Host scanning now uses globs to only get inodes for the specific files matching the globs.
Prefix map is populated with the longest prefix for each glob, e.g.
/etc/**/*.conf -> /etc/
/home/user/.ssh/id_{rsa,dsa} -> /home/user/.ssh/id_
Kernel captures events based on inode first and then prefix match (this behavior is unchanged) and then userspace does a glob match on the path and host_path.
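The prefix-then-glob filtering described above, as an added example that is not part of the PR or the project's code: a std-only Rust sketch showing that the literal prefix over-approximates and the userspace glob check is what decides. The names `literal_prefix`, `expand_braces`, `wild`, `glob_match` and `stages` are hypothetical, the inode stage is not modelled, and the `*`/`**` semantics are a simplifying assumption rather than globset's.

```rust
// Added example: simplified stand-ins, not the project's code and not the globset crate.
// Assumes well-formed globs: no backslash escapes, no nested braces, no [..] classes.
/// Longest literal prefix: everything before the first glob metacharacter.
fn literal_prefix(glob: &str) -> &str {
    let end = glob.find(|c: char| matches!(c, '*' | '?' | '[' | '{')).unwrap_or(glob.len());
    &glob[..end]
}

/// Expand `{a,b}` groups into plain patterns.
fn expand_braces(glob: &str) -> Vec<String> {
    let (Some(open), Some(close)) = (glob.find('{'), glob.find('}')) else {
        return vec![glob.to_string()];
    };
    let (head, tail) = (&glob[..open], &glob[close + 1..]);
    glob[open + 1..close].split(',')
        .flat_map(|alt| expand_braces(&format!("{head}{alt}{tail}"))).collect()
}

/// `*` and `?` stay inside one path component; `**/` spans zero or more directories.
fn wild(p: &[u8], s: &[u8]) -> bool {
    match p {
        [] => s.is_empty(),
        [b'*', b'*'] => true,
        [b'*', b'*', b'/', rest @ ..] =>
            wild(rest, s) || (0..s.len()).any(|i| s[i] == b'/' && wild(rest, &s[i + 1..])),
        [b'*', rest @ ..] => (0..=s.len())
            .take_while(|&i| i == 0 || s[i - 1] != b'/')
            .any(|i| wild(rest, &s[i..])),
        [b'?', rest @ ..] => matches!(s, [c, tail @ ..] if *c != b'/' && wild(rest, tail)),
        [c, rest @ ..] => matches!(s, [d, tail @ ..] if d == c && wild(rest, tail)),
    }
}

fn glob_match(glob: &str, path: &str) -> bool {
    expand_braces(glob).iter().any(|g| wild(g.as_bytes(), path.as_bytes()))
}

/// Returns (passes the prefix stage, passes the userspace glob stage).
fn stages(globs: &[&str], path: &str) -> (bool, bool) {
    let prefix_hit = globs.iter().any(|g| path.starts_with(literal_prefix(g)));
    (prefix_hit, prefix_hit && globs.iter().any(|g| glob_match(g, path)))
}

fn main() {
    let globs = ["/etc/**/*.conf", "/home/user/.ssh/id_{rsa,dsa}"];
    for p in ["/etc/passwd", "/home/user/.ssh/id_rsa", "/home/user/.ssh/id_ed25519"] { // constructed
        println!("{p}: {:?}", stages(&globs, p));
    }
}
```

Paths such as `/etc/passwd` and `/home/user/.ssh/id_ed25519` pass the prefix stage but are dropped by the glob stage, which is why the userspace match is needed for precise reporting.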
Molter73 (Contributor) reviewed on Feb 23, 2026 and left a comment:
Awesome! Thanks for tackling this!!
fact/src/bpf/mod.rs
Outdated
| let mut new_paths = Vec::with_capacity(paths_config.len()); | ||
| let mut builder = GlobSetBuilder::new(); | ||
| for p in paths_config.iter() { | ||
| builder.add(Glob::new(&p.to_string_lossy())?); |
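Review bot: `p.to_string_lossy()` in the `builder.add(...)` line silently replaces any non-UTF-8 bytes in a configured path with U+FFFD, so the compiled glob can differ from what the user configured and files under the real path would never match it. Consider `p.to_str()` and returning an error when it yields `None`, so a path that cannot be represented fails the same way an invalid pattern already does through the `?` on `Glob::new`.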
Contributor
We probably want to hard fail if a configured path is wrong. If we change the string at this point, we might not match the strings configured by a user, and we will not report things in there.
Molter73 (Contributor) reviewed on Feb 23, 2026 and left a comment:
Changes look good. Can we add at least one integration test with globs? Just to make sure it is working; we can always expand later.
Contributor
/retest
Description
Somewhat relies on a chain of PRs in the main repo (in merge order):
stackrox/stackrox#19057
stackrox/stackrox#19063
stackrox/stackrox#19089