Merge branch 'main' into main

.github/workflows/docker.yml

@@ -20,7 +20,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -37,7 +37,7 @@ jobs:
             *.actions.githubusercontent.com:443
 
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
         with:
           fetch-depth: 0
 

.github/workflows/docs.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -28,7 +28,7 @@ jobs:
             pypi.org:443
             *.actions.githubusercontent.com:443
 
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: 3.x

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -35,11 +35,11 @@ jobs:
             golang.org:443
 
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
           go-version: 1.19
       - name: Run GoReleaser

.github/workflows/scorecards.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3.0.0
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v3.0.0
         with:
           persist-credentials: false
 
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c
+        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13
         with:
           sarif_file: results.sarif

.github/workflows/static-analysis.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -30,11 +30,11 @@ jobs:
             *.actions.githubusercontent.com:443
             objects.githubusercontent.com:443
             go.dev:443
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
         with:
           fetch-depth: 1
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
           go-version: 1.19
       - uses: dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6

.github/workflows/terraform-lint.yml

@@ -17,15 +17,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # tag:v2.8.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7  # tag:v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag:v2.5.0
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag:v2.5.0
         with:
           fetch-depth: 1
 
-      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd 
 
       - name: Lint Terraform
         run: terraform fmt -recursive -check

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints:
@@ -29,10 +29,10 @@ jobs:
             api.github.com:443
             *.actions.githubusercontent.com:443
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
           go-version: 1.19
 
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           egress-policy: block
           allowed-endpoints:
@@ -56,7 +56,7 @@ jobs:
             storage.googleapis.com:443
             *.actions.githubusercontent.com:443
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
 
       - name: Build local Docker image
         run: docker build .

Dockerfile

@@ -6,7 +6,7 @@ WORKDIR /build
 ADD . /build
 RUN make BUILD_VERSION=${VERSION}
 
-FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS runner
+FROM alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d AS runner
 LABEL org.opencontainers.image.source="https://github.com/DataDog/stratus-red-team/"
 COPY --from=builder /build/bin/stratus /stratus
 RUN apk add --update git # git is needed for Terraform to download external modules at runtime

Formula/stratus-red-team.rb

@@ -5,13 +5,13 @@
 class StratusRedTeam < Formula
   desc ""
   homepage "https://stratus-red-team.cloud"
-  version "2.16.0"
+  version "2.17.0"
   license "Apache-2.0"
 
   on_macos do
-    if Hardware::CPU.arm?
-      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.16.0/stratus-red-team_Darwin_arm64.tar.gz"
-      sha256 "2d8275f49ab13f282ac874d724e7cfbb2ddbf5da7f49c4c6c0a51a1664113112"
+    on_intel do
+      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.17.0/stratus-red-team_Darwin_x86_64.tar.gz"
+      sha256 "f24458d03e8a6d205fa8192a5d86ae298ebbb52c9dd3e12fa00828b6c5b52018"
 
       def install
         bin.install "stratus"
@@ -20,9 +20,9 @@ def install
         generate_completions_from_executable(bin/"stratus", "completion", shells: [:bash, :fish, :zsh], base_name: "stratus")
       end
     end
-    if Hardware::CPU.intel?
-      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.16.0/stratus-red-team_Darwin_x86_64.tar.gz"
-      sha256 "9fa5702f552352d91f3bd1cbdc83608bc60c4980431c9872fe6f61eff77bb053"
+    on_arm do
+      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.17.0/stratus-red-team_Darwin_arm64.tar.gz"
+      sha256 "4c9fa3ade611c76ebc551b305a67562b501bcbbbd28a91d3797a6b3587e5fbc1"
 
       def install
         bin.install "stratus"
@@ -34,26 +34,30 @@ def install
   end
 
   on_linux do
-    if Hardware::CPU.intel?
-      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.16.0/stratus-red-team_Linux_x86_64.tar.gz"
-      sha256 "4cb16f43b10ed9c59f3772b8d4276045fd1c55ad4cb4699095b0d9fbd11bd0f9"
+    on_intel do
+      if Hardware::CPU.is_64_bit?
+        url "https://github.com/DataDog/stratus-red-team/releases/download/v2.17.0/stratus-red-team_Linux_x86_64.tar.gz"
+        sha256 "cc34035ac11e263bc747d3ff84c5231a6fa6ae30b99bb17d670722f35fa96bf4"
 
-      def install
-        bin.install "stratus"
+        def install
+          bin.install "stratus"
 
-        # Install shell completions
-        generate_completions_from_executable(bin/"stratus", "completion", shells: [:bash, :fish, :zsh], base_name: "stratus")
+          # Install shell completions
+          generate_completions_from_executable(bin/"stratus", "completion", shells: [:bash, :fish, :zsh], base_name: "stratus")
+        end
       end
     end
-    if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
-      url "https://github.com/DataDog/stratus-red-team/releases/download/v2.16.0/stratus-red-team_Linux_arm64.tar.gz"
-      sha256 "c3aeb7474148887102ef987ad7c21aa95f305875fb82a09a97ee6e900a3c669a"
+    on_arm do
+      if Hardware::CPU.is_64_bit?
+        url "https://github.com/DataDog/stratus-red-team/releases/download/v2.17.0/stratus-red-team_Linux_arm64.tar.gz"
+        sha256 "da87085cd04959c260e0eb0eb38de55bc572501a2cf09f0b166a9d031afdeb66"
 
-      def install
-        bin.install "stratus"
+        def install
+          bin.install "stratus"
 
-        # Install shell completions
-        generate_completions_from_executable(bin/"stratus", "completion", shells: [:bash, :fish, :zsh], base_name: "stratus")
+          # Install shell completions
+          generate_completions_from_executable(bin/"stratus", "completion", shells: [:bash, :fish, :zsh], base_name: "stratus")
+        end
       end
     end
   end