overmindtech · carabasdaniel · Jun 4, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -40,7 +40,7 @@ jobs:
           project: xnsnw3m20t
 
       - name: Build and push container
-        uses: depot/build-push-action@v1.17.0
+        uses: depot/build-push-action@v1.18.0
         id: build
         with:
           project: xnsnw3m20t

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -63,7 +63,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v7
         with:
           # renovate: datasource=github-releases depName=goreleaser/goreleaser
-          version: "v2.15.4"
+          version: "v2.16.0"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/aws-source/adapters/lambda-function.go b/aws-source/adapters/lambda-function.go
@@ -27,7 +27,6 @@ type FunctionDetails struct {
 // FunctionGetFunc Gets the details of a specific lambda function
 func functionGetFunc(ctx context.Context, client LambdaClient, scope string, input *lambda.GetFunctionInput) (*sdp.Item, error) {
 	out, err := client.GetFunction(ctx, input)
-
 	if err != nil {
 		return nil, err
 	}
@@ -108,14 +107,21 @@ func functionGetFunc(ctx context.Context, client LambdaClient, scope string, inp
 		}
 	}
 
-	attributes, err := ToAttributesWithExclude(function, "resultMetadata")
+	// Environment variables often contain secrets; extract links before redacting.
+	var envVars map[string]string
+	if function.Configuration != nil && function.Configuration.Environment != nil {
+		envVars = function.Configuration.Environment.Variables
+		configCopy := *function.Configuration
+		configCopy.Environment = nil
+		function.Configuration = &configCopy
+	}
 
+	attributes, err := ToAttributesWithExclude(function, "resultMetadata")
 	if err != nil {
 		return nil, err
 	}
 
 	err = attributes.Set("Name", *out.Configuration.FunctionName)
-
 	if err != nil {
 		return nil, err
 	}
@@ -218,9 +224,9 @@ func functionGetFunc(ctx context.Context, client LambdaClient, scope string, inp
 			}
 		}
 
-		if function.Configuration.Environment != nil {
+		if envVars != nil {
 			// Automatically extract links from the environment variables
-			newQueries, err := sdp.ExtractLinksFrom(function.Configuration.Environment.Variables)
+			newQueries, err := sdp.ExtractLinksFrom(envVars)
 			if err == nil {
 				item.LinkedItemQueries = append(item.LinkedItemQueries, newQueries...)
 			}
@@ -449,7 +455,6 @@ func ExtractLinksFromPolicy(policy *PolicyDocument) []*sdp.LinkedItemQuery {
 		if scope == "" {
 			// If we don't have a scope set then extract it from the target ARN
 			parsedARN, err := ParseARN(statement.Condition.ArnLike.AWSSourceArn)
-
 			if err != nil {
 				continue
 			}
@@ -473,7 +478,6 @@ func ExtractLinksFromPolicy(policy *PolicyDocument) []*sdp.LinkedItemQuery {
 // GetEventLinkedItem Gets the linked item request for a given destination ARN
 func GetEventLinkedItem(destinationARN string) (*sdp.LinkedItemQuery, error) {
 	parsed, err := ParseARN(destinationARN)
-
 	if err != nil {
 		return nil, err
 	}
@@ -532,7 +536,7 @@ func NewLambdaFunctionAdapter(client LambdaClient, accountID string, region stri
 		ListInput:       &lambda.ListFunctionsInput{},
 		GetFunc:         functionGetFunc,
 		AdapterMetadata: lambdaFunctionAdapterMetadata,
-		cache:        cache,
+		cache:           cache,
 		GetInputMapper: func(scope, query string) *lambda.GetFunctionInput {
 			return &lambda.GetFunctionInput{
 				FunctionName: &query,

diff --git a/aws-source/adapters/lambda-function_test.go b/aws-source/adapters/lambda-function_test.go
@@ -2,6 +2,8 @@ package adapters
 
 import (
 	"context"
+	"encoding/json"
+	"strings"
 	"testing"
 	"time"
 
@@ -169,9 +171,39 @@ func (t *TestLambdaClient) GetPolicy(ctx context.Context, params *lambda.GetPoli
 	}, nil
 }
 
-func TestFunctionGetFunc(t *testing.T) {
+func TestFunctionGetFuncRedactsEnvironmentVariables(t *testing.T) {
 	item, err := functionGetFunc(context.Background(), &TestLambdaClient{}, "foo", &lambda.GetFunctionInput{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	attrMap := item.GetAttributes().GetAttrStruct().AsMap()
+	config, ok := attrMap["Configuration"].(map[string]any)
+	if !ok {
+		t.Fatalf("expected Configuration in attributes, got %T", attrMap["Configuration"])
+	}
+
+	if env, ok := config["Environment"].(map[string]any); ok {
+		if _, hasVariables := env["Variables"]; hasVariables {
+			t.Errorf("expected Configuration.Environment.Variables to be redacted, got %v", env["Variables"])
+		}
+	}
 
