Merge branch 'falcosecurity:main' into feat/cloudtrail-ssm-request-params

Zaulao · web-flow · commit 34e68d42d9b8 · 2026-02-12T07:44:56.000-03:00
diff --git a/plugins/container/CHANGELOG.md b/plugins/container/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.6.3
+
+* [`9a3ee4c`](https://github.com/falcosecurity/plugins/commit/9a3ee4c) fix(plugins/container): correct image parsing with registry port
+
+
 ## v0.6.2
 
 * [`bff3406`](https://github.com/falcosecurity/plugins/commit/bff3406) perf(container): cache cgroup path to container ID resolution results
diff --git a/plugins/container/CMakeLists.txt b/plugins/container/CMakeLists.txt
@@ -9,7 +9,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 # project metadata
 project(
         container
-        VERSION 0.6.2
+        VERSION 0.6.3
         DESCRIPTION "Falco container metadata enrichment Plugin"
         LANGUAGES CXX)
 
diff --git a/plugins/gcpaudit/README.md b/plugins/gcpaudit/README.md
@@ -87,33 +87,33 @@ For more details about what Cloud logging log queries, see the [GCP official doc
 # Supported Fields
 
 <!-- README-PLUGIN-FIELDS -->
-|             NAME              |   TYPE   | ARG  |                   DESCRIPTION                   |
-|-------------------------------|----------|------|-------------------------------------------------|
-| `gcp.user`                    | `string` | None | GCP principal email who committed the action    |
-| `gcp.callerIP`                | `string` | None | GCP principal caller IP                         |
-| `gcp.userAgent`               | `string` | None | GCP principal caller useragent                  |
-| `gcp.authorizationInfo`       | `string` | None | GCP authorization information affected resource |
-| `gcp.serviceName`             | `string` | None | GCP API service name                            |
-| `gcp.policyDelta`             | `string` | None | GCP service resource access policy              |
-| `gcp.request`                 | `string` | None | GCP API raw request                             |
-| `gcp.methodName`              | `string` | None | GCP API service method executed                 |
-| `gcp.cloudfunctions.function` | `string` | None | GCF name                                        |
-| `gcp.cloudsql.databaseId`     | `string` | None | GCP SQL database ID                             |
-| `gcp.compute.instanceId`      | `string` | None | GCE instance ID                                 |
-| `gcp.compute.networkId`       | `string` | None | GCP network ID                                  |
-| `gcp.compute.subnetwork`      | `string` | None | GCP subnetwork name                             |
-| `gcp.compute.subnetworkId`    | `string` | None | GCP subnetwork ID                               |
-| `gcp.dns.zone`                | `string` | None | GCP DNS zoned                                   |
-| `gcp.iam.serviceAccount`      | `string` | None | GCP service account                             |
-| `gcp.iam.serviceAccountId`    | `string` | None | GCP IAM unique ID                               |
-| `gcp.location`                | `string` | None | GCP region                                      |
-| `gcp.logging.sink`            | `string` | None | GCP logging sink                                |
-| `gcp.projectId`               | `string` | None | GCP project ID                                  |
-| `gcp.resourceName`            | `string` | None | GCP resource name                               |
-| `gcp.resourceType`            | `string` | None | GCP resource type                               |
-| `gcp.resourceLabels`          | `string` | None | GCP resource labels                             |
-| `gcp.storage.bucket`          | `string` | None | GCP bucket name                                 |
-| `gcp.time`                    | `string` | None | Timestamp of the event in RFC3339 format        |
+|             NAME              |   TYPE   | ARG  |               DESCRIPTION                |
+|-------------------------------|----------|------|------------------------------------------|
+| `gcp.user`                    | `string` | None | GCP principal, actor of the action       |
+| `gcp.callerIP`                | `string` | None | Actor's IP                               |
+| `gcp.userAgent`               | `string` | None | Actor's User Agent                       |
+| `gcp.authorizationInfo`       | `string` | None | GCP authorization (JSON)                 |
+| `gcp.serviceName`             | `string` | None | GCP API service name                     |
+| `gcp.policyDelta`             | `string` | None | GCP service resource access policy delta |
+| `gcp.request`                 | `string` | None | GCP API raw request (JSON)               |
+| `gcp.methodName`              | `string` | None | GCP API service method executed          |
+| `gcp.cloudfunctions.function` | `string` | None | GCF name                                 |
+| `gcp.cloudsql.databaseId`     | `string` | None | GCP SQL database ID                      |
+| `gcp.compute.instanceId`      | `string` | None | GCE instance ID                          |
+| `gcp.compute.networkId`       | `string` | None | GCP network ID                           |
+| `gcp.compute.subnetwork`      | `string` | None | GCP subnetwork name                      |
+| `gcp.compute.subnetworkId`    | `string` | None | GCP subnetwork ID                        |
+| `gcp.dns.zone`                | `string` | None | GCP DNS zone                             |
+| `gcp.iam.serviceAccount`      | `string` | None | GCP service account                      |
+| `gcp.iam.serviceAccountId`    | `string` | None | GCP IAM unique ID                        |
+| `gcp.location`                | `string` | None | GCP region                               |
+| `gcp.logging.sink`            | `string` | None | GCP logging sink                         |
+| `gcp.projectId`               | `string` | None | GCP project ID                           |
+| `gcp.resourceName`            | `string` | None | GCP resource name                        |
+| `gcp.resourceType`            | `string` | None | GCP resource type                        |
+| `gcp.resourceLabels`          | `string` | None | GCP resource labels (JSON)               |
+| `gcp.storage.bucket`          | `string` | None | GCP bucket name                          |
+| `gcp.time`                    | `string` | None | Timestamp of the event in RFC3339 format |
 <!-- /README-PLUGIN-FIELDS -->
 
