Feature/detectors

.githooks/pre-commit

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+echo "🐕 Stackdog pre-commit: running cargo fmt..."
+cargo fmt --all -- --check || {
+    echo "❌ cargo fmt failed. Run 'cargo fmt --all' to fix."
+    exit 1
+}
+
+echo "🐕 Stackdog pre-commit: running cargo clippy..."
+cargo clippy 2>&1
+CLIPPY_EXIT=$?
+if [ $CLIPPY_EXIT -ne 0 ]; then
+    echo "❌ cargo clippy failed to compile. Fix errors before committing."
+    exit 1
+fi
+
+echo "✅ Pre-commit checks passed."

.github/workflows/codacy-analysis.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI
@@ -41,6 +41,6 @@ jobs:
 
       # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/docker.yml

@@ -2,161 +2,100 @@
 
 on:
   push:
-    branches:
-      - master
-      - testing
+    branches: [main, dev]
   pull_request:
-    branches:
-      - master
+    branches: [main, dev]
 
 jobs:
-  cicd-linux-docker:
-    name: Cargo and npm build
-    #runs-on: ubuntu-latest
-    runs-on: [self-hosted, linux]
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout sources
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          profile: minimal
-          override: true
           components: rustfmt, clippy
+          targets: x86_64-unknown-linux-musl
 
-      - name: Cache cargo registry
-        uses: actions/cache@v2.1.6
-        with:
-          path: ~/.cargo/registry
-          key: docker-registry-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-registry-
-            docker-
-
-      - name: Cache cargo index
-        uses: actions/cache@v2.1.6
-        with:
-          path: ~/.cargo/git
-          key: docker-index-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-index-
-            docker-
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Generate Secret Key
-        run: |
-          head -c16 /dev/urandom > src/secret.key
+        run: head -c16 /dev/urandom > src/secret.key
 
-      - name: Cache cargo build
-        uses: actions/cache@v2.1.6
-        with:
-          path: target
-          key: docker-build-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            docker-build-
-            docker-
-
-      - name: Cargo check
-        uses: actions-rs/cargo@v1
-        with:
-          command: check
+      - name: Check
+        run: cargo check
 
-      - name: Cargo test
-        if: ${{ always() }}
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
+      - name: Format check
+        run: cargo fmt --all -- --check
 
-      - name: Rustfmt
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          override: true
-          components: rustfmt
-          command: fmt
-          args: --all -- --check
-
-      - name: Rustfmt
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: stable
-          profile: minimal
-          override: true
-          components: clippy
-          command: clippy
-          args: -- -D warnings
-
-      - name: Run cargo build
-        uses: actions-rs/cargo@v1
-        with:
-          command: build
-          args: --release
+      - name: Clippy
+        run: cargo clippy -- -D warnings
+
+      - name: Test
+        run: cargo test
+
+      - name: Build static release
+        env:
+          CARGO_TARGET_DIR: target-cross
+        run: cross build --release --target x86_64-unknown-linux-musl
 
-      - name: npm install, build, and test
+      - name: Build frontend
         working-directory: ./web
         run: |
-          npm install
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            npm install
+          fi
           npm run build
-      #   npm test
 
-      - name: Archive production artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: dist-without-markdown
-          path: |
-            web/dist
-            !web/dist/**/*.md
-
-#      - name: Archive code coverage results
-#        uses: actions/upload-artifact@v2
-#        with:
-#          name: code-coverage-report
-#          path: output/test/code-coverage.html
-      - name: Display structure of downloaded files
-        run: ls -R web/dist
-
-      - name: Copy app files and zip
+      - name: Package app
         run: |
           mkdir -p app/stackdog/dist
-          cp target/release/stackdog app/stackdog
-          cp -a web/dist/. app/stackdog
+          cp target-cross/x86_64-unknown-linux-musl/release/stackdog app/stackdog/
+          cp -a web/dist/. app/stackdog/
           cp docker/prod/Dockerfile app/Dockerfile
-          cd app
-          touch .env
-          tar -czvf ../app.tar.gz .
-          cd ..
+          touch app/.env
+          tar -czf app.tar.gz -C app .
 
-      - name: Upload app archive for Docker job
-        uses: actions/upload-artifact@v2.2.2
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
         with:
-          name: artifact-linux-docker
+          name: app-archive
           path: app.tar.gz
+          retention-days: 1
 
-  cicd-docker:
-    name: CICD Docker
-    #runs-on: ubuntu-latest
-    runs-on: [self-hosted, linux]
-    needs: cicd-linux-docker
+  docker:
+    name: Docker Build & Push
+    runs-on: ubuntu-latest
+    needs: build
     steps:
-      - name: Download app archive
-        uses: actions/download-artifact@v2
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
         with:
-          name: artifact-linux-docker
+          name: app-archive
 
-      - name: Extract app archive
-        run: tar -zxvf app.tar.gz
+      - name: Extract archive
+        run: tar -xzf app.tar.gz
 
