fix rules for image-based gadgets

[matthyx]

Note

Migrate all rules and tests to a unified event.* schema, generate a combined CRD, and update Go/tooling/dependencies.

• Rules/CRD:
  • Migrate all rule YAMLs to unified event.* fields (uniqueId, ruleExpression, eventType), add isTriggerAlert and MITRE metadata.
  • Add/refresh many rule definitions and generate consolidated rules-crd.yaml.
• Tests:
  • Refactor to use utils.StructEvent instead of gadget-specific types; align assertions with new message/ID formats.
• CI:
  • Set Go toolchain via GOTOOLCHAIN=go1.25.0+auto and add steps to generate and upload Rules CRD artifact.
• Dependencies/Build:
  • Bump to Go 1.25 and update numerous modules; switch inspektor-gadget to a replacement fork.
• Docs:
  • Update README to reflect new field names and schema conventions.

^{Written by Cursor Bugbot for commit 6adb258. This will update automatically on new commits. Configure here.}

[cursor]

Bug: Container Name Missing in Cache

The ContainerInfo struct's Name field is commented out in rule_test.go's object cache setup. This prevents the container name from being properly set, leaving the cached container with an empty name. As a result, container matching may fail during rule evaluation.

 

[cursor]

Bug: Network Event Struct Mismatch Causes CEL Errors

Network event tests define DstEndpoint as a nested eventtypes.L3Endpoint struct, but the YAML rules expect event.dstAddr as a direct string field. This structural mismatch causes type errors during CEL rule evaluation.

Additional Locations (3)

• pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go#L30-L31
• pkg/rules/r0011-unexpected-egress-network-traffic/rule_test.go#L150-L151
• pkg/rules/r1009-crypto-mining-related-port/rule_test.go#L30-L31

 

[cursor]

Bug: Trailing Underscore in Unique ID Expression

The uniqueId expression for the R1004 rule includes an extra + '_' at the end, causing generated unique IDs to have an unnecessary trailing underscore.

Additional Locations (1)

• pkg/rules/r1004-exec-from-mount/exec-from-mount.yaml#L15-L16

 

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Bug: Refactoring Left Container Name Uninitialized

The Name field initialization is commented out in the ContainerInfo struct, leaving an empty struct in the array. This appears to be incomplete refactoring where the developer commented out the old field access pattern but didn't replace it with the new one. The container name should be set to tt.event.Container to properly initialize the test data.

 

[cursor]

Bug: Broad Token Path Check Bypasses Security

The rule changed from checking if any of the 4 specific service account directory prefixes were accessed to checking if any path ending with /token was accessed. This creates a security bypass: if the application profile contains any file ending with /token (like /tmp/myapp/token), it will whitelist access to the actual service account token at /run/secrets/kubernetes.io/serviceaccount/token. The old logic was more secure by specifically checking for service account directory prefixes rather than any path with the /token suffix.