[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/milestone 0.42.0

CI build-dev is failing because it uses yaml-cpp from the system that is too old and does not support as<std::unoredered_map<>>: jbeder/yaml-cpp#932
I think we should actually enforce the bundle yaml-cpp for that CI (that yaml-cpp version is also hit by jbeder/yaml-cpp#1318 and jbeder/yaml-cpp#1319)

EDIT: fixed by porting the code to use a std::map.

Example rule output with:

static_fields:
  foo: bar
  foo2: ${HOME}

👇

11:01:07.833224783: Notice A shell was spawned in a container with an attached terminal | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/usr/bin/bash parent=containerd-shim command=bash terminal=34816 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=0f361b374116 container_name=compassionate_antonelli container_image_repository=ubuntu container_image_tag=24.04 k8s_pod_name=<NA> k8s_ns_name=<NA> static_foo2=/root static_foo=bar

Relevant PRs have been merged in libs master; once #3592 is merged i will rebase this one and get it ready.