7 changed files with 14 additions and 11 deletions
--- a/.github/FALCO_VERSIONS
+++ b/.github/FALCO_VERSIONS
@ -1,4 +1 @@
 master
-0.41.2
-0.41.1
-0.41.0
--- a/.github/workflows/pages.yaml
+++ b/.github/workflows/pages.yaml
@ -22,7 +22,7 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Install uv
-        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v5
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5

      - name: Generate updated inventory
        run: |
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -58,7 +58,7 @@ jobs:

      # Create a signature of the rules artifact as OCI artifact
      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.0
+        uses: sigstore/cosign-installer@v3.8.2

      - name: Login with cosign
        run: cosign login $OCI_REGISTRY --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
--- a/3
+++ b/3
@ -5,7 +5,7 @@ approvers:
  - fededp
  - andreagit97
  - lucaguerra
-  - ekoops
+  - incertum
 reviewers:
  - leodido
  - kaizhe
@ -13,4 +13,3 @@ reviewers:
  - loresuso
 emeritus_approvers:
  - kaizhe
-  - incertum
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@ -296,7 +296,9 @@

 - macro: container_started
  condition: >
-     (spawned_process and proc.vpid=1 and container)
+    ((evt.type = container or
+     (spawned_process and proc.vpid=1)) and
+     container.image.repository != incomplete)

 - list: cron_binaries
  items: [anacron, cron, crond, crontab]
@ -608,6 +610,7 @@
    seen as more suspicious, prompting a closer inspection.
  condition: >
    container_started 
+    and container
    and container.privileged=true
    and not falco_privileged_containers
    and not user_privileged_containers
@ -637,6 +640,7 @@
    raise suspicion, prompting closer scrutiny.
  condition: >
    container_started 
+    and container
    and excessively_capable_container
    and not falco_privileged_containers
    and not user_privileged_containers
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@ -327,7 +327,9 @@

 - macro: container_started
  condition: >
-    (spawned_process and proc.vpid=1 and container)
+    ((evt.type = container or
+     (spawned_process and proc.vpid=1)) and
+     container.image.repository != incomplete)

 # Possible scripts run by sshkit
 - list: sshkit_script_binaries
@ -1263,6 +1265,7 @@
    varies based on your environment.
  condition: >
    container_started 
+    and container
    and sensitive_mount
    and not falco_sensitive_mount_containers
    and not user_sensitive_mount_containers
@ -1289,6 +1292,7 @@
    this can be challenging to manage.
  condition: > 
    container_started 
+    and container 
    and not allowed_containers
  output: Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
  priority: WARNING
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -363,8 +363,7 @@
    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
    vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
    pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
-    scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd,
-    sshd-session
+    scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd
    ]

 # Add conditions to this macro (probably in a separate file,