v0.22.0

⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/4272 ⚡️

Docker Image

• docker pull docker.io/aquasec/tracee:0.22.0

Docker Images (per architecture)

• docker pull docker.io/aquasec/tracee:x86_64-0.22.0
• docker pull docker.io/aquasec/tracee:aarch64-0.22.0

What's Changed

• Fix release action by @geyslan in #4136
• fix(ci): dev tag is the latest snapshot by @geyslan in #4137
• chore(ci): use dev tag for docker image building by @geyslan in #4138
• chore: install last version of golang by @rscampos in #4139
• chore: golang binary move to tmp by @rscampos in #4140
• fix(ci): make release rule to have prerequisites by @geyslan in #4141
• Create Makefile format-pr rule by @geyslan in #4142
• Bumps to fix cve-2024-24790 by @geyslan in #4143
• fix(build): mv gh release logic to release rule by @geyslan in #4145
• feat(events): add security_task_setrlimit by @OriGlassman in #4148
• fix(build): fix release build by @geyslan in #4150
• Added event containing full payload for all packets by @oshaked1 in #4122
• Fix Integration Tests by @geyslan in #4157
• chore(logger): safe guard before locking by @geyslan in #4160
• chore: rem logger and errfmt as deps from env pkg by @geyslan in #4129
• chore: make dependencies manager a singleton by @geyslan in #4161
• fix: generic kubernetes containerd path pattern by @NDStrahilevitz in #4155
• Tidying Policy Manager by @geyslan in #4165
• fix(events): ftrace_hook: address tabs in input lines by @OriGlassman in #4110
• fix(pipeline): add ebpf caps in stack addres query by @NDStrahilevitz in #4169
• fix(tests): remove named pipe if it exists by @geyslan in #4171
• feat(events): create tracee_info event by @rscampos in #4166
• Fix deps deadlock by @geyslan in #4173
• Policies tidying more by @geyslan in #4168
• Caps concurrency fix by @geyslan in #4175
• Fix(events): don't remove fork excess args by @rscampos in #4167
• fix(proctree): fix clock type differences by @rscampos in #4117
• feat(caps): base ebpf capabilities by @NDStrahilevitz in #4178
• chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in #4180
• Packet capture context by @oshaked1 in #4072
• chore: introduce eventFlags to policy manager by @geyslan in #4179
• chore(cap): check if cap is supported before set/unset by @rscampos in #4185
• fix(build): add the include to 3rdparty libbpf during libbpfgo compilation by @rscampos in #4186
• chore(build): trigger tracee tests on Makefile changes by @rscampos in #4187
• chore: use libbpfgo to check bpf helper func by @rscampos in #4184
• chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 in /api by @dependabot in #4188
• fix: inner error inside check for ebpf func by @rscampos in #4189
• feat(ebpf): configurable pipeline channel size by @NDStrahilevitz in #4182
• chore(ebpf): optimize filldir64 program by @NDStrahilevitz in #4183
• fix(controlplane): filter unnecessary enriches by @NDStrahilevitz in #4193
• feat(ebpf): add security_settime64 by @OriGlassman in #4201
• fix: Ensure correct event dependency for process_execute_failed by @yanivagman in #4203
• fix: Prevent loading syscall-specific BPF programs for non-syscall events by @yanivagman in #4202
• feat(ebpf): add prev_comm for sched_process_exec by @OriGlassman in #4206
• chore: release bpf object memory by @rscampos in #4209
• chore(deps): bump github.com/docker/docker from 26.1.3+incompatible to 26.1.4+incompatible by @dependabot in #4215
• fix: necessary to Init engine before Start by @rscampos in #4222
• fix: TRACE_RET_FUNC macro by @yanivagman in #4216
• chore(parsers): optimize ParseMmapProt by @geyslan in #4200
• improve flag parsing performance by @geyslan in #4197
• fix: set engine to nil - sig benchmark by @rscampos in #4234
• chore(sig): define signature metadata statically by @rscampos in #4237
• chore(deps): bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible by @dependabot in #4240
• feat(ebpf): use bpf_task_pt_regs when available by @OriGlassman in #4238
• feat: add syscall helper macros by @yanivagman in #4243
• feat(ebpf): make security_socket_setsockopt not rely on sys_enter/exit by @OriGlassman in #4224
• remove e2e tests for kernels 5.4 and 4.18 on ARM by @OriGlassman in #4247
• fix(ebpf): use correct syscall id for compat by @OriGlassman in #4245
• feat(ebpf): make security_file_open not rely on sys_enter/exit by @OriGlassman in #4226
• feat(ebpf): remove sys_enter/exit dependency from security_socket_con… by @OriGlassman in #4220
• feat(ebpf): make security_socket_accept not rely on sys_enter/exit by @OriGlassman in #4213
• feat(ebpf): make mem_prot_alert not rely on sys_enter/exit by @OriGlassman in #4227
• feat(ebpf): make security_socket_bind not rely on sys_enter/exit by @OriGlassman in #4225
• feat(ebpf): make set_fs_pwd not rely on sys_enter/exit by @OriGlassman in #4228
• chore: pin go tools versions by @geyslan in #4251
• perf: benchmark improve sig GetMetadata by @rscampos in #4223
• chore: update AMI matrix images by @rscampos in #4250
• Improve save_args_to_submit_buf by @geyslan in #4217
• feat(ebpf): add path&ctime to module_load event by @OriGlassman in #4235
• fix(ebpf): fix compilation warning sockfd_addr by @OriGlassman in #4254
• process_execute_failed: don't rely on sys_enter by @oshaked1 in #4259
• Generic syscall kprobes by @yanivagman in #4256
• Proctree improvements (RSS/Performance) by @geyslan in #4261
• optimize parser options check by @geyslan in #4199
• Changelog optimization by @geyslan in #4242
• fix: improve performance of readStringVarFromBuff by @geyslan in #4194
• improve flag parsing performance continuation by @geyslan in #4198
• fix(build): parallel build (libbpf wise) by @geyslan in #4196
• Provide manual files in release image/archive by @geyslan in #4230
• fix(build): cyclic dependency in makefile by @geyslan in #4262
• chore: remove leftover from #4262 by @geyslan in #4265
• chore(k8s): prepare v0.22.0 release by @rscampos in #4267

Full Changelog: v0.21.0...v0.22.0