | `string` | None | Message type, e.g. 'star' or 'repository'. | | `github.action` | `string` | None | The github event action. This field typically qualifies the github.type field. For example, a message of type 'star' can have action 'created' or 'deleted'. | | `github.user` | `string` | None | Name of the user that triggered the event. | -| `github.repo` | `string` | None | Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. | +| `github.repo.url` | `string` | None | URL of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. | +| `github.repo.name` | `string` | None | Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. | | `github.org` | `string` | None | Name of the organization the git repository belongs to. | | `github.owner` | `string` | None | Name of the repository's owner. | | `github.repo.public` | `string` | None | 'true' if the repository affected by the action is public. 'false' otherwise. | diff --git a/plugins/github/pkg/github/extract.go b/plugins/github/pkg/github/extract.go index 785fb8e3..959e324f 100644 --- a/plugins/github/pkg/github/extract.go +++ b/plugins/github/pkg/github/extract.go @@ -20,6 +20,7 @@ package github import ( "fmt" "io/ioutil" + "strings" "github.com/falcosecurity/plugin-sdk-go/pkg/sdk" "github.com/valyala/fastjson" 
@@ -31,7 +32,8 @@ func (p *Plugin) Fields() []sdk.FieldEntry { {Type: "string", Name: "github.type", Display: "Message Type", Desc: "Message type, e.g. 'star' or 'repository'."}, {Type: "string", Name: "github.action", Display: "Action Type", Desc: "The github event action. This field typically qualifies the github.type field. For example, a message of type 'star' can have action 'created' or 'deleted'."}, {Type: "string", Name: "github.user", Display: "User", Desc: "Name of the user that triggered the event."}, - {Type: "string", Name: "github.repo", Display: "Repository", Desc: "Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."}, + {Type: "string", Name: "github.repo.url", Display: "Repository", Desc: "URL of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."}, + {Type: "string", Name: "github.repo.name", Display: "Repository", Desc: "Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."}, {Type: "string", Name: "github.org", Display: "Organization", Desc: "Name of the organization the git repository belongs to."}, {Type: "string", Name: "github.owner", Display: "Owner", Desc: "Name of the repository's owner."}, {Type: "string", Name: "github.repo.public", Display: "Public", Desc: "'true' if the repository affected by the action is public. 'false' otherwise."}, 
@@ -114,8 +116,11 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) { res = string(jdata.GetStringBytes("action")) case "github.user": res = string(jdata.Get("sender", "login").GetStringBytes()) - case "github.repo": + case "github.repo.url": res = string(jdata.Get("repository", "html_url").GetStringBytes()) + case "github.repo.name": + res = string(jdata.Get("repository", "html_url").GetStringBytes()) + res = strings.TrimPrefix(res, "https://github.com/") case "github.org": res = string(jdata.Get("organization", "login").GetStringBytes()) case "github.owner": diff --git a/plugins/github/pkg/github/github.go b/plugins/github/pkg/github/github.go index 05a44eb9..7d397c93 100644 --- a/plugins/github/pkg/github/github.go +++ b/plugins/github/pkg/github/github.go @@ -39,7 +39,7 @@ const ( PluginName = "github" PluginDescription = "Reads github webhook events, by listening on a socket or by reading events from disk" PluginContact = "github.com/falcosecurity/plugins" - PluginVersion = "0.7.5" + PluginVersion = "0.8.0" PluginEventSource = "github" ExtractEventSource = "github" ) diff --git a/plugins/github/rules/github.yaml b/plugins/github/rules/github.yaml index 99f3c21b..6f5a257e 100644 --- a/plugins/github/rules/github.yaml +++ b/plugins/github/rules/github.yaml @@ -20,7 +20,7 @@ - required_plugin_versions: - name: github - version: 0.7.0 + version: 0.8.0 - rule: Webhook Connected desc: Detect a webhook link 
@@ -41,7 +41,7 @@ - rule: Private Repository Becoming Public desc: Detect changing the visibility of a repository to public condition: github.type=repository and github.action=publicized - output: A repository went from private to public (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A repository went from private to public (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: CRITICAL source: github tags: [github] @@ -49,7 +49,7 @@ - rule: Public Repository Becoming Private desc: Detect changing the visibility of a repository to private condition: github.type=repository and github.action=privatized - output: A repository went from public to private (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A repository went from public to private (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: WARNING source: github tags: [github] @@ -57,7 +57,7 @@ - rule: Create Public Repository desc: Detect the creation of a new public repository condition: github.type=repository and github.action=created and github.repo.public=true - output: A new public repository was created (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A new public repository was created (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: WARNING source: github tags: [github] 
@@ -65,7 +65,7 @@ - rule: Delete Public Repository desc: Detect the deletion of a public repository condition: github.type=repository and github.action=deleted and github.repo.public=true - output: A public repository was deleted (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A public repository was deleted (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: WARNING source: github tags: [github] @@ -73,7 +73,7 @@ - rule: Create Repository desc: Detect the creation of a new repository condition: github.type=repository and github.action=created - output: A new repository was created (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A new repository was created (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: INFO source: github tags: [github] @@ -81,7 +81,7 @@ - rule: Delete Repository desc: Detect the deletion of a repository condition: github.type=repository and github.action=deleted - output: A repository was deleted (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A repository was deleted (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: INFO source: github tags: [github] @@ -89,7 +89,7 @@ - rule: Create Deploy Key desc: Detect the creation of a new deploy key for a repository condition: github.type=deploy_key and github.action=created - output: A new deploy key was created (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A new deploy key was created (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: INFO source: github tags: [github] 
@@ -97,7 +97,7 @@ - rule: Delete Deploy Key desc: Detect the deletion a repository's deploy key condition: github.type=deploy_key and github.action=deleted - output: A deploy key was deleted (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user) + output: A deploy key was deleted (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user) priority: INFO source: github tags: [github] @@ -105,7 +105,7 @@ - rule: Add Collaborator to Repository desc: Detect the addition of a collaborator to a repository condition: github.type=member and github.action=added - output: A collaborator was added to a repository (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user collaborator=%github.collaborator.name role=%github.collaborator.role) + output: A collaborator was added to a repository (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user collaborator=%github.collaborator.name role=%github.collaborator.role) priority: INFO source: github tags: [github] @@ -113,7 +113,7 @@ - rule: Remove Collaborator from Repository desc: Detect the removal of a collaborator from a repository condition: github.type=member and github.action=removed - output: A collaborator was removed from a repository (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user collaborator=%github.collaborator.name) + output: A collaborator was removed from a repository (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user collaborator=%github.collaborator.name) priority: INFO source: github tags: [github] 
@@ -121,7 +121,7 @@ - rule: Secret pushed into a public repository desc: A secret (AWS keys, github token...) was committed into a public repository condition: github.type=push and github.diff.has_secrets = true and github.repo.public=true - output: One or more secrets were pushed into a private repository (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user secret_types=%github.diff.committed_secrets.desc file=%github.diff.committed_secrets.files line=%github.diff.committed_secrets.lines url=%github.diff.committed_secrets.links) + output: One or more secrets were pushed into a private repository (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user secret_types=%github.diff.committed_secrets.desc file=%github.diff.committed_secrets.files line=%github.diff.committed_secrets.lines url=%github.diff.committed_secrets.links) priority: CRITICAL source: github tags: [github] @@ -129,7 +129,7 @@ - rule: Secret pushed into a private repository desc: A secret (AWS keys, github token...) was committed into a private repository condition: github.type=push and github.diff.has_secrets = true and github.repo.public=false - output: One or more secrets were pushed into a private repository (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user secret_types=%github.diff.committed_secrets.desc file=%github.diff.committed_secrets.files line=%github.diff.committed_secrets.lines url=%github.diff.committed_secrets.links) + output: One or more secrets were pushed into a private repository (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user secret_types=%github.diff.committed_secrets.desc file=%github.diff.committed_secrets.files line=%github.diff.committed_secrets.lines url=%github.diff.committed_secrets.links) priority: CRITICAL source: github tags: [github] 
@@ -137,7 +137,7 @@ - rule: Github action with miners desc: a github action containing crypto miners was executed condition: github.type=workflow_run and github.action=requested and github.workflow.has_miners=true - output: a github action containing crypto miners was executed (repository=%github.repo repo_owner=%github.owner org=%github.org user=%github.user file=%github.workflow.filename) + output: a github action containing crypto miners was executed (repository_name=%github.repo.name repository_url=%github.repo.url repo_owner=%github.owner org=%github.org user=%github.user file=%github.workflow.filename) priority: CRITICAL source: github tags: [github] diff --git a/registry.yaml b/registry.yaml index 5caa1131..ceb4218d 100644 --- a/registry.yaml +++ b/registry.yaml @@ -452,8 +452,7 @@ plugins: extraction: supported: true - name: kafka - description: | - Read events from Kafka topics into Falco + description: Read events from Kafka topics into Falco authors: Hunter Madison contact: https://falco.org/community maintainers:
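Review bot: In the two `reusable_suggest_rules_version.yaml` hunks (`@@ -114,7` and `@@ -149,7`), `actions/upload-artifact@v2` is moved to `@v3`, but v4 has been the current major since late 2023 and GitHub has announced the deprecation of v3, so this bump will need to be repeated soon. Before going to v4, check the second upload, which uses a fixed `name: pr`: v4 artifacts are immutable and a second upload under the same name in one workflow run fails, which matters for a reusable workflow invoked with a `job-index`. Whichever major is chosen, consider pinning the action to a full commit SHA (with the tag in a trailing comment) rather than a mutable tag, which is the usual supply-chain hardening for third-party actions.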
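Review bot: The `plugins/github/CHANGELOG.md` hunk ends with a stray `+z` line followed by `\ No newline at end of file`, which looks like an accidental keystroke; the file should end after the last `- [...]` entry with a trailing newline. Separately, the plugin version is bumped to `0.8.0` elsewhere in this patch but no `## v0.8.0` section is added here; if the changelog is generated at release time that is fine, otherwise an entry describing the `github.repo` split would help readers.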
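Review bot: In the `plugins/github/README.md` hunks (`@@ -10,11` and `@@ -35,22`), the prerequisites bullet still reads "which you can get at ." with no link after "at", and the rewritten lines carry over a few typos that could be fixed while the lines are being touched: "its childs" (children), "repositores" (repositories) and "righful" (rightful).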
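Review bot: In the `plugins/github/README.md` `@@ -63,7` field-table hunk, the description of `github.repo.name` says "Name of the git repository", but the extraction in this patch derives it from `html_url` by stripping `https://github.com/`, so the value has the `owner/name` form (for example `falcosecurity/falco`, in the notation of this table). Rule authors will match on it, so the description should state the exact format, e.g. "Full name of the repository (`owner/name`)", and the same wording should go in the `Desc` string in `extract.go`.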
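Review bot: In the `extract.go` `@@ -31,7` hunk, both new entries use `Display: "Repository"`, so the two fields are indistinguishable in any UI or listing that shows display names; suggest `Display: "Repository URL"` and `Display: "Repository Name"`.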
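Review bot: In the `extract.go` `@@ -114,8` hunk, `github.repo.name` is computed by reading `repository.html_url` and then `strings.TrimPrefix(res, "https://github.com/")`. That hard-codes github.com: on a GitHub Enterprise Server instance the prefix does not match, `TrimPrefix` returns the string unchanged, and the "name" field silently carries the full URL, so any rule that compares `github.repo.name` against `owner/name` would never fire. GitHub webhook payloads already carry the repository's full name in `repository.full_name`, so `res = string(jdata.Get("repository", "full_name").GetStringBytes())` gives the same `owner/name` value on every host, drops the need for the `strings` import, and turns the two-statement case into one.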
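Review bot: In the `github.go` hunk, bumping `PluginVersion` to `0.8.0` is the right signal for a renamed field under 0.x versioning, but removing `github.repo` is still a breaking change for any user-written rule or output that references `%github.repo` or `github.repo` in a condition: those rules will fail to load against the new plugin. The shipped ruleset is covered by the `required_plugin_versions` bump in `github.yaml`; a short migration note in the README or CHANGELOG ("`github.repo` is replaced by `github.repo.name` and `github.repo.url`") would cover everyone else.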
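Review bot: In the `github.yaml` `@@ -121,7` hunk (rule "Secret pushed into a public repository"), the condition is `github.repo.public=true` but the rewritten `output` line still says "One or more secrets were pushed into a private repository", a copy of the next rule's text. Since the line is being rewritten anyway, change it to "...into a public repository" so the alert text matches the condition; analysts triaging these CRITICAL alerts will otherwise read the wrong exposure level.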