feat(detectors): add CEL support to YAML detectors #5147
Pull request overview
This PR introduces Common Expression Language (CEL) support to YAML detectors, enabling dynamic runtime conditions and field extraction without requiring Go code. The major changes include:
- CEL integration for conditions and field extraction
- Shared lists feature for reusable value collections
- Datastore access functions for querying system state
- String utility functions for path and text manipulation
Reviewed changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| pkg/detectors/yaml/cel_env.go | Core CEL environment setup with macros for simplified syntax (getData/hasData) |
| pkg/detectors/yaml/cel_datastores.go | Datastore functions for accessing process, container, system, kernel, DNS, and syscall information |
| pkg/detectors/yaml/cel_strings.go | String utility functions (split, join, trim, replace, upper, lower, basename, dirname) |
| pkg/detectors/yaml/detector.go | Updated detector to compile and evaluate CEL expressions with timeout and cost limits |
| pkg/detectors/yaml/schema.go | Added Conditions field and renamed ExtractFieldSpec to FieldSpec |
| pkg/detectors/yaml/validator.go | Enhanced validation to compile CEL expressions and removed legacy extraction path validation |
| pkg/detectors/yaml/list_loader.go | List loading from {dir}/lists/ subdirectory with uppercase snake_case naming |
| pkg/detectors/yaml/loader.go | Integrated list loading into detector directory loading |
| pkg/detectors/yaml/extractor.go | Deleted legacy field extractor (replaced by CEL) |
| tests/integration/yaml_detector_test.go | Updated tests to use getData() syntax instead of data.field |
| examples/detectors/yaml/*.yaml | Updated example detectors to use CEL expressions |
| docs/docs/detectors/yaml-detectors.md | Comprehensive documentation for CEL features, shared lists, and datastore functions |
Force-pushed from 8cf7067 to 3007f1f.
Codecov Report ❌

Coverage diff, main vs. #5147:

| | main | #5147 | +/- |
|---|---|---|---|
| Coverage | 33.51% | 36.65% | +3.13% |
| Files | 250 | 262 | +12 |
| Lines | 28908 | 31401 | +2493 |
| Hits | 9688 | 11509 | +1821 |
| Misses | 18609 | 19096 | +487 |
| Partials | 611 | 796 | +185 |
Force-pushed from 8a61428 to 0413c0b.
josedonizetti left a comment:

first pass, still testing
Force-pushed from 2bc10a1 to b89f3ca.
- Add Common Expression Language (CEL) for dynamic conditions and field extraction
- Support short form (field names) and long form (CEL expressions) for output fields
- Add helper functions: getData(), getDataInt(), getDataUInt(), hasData()
- Rename extract_fields -> fields, source -> expression for clarity
- Update all existing YAML detectors to use CEL syntax
- Add comprehensive documentation for CEL features
- All unit tests pass (38.3% coverage)
- YAML detectors load successfully with CEL compilation

Breaking changes:
- YAML schema: extract_fields -> fields, source -> expression
- Field extraction now uses CEL expressions instead of JSONPath-like paths
Implements CEL global list variables to share common lists (e.g., shell
binaries, sensitive paths) across YAML detectors. Lists are defined in
{detector-dir}/lists/ subdirectory and exposed as CEL variables.
- Add list schema and loader with validation (uppercase snake_case names)
- Register lists as CEL variables (list<string>) in environment
- Pass lists to CEL evaluation context at runtime
- Add comprehensive unit and integration tests (16 new tests)
- Add example shell_binaries list and detector
- Update documentation with usage examples
Lists are compiled into CEL at load time for zero runtime overhead and
compile-time type safety.
Expose all core datastores (Process, Container, System, Kernel, DNS, Syscall) as namespaced CEL functions for use in YAML detector conditions and outputs.

Key changes:
- Add datastores.Registry field to YAMLDetector, rebuild CEL env in Init()
- Implement 12 datastore functions: process.get/getAncestry/getChildren, container.get/getByName, system.info, kernel.resolveSymbol/getSymbolAddress, dns.getResponse, syscall.getName/getId
- Add comprehensive test coverage with mock datastores
- Update documentation with examples and usage patterns

Functions return null for not-found entities, handle time.Time conversion, and integrate seamlessly with existing CEL expressions.
Add 8 string utility functions for YAML detectors:
- split(str, delimiter) - Split string into list
- join(list, delimiter) - Join list into string
- trim(str) - Remove leading/trailing whitespace
- replace(str, old, new) - Replace all occurrences
- upper(str) - Convert to uppercase
- lower(str) - Convert to lowercase
- basename(path) - Get filename from path
- dirname(path) - Get directory from path
Functions are available in both conditions and output expressions.
All functions handle CEL's various list representations ([]string, []interface{}, []ref.Val).
Includes comprehensive unit tests and documentation updates.
…ory structure
- Add required 'type' field to all YAML detector and list files
- Support flat directory structure (detectors and lists in same dir)
- Remove lists/ subdirectory requirement for K8s ConfigMap deployment
- Add type field validation in loader and validator
- Rewrite LoadFromDirectory with clean three-pass design
- Update all examples, tests, and documentation

BREAKING CHANGE: All YAML detector files must include 'type: detector' at the top. All list files must include 'type: string_list'. Lists are no longer in a subdirectory but in the same directory as detectors.
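The three-pass load described in this commit (classify every file by its `type`, load lists, then load detectors) is easy to get wrong if detectors are compiled before the lists they reference exist. The following Go program is an added illustration of that ordering and of the validation the commit names; it is not the project's `LoadFromDirectory`. It assumes the YAML files are already decoded into generic maps (so it needs no YAML library), assumes list files carry `name` and `values` keys and detectors carry `name` and `conditions` (a list of CEL strings), assumes one spelling of the "uppercase snake_case" rule, and stands in for real CEL compilation with a regex scan for `UPPER_CASE` identifiers outside string literals.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Doc is one YAML file already decoded into a generic map (YAML parsing assumed upstream).
type Doc map[string]any

// Assumed reading of "uppercase snake_case": A-Z/0-9 words joined by single underscores.
var listNameRE = regexp.MustCompile(`^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*$`)

// Stand-in for CEL variable resolution: drop string literals, then treat every
// remaining UPPER_CASE identifier as a reference to a shared list.
var (
	quotedRE = regexp.MustCompile(`"[^"]*"|'[^']*'`)
	identRE  = regexp.MustCompile(`\b[A-Z][A-Z0-9_]*\b`)
)

// Loaded holds the result: named lists plus detector names in load order.
type Loaded struct {
	Lists     map[string][]string
	Detectors []string
}

// toStringSlice accepts both shapes a generic decoder yields for a YAML sequence.
func toStringSlice(v any) ([]string, error) {
	switch s := v.(type) {
	case []string:
		return s, nil
	case []any:
		out := make([]string, 0, len(s))
		for _, e := range s {
			str, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("value %v is not a string", e)
			}
			out = append(out, str)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("expected a sequence of strings, got %T", v)
	}
}

// LoadFromDocs: pass 1 classifies by 'type', pass 2 loads lists, pass 3 loads
// detectors so that every list a condition names is already registered.
func LoadFromDocs(docs map[string]Doc) (*Loaded, error) {
	out := &Loaded{Lists: map[string][]string{}}
	var listFiles, detectorFiles []string

	// Pass 1: a flat directory mixes both kinds, so 'type' is mandatory.
	for file, d := range docs {
		switch t, _ := d["type"].(string); t {
		case "string_list":
			listFiles = append(listFiles, file)
		case "detector":
			detectorFiles = append(detectorFiles, file)
		default:
			return nil, fmt.Errorf("%s: missing or unknown 'type' %q", file, t)
		}
	}
	sort.Strings(listFiles)
	sort.Strings(detectorFiles)

	// Pass 2: validate and register lists before any detector is compiled.
	for _, file := range listFiles {
		d := docs[file]
		name, _ := d["name"].(string)
		if !listNameRE.MatchString(name) {
			return nil, fmt.Errorf("%s: list name %q is not UPPERCASE_SNAKE_CASE", file, name)
		}
		if _, dup := out.Lists[name]; dup {
			return nil, fmt.Errorf("%s: duplicate list %q", file, name)
		}
		vals, err := toStringSlice(d["values"])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", file, err)
		}
		out.Lists[name] = vals
	}

	// Pass 3: detectors; an unknown list is rejected at load time, not at event time.
	for _, file := range detectorFiles {
		d := docs[file]
		name, _ := d["name"].(string)
		var conds []string
		switch c := d["conditions"].(type) {
		case string:
			conds = []string{c}
		default:
			conds, _ = toStringSlice(c)
		}
		for _, c := range conds {
			for _, ref := range identRE.FindAllString(quotedRE.ReplaceAllString(c, ""), -1) {
				if _, ok := out.Lists[ref]; !ok {
					return nil, fmt.Errorf("%s: condition references undefined list %q", file, ref)
				}
			}
		}
		out.Detectors = append(out.Detectors, name)
	}
	return out, nil
}

func main() {
	// Constructed sample: one list file and one detector file from the same flat directory.
	docs := map[string]Doc{
		"shell_binaries.yaml": {"type": "string_list", "name": "SHELL_BINARIES", "values": []any{"/bin/sh", "/bin/bash"}},
		"shell_exec.yaml":     {"type": "detector", "name": "shell_exec", "conditions": []any{`getData("pathname") in SHELL_BINARIES`}},
	}
	loaded, err := LoadFromDocs(docs)
	fmt.Println(loaded, err)
}
```

The load-time check is the point: a detector that names a list which was never loaded fails when the directory is read, which is the same moment the real implementation compiles CEL against the registered `list<string>` variables, rather than silently matching nothing at event time.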
Force-pushed from b89f3ca to b0dfd12.
Replace /usr/bin/cat with /usr/bin/true for positive test case and /usr/bin/id with /usr/bin/false for negative test case to avoid interference from background processes that may execute common utilities. Add 200ms delay before buffer clear to ensure all events from test 1 have arrived, preventing race conditions where late events cause false positives in the negative assertion.
Force-pushed from b0dfd12 to caa3c91.
Introduces Common Expression Language (CEL) for dynamic conditions and field extraction in YAML detectors, enabling powerful declarative detection without writing Go code.

Features:
- CEL Expressions
- Shared Lists
- Datastore Access: kernel.resolveSymbol(), dns.getResponse(), syscall.getName(), etc.
- String Utilities: basename(), dirname()

Example:

```yaml
conditions:
output:
  fields:
    - name: shell_path
      expression: getData("pathname")
```
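A fuller pair of files in the same style, added here as an illustration and not taken from the PR or its examples directory. The `type: detector` and `type: string_list` markers, the uppercase snake_case list naming, the `conditions` and `output.fields` keys with `name`/`expression`, and the `getData()`, `hasData()`, `basename()` and `lower()` helpers all come from the PR text; the list file's `name` and `values` keys, the detector's `name` key, and writing `conditions` as a list of CEL strings are assumptions.

```yaml
# shell_binaries.yaml (assumed layout of a string_list file)
type: string_list
name: SHELL_BINARIES
values:
  - /bin/sh
  - /bin/bash
  - /usr/bin/zsh
---
# shell_exec.yaml (assumed layout; lives in the same flat directory as the list)
type: detector
name: shell_exec
conditions:
  # guard first: getData() on a missing field would otherwise be evaluated
  - hasData("pathname")
  # the shared list is a CEL list<string> variable, so membership is a plain `in`
  - getData("pathname") in SHELL_BINARIES
output:
  fields:
    - name: shell_path
      expression: getData("pathname")
    - name: shell_name
      expression: lower(basename(getData("pathname")))
```

Keeping the list in its own file is what makes the same set of shell paths reusable across detectors, and because lists are compiled into the CEL environment at load time, a typo in `SHELL_BINARIES` surfaces as a compile error when the directory is loaded rather than as a detector that never fires.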