{"id":15190173,"url":"https://github.com/moolen/secco","last_synced_at":"2026-02-04T15:01:37.621Z","repository":{"id":78060091,"uuid":"252391381","full_name":"moolen/secco","owner":"moolen","description":":shield: auto-generate seccomp profiles for Kubernetes","archived":false,"fork":false,"pushed_at":"2020-04-06T19:26:35.000Z","size":54,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-14T19:12:58.477Z","etag":null,"topics":["ebpf","kubernetes","seccomp","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moolen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-02T07:57:49.000Z","updated_at":"2024-06-19T07:55:08.735Z","dependencies_parsed_at":"2023-02-24T11:30:31.442Z","dependency_job_id":null,"html_url":"https://github.com/moolen/secco","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/moolen/secco","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fsecco","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fsecco/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fsecco/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fsecco/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moolen","download_url":"https://codeload.github.com/moolen/secco/tar.gz/refs/h
eads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fsecco/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261685834,"owners_count":23194174,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kubernetes","seccomp","security"],"created_at":"2024-09-27T20:05:36.762Z","updated_at":"2026-02-04T15:01:32.540Z","avatar_url":"https://github.com/moolen.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secco [PoC]\n\nTrace the syscalls of a specific container.\n\n## Prerequisites\n* a reasonably [recent kernel version](https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md)\n* kernel headers\n* libbcc installed, [see here](https://github.com/iovisor/bcc/blob/master/INSTALL.md)\n* seccomp dev lib `libseccomp-dev`\n\n## Running\n```sh\n# run in a different shell\n$ docker run -it alpine:3.10\n[alpine] $\n\n$ make binary\n$ docker ps\nCONTAINER ID [...]\n79f589ed1d8c [...]\n$ sudo ./bin/secco --id 79f589ed1d8c\n\n# inside the container\n[alpine] $ apk add curl\n\n# stop secco and see the syscalls\nmap[access:3 arch_prctl:8 bind:1 brk:3234 chroot:2 close:381 connect:3 dup2:4 execve:9 exit_group:5 fallocate:3 fchdir:2 fchmod:1 fchownat:20 fcntl:41 flock:1 fork:5 fstat:161 fstatfs:1 getcwd:4 getdents64:13 geteuid:2 getpid:4 getppid:3 getsockname:1 gettid:5 getuid:5 ioctl:11 lseek:12 lstat:152 madvise:4 mkdirat:5 mmap:27 mprotect:20 munmap:7 newfstatat:98 open:329 openat:52 poll:53 read:1967 readlink:2 recvfrom:3 rename:1 renameat:61 rt_sigaction:35 rt_sigprocmask:23 
rt_sigreturn:2 sendfile:149 sendto:26 set_tid_address:8 setpgid:2 setsockopt:10 socket:4 stat:9 statfs:1 symlink:456 symlinkat:2 umask:4 uname:3 unlinkat:22 utimensat:17 vfork:1 wait4:14 write:239 writev:57]\n```\n\n## Use-cases\n\n#### Profiling Applications\nAs a developer I want to capture a seccomp profile of my application before it goes to production.\n\nAssumptions:\n* We run on Kubernetes, of course\n* A developer deploys a Pod to a staging environment for integration. This is the target environment for testing\n* There is a need for a base profile which should be extended\n* We cannot capture all syscalls (e.g. solisten)\n\n#### Securing Applications\nAs a security/operations person I want to run workloads securely using seccomp profiles. However, there is no standard way of synchronizing/delivering seccomp profiles to the nodes running the workloads.\n\nAvailable APIs:\n* PodSecurityPolicy: enforces a set of security policies on Pods\n* Seccomp profiles at container and Pod level using annotations. [This is not yet GA](https://github.com/kubernetes/enhancements/pull/1148).\n\n```yaml\nannotations:\n  seccomp.security.alpha.kubernetes.io/pod: \"localhost/profile.json\"\n```\n\n```yaml\nannotations:\n  container.security.alpha.kubernetes.io/\u003ccontainer-name\u003e: \"localhost/profile.json\"\n```\n\n## PoC Proposal\nSatellite DaemonSet\n* runs a gRPC service\n  * to start/stop a seccomp profiler (returns a JSON response)\n    * (?) can we lock down read/write calls to specific directories?\n  * to sync seccomp profiles from the core component\n  * for later: run an \"enforcer\" for the OCI runtime to check what is actually running\n\nCore/UI component\n* UI: start/stop the profiler to create a seccomp profile from an existing/running Pod\n* create a minimum viable BASE seccomp profile (general purpose)\n  * a user should be able to extend a certain base profile\n* migrate existing profiles\n* push profiles to satellites\n\nWebhook (optional)\n* mutate Pods to add the seccomp annotation based on label matching configured in the UI\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoolen%2Fsecco","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoolen%2Fsecco","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoolen%2Fsecco/lists"}