 # Development
diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -27,29 +27,29 @@ import (
 
 func (p *Plugin) Fields() []sdk.FieldEntry {
 	return []sdk.FieldEntry{
-		{Type: "string", Name: "gcp.user", Display: "User", Desc: "GCP principal email who committed the action"},
-		{Type: "string", Name: "gcp.callerIP", Display: "Caller IP", Desc: "GCP principal caller IP"},
-		{Type: "string", Name: "gcp.userAgent", Display: "User Agent", Desc: "GCP principal caller useragent"},
-		{Type: "string", Name: "gcp.authorizationInfo", Display: "Authorization Info", Desc: "GCP authorization information affected resource"},
+		{Type: "string", Name: "gcp.user", Display: "User", Desc: "GCP principal, actor of the action"},
+		{Type: "string", Name: "gcp.callerIP", Display: "Caller IP", Desc: "Actor's IP"},
+		{Type: "string", Name: "gcp.userAgent", Display: "User Agent", Desc: "Actor's User Agent"},
+		{Type: "string", Name: "gcp.authorizationInfo", Display: "Authorization Info", Desc: "GCP authorization (JSON)"},
 		{Type: "string", Name: "gcp.serviceName", Display: "Service Name", Desc: "GCP API service name"},
-		{Type: "string", Name: "gcp.policyDelta", Display: "Policy", Desc: "GCP service resource access policy"},
-		{Type: "string", Name: "gcp.request", Display: "Request", Desc: "GCP API raw request"},
+		{Type: "string", Name: "gcp.policyDelta", Display: "Policy", Desc: "GCP service resource access policy delta"},
+		{Type: "string", Name: "gcp.request", Display: "Request", Desc: "GCP API raw request (JSON)"},
 		{Type: "string", Name: "gcp.methodName", Display: "Method", Desc: "GCP API service method executed"},
 		{Type: "string", Name: "gcp.cloudfunctions.function", Display: "Function Name", Desc: "GCF name"},
 		{Type: "string", Name: "gcp.cloudsql.databaseId", Display: "Database ID", Desc: "GCP SQL database ID"},
 		{Type: "string", Name: "gcp.compute.instanceId", Display: "Instance ID", Desc: "GCE instance ID"},
 		{Type: "string", Name: "gcp.compute.networkId", Display: "Network ID", Desc: "GCP network ID"},
 		{Type: "string", Name: "gcp.compute.subnetwork", Display: "Subnetwork Name", Desc: "GCP subnetwork name"},
 		{Type: "string", Name: "gcp.compute.subnetworkId", Display: "Subnetwork ID", Desc: "GCP subnetwork ID"},
-		{Type: "string", Name: "gcp.dns.zone", Display: "DNS Zone", Desc: "GCP DNS zoned"},
+		{Type: "string", Name: "gcp.dns.zone", Display: "DNS Zone", Desc: "GCP DNS zone"},
 		{Type: "string", Name: "gcp.iam.serviceAccount", Display: "Service Account", Desc: "GCP service account"},
 		{Type: "string", Name: "gcp.iam.serviceAccountId", Display: "Service Account ID", Desc: "GCP IAM unique ID"},
 		{Type: "string", Name: "gcp.location", Display: "Location", Desc: "GCP region"},
 		{Type: "string", Name: "gcp.logging.sink", Display: "Sink", Desc: "GCP logging sink"},
 		{Type: "string", Name: "gcp.projectId", Display: "Project ID", Desc: "GCP project ID"},
 		{Type: "string", Name: "gcp.resourceName", Display: "Resource Name", Desc: "GCP resource name"},
 		{Type: "string", Name: "gcp.resourceType", Display: "Resource Type", Desc: "GCP resource type"},
-		{Type: "string", Name: "gcp.resourceLabels", Display: "Resource Labels", Desc: "GCP resource labels"},
+		{Type: "string", Name: "gcp.resourceLabels", Display: "Resource Labels", Desc: "GCP resource labels (JSON)"},
 		{Type: "string", Name: "gcp.storage.bucket", Display: "Bucket Name", Desc: "GCP bucket name"},
 		{Type: "string", Name: "gcp.time", Display: "Timestamp of the event", Desc: "Timestamp of the event in RFC3339 format"},
 	}
diff --git a/plugins/okta/pkg/okta/okta.go b/plugins/okta/pkg/okta/okta.go
@@ -375,6 +375,10 @@ func (oktaPlugin *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) e
 		req.SetValue(data.SecurityContext.Domain)
 	case "okta.security.isproxy":
 		req.SetValue(data.SecurityContext.IsProxy)
+	case "okta.target.displayName":
+		if len(data.Target) > 0 {
+			req.SetValue(data.Target[0].DisplayName)
+		}
 	case "okta.target.user.id":
 		for _, i := range data.Target {
 			if i.Type == "User" {
