From 8585f3e8480093c179291cc836fcd91a1126fe99 Mon Sep 17 00:00:00 2001 From: jnathangreeg Date: Fri, 23 Jan 2026 10:39:02 +0100 Subject: [PATCH 1/3] feat: add ECS support to RuntimeAlert with new details struct and platform detection --- armotypes/runtimeincidents.go | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/armotypes/runtimeincidents.go b/armotypes/runtimeincidents.go index 71b71c5..0e36a2e 100644 --- a/armotypes/runtimeincidents.go +++ b/armotypes/runtimeincidents.go @@ -31,6 +31,7 @@ const ( AlertSourcePlatformK8s AlertSourcePlatformEC2 AlertSourcePlatformCloud + AlertSourcePlatformECS ) type ProfileType int 
@@ -261,6 +262,21 @@ type RuntimeAlertK8sDetails struct { WorkloadUID string `json:"workloadUID,omitempty" bson:"workloadUID,omitempty"` } +type RuntimeAlertECSDetails struct { + ClusterARN string `json:"clusterArn,omitempty" bson:"clusterArn,omitempty"` + ClusterName string `json:"ecsClusterName,omitempty" bson:"ecsClusterName,omitempty"` + ServiceName string `json:"serviceName,omitempty" bson:"serviceName,omitempty"` + TaskARN string `json:"taskArn,omitempty" bson:"taskArn,omitempty"` + TaskFamily string `json:"taskFamily,omitempty" bson:"taskFamily,omitempty"` + TaskDefinitionARN string `json:"taskDefinitionArn,omitempty" bson:"taskDefinitionArn,omitempty"` + ContainerName string `json:"ecsContainerName,omitempty" bson:"ecsContainerName,omitempty"` + ContainerARN string `json:"containerArn,omitempty" bson:"containerArn,omitempty"` + ContainerID string `json:"ecsContainerID,omitempty" bson:"ecsContainerID,omitempty"` + LaunchType string `json:"launchType,omitempty" bson:"launchType,omitempty"` // EC2 or FARGATE + Image string `json:"ecsImage,omitempty" bson:"ecsImage,omitempty"` + ImageDigest string `json:"ecsImageDigest,omitempty" bson:"ecsImageDigest,omitempty"` +} + type NetworkScanAlert struct { Domain string `json:"domain,omitempty" bson:"domain,omitempty"` Addresses []string `json:"addresses,omitempty" bson:"addresses,omitempty"` @@ -272,6 +288,7 @@ type RuntimeAlert struct { MalwareAlert `json:",inline" bson:"inline"` AdmissionAlert `json:",inline" bson:"inline"` RuntimeAlertK8sDetails `json:",inline" bson:"inline"` + RuntimeAlertECSDetails `json:",inline" bson:"inline"` cdr.CdrAlert `json:"cdrevent,omitempty" bson:"cdrevent"` HttpRuleAlert `json:",inline" bson:"inline"` NetworkScanAlert `json:"networkscan,inline" bson:"networkscan"` 
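Review bot: The new `RuntimeAlertECSDetails` keys mix `ecs`-prefixed names with unprefixed ones (`serviceName`, `launchType`, `containerArn`, `taskFamily`), and the next hunk embeds the struct anonymously in `RuntimeAlert`, so all of them land at the top level of the serialized alert. encoding/json silently omits fields that share a key at the same embedding depth, so if another embedded alert struct (not visible in this patch) already uses one of these keys, that part of the alert would vanish from the record without an error; the BSON side may behave differently and should be checked as well. A test that marshals a fully populated `RuntimeAlert` and asserts that every ECS key round-trips would catch this, and it applies equally to the `containerInstance` and `availabilityZone` keys added in PATCH 2/3. The exported type also lacks a doc comment, e.g. `// RuntimeAlertECSDetails identifies the ECS cluster, task and container an alert originated from.`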
@@ -296,6 +313,10 @@ func (ra *RuntimeAlert) GetAlertSourcePlatform() AlertSourcePlatform { return AlertSourcePlatformK8s } + if ra.TaskARN != "" || ra.ClusterARN != "" { + return AlertSourcePlatformECS + } + return AlertSourcePlatformEC2 } @@ -312,14 +333,14 @@ func (ra *RuntimeAlert) Validate() error { "WorkloadName": ra.WorkloadName, "PodNamespace": ra.PodNamespace, "PodName": ra.PodName, - "ContainerName": ra.ContainerName, + "ContainerName": ra.RuntimeAlertK8sDetails.ContainerName, } for fieldName, fieldValue := range requiredFields { if fieldValue == "" { return fmt.Errorf("%s is required", fieldName) } } - case AlertSourcePlatformEC2, AlertSourcePlatformCloud, AlertSourcePlatformUnknown: + case AlertSourcePlatformEC2, AlertSourcePlatformCloud, AlertSourcePlatformUnknown, AlertSourcePlatformECS: return nil } From 88330ce9b618aeee361c7f97619242e9e007cf15 Mon Sep 17 00:00:00 2001 From: jnathangreeg Date: Fri, 23 Jan 2026 10:52:10 +0100 Subject: [PATCH 2/3] feat: enhance RuntimeAlertECSDetails struct with ContainerInstance and AvailabilityZone fields --- armotypes/runtimeincidents.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/armotypes/runtimeincidents.go b/armotypes/runtimeincidents.go index 0e36a2e..e603662 100644 --- a/armotypes/runtimeincidents.go +++ b/armotypes/runtimeincidents.go 
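Review bot: The ECS branch in `GetAlertSourcePlatform` keys only on `TaskARN` or `ClusterARN` and sits after the branch that returns `AlertSourcePlatformK8s`, so an alert carrying ECS details but neither ARN (for example only `ServiceName` or `TaskFamily`) still falls through to `AlertSourcePlatformEC2`. An alert that satisfies the earlier Kubernetes condition would presumably be reported as Kubernetes even when ECS ARNs are set; that condition is outside the hunk, so this is inferred. If the precedence is intended, state it above the new check, e.g. `// ECS is identified by its ARNs only; earlier platform checks win when both match.`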
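Review bot: Adding `AlertSourcePlatformECS` to the `return nil` case in `Validate` means ECS alerts are accepted with no required fields, while the Kubernetes case above rejects alerts that lack workload, pod or container identity. Because the platform is selected when either `TaskARN` or `ClusterARN` is set, an alert with only one of them passes validation and cannot be tied to a specific task during triage. A dedicated case that requires at least both ARNs would close that gap; which further fields are mandatory depends on what producers always populate. `Validate` begins and ends outside this hunk.

```go
	case AlertSourcePlatformECS:
		requiredFields := map[string]string{
			"ClusterARN": ra.ClusterARN,
			"TaskARN":    ra.TaskARN,
		}
		for fieldName, fieldValue := range requiredFields {
			if fieldValue == "" {
				return fmt.Errorf("%s is required", fieldName)
			}
		}
	case AlertSourcePlatformEC2, AlertSourcePlatformCloud, AlertSourcePlatformUnknown:
		return nil
```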
@@ -272,7 +272,9 @@ type RuntimeAlertECSDetails struct { ContainerName string `json:"ecsContainerName,omitempty" bson:"ecsContainerName,omitempty"` ContainerARN string `json:"containerArn,omitempty" bson:"containerArn,omitempty"` ContainerID string `json:"ecsContainerID,omitempty" bson:"ecsContainerID,omitempty"` - LaunchType string `json:"launchType,omitempty" bson:"launchType,omitempty"` // EC2 or FARGATE + ContainerInstance string `json:"containerInstance,omitempty" bson:"containerInstance,omitempty"` // EC2 instance ID (EC2 launch type only) + LaunchType string `json:"launchType,omitempty" bson:"launchType,omitempty"` // EC2 or FARGATE + AvailabilityZone string `json:"availabilityZone,omitempty" bson:"availabilityZone,omitempty"` Image string `json:"ecsImage,omitempty" bson:"ecsImage,omitempty"` ImageDigest string `json:"ecsImageDigest,omitempty" bson:"ecsImageDigest,omitempty"` } From b31711c0da30f90e12f2d679dfedb69548b06d67 Mon Sep 17 00:00:00 2001 From: jnathangreeg Date: Fri, 23 Jan 2026 11:05:31 +0100 Subject: [PATCH 3/3] refactor: rename fields in RuntimeAlertECSDetails struct for consistency and clarity --- armotypes/runtimeincidents.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/armotypes/runtimeincidents.go b/armotypes/runtimeincidents.go index e603662..8f84108 100644 --- a/armotypes/runtimeincidents.go +++ b/armotypes/runtimeincidents.go 
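Review bot: `ContainerInstance` is documented as holding an EC2 instance ID, but in ECS a container instance is a separate resource with its own ARN, so the name invites producers to store the ARN and consumers to read it as an instance ID. During incident response the two values lead to different lookups, so the field should say which one it carries: either name the field and key for its content (for example `EC2InstanceID` / `ec2InstanceId`) or widen the comment to `// EC2 instance ID of the host, not the ECS container-instance ARN (EC2 launch type only)`. The struct begins outside this hunk.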
@@ -264,19 +264,19 @@ type RuntimeAlertK8sDetails struct { type RuntimeAlertECSDetails struct { ClusterARN string `json:"clusterArn,omitempty" bson:"clusterArn,omitempty"` - ClusterName string `json:"ecsClusterName,omitempty" bson:"ecsClusterName,omitempty"` - ServiceName string `json:"serviceName,omitempty" bson:"serviceName,omitempty"` + ECSClusterName string `json:"ecsClusterName,omitempty" bson:"ecsClusterName,omitempty"` + ServiceName string `json:"serviceName,omitempty" bson:"serviceName,omitempty"` TaskARN string `json:"taskArn,omitempty" bson:"taskArn,omitempty"` TaskFamily string `json:"taskFamily,omitempty" bson:"taskFamily,omitempty"` TaskDefinitionARN string `json:"taskDefinitionArn,omitempty" bson:"taskDefinitionArn,omitempty"` - ContainerName string `json:"ecsContainerName,omitempty" bson:"ecsContainerName,omitempty"` + ECSContainerName string `json:"ecsContainerName,omitempty" bson:"ecsContainerName,omitempty"` ContainerARN string `json:"containerArn,omitempty" bson:"containerArn,omitempty"` - ContainerID string `json:"ecsContainerID,omitempty" bson:"ecsContainerID,omitempty"` + ECSContainerID string `json:"ecsContainerID,omitempty" bson:"ecsContainerID,omitempty"` ContainerInstance string `json:"containerInstance,omitempty" bson:"containerInstance,omitempty"` // EC2 instance ID (EC2 launch type only) LaunchType string `json:"launchType,omitempty" bson:"launchType,omitempty"` // EC2 or FARGATE AvailabilityZone string `json:"availabilityZone,omitempty" bson:"availabilityZone,omitempty"` - Image string `json:"ecsImage,omitempty" bson:"ecsImage,omitempty"` - ImageDigest string `json:"ecsImageDigest,omitempty" bson:"ecsImageDigest,omitempty"` + ECSImage string `json:"ecsImage,omitempty" bson:"ecsImage,omitempty"` + ECSImageDigest string `json:"ecsImageDigest,omitempty" bson:"ecsImageDigest,omitempty"` } type NetworkScanAlert struct {