adaptive export config

.github/workflows/trivy_fs.yaml

@@ -23,7 +23,9 @@ jobs:
       security-events: write
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
-    - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0  # v0.29.0
+    # v0.36.0 released 2026-04-22 (post-incident). Internally SHA-pins
+    # setup-trivy@3fb12ec = Aqua's safe v0.2.6 per GHSA-69fq-xp46-6x23.
+    - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
       with:
         scan-type: 'fs'
         ignore-unfixed: true

.gitignore

@@ -68,6 +68,7 @@ skaffold_build/
 
 # Hide generated .deb files
 *.deb
+*.local
 
 compile_commands.json
 clang_tidy.log

k8s/vizier/bootstrap/adaptive_export_deployment.yaml

@@ -18,17 +18,12 @@ spec:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
+            # The beta.kubernetes.io/os label has been deprecated since
+            # k8s v1.14; every modern kubelet sets kubernetes.io/os. The
+            # single term below is enough — kept both ORed terms in the
+            # past for pre-1.14 compatibility.
             - matchExpressions:
               - key: kubernetes.io/os
-                operator: Exists
-              - key: kubernetes.io/os
-                operator: In
-                values:
-                - linux
-            - matchExpressions:
-              - key: beta.kubernetes.io/os
-                operator: Exists
-              - key: beta.kubernetes.io/os
                 operator: In
                 values:
                 - linux
@@ -57,6 +52,31 @@ spec:
           value: "10"
         - name: DETECTION_LOOKBACK_SEC
           value: "30"
+        # EXPORT_MODE controls the reconcile behaviour:
+        #   auto    - detection drives on/off (default)
+        #   always  - plugin always enabled (bypass detection)
+        #   never   - plugin always disabled and ch-* scripts purged
+        - name: EXPORT_MODE
+          value: "auto"
+        # Number of consecutive empty detection ticks before auto-disable fires.
+        - name: EXPORT_QUIET_TICKS
+          value: "6"
+        # Optional overrides for the ClickHouse PxL scripts. When unset they are
+        # parsed from CLICKHOUSE_DSN. Individual fields win over the parsed DSN.
+        # Defaults below match soc/tree/clickhouse-lab (forensic-soc-db CHI,
+        # ingest_writer user, forensic_db database).
+        - name: KUBESCAPE_TABLE
+          value: "kubescape_logs"
+        # - name: CLICKHOUSE_HOST
+        #   value: "clickhouse-forensic-soc-db.clickhouse.svc.cluster.local"
+        # - name: CLICKHOUSE_PORT
+        #   value: "9000"
+        # - name: CLICKHOUSE_USER
+        #   value: "ingest_writer"
+        # - name: CLICKHOUSE_PASSWORD
+        #   value: "changeme-ingest"
+        # - name: CLICKHOUSE_DATABASE
+        #   value: "forensic_db"
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

k8s/vizier/bootstrap/adaptive_export_secrets.yaml

@@ -7,5 +7,8 @@ type: Opaque
 stringData:
   # Replace with your actual Pixie API key from https://work.withpixie.ai
   pixie-api-key: "PIXIE_API_KEY_PLACEHOLDER"
-  # Replace with your ClickHouse DSN: clickhouse://user:password@host:port/database
-  clickhouse-dsn: "otelcollector:otelcollectorpass@hyperdx-hdx-oss-v2-clickhouse.click.svc.cluster.local:9000/default"
+  # ClickHouse DSN matches soc/tree/clickhouse-lab (CHI "forensic-soc-db",
+  # ingest_writer user with INSERT rights into the forensic_db database).
+  # Format: user:password@host:port/database
+  clickhouse-dsn: >-
+    ingest_writer:changeme-ingest@clickhouse-forensic-soc-db.clickhouse.svc.cluster.local:9000/forensic_db

src/stirling/source_connectors/socket_tracer/testing/container_images/BUILD.bazel

@@ -24,29 +24,29 @@ package(default_visibility = [
 
 # Generate all Go container library permutations for supported Go versions.
 go_container_libraries(
-    container_type = "grpc_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "grpc_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_client",
 )
 
 go_container_libraries(
-    container_type = "tls_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "tls_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_client",
 )
 
 pl_cc_test_library(