+	// Ensure env var names and values do not appear anywhere in attributes.
+	attrJSON, err := json.Marshal(attrMap)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, secret := range []string{"sns_arn", "aws-controltower-AggregateSecurityNotifications"} {
+		if strings.Contains(string(attrJSON), secret) {
+			t.Errorf("expected attributes not to contain %q, got %s", secret, attrJSON)
+		}
+	}
+}
+
+func TestFunctionGetFunc(t *testing.T) {
+	item, err := functionGetFunc(context.Background(), &TestLambdaClient{}, "foo", &lambda.GetFunctionInput{})
 	if err != nil {
 		t.Error(err)
 	}

diff --git a/aws-source/module/provider/.github/workflows/release.yml b/aws-source/module/provider/.github/workflows/release.yml
@@ -46,7 +46,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v7
         with:
           # renovate: datasource=github-releases depName=goreleaser/goreleaser
-          version: "v2.15.4"
+          version: "v2.16.0"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/go.mod b/go.mod
@@ -24,12 +24,12 @@ require (
 	cloud.google.com/go/auth v0.20.0
 	cloud.google.com/go/auth/oauth2adapt v0.2.8
 	cloud.google.com/go/bigquery v1.77.0
-	cloud.google.com/go/bigtable v1.47.0
+	cloud.google.com/go/bigtable v1.48.0
 	cloud.google.com/go/certificatemanager v1.14.0
-	cloud.google.com/go/compute v1.63.0
+	cloud.google.com/go/compute v1.64.0
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/container v1.52.0
-	cloud.google.com/go/dataplex v1.34.0
+	cloud.google.com/go/dataplex v1.35.0
 	cloud.google.com/go/dataproc/v2 v2.22.0
 	cloud.google.com/go/eventarc v1.23.0
 	cloud.google.com/go/filestore v1.15.0
@@ -51,7 +51,7 @@ require (
 	connectrpc.com/connect v1.20.0 // v1.19.0 was faulty, wait until it is above this version
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.3
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/batch/armbatch/v4 v4.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7 v7.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v3 v3.4.0
@@ -65,40 +65,40 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/postgresql/armpostgresqlflexibleservers/v5 v5.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2 v2.1.0
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.7
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql/v2 v2.0.0-beta.8
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3 v3.0.0
 	github.com/Masterminds/semver/v3 v3.5.0
 	github.com/MrAlias/otel-schema-utils v0.4.0-alpha
 	github.com/auth0/go-jwt-middleware/v3 v3.2.0
-	github.com/aws/aws-sdk-go-v2 v1.41.7
-	github.com/aws/aws-sdk-go-v2/config v1.32.17
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.16
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23
-	github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.0
-	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.2
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.0
-	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.0
-	github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.17
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.3
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.303.0
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.80.0
-	github.com/aws/aws-sdk-go-v2/service/efs v1.41.16
-	github.com/aws/aws-sdk-go-v2/service/eks v1.84.0
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.25
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.12
-	github.com/aws/aws-sdk-go-v2/service/iam v1.53.10
-	github.com/aws/aws-sdk-go-v2/service/kms v1.52.0
-	github.com/aws/aws-sdk-go-v2/service/lambda v1.90.1
-	github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.60.1
-	github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.0
-	github.com/aws/aws-sdk-go-v2/service/rds v1.118.2
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.7
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0
-	github.com/aws/aws-sdk-go-v2/service/sns v1.39.17
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.42.27
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.6
-	github.com/aws/aws-sdk-go-v2/service/sts v1.42.1
-	github.com/aws/smithy-go v1.25.1
+	github.com/aws/aws-sdk-go-v2 v1.41.8
+	github.com/aws/aws-sdk-go-v2/config v1.32.19
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.18
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.40.1
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.66.3
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.64.1
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.57.1
+	github.com/aws/aws-sdk-go-v2/service/directconnect v1.38.18
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.57.5
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.304.1
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.81.1
+	github.com/aws/aws-sdk-go-v2/service/efs v1.41.17
+	github.com/aws/aws-sdk-go-v2/service/eks v1.84.1
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.33.26
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.54.13
+	github.com/aws/aws-sdk-go-v2/service/iam v1.53.11
+	github.com/aws/aws-sdk-go-v2/service/kms v1.52.1
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.90.2
+	github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.61.1
+	github.com/aws/aws-sdk-go-v2/service/networkmanager v1.42.1
+	github.com/aws/aws-sdk-go-v2/service/rds v1.118.3
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.102.1
+	github.com/aws/aws-sdk-go-v2/service/sns v1.39.18
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.42.28
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.7
+	github.com/aws/aws-sdk-go-v2/service/sts v1.42.2
+	github.com/aws/smithy-go v1.26.0
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/glamour v0.10.0
 	github.com/coder/websocket v1.8.14
@@ -159,8 +159,8 @@ require (
 	golang.org/x/sync v0.20.0
 	golang.org/x/text v0.37.0
 	gonum.org/v1/gonum v0.17.0
-	google.golang.org/api v0.280.0
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94
+	google.golang.org/api v0.282.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa
 	google.golang.org/grpc v1.81.1
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af
 	gopkg.in/ini.v1 v1.67.2
@@ -178,15 +178,13 @@ require (
 	atomicgo.dev/schedule v0.1.0 // indirect
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
-	cloud.google.com/go/longrunning v0.9.0 // indirect
+	cloud.google.com/go/longrunning v1.0.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v3 v3.0.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.56.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.56.0 // indirect
 	github.com/ProtonMail/go-crypto v1.4.1 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/alecthomas/chroma/v2 v2.16.0 // indirect
@@ -197,17 +195,17 @@ require (
 	github.com/apache/arrow/go/v15 v15.0.2 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.12.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
@@ -249,7 +247,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.16 // indirect
 	github.com/gookit/color v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
@@ -350,7 +348,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect