{"id":15176742,"url":"https://github.com/dentrax/falco-gpt","last_synced_at":"2025-10-26T13:31:38.969Z","repository":{"id":152874943,"uuid":"627084041","full_name":"Dentrax/falco-gpt","owner":"Dentrax","description":"AI-generated remediations for Falco audit events","archived":false,"fork":false,"pushed_at":"2023-09-07T06:57:33.000Z","size":789,"stargazers_count":69,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-31T19:28:18.617Z","etag":null,"topics":["audit-log","chatgpt","devops","falco","golang","kubernetes","openai","sre","sysdig","threat-hunting","tooling"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dentrax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-04-12T18:47:42.000Z","updated_at":"2024-09-13T09:45:15.000Z","dependencies_parsed_at":"2024-01-14T04:07:41.709Z","dependency_job_id":null,"html_url":"https://github.com/Dentrax/falco-gpt","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Ffalco-gpt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Ffalco-gpt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Ffalco-gpt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dentrax%2Ffalco-gpt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dentrax","download_url":"https://codeload.github.com/Dentrax/falco-gpt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238337485,"owners_count":19455318,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-log","chatgpt","devops","falco","golang","kubernetes","openai","sre","sysdig","threat-hunting","tooling"],"created_at":"2024-09-27T13:41:30.440Z","updated_at":"2025-10-26T13:31:33.438Z","avatar_url":"https://github.com/Dentrax.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003ca href=\"https://github.com/Dentrax/falco-gpt\" target=\"_blank\"\u003e\u003cimg height=\"128\" src=\"https://raw.githubusercontent.com/cncf/artwork/b4216a91b2c1976c2e7fd25f62ee4d3b2126b4a6/projects/falco/icon/color/falco-icon-color.png\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003efalco-gpt\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cstrong\u003e\n   falco-gpt is an OpenAI powered tool to generate remediation actions for Falco audit events\n \u003c/strong\u003e\n\u003c/div\u003e\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg?style=flat-square\" alt=\"MIT\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Dentrax/falco-gpt/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/release/Dentrax/falco-gpt.svg?style=flat-square\" alt=\"GitHub release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/Dentrax/falco-gpt\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/Dentrax/falco-gpt?style=flat-square\" alt=\"Go Report\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cbr /\u003e\n\n`falco-gpt` is an OpenAI powered tool to generate remediation actions for Falco audit events. It is a simple HTTP server\nthat listens for Falco audit events and pushes them to an internal NATS server acting like a queue. The queue is then\nprocessed by a goroutine that sends the audit events to OpenAI API by applying rate limiting and retries. The generated\nremediation actions are then sent to Slack via a BOT in a thread.\n\n# Screenshots\n\n![output-slack-4](./.res/output-slack-5.png)\n\n# Features\n\n* OpenAI powered\n* Async processing\n* Resiliency with retries\n* Rate limiting (queries per hour)\n* Custom prompt template\n* Limitation: Only Slack support for demo purposes\n\n# High Level Overview\n\n```bash\n                              +------------------------------------------------------+\n                              |                                                      |\n                              |                                        +----------+  |\n                              |                             +---------\u003e|          |  |\n                              |                             |          |  OpenAI  |  |\n+-------------+               | +-------------+       +-----+-------+  |    API   |  |\n|             |               | |             |       |  Retryable  |\u003c-+          |  |\n|    falco    |  Send audits  | |  falco-gpt  |Push To| Rate-Limited|  +----------+  |\n|  instances  +--------------\u003e| | HTTP Server +------\u003e|    Async    |                |\n|(http_output)|    [POST]     | |   (:8080)   |Buffer |    Queue    |  +----------+  |\n|             |               | |             |       |  Processor  |  |          |  |\n+-------------+               | +-------------+       +------+------+  |  Slack   |  |\n                              |                              |         |   BOT    |  |\n                              |                              +--------\u003e|          |  |\n                              |                                        +----------+  |\n                              |                                                      |\n                              +------------------------------------------------------+\n```\n\n# Installation\n\n## Prerequisites\n\n1. Export the following environment variables:\n\n- [OPENAI_TOKEN](https://platform.openai.com/account/api-keys)\n- [SLACK_TOKEN](https://api.slack.com/authentication/token-types#bot)\n\n2. [Falco](https://falco.org/docs/getting-started/installation/) with `http_output` enabled:\n\n```bash\nhelm upgrade --install falco falcosecurity/falco --namespace falco --create-namespace \\\n  --set falco.json_output=true \\\n  --set falco.http_output.enabled=true \\\n  --set falco.http_output.url=http://falco-gpt:8080\n```\n\n## Build\n\n### Build with [go](https://golang.org/)\n\n```bash\ngo build .\n```\n\n### Build with [ko](https://github.com/ko-build/ko/)\n\n```bash\nKO_DOCKER_REPO=\u003cREGISTRY\u003e LDFLAGS=\"-s -w\" ko publish -B --platform=linux/amd64 --tags latest --push=true .\n````\n\n## Deployment\n\nContainer Image:\n```bash\nfurkanturkal/falco-gpt:latest\n```\n\n### Kubernetes\n\n```bash\nenvsubst \u003c deployment.yaml | kubectl apply -n falco -f -\n```\n\n# Usage\n\n```bash\n$ go run . \u003cFLAGS\u003e\n\n  -channel string\n        Slack channel\n  -ignore-older int\n        Ignore events in queue older than X hour(s) (default 1)\n  -min-priority string\n        minimum priority to analyse (default \"warning\")\n  -model string\n        Backend AI model (default \"gpt-3.5-turbo\")\n  -port int\n        port to listen on (default 8080)\n  -qph int\n        max queries per HOUR to OpenAI (default 10)\n  -template-file string\n        path custom template file to use for the ChatGPT\n```\n\n# Disclaimer\n\nYour audit log payloads will be sent to OpenAI to generate remediation actions. This project currently does not\nanonymize the audit log payloads. Please be aware of this when using this tool if you are concerned about your sensitive\ndata. Use at your own risk. By using this tool, you agree that you are solely responsible for any and all consequences;\nand\nthat the author(s) of this tool are not liable for any damages or losses of any kind.\n\n# License\n\n*falco-gpt* was created by [Furkan 'Dentrax' Türkal](https://twitter.com/furkanturkaI)\n\nThe base project code is licensed under [MIT](https://opensource.org/licenses/MIT) unless otherwise specified. Please\nsee the **[LICENSE](https://github.com/Dentrax/falco-gpt/blob/main/LICENSE)** file for more information.\n\n\u003ckbd\u003eBest Regards\u003c/kbd\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdentrax%2Ffalco-gpt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdentrax%2Ffalco-gpt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdentrax%2Ffalco-gpt/lists"}