osquery

What's Changed

Features

• Add process memory scanning capability to yara table by @brian-mckinney in https://github.com/osquery/osquery/pull/8782
• Split yara tables into yara_process and yara_file by @brian-mckinney in https://github.com/osquery/osquery/pull/8835
• Add Windows process_open_handles table by @brian-mckinney in https://github.com/osquery/osquery/pull/8795
• Add secureboot_certificates table for Linux by @zwass in https://github.com/osquery/osquery/pull/8844
• Extend python_packages and npm_packages to cover modern package managers by @ariary in https://github.com/osquery/osquery/pull/8801
• Add level filtering to the unified_log table by @directionless in https://github.com/osquery/osquery/pull/8788
• Disallow newlines in curl custom headers by @directionless in https://github.com/osquery/osquery/pull/8787
• Supplement LaunchServices with directory scanning in apps table (#8789) by @getvictor in https://github.com/osquery/osquery/pull/8790
• Command line flags for query input and output by @directionless in https://github.com/osquery/osquery/pull/8786
• New header-based authentication mechanism for remote APIs by @juan-fdz-hawa in https://github.com/osquery/osquery/pull/8805
• Add recursion to npm_packages by @directionless in https://github.com/osquery/osquery/pull/8809
• Make profile.py performance thresholds configurable via CLI flags by @stefanamaerz in https://github.com/osquery/osquery/pull/8841
• Add ROOT\default to WMI tables by @directionless in https://github.com/osquery/osquery/pull/8810

Build & Dependencies

• Update expat to 2.7.4 to fix CVE-2026-25210 by @Sampriti2803 in https://github.com/osquery/osquery/pull/8794
• Fix GCC 15 compatibility by @carlsmedstad in https://github.com/osquery/osquery/pull/8837

Fixes

• Fix macOS keychain corruption when accessing non-SSV keychain files by copying to temporary files first by @lucasmrod in https://github.com/osquery/osquery/pull/8840
• Fix incorrect example queries in table specs by @edwardsb in https://github.com/osquery/osquery/pull/8791
• Improve network_name detection on macOS wifi_status table by @lucasmrod in https://github.com/osquery/osquery/pull/8781
• Fix a bug in apt_sources parsing by @directionless in https://github.com/osquery/osquery/pull/8785
• Add NOCASE and VERSION collation to various columns by @directionless in https://github.com/osquery/osquery/pull/8813
• Increase the limit on systemd unit iteration by @directionless in https://github.com/osquery/osquery/pull/8802
• Fix format string vulnerability in shell.cpp disconnect_socket() by @directionless in https://github.com/osquery/osquery/pull/8824
• Fix saving file times in file carves by @zwass in https://github.com/osquery/osquery/pull/8819
• Fix empty results from office_mru table by @thierryfranzetti in https://github.com/osquery/osquery/pull/8838
• Fix multiple security vulnerabilities in smc_keys.cpp by @directionless in https://github.com/osquery/osquery/pull/8820
• Fix gatekeeper table on macOS 15+ by @thierryfranzetti in https://github.com/osquery/osquery/pull/8831
• Fix container bounds checking vulnerabilities by @directionless in https://github.com/osquery/osquery/pull/8825
• Reduce noisy logs from chrome_extensions by @lucasmrod in https://github.com/osquery/osquery/pull/8792

New Contributors

• @edwardsb made their first contribution in https://github.com/osquery/osquery/pull/8791
• @Sampriti2803 made their first contribution in https://github.com/osquery/osquery/pull/8794
• @ariary made their first contribution in https://github.com/osquery/osquery/pull/8801
• @juan-fdz-hawa made their first contribution in https://github.com/osquery/osquery/pull/8805
• @thierryfranzetti made their first contribution in https://github.com/osquery/osquery/pull/8838
• @stefanamaerz made their first contribution in https://github.com/osquery/osquery/pull/8841

Full Changelog: https://github.com/osquery/osquery/compare/5.22.1...5.23.0