New attack technique: Invoke Bedrock Model (#581)

* New attack technique: Invoke Bedrock Model * Generate docs * Use context.Background() instead of context.TODO() * Simplify error handling logic * Rename wrapper to be a package-visible struct only * added detection recommendations * fixed detection * fixed detection * fixed detection * autogenerate docs * Added call to GetFoundationModelAvailability * Updated docs, including the Permiso article * Add Permiso ref * Error handling and avoid using context.TODO() * Autogen docs * Added calls to ListFoundationModelAgreementOffers, CreateFoundationModelAgreement, PutFoundationModelEntitlement * changed idempotent to false * Autogen docs * Rework Bedrock attack * autogenerate docs * only create use-case and model agreement once per account * Update docs * Update docs and refactor signature functions * Better error descriptions and remove incorrect status code check * Refactor methods inside a struct * Add detonation logs * Revert unnecessary Go version changes * Use go 1.21 in CI * Fix CI * Fix base Docker image * Make final Stratus binary smaller by removing debug symbols * Upgrade staticcheck * Attempt using staticcheck 2023.1.4 * Install the appropriate Go version for staticcheck * allow raw.githubusercontent.com network call in staticcheck CI * Fix SAST findings --------- Co-authored-by: Christophe Tafani-Dereeper <christophe.tafanidereeper@datadoghq.com>
DataDog · Oct 17, 2024 · 8caa192 · 8caa192
1 parent 49c50c4
commit 8caa192
Show file tree

Hide file tree

Showing 19 changed files with 1,949 additions and 32 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -32,6 +32,7 @@ jobs:
             pkg-containers.githubusercontent.com:443
             production.cloudflare.docker.com:443
             proxy.golang.org:443
+            sum.golang.org:443            
             registry-1.docker.io:443
             storage.googleapis.com:443
             *.actions.githubusercontent.com:443

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -41,7 +41,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Run GoReleaser
         timeout-minutes: 60
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -27,18 +27,15 @@ jobs:
             storage.googleapis.com:443
             sum.golang.org:443
             golang.org:443
+            sum.golang.org:443
             *.actions.githubusercontent.com:443
             objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
             go.dev:443
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
         with:
           fetch-depth: 1
-      - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
-        with:
-          go-version: 1.19
       - uses: dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6
         with:
-          version: "2022.1"
-          install-go: false
+          install-go: true
           working-directory: "./v2"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -26,6 +26,7 @@ jobs:
             objects.githubusercontent.com:443
             go.dev:443
             golang.org:443
+            sum.golang.org:443
             api.github.com:443
             *.actions.githubusercontent.com:443
       - name: Checkout repository
@@ -34,7 +35,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: 1.19
+          go-version: 1.21
 
       - name: Run unit tests
         run: make test

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20.4-alpine3.16@sha256:6469405d7297f82d56195c90a3270b0806ef4bd897aa0628477d9959ab97a577 AS builder
+FROM golang:1.21.13-alpine3.20@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94 AS builder
 ARG VERSION=dev-snapshot
 RUN mkdir /build
 RUN apk add --update make

diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ export GO111MODULE=on
 BIN_DIR := $(ROOT_DIR)/bin
 
 # Define go flags
-GOFLAGS := -ldflags="-X main.BuildVersion=$(BUILD_VERSION)"
+GOFLAGS := -ldflags="-X main.BuildVersion=$(BUILD_VERSION) -w"
 
 .PHONY: build docs test thirdparty-licenses mocks
 
@@ -44,4 +44,4 @@ mocks:
 	@cd v2 && mockery --name=StateManager --dir internal/state --output internal/state/mocks
 	@cd v2 && mockery --name=TerraformManager --dir pkg/stratus/runner --output pkg/stratus/runner/mocks
 	@cd v2 && mockery --name=FileSystem --structname FileSystemMock --dir internal/state --output internal/state/mocks
-	@echo "Mocks generated successfully."
+	@echo "Mocks generated successfully."
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ See the documentation at **[stratus-red-team.cloud](https://stratus-red-team.clo
 
 ### Direct install
 
-Requires Go 1.19+
+Requires Go 1.21+
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest