Merge branch 'main' into staging

deployments/aws/ecs/locals.tf

@@ -31,29 +31,30 @@ locals {
 
   api_env = [
     for k, v in merge({
-      LOG_LEVEL                                     = var.log_level
-      RUN_MIGRATIONS                                = "true"
-      TEMPORAL__CLIENT_RPC_TIMEOUT                  = var.temporal_client_rpc_timeout
-      TEMPORAL__CLUSTER_NAMESPACE                   = local.temporal_namespace
-      TEMPORAL__CLUSTER_QUEUE                       = local.temporal_cluster_queue
-      TEMPORAL__CLUSTER_URL                         = local.temporal_cluster_url
-      TEMPORAL__MTLS_ENABLED                        = var.temporal_mtls_enabled
-      TEMPORAL__MTLS_CERT__ARN                      = local.temporal_mtls_cert_arn
-      TEMPORAL__API_KEY__ARN                        = local.temporal_api_key_arn
-      TRACECAT__ALLOW_ORIGINS                       = local.allow_origins
-      TRACECAT__API_ROOT_PATH                       = "/api"
-      TRACECAT__API_URL                             = local.internal_api_url
-      TRACECAT__APP_ENV                             = var.tracecat_app_env
-      TRACECAT__AUTH_ALLOWED_DOMAINS                = var.auth_allowed_domains
-      TRACECAT__AUTH_TYPES                          = var.auth_types
-      TRACECAT__SETTING_OVERRIDE_SAML_ENABLED       = var.setting_override_saml_enabled
-      TRACECAT__SETTING_OVERRIDE_BASIC_AUTH_ENABLED = var.setting_override_basic_auth_enabled
-      TRACECAT__DB_ENDPOINT                         = local.core_db_hostname
-      TRACECAT__EXECUTOR_URL                        = local.internal_executor_url
-      TRACECAT__PUBLIC_API_URL                      = local.public_api_url
-      TRACECAT__PUBLIC_APP_URL                      = local.public_app_url
-      TRACECAT__REMOTE_REPOSITORY_PACKAGE_NAME      = var.remote_repository_package_name
-      TRACECAT__REMOTE_REPOSITORY_URL               = var.remote_repository_url
+      LOG_LEVEL                                       = var.log_level
+      RUN_MIGRATIONS                                  = "true"
+      TEMPORAL__CLIENT_RPC_TIMEOUT                    = var.temporal_client_rpc_timeout
+      TEMPORAL__CLUSTER_NAMESPACE                     = local.temporal_namespace
+      TEMPORAL__CLUSTER_QUEUE                         = local.temporal_cluster_queue
+      TEMPORAL__CLUSTER_URL                           = local.temporal_cluster_url
+      TEMPORAL__MTLS_ENABLED                          = var.temporal_mtls_enabled
+      TEMPORAL__MTLS_CERT__ARN                        = local.temporal_mtls_cert_arn
+      TEMPORAL__API_KEY__ARN                          = local.temporal_api_key_arn
+      TRACECAT__ALLOW_ORIGINS                         = local.allow_origins
+      TRACECAT__API_ROOT_PATH                         = "/api"
+      TRACECAT__API_URL                               = local.internal_api_url
+      TRACECAT__APP_ENV                               = var.tracecat_app_env
+      TRACECAT__AUTH_ALLOWED_DOMAINS                  = var.auth_allowed_domains
+      TRACECAT__AUTH_TYPES                            = var.auth_types
+      TRACECAT__SETTING_OVERRIDE_SAML_ENABLED         = var.setting_override_saml_enabled
+      TRACECAT__SETTING_OVERRIDE_OAUTH_GOOGLE_ENABLED = var.setting_override_oauth_google_enabled
+      TRACECAT__SETTING_OVERRIDE_BASIC_AUTH_ENABLED   = var.setting_override_basic_auth_enabled
+      TRACECAT__DB_ENDPOINT                           = local.core_db_hostname
+      TRACECAT__EXECUTOR_URL                          = local.internal_executor_url
+      TRACECAT__PUBLIC_API_URL                        = local.public_api_url
+      TRACECAT__PUBLIC_APP_URL                        = local.public_app_url
+      TRACECAT__REMOTE_REPOSITORY_PACKAGE_NAME        = var.remote_repository_package_name
+      TRACECAT__REMOTE_REPOSITORY_URL                 = var.remote_repository_url
     }, local.tracecat_db_configs) :
     { name = k, value = tostring(v) }
   ]

deployments/aws/ecs/variables.tf

@@ -71,7 +71,6 @@ variable "auth_types" {
   default = "google_oauth,saml"
 }
 
-
 variable "auth_allowed_domains" {
   type        = string
   description = "Comma separated list of allowed domains for authentication (e.g. `acme.com,acme.ai`)"
@@ -83,6 +82,12 @@ variable "setting_override_saml_enabled" {
   default     = null
 }
 
+variable "setting_override_oauth_google_enabled" {
+  type        = string
+  description = "Override the Google OAuth setting"
+  default     = null
+}
+
 variable "setting_override_basic_auth_enabled" {
   type        = string
   description = "Override the basic auth setting"
@@ -103,7 +108,7 @@ variable "tracecat_ui_image" {
 
 variable "tracecat_image_tag" {
   type    = string
-  default = "0.22.1"
+  default = "0.22.2"
 }
 
 variable "temporal_server_image" {

deployments/aws/main.tf

@@ -74,10 +74,11 @@ module "ecs" {
   tracecat_signing_secret_arn    = var.tracecat_signing_secret_arn
 
   # Authentication
-  auth_types                          = var.auth_types
-  auth_allowed_domains                = var.auth_allowed_domains
-  setting_override_saml_enabled       = var.setting_override_saml_enabled
-  setting_override_basic_auth_enabled = var.setting_override_basic_auth_enabled
+  auth_types                            = var.auth_types
+  auth_allowed_domains                  = var.auth_allowed_domains
+  setting_override_saml_enabled         = var.setting_override_saml_enabled
+  setting_override_oauth_google_enabled = var.setting_override_oauth_google_enabled
+  setting_override_basic_auth_enabled   = var.setting_override_basic_auth_enabled
 
   # OAuth
   oauth_client_id_arn     = var.oauth_client_id_arn

deployments/aws/variables.tf

@@ -50,6 +50,12 @@ variable "setting_override_saml_enabled" {
   default     = null
 }
 
+variable "setting_override_oauth_google_enabled" {
+  type        = string
+  description = "Override the Google OAuth setting"
+  default     = null
+}
+
 variable "setting_override_basic_auth_enabled" {
   type        = string
   description = "Override the basic auth setting"
@@ -71,7 +77,7 @@ variable "tracecat_ui_image" {
 
 variable "tracecat_image_tag" {
   type    = string
-  default = "0.22.1"
+  default = "0.22.2"
 }
 
 variable "temporal_server_image" {

docker-compose.yml

@@ -14,7 +14,7 @@ services:
       - ./Caddyfile:/etc/caddy/Caddyfile
 
   api:
-    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.1}
+    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.2}
     container_name: api
     restart: unless-stopped
     networks:
@@ -67,7 +67,7 @@ services:
       - executor
 
   worker:
-    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.1}
+    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.2}
     restart: unless-stopped
     networks:
       - core
@@ -97,7 +97,7 @@ services:
     command: ["python", "tracecat/dsl/worker.py"]
 
   executor:
-    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.1}
+    image: ghcr.io/tracecathq/tracecat:${TRACECAT__IMAGE_TAG:-0.22.2}
     restart: unless-stopped
     networks:
       - core
@@ -137,7 +137,7 @@ services:
       ]
 
   ui:
-    image: ghcr.io/tracecathq/tracecat-ui:${TRACECAT__IMAGE_TAG:-0.22.1}
+    image: ghcr.io/tracecathq/tracecat-ui:${TRACECAT__IMAGE_TAG:-0.22.2}
     container_name: ui
     restart: unless-stopped
     networks:
@@ -194,9 +194,19 @@ services:
     depends_on:
       - temporal_postgres_db
 
+  # ollama:
+  #   image: ollama/ollama:${OLLAMA__VERSION}
+  #   ports:
+  #     - 11434:11434
+  #   networks:
+  #     - core
+  #   volumes:
+  #     - ollama:/root/.ollama
+
 volumes:
   core-db:
   temporal-db:
+  # ollama:
 
 networks:
   core:

docs/platform/secrets.mdx

@@ -28,7 +28,7 @@ Pre-built integrations require a specific secret name and required keys.
 For example, the VirusTotal integration requires a secret with the name `virustotal` and the key `VIRUSTOTAL_API_KEY`.
 
 Different integrations may require different required and optional keys.
-For example, Tracecat's AWS integration is configured with the following secret with optional keys:
+For example, Tracecat's AWS integration is configured with the following secret with optional keys, but with `optional=False` meaning at least one of the keys must be provided:
 
 ```python
 aws_secret = RegistrySecret(
@@ -44,6 +44,7 @@ aws_secret = RegistrySecret(
         # Profile-based authentication
         "AWS_PROFILE_NAME",
     ]
+    optional=False
 )
 ```
 

docs/self-hosting/authentication/google.mdx

@@ -9,7 +9,7 @@ In your `.env` file, make sure you have the following value set.
 
 ```bash
 TRACECAT__AUTH_TYPES=google_oauth
-TRACECAT__SETTING_OVERRIDE_GOOGLE_OAUTH_ENABLED=true
+TRACECAT__SETTING_OVERRIDE_OAUTH_GOOGLE_ENABLED=true
 ```
 
 ## Prerequisites

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -50,10 +50,10 @@ Use the commands listed below to download the required configuration files
 
 ```bash
 # 1. Download the env.sh installation script
-curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/env.sh
+curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/env.sh
 
 # 2. Download the .env.example template file (env.sh needs this to generate your .env file)
-curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/.env.example
+curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/.env.example
 
 # 3. Make the env.sh script executable and run it
 chmod +x env.sh && ./env.sh
@@ -91,13 +91,13 @@ Tracecat uses Caddy as a reverse proxy.
 You'll need to download the following `Caddyfile` to configure this service.
 
 ```bash
-curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/Caddyfile
+curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/Caddyfile
 ```
 
 ## Download Docker Compose File
 
