criteo-forks · jmbass · Sep 24, 2025 · Aug 25, 2025 · Aug 25, 2025 · Aug 26, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,16 +1,19 @@
 # detection-rules code owners
-# POC: Elastic Security Intelligence and Analytics Team
+
+## POC: Elastic Threat Research & Detection Engineering
 
 tests/**/*.py     @mikaayenson @eric-forte-elastic @traut
 detection_rules/  @mikaayenson @eric-forte-elastic @traut
 tests/            @mikaayenson @eric-forte-elastic @traut
 lib/              @mikaayenson @eric-forte-elastic @traut
 hunting/**/*.py          @mikaayenson @eric-forte-elastic @traut
 
-# skip rta-mapping to avoid the spam
+## skip rta-mapping to avoid the spam
+
 detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @traut
 detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @traut
 detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @traut
 
-# exclude files from code owners
+## exclude files from code owners
+
 detection_rules/etc/non-ecs-schema.json
diff --git a/.github/workflows/add-guidelines.yml b/.github/workflows/add-guidelines.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Set environment variable for early exit control
         id: check_label
@@ -47,14 +47,14 @@ jobs:
 
       - name: Fail if no relevant labels are found
         if: env.GUIDELINES_FILE == ''
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             core.setFailed('No appropriate GitHub label found in the PR. Failing the job.')
 
       - name: Add Guidelines Comment
         if: env.CONTINUE_JOB == 'true' && (github.event.action == 'opened' || github.event.action == 'labeled')
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
         with:
           message-path: ${{ env.GUIDELINES_FILE }}
           repo-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -21,7 +21,7 @@ jobs:
       github.event.pull_request.state == 'open' && !github.event.pull_request.draft
     steps:
       - name: 'Apply default "backport: auto" label'
-        uses: actions/github-script@v4
+        uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4
         if: |
           !contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
           !contains(github.event.pull_request.labels.*.name, 'backport: skip')
@@ -34,7 +34,7 @@ jobs:
               labels: ['backport: auto']
             })
       - name: 'Remove "backport: auto" if "backport: skip" is set'
-        uses: actions/github-script@v4
+        uses: actions/github-script@10b53a9ec6c222bb4ce97aa6bd2b5f739696b536 # v4
         if: |
           contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
           contains(github.event.pull_request.labels.*.name, 'backport: skip')
@@ -65,7 +65,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }}
           ref: main
@@ -91,7 +91,7 @@ jobs:
           git reset --soft HEAD^
 
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -159,7 +159,7 @@ jobs:
           git push
 
       - name: "Notify slack on failure"
-        uses: craftech-io/slack-action@v1
+        uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1
         with:
           slack_webhook_url: ${{ secrets.EXTERNAL_SLACK_DETECTION_RULES_URL }}
           status: failure

diff --git a/.github/workflows/branch-status-checks.yml b/.github/workflows/branch-status-checks.yml
@@ -18,14 +18,14 @@ jobs:
     steps:
     - name: Get Backport Status
       id: get_backport_status
-      uses: fjogeleit/http-request-action@v1
+      uses: fjogeleit/http-request-action@bf78da14118941f7e940279dd58f67e863cbeff6 # v1
       with:
         url: "https://api.github.com/repos/elastic/detection-rules/actions/workflows/pythonpackage.yml/runs?per_page=1&branch=${{matrix.target_branch}}"
         method: 'GET'
         bearerToken: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }}
 
     - name: Check Backport Status
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
       with:
         script: |
           const workflow_status = ${{ toJSON(fromJSON(steps.get_backport_status.outputs.response).workflow_runs[0].status) }}

diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
@@ -17,12 +17,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       with:
         fetch-depth: 1
 
     - name: Set up Python 3.13
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.13'
 

diff --git a/.github/workflows/community.yml b/.github/workflows/community.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check if member of elastic org
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         id: membership
         with:
           github-token: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }}
@@ -40,7 +40,7 @@ jobs:
 
 
       - name: Add label for community members
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         if: ${{ steps.membership.outputs.result == 'notMember' }}
         with:
           script: |

diff --git a/.github/workflows/get-target-branches.yml b/.github/workflows/get-target-branches.yml
@@ -14,10 +14,10 @@ jobs:
     outputs:
       matrix: ${{ steps.get-branch-list.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 

diff --git a/.github/workflows/kibana-mitre-update.yml b/.github/workflows/kibana-mitre-update.yml
@@ -14,7 +14,7 @@ jobs:
       KIBANA_ISSUE_NUMBER: 166152  # Define the Kibana issue number as a variable
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Get MITRE Attack changed files
         id: changed-attack-files

diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
@@ -14,20 +14,20 @@ jobs:
 
     steps:
       - name: Validate the source branch
-        uses: actions/github-script@v3
+        uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
         with:
           script: |
             if ('refs/heads/main' !== '${{github.event.ref}}') {
               core.setFailed('Forbidden branch, expected "main"')
             }
 