-      - name: Display structure of downloaded files
-        run: ls -R
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Docker build and publish
-        uses: docker/build-push-action@v1
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: trydirect/stackdog
-          add_git_labels: true
-          tag_with_ref: true
-          #no-cache: true
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: trydirect/stackdog:latest

.github/workflows/release.yml

@@ -18,9 +18,9 @@ jobs:
     strategy:
       matrix:
         include:
-          - target: x86_64-unknown-linux-gnu
+          - target: x86_64-unknown-linux-musl
             artifact: stackdog-linux-x86_64
-          - target: aarch64-unknown-linux-gnu
+          - target: aarch64-unknown-linux-musl
             artifact: stackdog-linux-aarch64
 
     steps:
@@ -36,12 +36,14 @@ jobs:
         run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Build release binary
+        env:
+          CARGO_TARGET_DIR: target-cross
         run: cross build --release --target ${{ matrix.target }}
 
       - name: Package
         run: |
           mkdir -p dist
-          cp target/${{ matrix.target }}/release/stackdog dist/stackdog
+          cp target-cross/${{ matrix.target }}/release/stackdog dist/stackdog
           cd dist
           tar czf ${{ matrix.artifact }}.tar.gz stackdog
           sha256sum ${{ matrix.artifact }}.tar.gz > ${{ matrix.artifact }}.tar.gz.sha256

.gitignore

@@ -33,4 +33,7 @@ Cargo.lock
 # End of https://www.gitignore.io/api/rust,code
 
 .idea
+*.db
 docs/tasks/
+web/node_modules/
+web/dist/

CHANGELOG.md

@@ -7,8 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.2] - 2026-04-07
+
+### Fixed
+
+- **CLI startup robustness** — `.env` loading is now non-fatal.
+  - `stackdog --help` and other commands no longer panic when `.env` is missing or contains malformed lines.
+  - Stackdog now logs a warning and continues with existing environment variables.
+
+- **Installer release resolution** — `install.sh` now handles missing `/releases/latest` responses gracefully.
+  - Falls back to the most recent release entry when no stable "latest" release is available.
+  - Improves error messaging and updates install examples to use the `main` branch script URL.
+
 ### Added
 
+- **Expanded detector framework** with additional log-driven detection coverage.
+  - Reverse shell, sensitive file access, cloud metadata / SSRF, exfiltration chain, and secret leakage detectors.
+  - file integrity monitoring with SQLite-backed baselines via `STACKDOG_FIM_PATHS`.
+  - configuration assessment via `STACKDOG_SCA_PATHS`.
+  - package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`.
+  - Docker posture audits for privileged mode, host namespaces, dangerous capabilities, Docker socket mounts, and writable sensitive mounts.
+
+- **Improved syslog ingestion**
+  - RFC3164 and RFC5424 parsing in file-based log ingestion for cleaner timestamps and normalized message bodies.
+
 #### Log Sniffing & Analysis (`stackdog sniff`)
 - **CLI Subcommands** — Multi-mode binary with `stackdog serve` and `stackdog sniff`
   - `--once` flag for single-pass mode
@@ -66,6 +88,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Refactored `main.rs` to dispatch `serve`/`sniff` subcommands via clap
 - Added `events`, `rules`, `alerting`, `models` modules to binary crate
 - Updated `.env.sample` with `STACKDOG_LOG_SOURCES`, `STACKDOG_AI_*` config vars
+- Version metadata updated to `0.2.2` across Cargo, the web package manifest, and current release documentation.
 
 ### Testing
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "stackdog"
-version = "0.2.0"
+version = "0.2.2"
 authors = ["Vasili Pascal <info@try.direct>"]
 edition = "2021"
 description = "Security platform for Docker containers and Linux servers"
@@ -48,13 +48,15 @@ r2d2 = "0.8"
 bollard = "0.16"
 
 # HTTP client (for LLM API)
-reqwest = { version = "0.12", features = ["json", "blocking"] }
+reqwest = { version = "0.12", default-features = false, features = ["json", "blocking", "rustls-tls"] }
+sha2 = "0.10"
 
 # Compression
 zstd = "0.13"
 
 # Stream utilities
 futures-util = "0.3"
+lettre = { version = "0.11", default-features = false, features = ["tokio1", "tokio1-rustls-tls", "builder", "smtp-transport"] }
 
 # eBPF (Linux only)
 [target.'cfg(target_os = "linux")'.dependencies]
@@ -78,6 +80,8 @@ ebpf = []
 # Testing
 tokio-test = "0.4"
 tempfile = "3"
+actix-test = "0.1"
+awc = "3"
 
 # Benchmarking
 criterion = { version = "0.5", features = ["html_reports"] }

DEVELOPMENT.md

@@ -1,7 +1,7 @@
 # Stackdog Security - Development Plan
 
-**Last Updated:** 2026-03-13  
-**Current Version:** 0.2.0  
+**Last Updated:** 2026-04-07  
+**Current Version:** 0.2.2  
 **Status:** Phase 2 In Progress
 
 ## Project Vision