fix: dockerhub auto update description

.github/workflows/release.yml

@@ -47,6 +47,24 @@
       registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
       registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+  update-docker-readme:
+    needs: [build-docker-image]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Docker Hub Description
+        uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: digintlab/opencti-connector
+          readme-filepath: ./DOCKERHUB.md
+
   sign-image:
     needs: [build-docker-image]
     runs-on: ubuntu-latest

DOCKERHUB.md

@@ -2,85 +2,111 @@
 
 An [OpenCTI](https://github.com/OpenCTI-Platform/OpenCTI) external-import connector that ingests ransomware and data-leak announcements from the [Double Extortion Platform (DEP)](https://doubleextortion.com/) and converts them into STIX 2.1 entities.
 
-> **Requires OpenCTI ≥ 6.8.13** — A valid DEP subscription (username, password, and API key) is needed.
+> **Requires OpenCTI >= 6.8.13** and valid DEP credentials: username, password, API key, and Cognito client ID.
 
 ---
 
 ## What it does
 
 - Authenticates against the DEP AWS Cognito identity provider
-- Polls the DEP REST API on a configurable interval and maps each announcement to an OpenCTI **Report** by default, or an **Incident** when `DEP_PRIMARY_OBJECT=incident`
-- Creates **Organization** identities for victim companies
-- Optionally creates **Sector** identities and links victims via a `part-of` relationship
+- Polls the DEP REST API on a configurable interval
+- Models each DEP announcement as an OpenCTI **Report** by default, or an **Incident** when `DEP_PRIMARY_OBJECT=incident`
+- Creates **Organization** identities for victims
+- Optionally creates **Sector** identities, **Intrusion Sets**, and **Country** locations
 - Optionally generates **Indicators** for victim domains and leak hash identifiers
-- Links generated indicators to the victim with `related-to`
-- Attaches announcement-type labels (e.g. `dep:announcement-type:pii`) to the primary object
-- Maintains connector state with a configurable overlap window to capture late DEP updates
+- Adds announcement-type labels such as `dep:announcement-type:pii`
+- Maintains connector state with an overlap window to catch late DEP updates
 
 ---
 
 ## Quick start
 
-    docker run --rm \
-      -e OPENCTI_URL=https://your-opencti \
-      -e OPENCTI_TOKEN=your-token \
-      -e DEP_USERNAME=your-username \
-      -e DEP_PASSWORD=your-password \
-      -e DEP_API_KEY=your-api-key \
-      -e DEP_CLIENT_ID=your-cognito-client-id \
-      opencti/connector-digintlab-dep:latest
+The simplest way to run the connector is to mount a `config.yml` file at `/app/config.yml`:
+
+```bash
+docker run --rm \
+  -v "$(pwd)/config.yml:/app/config.yml:ro" \
+  opencti/connector-digintlab-dep:rolling
+```
+
+Environment variables override values from `config.yml`. A minimal env-only example is:
+
+```bash
+docker run --rm \
+  -e OPENCTI_URL=https://your-opencti \
+  -e OPENCTI_TOKEN=your-token \
+  -e CONNECTOR_ID=change-me \
+  -e CONNECTOR_TYPE=EXTERNAL_IMPORT \
+  -e CONNECTOR_NAME="DEP Connector" \
+  -e CONNECTOR_SCOPE=report,incident,identity,indicator \
+  -e DEP_USERNAME=your-username \
+  -e DEP_PASSWORD=your-password \
+  -e DEP_API_KEY=your-api-key \
+  -e DEP_CLIENT_ID=your-cognito-client-id \
+  opencti/connector-digintlab-dep:rolling
+```
 
 ---
 
 ## Configuration
 
-All values can be set via environment variables (which take precedence) or via a mounted `config.yml`.
+The connector loads configuration from `OPENCTI_CONFIG_FILE` when set, otherwise from `/app/config.yml`. Environment variables take precedence over YAML values.
 
 ### Required
 
-| Environment variable | Description                  |
-| -------------------- | ---------------------------- |
-| `OPENCTI_URL`        | URL of your OpenCTI platform |
-| `OPENCTI_TOKEN`      | OpenCTI API token            |
-| `DEP_USERNAME`       | DEP portal username          |
-| `DEP_PASSWORD`       | DEP portal password          |
-| `DEP_API_KEY`        | API key issued by DEP        |
-| `DEP_CLIENT_ID`      | AWS Cognito App Client ID    |
+| Environment variable | Description |
+| -------------------- | ----------- |
+| `OPENCTI_URL` | URL of your OpenCTI platform |
+| `OPENCTI_TOKEN` | OpenCTI API token |
+| `CONNECTOR_ID` | Unique connector identifier |
+| `CONNECTOR_TYPE` | Connector type, typically `EXTERNAL_IMPORT` |
+| `CONNECTOR_NAME` | Connector display name |
+| `CONNECTOR_SCOPE` | Connector scope, typically `report,incident,identity,indicator` |
+| `DEP_USERNAME` | DEP portal username |
+| `DEP_PASSWORD` | DEP portal password |
+| `DEP_API_KEY` | API key issued by DEP |
+| `DEP_CLIENT_ID` | AWS Cognito App Client ID |
 
