{"id":13416275,"url":"https://github.com/falcosecurity/falco","last_synced_at":"2026-05-25T20:04:19.565Z","repository":{"id":37318719,"uuid":"49986046","full_name":"falcosecurity/falco","owner":"falcosecurity","description":"Cloud Native Runtime Security","archived":false,"fork":false,"pushed_at":"2026-01-14T15:42:58.000Z","size":21384,"stargazers_count":8568,"open_issues_count":67,"forks_count":975,"subscribers_count":122,"default_branch":"master","last_synced_at":"2026-01-14T23:43:08.860Z","etag":null,"topics":["cloud-native","cncf","cncf-project","containers","ebpf","falco","hacktoberfest","kubernetes","runtime-security","security"],"latest_commit_sha":null,"homepage":"https://falco.org","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/falcosecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"Contributing.md","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":"audits/SECURITY_AUDIT_2019_07.pdf","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-01-19T21:58:12.000Z","updated_at":"2026-01-14T20:40:25.000Z","dependencies_parsed_at":"2025-12-12T15:05:16.920Z","dependency_job_id":null,"html_url":"https://github.com/falcosecurity/falco","commit_stats":{"total_commits":3407,"total_committers":206,"mean_commits":"16.538834951456312","dds":0.8567654828294687,"last_synced_commit":"03285f41408bf88ef60fbf550440a8455b4678e1"},"previous_names":["draios/falco"],"tags_count":180,"template":false,"template_full_name":null,"purl":"pkg:github/falcosecurity/falco","repository_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/falcosecurity%2Ffalco","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/falcosecurity%2Ffalco/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/falcosecurity%2Ffalco/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/falcosecurity%2Ffalco/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/falcosecurity","download_url":"https://codeload.github.com/falcosecurity/falco/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/falcosecurity%2Ffalco/sbom","scorecard":{"id":391790,"data":{"date":"2025-08-18T00:10:03Z","repo":{"name":"github.com/falcosecurity/falco","commit":"6adc54c92f00c7dd535323bba2bf9f02acf6eb14"},"scorecard":{"version":"v4.13.1","commit":"49c0eed3a423f00c872b5c3c9f1bbca9e8aae799"},"score":7.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"7 out of 7 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are 
merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"36 different organizations found -- score normalized to 10","details":["Info: contributors work for apple,argoproj,aurora,bpftools,chainguard-dev,check-spelling,cncf,confcon,coreos,cosi-project,coveo,datadog,draios,draios (sysdig),falcosecurity,falcosecurity-retire,freebsd-docker,garnercorp,github,idiap,iovisor,jenkinsci,kong,krateoplatformops,kubicorn,liqotech,netgroup-polito,nivenly,pcns-falco,peaklyio,safety bits,safetybitsio,seqeralabs,suse,sysdig,wolfi-dev"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: tool 'Dependabot' is used: 
.github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. 
(Medium effort)","Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)","Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)","Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 
commit(s) out of 30 and 12 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"no published package detected","details":["Warn: no GitHub/GitLab publishing workflow detected"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":-1,"reason":"internal error: error parsing shell code: docker/driver-loader-buster/Dockerfile:1:5: unclosed here-document 'EOF'","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/falcosecurity/.github/SECURITY.md:1","Info: Found linked content: github.com/falcosecurity/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/falcosecurity/.github/SECURITY.md:1","Info: Found text in security policy: 
github.com/falcosecurity/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 5 artifacts are signed or have provenance","details":["Warn: release artifact 0.41.3 does not have provenance: https://api.github.com/repos/falcosecurity/falco/releases/229053101","Warn: release artifact 0.41.3 not signed: https://api.github.com/repos/falcosecurity/falco/releases/229053101","Warn: release artifact 0.41.2 does not have provenance: https://api.github.com/repos/falcosecurity/falco/releases/225821046","Warn: release artifact 0.41.2 not signed: https://api.github.com/repos/falcosecurity/falco/releases/225821046","Warn: release artifact 0.41.1 does not have provenance: https://api.github.com/repos/falcosecurity/falco/releases/223286115","Warn: release artifact 0.41.1 not signed: https://api.github.com/repos/falcosecurity/falco/releases/223286115","Warn: release artifact 0.41.0 does not have provenance: https://api.github.com/repos/falcosecurity/falco/releases/221749271","Warn: release artifact 0.41.0 not signed: https://api.github.com/repos/falcosecurity/falco/releases/221749271","Warn: release artifact 0.40.0 does not have provenance: https://api.github.com/repos/falcosecurity/falco/releases/197092169","Warn: release artifact 0.40.0 not signed: https://api.github.com/repos/falcosecurity/falco/releases/197092169"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/bump-libs.yaml:1: Visit 
https://app.stepsecurity.io/secureworkflow/falcosecurity/falco/bump-libs.yaml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/bump-libs.yaml:18: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:22","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yaml:29","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yaml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/codespell.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/engine-version-weakcheck.yaml:13","Warn: no topLevel permission defined: .github/workflows/format.yaml:1: Visit https://app.stepsecurity.io/secureworkflow/falcosecurity/falco/format.yaml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/insecure-api.yaml:10","Warn: no topLevel permission defined: .github/workflows/master.yaml:1: Visit https://app.stepsecurity.io/secureworkflow/falcosecurity/falco/master.yaml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. 
(Low effort)","Warn: no topLevel permission defined: .github/workflows/release.yaml:1: Visit https://app.stepsecurity.io/secureworkflow/falcosecurity/falco/release.yaml/master?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yaml:136: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_build_dev.yaml:37","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_build_docker.yaml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_build_packages.yaml:35","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_fetch_version.yaml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_publish_docker.yaml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/reusable_publish_docker.yaml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_publish_packages.yaml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_test_packages.yaml:25","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yaml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/staticanalysis.yaml:5"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"no vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T17:59:40.136Z","repository_id":37318719,"created_at":"2025-08-18T17:59:40.136Z","updated_at":"2025-08-18T17:59:40.136Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28534148,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"online","status_checked_at":"2026-01-18T02:00:07.578Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","cncf","cncf-project","containers","ebpf","falco","hacktoberfest","kubernetes","runtime-security","security"],"created_at":"2024-07-30T21:00:56.302Z","updated_at":"2026-05-25T20:04:19.558Z","avatar_url":"https://github.com/falcosecurity.png","language":"C++","funding_links":[],"categories":["Tools","Container Operations","C++","Containers","Container Tools","\u003ca name=\"cpp\"\u003e\u003c/a\u003eC++","Container","2 Defensive","Kubernetes","Tools and Libraries","Repositories / Tools","Инструменты","Container Security Scanners","Compliance, Governance, and Safety for AI Ops","Security","Security \u0026 Compliance","Security and Supply Chain","security","一、核心工具集（按场景分类）","语音识别与合成_其他","Application Recommendation","工具：覆盖攻防全流程的实用利器","Defensive (D3FEND-aligned lifecycle)","0x02 工具 :hammer_and_wrench:","Official projects","Companion Tools","Container 
and Kubernetes Security","Open Source Projects","Container Security","🔐 Supply Chain \u0026 Runtime Security"],"sub_categories":["Kubernetes","Security","MultiCloud Governance","2.7 Tools","Kubernetes runtime security","Security and Compliance","Detection","Defending","Container Runtime","Monitoring","Reverse Proxy","Streaming Operations","10. 安全与合规（防护风险）","资源传输下载","🔒 Cybersecurity","4. 运行时监控（实时发现异常行为）","🛡️ Detection Engineering","2 云原生工具","Repositories","Container and Runtime","Runtime Security","Image Distribution \u0026 Caching"],"readme":"# Falco\n\n[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)\n\n[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard\u0026style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices\u0026style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)\n\n[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)\n\n[Falco](https://falco.org/) is a cloud native 
runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.\n\nAt its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.\n\nFalco, originally created by [Sysdig](https://sysdig.com), is a **graduated project** under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).\n\nFor detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.\n\nFor comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md).\n\n## The Falco Project\n\nThe Falco Project codebase is maintained under the [falcosecurity GitHub organization](https://github.com/falcosecurity). The primary repository, [falcosecurity/falco](https://github.com/falcosecurity/falco), holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. 
Notable [core repositories](https://github.com/falcosecurity/evolution?tab=readme-ov-file#core) include:\n\n- [falcosecurity/libs](https://github.com/falcosecurity/libs): This repository hosts Falco's core libraries, which constitute the majority of the binary’s source code and provide essential features, such as kernel drivers.\n- [falcosecurity/rules](https://github.com/falcosecurity/rules): It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.\n- [falcosecurity/plugins](https://github.com/falcosecurity/plugins): This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.\n- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): A command-line utility designed for managing and interacting with Falco.\n- [falcosecurity/charts](https://github.com/falcosecurity/charts): This repository publishes Helm charts for deploying Falco and its ecosystem. The Falco chart source lives in [`chart/falco`](chart/falco).\n\nFor further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution).\n\n## Getting Started with Falco\n\nIf you're new to Falco, begin your journey with our [Getting Started](https://falco.org/docs/getting-started/) guide. 
For production deployments, please refer to our comprehensive [Setup](https://falco.org/docs/setup/) documentation.\n\nAs final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.\n\n### Demo Environment\n\nA demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)\n\n## Join the Community\n\nTo get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.\n\nIf you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.\n\nHow to reach out?\n\n - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io).\n - Join the [Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev).\n - File an [issue](https://github.com/falcosecurity/falco/issues) or make feature requests.\n\n## Commitment to Falco's Own Security\n\nFull reports of various security audits can be found [here](./audits/).\n\nIn addition, you can refer to the [falco](https://github.com/falcosecurity/falco/security) and [libs](https://github.com/falcosecurity/libs/security) security sections for detailed updates on security advisories and policies.\n\nTo report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).\n\n## Building\n\nFor comprehensive, step-by-step instructions on building Falco from source, please refer to the [official 
documentation](https://falco.org/docs/developer-guide/source/).\n\n## Testing\n\n\u003cdetails\u003e\n\t\u003csummary\u003eExpand Testing Instructions\u003c/summary\u003e\n\nFalco's [Build Falco from source](https://falco.org/docs/developer-guide/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.\n\nHere's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:\n\n```bash\ncmake \\\n-DUSE_BUNDLED_DEPS=ON \\\n-DBUILD_DRIVER=ON \\\n-DBUILD_FALCO_MODERN_BPF=ON \\\n-DCREATE_TEST_TARGETS=ON \\\n-DBUILD_FALCO_UNIT_TESTS=ON ..;\n```\n\nBuild and run the unit test suite:\n\n```bash\nnproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');\nmake -j$(($nproc-1)) falco_unit_tests;\n# Run the tests\nsudo ./unit_tests/falco_unit_tests;\n```\n\nOptionally, build the driver of your choice and test run the Falco binary to perform manual tests.\n\nLastly, The Falco Project has moved its Falco regression tests to [falcosecurity/testing](https://github.com/falcosecurity/testing).\n\n\n\u003c/details\u003e\n\n\u003c/br\u003e\n\n## How to Contribute\n\nPlease refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.\n\n## FAQs\n\n### Why is Falco in C++ rather than Go or {language}?\n\n\u003cdetails\u003e\n\t\u003csummary\u003eExpand Information\u003c/summary\u003e\n\n1. The first lines of code at the base of Falco were written some time ago, when Go didn't yet have the same level of maturity and adoption as today.\n2. 
The Falco execution model is sequential and single-threaded due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.\n3. The Falco code deals with very low-level programming in many places, and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.\n4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control over memory allocation, which the Go runtime can't provide (there's also garbage collection involved).\n5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.\n6. Go is not a requirement for having statically-linked binaries. In fact, we have provided fully-static Falco builds for a few years. The only issue with those is that the plugin system can't be supported with the dynamic library model we currently have.\n7. The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.\n8. In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugins being statically linked at compilation time and so released as bundled in the Falco binary. Although no work has started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.\n9. 
Memory safety is definitely a concern and we try our best to keep a high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase from time to time. None of this makes a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.\n10. The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resources and with a high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, until we reach an optimal level of stability, quality, and modularity on that portion of code. 
This would allow further developments to be smoother and more feasible in the future.\n\n\u003c/details\u003e\n\u003c/br\u003e\n\n### What's next for Falco?\n\nStay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.\n\n## License\n\nFalco is licensed to you under the [Apache 2.0](./COPYING) open source license.\n\n## Resources\n\n - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)\n - [Code Of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md)\n - [Maintainers Guidelines](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS_GUIDELINES.md)\n - [Maintainers List](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS.md)\n - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)\n - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)\n - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)\n - [Release Process](RELEASE.md)\n - [Setup documentation](https://falco.org/docs/setup/)\n - [Troubleshooting](https://falco.org/docs/troubleshooting/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffalcosecurity%2Ffalco","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffalcosecurity%2Ffalco","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffalcosecurity%2Ffalco/lists"}