[github plugin] split the field github.repo #530

Merged (2 commits), Oct 2, 2024
6 changes: 3 additions & 3 deletions .github/workflows/ci.yaml
Expand Up @@ -39,8 +39,8 @@ jobs:
uses: ./.github/workflows/reusable_validate_plugins.yaml
with:
plugin: ${{ matrix.plugin }}
falcoctl-version: 0.7.3
falco-image: falcosecurity/falco-no-driver:0.37.1
falcoctl-version: 0.10.0
falco-image: falcosecurity/falco-no-driver:0.38.2
plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
rules-checker: ./rules-checker
arch: x86_64
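Review bot: the `falcoctl-version` (0.7.3 to 0.10.0) and `falco-image` (0.37.1 to 0.38.2) bumps in this validate-plugins call are unrelated to splitting `github.repo`; if they are required to get CI green for this PR, say so in the commit message, otherwise they belong in their own PR so that a revert of either change does not drag the other along. While the line is being touched, consider pinning `falco-image` by digest (`falcosecurity/falco-no-driver:0.38.2@sha256:<digest>`) in addition to the tag, since a tag can be re-pointed and the validation run would then silently test against a different Falco binary.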
Expand All @@ -55,7 +55,7 @@ jobs:
uses: ./.github/workflows/reusable_suggest_rules_version.yaml
with:
plugin: ${{ matrix.plugin }}
falco-image: falcosecurity/falco-no-driver:0.37.1
falco-image: falcosecurity/falco-no-driver:0.38.2
plugins-artifact: plugins-x86_64-${{ github.event.number }}.tar.gz
rules-checker: ./rules-checker
arch: x86_64
4 changes: 2 additions & 2 deletions .github/workflows/main.yaml
Expand Up @@ -39,8 +39,8 @@ jobs:
uses: ./.github/workflows/reusable_validate_plugins.yaml
with:
plugin: ${{ matrix.plugin }}
falcoctl-version: 0.7.3
falco-image: falcosecurity/falco-no-driver:0.37.1
falcoctl-version: 0.10.0
falco-image: falcosecurity/falco-no-driver:0.38.2
plugins-artifact: plugins-x86_64-dev.tar.gz
rules-checker: ./rules-checker
arch: x86_64
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -49,8 +49,8 @@ jobs:
uses: ./.github/workflows/reusable_validate_plugins.yaml
with:
plugin: ${{ needs.extract-info.outputs.package }}
falcoctl-version: 0.7.3
falco-image: falcosecurity/falco-no-driver:0.37.1
falcoctl-version: 0.10.0
falco-image: falcosecurity/falco-no-driver:0.38.2
plugins-artifact: plugins-x86_64-stable.tar.gz
rules-checker: ./rules-checker
arch: x86_64
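Review bot: this is the third copy of the same `falcoctl-version` / `falco-image` pair in this PR (ci.yaml and main.yaml carry the other two), and the release workflow is the one where a drift would matter most: if one file is bumped and another is not, releases end up validated against a different Falco than pull requests. Consider hoisting both values into the `workflow_call` input defaults of `reusable_validate_plugins.yaml`, or a single shared env block, so that one bump updates every caller.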
4 changes: 2 additions & 2 deletions .github/workflows/reusable_suggest_rules_version.yaml
Expand Up @@ -114,7 +114,7 @@ jobs:
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ inputs.job-index }}

- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ inputs.job-index }}
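Review bot: `actions/upload-artifact@v3` is still a mutable tag; for a workflow that ships comment files back to a pull request, pin the action to a full commit SHA (with the version kept in a trailing comment) so that a moved or compromised tag cannot change what runs. Also note that v4 of this action already exists and requires artifact names to be unique within a run; the `pr-${{ inputs.job-index }}` name in this step is already unique per job, so a further bump should be straightforward, but the matching download step would then need `merge-multiple: true` to reassemble the `pr-*` artifacts.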
Expand Down Expand Up @@ -149,7 +149,7 @@ jobs:
echo ""

- name: Upload PR info as artifact
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: pr
path: pr/
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -83,8 +83,7 @@ These comments and the text between them should not be edited by hand -->
| [k8smeta](https://github.com/falcosecurity/plugins/tree/main/plugins/k8smeta) | **Field Extraction** <br/> `syscall` | Enriche Falco syscall flow with Kubernetes Metadata <br/><br/> Authors: [The Falco Authors](https://falco.org/community) <br/> License: Apache-2.0 |
| [k8saudit-gke](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke) | **Event Sourcing** <br/>ID: 16 <br/>`k8s_audit` <br/>**Field Extraction** <br/> `k8s_audit` | Read Kubernetes Audit Events from GKE Clusters <br/><br/> Authors: [The Falco Authors](https://falco.org/community) <br/> License: Apache-2.0 |
| [journald](https://github.com/gnosek/falco-journald-plugin) | **Event Sourcing** <br/>ID: 17 <br/>`journal` <br/>**Field Extraction** <br/> `journal` | Read Journald events into Falco <br/><br/> Authors: [Grzegorz Nosek](https://github.com/gnosek/falco-journald-plugin) <br/> License: Apache-2.0 |
| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing** <br/>ID: 18 <br/>`kafka` | Read events from Kafka topics into Falco
<br/><br/> Authors: [Hunter Madison](https://falco.org/community) <br/> License: Apache-2.0 |
| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing** <br/>ID: 18 <br/>`kafka` | Read events from Kafka topics into Falco <br/><br/> Authors: [Hunter Madison](https://falco.org/community) <br/> License: Apache-2.0 |
| [gitlab](https://github.com/an1245/falco-plugin-gitlab) | **Event Sourcing** <br/>ID: 19 <br/>`gitlab` <br/>**Field Extraction** <br/> `gitlab` | Falco plugin providing basic runtime threat detection and auditing logging for GitLab <br/><br/> Authors: [Andy](https://github.com/an1245/falco-plugin-gitlab/issues) <br/> License: Apache-2.0 |
| [keycloak](https://github.com/mattiaforc/falco-keycloak-plugin) | **Event Sourcing** <br/>ID: 20 <br/>`keycloak` <br/>**Field Extraction** <br/> `keycloak` | Falco plugin for sourcing and extracting Keycloak user/admin events <br/><br/> Authors: [Mattia Forcellese](https://github.com/mattiaforc/falco-keycloak-plugin/issues) <br/> License: Apache-2.0 |

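Review bot: the context line above this hunk states that the table is generated and must not be edited by hand, yet the fix is a hand edit that re-joins the broken `kafka` row. If the line break came from the registry entry (a newline inside the description) or from the generator, fix it at the source, otherwise the next regeneration will either reintroduce the split row or overwrite this edit; if the generator output is already correct and the committed file was simply stale, say so in the commit message so the next reader knows which is authoritative.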
1 change: 0 additions & 1 deletion plugins/github/CHANGELOG.md
Expand Up @@ -111,4 +111,3 @@

* [`86b4bc3`](https://github.com/falcosecurity/plugins/commit/86b4bc33) chore(plugins/github): apply suggestions from review


33 changes: 19 additions & 14 deletions plugins/github/README.md
Expand Up @@ -10,11 +10,12 @@ The plugin works by installing a webhook on one or more repositories. It then re

## Usage

### Prerequisites
* You will need a github token for your account, which you can get at <https://github.com/settings/tokens>. The token needs, at a minimum, full repo scope, to be able to enumerate the user's repositories and install/remove webhooks. Therefore, in the token creation page, make sure `repo` (and its childs) are checked under `Select scopes`. The token can go in one of these two places:
* in a file called `github.token` in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter)
* in an environment variable called GITHUB_PLUGIN_TOKEN
* The machine where the plugin is running needs a public address and an open firewall that allows either port 80 (for HTTP) or port 443 (for https)
### Prerequisites

- You will need a github token for your account, which you can get at <https://github.com/settings/tokens>. The token needs, at a minimum, full repo scope, to be able to enumerate the user's repositories and install/remove webhooks. Therefore, in the token creation page, make sure `repo` (and its childs) are checked under `Select scopes`. The token can go in one of these two places:
- in a file called `github.token` in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter)
- in an environment variable called GITHUB_PLUGIN_TOKEN
- The machine where the plugin is running needs a public address and an open firewall that allows either port 80 (for HTTP) or port 443 (for https)

If you want to use https (**highly recommended**), name your key and certificate `server.key` and `server.crt` and put them in `~/.ghplugin` (or in the directory pointed by the `SecretsDir` init parameter). The plugin will pick them up, validate them and start an https server. If the key and certificate are not valid, the plugin will cause falco to exit with an error.

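Review bot: since this hunk only swaps the bullet marker (`*` to `-`) and adds the blank line after the heading, fix `its childs` to `its children` and `github token` to `GitHub token` in the same lines, otherwise a second formatting-only pass will be needed. The security point in the first bullet deserves to stay prominent: a classic token with full `repo` scope can read and write code in every repository the account can reach, not only manage webhooks, so the `github.token` file under `~/.ghplugin` should be created owner-only (mode 0600) and the `GITHUB_PLUGIN_TOKEN` environment variable is the weaker option on shared hosts where process environments are readable by other users.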
Expand All @@ -35,22 +36,25 @@ Finally, specifying `*` as open argument will cause the plugin to instrument all
### Falco configuration examples

Instrument three specific repositories:

```yaml
- name: github
library_path: libgithub.so
init_config: '{"useHTTPs":true, "websocketServerURL" :"http://foo.ngrok.io"}'
open_params: 'falcosecurity/falco, falcosecurity/libs, falcosecurity/test-infra'
- name: github
library_path: libgithub.so
init_config: '{"useHTTPs":true, "websocketServerURL" :"http://foo.ngrok.io"}'
open_params: "falcosecurity/falco, falcosecurity/libs, falcosecurity/test-infra"
```

Instrument all of the user's repositores:

```yaml
- name: github
library_path: libgithub.so
init_config: '{"websocketServerURL" :"http://foo.ngrok.io"}'
open_params: '*'
- name: github
library_path: libgithub.so
init_config: '{"websocketServerURL" :"http://foo.ngrok.io"}'
open_params: "*"
```

## Webhook lifecycle

The plugin creates a webhook for each of the instrumented repository using the token specified as the first open argument. Each webhook is configured with a unique, automatically generated secret. This allows the plugin to reject messages that don't come from the righful github webhooks.

All of the webhooks are deleted when the plugin event source gets closed (i.e. when Falco reloads or stops).
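Review bot: the examples now use double-quoted `open_params`, but the prose around them is untouched, so `repositores` (the line introducing the second example) and `righful` (in the Webhook lifecycle paragraph) survive; fix both while reflowing this section. The first example also combines `"useHTTPs":true` with an `http://` value for `websocketServerURL`, which reads as a mixed setup next to the Prerequisites section that strongly recommends https; either make the URL `https://` or drop `useHTTPs` from that example so readers do not copy an inconsistent configuration.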
Expand All @@ -63,7 +67,8 @@ All of the webhooks are deleted when the plugin event source gets closed (i.e. w
| `github.type` | `string` | None | Message type, e.g. 'star' or 'repository'. |
| `github.action` | `string` | None | The github event action. This field typically qualifies the github.type field. For example, a message of type 'star' can have action 'created' or 'deleted'. |
| `github.user` | `string` | None | Name of the user that triggered the event. |
| `github.repo` | `string` | None | Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. |
| `github.repo.url` | `string` | None | URL of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. |
| `github.repo.name` | `string` | None | Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository. |
| `github.org` | `string` | None | Name of the organization the git repository belongs to. |
| `github.owner` | `string` | None | Name of the repository's owner. |
| `github.repo.public` | `string` | None | 'true' if the repository affected by the action is public. 'false' otherwise. |
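Review bot: this table drops the `github.repo` row entirely, while `extract.go` in the same PR keeps the field and marks it `(deprecated)`; keep a row for it, flagged deprecated and pointing at `github.repo.url`, so users whose existing rules reference `github.repo` can see that it still resolves and what to migrate to. Also, `github.repo.name` is described here as `Name of the git repository`, but the extractor derives it by stripping `https://github.com/` from `html_url`, which yields `owner/repo`; say `full name (owner/repo)` so rule authors write `github.repo.name = "falcosecurity/falco"` rather than `= "falco"`.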
10 changes: 9 additions & 1 deletion plugins/github/pkg/github/extract.go
Expand Up @@ -20,6 +20,7 @@ package github
import (
"fmt"
"io/ioutil"
"strings"

"github.com/falcosecurity/plugin-sdk-go/pkg/sdk"
"github.com/valyala/fastjson"
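Review bot: the new `strings` import is fine; since the import block is being touched anyway, `io/ioutil` has been deprecated since Go 1.16 (its functions now live in `io` and `os`), so swapping it in the same change avoids a lint warning later. Not blocking.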
Expand All @@ -31,7 +32,9 @@ func (p *Plugin) Fields() []sdk.FieldEntry {
{Type: "string", Name: "github.type", Display: "Message Type", Desc: "Message type, e.g. 'star' or 'repository'."},
{Type: "string", Name: "github.action", Display: "Action Type", Desc: "The github event action. This field typically qualifies the github.type field. For example, a message of type 'star' can have action 'created' or 'deleted'."},
{Type: "string", Name: "github.user", Display: "User", Desc: "Name of the user that triggered the event."},
{Type: "string", Name: "github.repo", Display: "Repository", Desc: "Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."},
{Type: "string", Name: "github.repo", Display: "Repository", Desc: "(deprecated) URL of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."},
{Type: "string", Name: "github.repo.url", Display: "Repository URL", Desc: "URL of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."},
{Type: "string", Name: "github.repo.name", Display: "Repository Name", Desc: "Name of the git repository where the event occurred. Github Webhook payloads contain the repository property when the event occurs from activity in a repository."},
{Type: "string", Name: "github.org", Display: "Organization", Desc: "Name of the organization the git repository belongs to."},
{Type: "string", Name: "github.owner", Display: "Owner", Desc: "Name of the repository's owner."},
{Type: "string", Name: "github.repo.public", Display: "Public", Desc: "'true' if the repository affected by the action is public. 'false' otherwise."},
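Review bot: keeping `github.repo` and marking it `(deprecated)` instead of removing it is the right call for a 0.7.x to 0.8.0 bump, since existing rule files keep loading; make the Desc actionable by naming the replacement (for example `(deprecated, use github.repo.url)`), because this string is what `falco --list` shows to users. The old description said "Name of the git repository" while the extractor has always returned `html_url`, so rewording it to "URL of" corrects a long-standing mismatch and is worth a line in the commit message.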
Expand Down Expand Up @@ -116,6 +119,11 @@ func getfieldStr(jdata *fastjson.Value, field string) (bool, string) {
res = string(jdata.Get("sender", "login").GetStringBytes())
case "github.repo":
res = string(jdata.Get("repository", "html_url").GetStringBytes())
case "github.repo.url":
res = string(jdata.Get("repository", "html_url").GetStringBytes())
case "github.repo.name":
res = string(jdata.Get("repository", "html_url").GetStringBytes())
res = strings.TrimPrefix(res, "https://github.com/")
case "github.org":
res = string(jdata.Get("organization", "login").GetStringBytes())
case "github.owner":
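Review bot: deriving `github.repo.name` with `strings.TrimPrefix(res, "https://github.com/")` returns `owner/repo` rather than just the repository name, and returns the untouched URL for any host other than github.com (a GitHub Enterprise Server instance, for example), so rules that match on `github.repo.name` would silently never fire there. The webhook payload already carries `repository.full_name` and `repository.name` as plain strings; reading `jdata.Get("repository", "full_name")` (or `"name"`, depending on which form the field is meant to return) avoids the string surgery and works for every host. Whichever is chosen, the Desc in `Fields()` should state which form (`owner/repo` vs `repo`) the field returns.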
2 changes: 1 addition & 1 deletion plugins/github/pkg/github/github.go
Expand Up @@ -39,7 +39,7 @@ const (
PluginName = "github"
PluginDescription = "Reads github webhook events, by listening on a socket or by reading events from disk"
PluginContact = "github.com/falcosecurity/plugins"
PluginVersion = "0.7.5"
PluginVersion = "0.8.0"
PluginEventSource = "github"
ExtractEventSource = "github"
)
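Review bot: a minor bump to 0.8.0 fits an additive change with a deprecation (no field removed, no existing output changed). The CHANGELOG hunk in this PR only trims a trailing blank line; if the changelog is filled in by release tooling that is fine, otherwise the `github.repo` deprecation and the two new fields should be listed there so users get the migration hint at upgrade time.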