       - name: Checkout detection-rules
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -62,7 +62,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3
         with:
           assignees: '${{github.actor}}'
           delete-branch: true
@@ -78,7 +78,7 @@ jobs:
           labels: "backport: auto"
 
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: release-files
           path: |

diff --git a/.github/workflows/manual-backport.yml b/.github/workflows/manual-backport.yml
@@ -19,7 +19,7 @@ jobs:
     steps:
 
       - name: Checkout detection-rules
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           token: ${{ secrets.WRITE_TRADEBOT_DETECTION_RULES_TOKEN }}
           fetch-depth: 0
@@ -46,7 +46,7 @@ jobs:
           git reset --soft HEAD^
 
       - name: Setup Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 
@@ -79,7 +79,7 @@ jobs:
           ./detection_rules/etc/commit-and-push.sh $TARGET_BRANCH $COMMIT_SHA
 
       - name: "Notify slack on failure"
-        uses: craftech-io/slack-action@v1
+        uses: craftech-io/slack-action@fb1d4e50375d7758efb90fa0564734bae931f84f # v1
         with:
           slack_webhook_url: ${{ secrets.READ_DETECTION_RULES_SLACK_WEBHOOK_TOKEN }}
           status: failure

diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       with:
         fetch-depth: 1
 
@@ -21,7 +21,7 @@ jobs:
         git fetch origin main:refs/remotes/origin/main
 
     - name: Set up Python 3.13
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.13'
 
@@ -48,7 +48,7 @@ jobs:
         python -m detection_rules dev build-release $GENERATE_NAVIGATOR_FILES
 
     - name: Archive production artifacts for branch builds
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       if: |
         github.event_name == 'push'
       with:

diff --git a/.github/workflows/release-docs.yml b/.github/workflows/release-docs.yml
@@ -23,13 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout detection-rules
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           path: detection-rules
           fetch-depth: 0
 
       - name: Checkout elastic/security-docs
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           token: ${{ secrets.WRITE_SECURITY_DOCS_DETECTION_RULES_TOKEN }}
           repository: "elastic/security-docs"
@@ -38,7 +38,7 @@ jobs:
           ref: ${{ github.event.inputs.target_branch }}
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
 

diff --git a/.github/workflows/release-fleet.yml b/.github/workflows/release-fleet.yml
@@ -39,14 +39,14 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: Validate the source branch
-          uses: actions/github-script@v3
+          uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
           with:
             script: |
               if ('refs/heads/main' === '${{github.ref}}') {
                 core.setFailed('Forbidden branch')
               }
         - name: Checkout detection-rules
-          uses: actions/checkout@v4
+          uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
           with:
             path: detection-rules
             fetch-depth: 0
@@ -66,15 +66,15 @@ jobs:
             git checkout $COMMIT_HASH
 
         - name: Checkout elastic/integrations
-          uses: actions/checkout@v4
+          uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
           with:
             token: ${{ secrets.WRITE_INTEGRATIONS_DETECTION_RULES_TOKEN }}
             repository: ${{github.event.inputs.target_repo}}
             path: integrations
             fetch-depth: 0
 
         - name: Set up Python 3.12
-          uses: actions/setup-python@v5
+          uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
           with:
             python-version: '3.12'
 
@@ -123,7 +123,7 @@ jobs:
             git config --global user.name "tradebot-elastic"
 
         - name: Setup go
-          uses: actions/setup-go@v3
+          uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3
           with:
             go-version: '^1.20.1'
             check-latest: true
@@ -149,7 +149,7 @@ jobs:
               $DRAFT_ARGS
 
         - name: Archive production artifacts
-          uses: actions/upload-artifact@v4
+          uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
           with:
             name: release-files
             path: |

diff --git a/.github/workflows/version-code-and-release.yml b/.github/workflows/version-code-and-release.yml
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Ensure PR has Version Bump Label
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 
@@ -75,7 +75,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 

diff --git a/catalog-info.yaml b/catalog-info.yaml
@@ -0,0 +1,18 @@
+# Declare a Backstage Component that represents your application.
+---
+# yaml-language-server: $schema=https://json.schemastore.org/catalog-info.json
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: detection-rules
+  description: Elastic detection rules Behavioral Protection
+  annotations:
+    backstage.io/source-location: "url:https://github.com/elastic/detection-rules/"
+    github.com/project-slug: "elastic/detection-rules"
+    github.com/team-slug: "elastic/threat-research-and-detection-engineering"
+    buildkite.com/project-slug: "elastic/detection-rules"
+
+spec:
+  type: rules
+  owner: group:threat-research-and-detection-engineering
+  lifecycle: production