 ### Optional
 
-| Environment variable           | Default                                                   | Description                                           |
-| ------------------------------ | --------------------------------------------------------- | ----------------------------------------------------- |
-| `CONNECTOR_RUN_INTERVAL`       | `3600`                                                    | Polling interval in seconds                           |
-| `DEP_CONFIDENCE`               | `70`                                                      | Confidence score on generated STIX objects            |
-| `DEP_LOOKBACK_DAYS`            | `7`                                                       | Days to look back on first run                        |
-| `DEP_OVERLAP_HOURS`            | `72`                                                      | Overlap hours from previous run to catch late updates |
-| `DEP_DSET`                     | `ext`                                                     | Dataset to query (e.g. `ext`, `sanctions`)            |
-| `DEP_PRIMARY_OBJECT`           | `report`                                                  | Primary STIX object to emit: `report` or `incident`   |
-| `DEP_EXTENDED_RESULTS`         | `true`                                                    | Request extended leak information                     |
-| `DEP_ENABLE_SITE_INDICATOR`    | `true`                                                    | Create a domain indicator per victim                  |
-| `DEP_ENABLE_HASH_INDICATOR`    | `true`                                                    | Create a hash indicator when a hash is provided       |
-| `DEP_SKIP_EMPTY_VICTIM`        | `true`                                                    | Skip items where victim name is empty or n/a          |
-| `DEP_CREATE_SECTOR_IDENTITIES` | `true`                                                    | Create sector identities and link victims             |
-| `DEP_LOGIN_ENDPOINT`           | `https://cognito-idp.eu-west-1.amazonaws.com/`            | Cognito login endpoint                                |
-| `DEP_API_ENDPOINT`             | `https://api.eu-ep1.doubleextortion.com/v1/dbtr/privlist` | DEP REST endpoint                                     |
+| Environment variable | Default | Description |
+| -------------------- | ------- | ----------- |
+| `CONNECTOR_RUN_INTERVAL` | `3600` | Polling interval in seconds |
+| `DEP_CONFIDENCE` | `70` | Confidence score on generated STIX objects |
+| `DEP_LOOKBACK_DAYS` | `7` | Days to look back on first run |
+| `DEP_OVERLAP_HOURS` | `72` | Overlap hours from previous run to catch late updates |
+| `DEP_DSET` | `ext` | DEP dataset to query |
+| `DEP_PRIMARY_OBJECT` | `report` | Primary STIX object to emit: `report` or `incident` |
+| `DEP_EXTENDED_RESULTS` | `true` | Request extended DEP results |
+| `DEP_ENABLE_SITE_INDICATOR` | `true` | Create a domain indicator per victim |
+| `DEP_ENABLE_HASH_INDICATOR` | `true` | Create a hash indicator when a hash is provided |
+| `DEP_SKIP_EMPTY_VICTIM` | `true` | Skip items where victim name is empty, `n/a`, or `none` |
+| `DEP_CREATE_SECTOR_IDENTITIES` | `true` | Create sector identities and link victims with `part-of` |
+| `DEP_CREATE_INTRUSION_SETS` | `true` | Create intrusion sets from DEP actor values |
+| `DEP_CREATE_COUNTRY_LOCATIONS` | `true` | Create country locations and link victims with `located-at` |
+| `DEP_LOGIN_ENDPOINT` | `https://cognito-idp.eu-west-1.amazonaws.com/` | Cognito login endpoint |
+| `DEP_API_ENDPOINT` | `https://api.eu-ep1.doubleextortion.com/v1/dbtr/privlist` | DEP REST endpoint |
 
 ---
 
 ## Docker Compose
 
-A full `docker-compose.yml` (including a local OpenCTI stack) is available in the [source repository](https://github.com/DigintLab/opencti-connector).
-
-    dep-connector:
-      image: opencti/connector-digintlab-dep:latest
-      environment:
-        - OPENCTI_URL=http://opencti:8080
-        - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
-        - DEP_USERNAME=${DEP_USERNAME}
-        - DEP_PASSWORD=${DEP_PASSWORD}
-        - DEP_API_KEY=${DEP_API_KEY}
-        - DEP_CLIENT_ID=${DEP_CLIENT_ID}
-      restart: always
+A full `docker-compose.yml` with a local OpenCTI stack is available in the [source repository](https://github.com/DigintLab/opencti-connector).
+
+```yaml
+dep-connector:
+  image: opencti/connector-digintlab-dep:rolling
+  restart: always
+  volumes:
+    - ./config.yml:/app/config.yml:ro
+  environment:
+    - OPENCTI_URL=http://opencti:8080
+    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
+    - DEP_USERNAME=${DEP_USERNAME}
+    - DEP_PASSWORD=${DEP_PASSWORD}
+    - DEP_API_KEY=${DEP_API_KEY}
+    - DEP_CLIENT_ID=${DEP_CLIENT_ID}
+```
 
 ---