atomic_svc: heal a missing enterprise-attack.json even when repo is up to date #68
Merged
…date

The startup refresh only ran 'git reset --hard' when the ART checkout was behind upstream, so a deleted enterprise-attack.json was NOT restored when the repo was already at the latest commit. The plugin then imported every ability under the 'redcanary-unknown' tactic instead of its real ATT&CK tactic.

Restore the STIX (and any other deleted tracked file) via 'git checkout' from the local object store whenever it is found missing after the fetch/update step. This needs no network, so it also heals an offline checkout.

Verified: deleting only enterprise-attack.json (repo present, up to date) now restores it on boot and re-imports 1754 abilities across all 15 tactics rather than collapsing them into redcanary-unknown.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Problem

PR #67 added a startup refresh, but it only ran 'git reset --hard' when the ART checkout was behind upstream. If 'enterprise-attack.json' was deleted while the repo was already at the latest commit, the refresh returned early and the STIX was never restored. The plugin then fell back to importing every ability under the 'redcanary-unknown' tactic instead of its real ATT&CK tactic.

Fix

After the fetch/update step, if 'atomic_red_team/enterprise-attack.json' is missing, restore it with 'git checkout -- <path>' from the local object store. This needs no network, so it also heals an offline checkout, and it covers any other deleted tracked file too.

Testing (live server)

enterprise-attack.json (repo present + up to date), restart: redcanary-unknown (1 tactic dir).

🤖 Generated with Claude Code
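The restore step described in this PR, as an added example that is not the plugin's own code. It assumes 'git ls-files --deleted' to enumerate missing tracked files (the page only names 'git checkout -- <path>'), uses the hypothetical helper names heal_missing and demo, and builds a throwaway repository with constructed content to show that the deleted STIX comes back while a locally modified file is left alone.

```python
import subprocess
import tempfile
from pathlib import Path

STIX = "atomic_red_team/enterprise-attack.json"  # path named in the PR description


def git(repo, *args):
    """Run git inside `repo` and return stdout; raises on a non-zero exit."""
    return subprocess.run(["git", "-C", str(repo), *args], check=True,
                          capture_output=True, text=True).stdout


def heal_missing(repo, required=STIX):
    """Hypothetical helper: if `required` is gone, restore every deleted tracked file.

    Only the local object store is read, so this works offline. Files that are
    modified but still present are not touched, unlike 'git reset --hard'.
    """
    if (Path(repo) / required).exists():
        return []
    deleted = [p for p in git(repo, "ls-files", "--deleted", "-z").split("\0") if p]
    if deleted:
        git(repo, "checkout", "--", *deleted)
    return deleted


def demo():
    """Constructed repo: commit a stand-in STIX file, delete it, then heal it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        git(repo, "init", "-q")
        stix = repo / STIX
        stix.parent.mkdir(parents=True)
        stix.write_text('{"type": "bundle"}\n')      # constructed content
        local = repo / "local.txt"
        local.write_text("v1\n")
        git(repo, "add", "-A")
        git(repo, "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
            "-c", "commit.gpgsign=false", "commit", "-q", "-m", "seed")
        local.write_text("local edit\n")             # modified, not deleted
        stix.unlink()                                 # simulate the missing STIX
        restored = heal_missing(repo)
        return restored, stix.read_text(), local.read_text(), heal_missing(repo)


if __name__ == "__main__":
    print(demo())
```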