 ```bash
-curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/docker-compose.yml
+curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/docker-compose.yml
 ```
 
 ## Start Tracecat

docs/self-hosting/deployment-options/ollama.mdx

@@ -33,10 +33,30 @@ Supported models:
         TRACECAT__PRELOAD_OSS_MODELS=llama3.2
         ```
     </Step>
+    <Step title="Configure the Ollama service">
+        Uncomment out the `ollama` service and `ollama` volume at the bottom of the `docker-compose.yml` file.
+
+        ```yaml
+        ollama:
+          image: ollama/ollama:${OLLAMA__VERSION}
+          ports:
+            - 11434:11434
+          networks:
+            - core
+          volumes:
+            - ollama:/root/.ollama
+
+        volumes:
+            core-db:
+            temporal-db:
+            ollama:
+        ```
+
+    </Step>
     <Step title="Deploy">
         Deploy Tracecat with the Ollama docker compose extension:
         ```bash
-        docker compose up -f docker-compose.yml -f docker-compose.ollama.yml up -d
+        docker compose up -d
         ```
     </Step>
     <Step title="AI Action">

docs/tutorials/updating.mdx

@@ -23,8 +23,8 @@ description: Learn how to safely update versions and run data migrations.
     version.
 
     ```
-    curl -o env-migration.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/env-migration.sh
-    curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/.env.example
+    curl -o env-migration.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/env-migration.sh
+    curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/.env.example
     ```
 
   </Step>
@@ -41,7 +41,7 @@ description: Learn how to safely update versions and run data migrations.
     Download the latest Docker Compose file.
 
     ```
-    curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.1/docker-compose.yml
+    curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/0.22.2/docker-compose.yml
     ```
 
   </Step>

pyproject.toml

@@ -53,6 +53,7 @@ dependencies = [
     "sqlmodel==0.0.18",
     "temporalio==1.6.0",
     "tenacity==8.3.0",
+    "tomli>=2.2.1",
     "uv==0.4.10",
     "uvicorn==0.29.0",
     "virtualenv==20.27.0",

registry/tracecat_registry/_internal/registry.py

@@ -98,7 +98,7 @@ def decorator_register(fn: Callable[P, R]) -> Callable[P, R]:
                 "include_in_schema": include_in_schema,
                 "namespace": namespace,
                 "description": description,
-                "secrets": secrets,
+                "secrets": [s.model_dump() for s in secrets] if secrets else None,
             },
         )
         return fn

registry/tracecat_registry/base/core/llm.py

@@ -14,6 +14,7 @@
 llm_secret = RegistrySecret(
     name="llm",
     optional_keys=["OPENAI_API_KEY"],
+    optional=True,
 )
 """OpenAI secret.
 

registry/tracecat_registry/integrations/ansible.py

@@ -17,6 +17,7 @@
         "ANSIBLE_SSH_KEY",
         "ANSIBLE_PASSWORDS",
     ],
+    optional=True,
 )
 """Ansible Runner secret.
 - name: `ansible`

registry/tracecat_registry/integrations/boto3.py

@@ -21,6 +21,7 @@
         "AWS_ROLE_ARN",
         "AWS_ROLE_SESSION_NAME",
     ],
+    optional=False,
 )
 """AWS secret.
 

registry/tracecat_registry/integrations/s3.py

@@ -21,6 +21,7 @@
         "AWS_ROLE_ARN",
         "AWS_ROLE_SESSION_NAME",
     ],
+    optional=False,
 )
 """AWS secret.
 

registry/tracecat_registry/templates/threat_intel/virustotal/search_domain.yml

@@ -0,0 +1,25 @@
+type: action
+definition:
+  title: Search Domain with VirusTotal
+  description: Get threat intel report for a domain from VirusTotal.
+  display_group: VirusTotal
+  doc_url: https://docs.virustotal.com/reference/domain-info
+  author: ragan4u
+  namespace: integrations.virustotal
+  name: search_domain
+  secrets:
+    - name: virustotal
+      keys: ["VIRUSTOTAL_API_KEY"]
+  expects:
+    domain:
+      type: str
+      description: The domain to search
+  steps:
+    - ref: search_domain
+      action: core.http_request
+      args:
+        url: https://www.virustotal.com/api/v3/domains/${{ FN.strip(FN.to_base64url(inputs.domain), "=") }}
+        method: GET
+        headers:
+          x-apikey: ${{ SECRETS.virustotal.VIRUSTOTAL_API_KEY }}
+  returns: ${{ steps.search_domain.result }}

registry/tracecat_registry/templates/wazuh/clear_rootcheck.yml

@@ -5,6 +5,8 @@ definition:
   title: Clear Wazuh Rootcheck Results
   description: Clears all previous rootcheck scan results from Wazuh agents to reset the status.
   display_group: Wazuh
+  doc_url: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.rootcheck_controller.delete_rootcheck
+  author: bouddha-fr
   secrets:
     - name: wazuh
       keys:

registry/tracecat_registry/templates/wazuh/get_auth_token.yml

@@ -5,6 +5,8 @@ definition:
   title: Generate Wazuh API Token
   description: Authenticate with the Wazuh API and retrieve a token.
   display_group: Wazuh
+  doc_url: https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Security
+  author: bouddha-fr
   secrets:
     - name: wazuh_wui
       keys:

registry/tracecat_registry/templates/wazuh/get_last_rootcheck_scan.yml

@@ -5,6 +5,8 @@ definition:
   title: Get Last Wazuh Rootcheck Scan
   description: Retrieves the latest rootcheck scan results from Wazuh agents for analysis.
   display_group: Wazuh
+  doc_url: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.rootcheck_controller.get_last_scan_agent
+  author: bouddha-fr
   secrets:
     - name: wazuh
       keys: