https://github.com/falcosecurity/plugins

Falco plugins registry

# Plugins

[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) [![License](https://img.shields.io/github/license/falcosecurity/rules?style=for-the-badge)](./LICENSE)

This repository is the central hub for the Falco Plugin ecosystem. It serves two main purposes:

- **Be a registry:** A comprehensive catalog of plugins recognized by The Falco Project, regardless of where their source code is hosted.
- **Monorepo for Falcosecurity plugins:** Official plugins hosted and maintained by The Falco Project, with robust release and distribution processes.

For more information about the plugin system’s architecture and concepts, please see the [official documentation](https://falco.org/docs/plugins).

---

## Plugin Registry

The registry contains metadata and information about every plugin known and recognized by the Falcosecurity organization. It lists plugins hosted either in this repository or in other repositories. These plugins are developed for Falco and made available to the community.

> Check out [Registering a Plugin](./docs/registering-a-plugin.md) to learn how to add your plugin to this registry.

### Registered Plugins

The tables below list all the plugins currently registered. The tables are automatically generated from the [registry.yaml](./registry.yaml) file.

| Name | Capabilities | Description |
| --- | --- | --- |
| plugin-id-zero-value | **Event Sourcing**<br/>ID: 0<br/>`` | This ID is reserved for particular purposes and cannot be registered. A plugin author should not use this ID unless specified by the documentation.<br/><br/>Authors: N/A<br/>License: N/A |
| test | **Event Sourcing**<br/>ID: 999<br/>`test` | This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID.<br/><br/>Authors: N/A<br/>License: N/A |
| [k8saudit](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit) | **Event Sourcing**<br/>ID: 1<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events and monitor Kubernetes Clusters<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [cloudtrail](https://github.com/falcosecurity/plugins/tree/main/plugins/cloudtrail) | **Event Sourcing**<br/>ID: 2<br/>`aws_cloudtrail`<br/>**Field Extraction**<br/>`aws_cloudtrail` | Reads Cloudtrail JSON logs from files/S3 and injects as events<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [json](https://github.com/falcosecurity/plugins/tree/main/plugins/json) | **Field Extraction**<br/>*All Sources* | Extract values from any JSON payload<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy) | **Event Sourcing**<br/>ID: 3<br/>`dummy`<br/>**Field Extraction**<br/>`dummy` | Reference plugin used to document interface<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy_c](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_c) | **Event Sourcing**<br/>ID: 4<br/>`dummy_c`<br/>**Field Extraction**<br/>`dummy_c` | Like dummy, but written in C++<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [docker](https://github.com/Issif/docker-plugin) | **Event Sourcing**<br/>ID: 5<br/>`docker`<br/>**Field Extraction**<br/>`docker` | Docker Events<br/><br/>Authors: [Thomas Labarussias](https://github.com/Issif)<br/>License: Apache-2.0 |
| [seccompagent](https://github.com/kinvolk/seccompagent) | **Event Sourcing**<br/>ID: 6<br/>`seccompagent`<br/>**Field Extraction**<br/>`seccompagent` | Seccomp Agent Events<br/><br/>Authors: [Alban Crequy](https://github.com/kinvolk/seccompagent)<br/>License: Apache-2.0 |
| [okta](https://github.com/falcosecurity/plugins/tree/main/plugins/okta) | **Event Sourcing**<br/>ID: 7<br/>`okta`<br/>**Field Extraction**<br/>`okta` | Okta Log Events<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [github](https://github.com/falcosecurity/plugins/tree/main/plugins/github) | **Event Sourcing**<br/>ID: 8<br/>`github`<br/>**Field Extraction**<br/>`github` | Github Webhook Events<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-eks](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-eks) | **Event Sourcing**<br/>ID: 9<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from AWS EKS Clusters<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [nomad](https://github.com/albertollamaso/nomad-plugin/tree/main) | **Event Sourcing**<br/>ID: 10<br/>`nomad`<br/>**Field Extraction**<br/>`nomad` | Read Hashicorp Nomad Events Stream<br/><br/>Authors: [Alberto Llamas](https://github.com/albertollamaso/nomad-plugin/issues)<br/>License: Apache-2.0 |
| [dnscollector](https://github.com/SysdigDan/dnscollector-falco-plugin) | **Event Sourcing**<br/>ID: 11<br/>`dnscollector`<br/>**Field Extraction**<br/>`dnscollector` | DNS Collector Events<br/><br/>Authors: [Daniel Moloney](https://github.com/SysdigDan/dnscollector-falco-plugin/issues)<br/>License: Apache-2.0 |
| [gcpaudit](https://github.com/falcosecurity/plugins/tree/main/plugins/gcpaudit) | **Event Sourcing**<br/>ID: 12<br/>`gcp_auditlog`<br/>**Field Extraction**<br/>`gcp_auditlog` | Read GCP Audit Logs<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [syslogsrv](https://github.com/nabokihms/syslogsrv-falco-plugin/tree/main/plugins/syslogsrv) | **Event Sourcing**<br/>ID: 13<br/>`syslogsrv`<br/>**Field Extraction**<br/>`syslogsrv` | Syslog Server Events<br/><br/>Authors: [Maksim Nabokikh](https://github.com/nabokihms/syslogsrv-falco-plugin/issues)<br/>License: Apache-2.0 |
| [salesforce](https://github.com/an1245/falco-plugin-salesforce/) | **Event Sourcing**<br/>ID: 14<br/>`salesforce`<br/>**Field Extraction**<br/>`salesforce` | Falco plugin providing basic runtime threat detection and auditing logging for Salesforce<br/><br/>Authors: [Andy](https://github.com/an1245/falco-plugin-salesforce/issues)<br/>License: Apache-2.0 |
| [box](https://github.com/an1245/falco-plugin-box/) | **Event Sourcing**<br/>ID: 15<br/>`box`<br/>**Field Extraction**<br/>`box` | Falco plugin providing basic runtime threat detection and auditing logging for Box<br/><br/>Authors: [Andy](https://github.com/an1245/falco-plugin-box/issues)<br/>License: Apache-2.0 |
| [k8smeta](https://github.com/falcosecurity/plugins/tree/main/plugins/k8smeta) | **Field Extraction**<br/>`syscall` | Enrich Falco syscall flow with Kubernetes Metadata<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-gke](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke) | **Event Sourcing**<br/>ID: 16<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from GKE Clusters<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [journald](https://github.com/gnosek/falco-journald-plugin) | **Event Sourcing**<br/>ID: 17<br/>`journal`<br/>**Field Extraction**<br/>`journal` | Read Journald events into Falco<br/><br/>Authors: [Grzegorz Nosek](https://github.com/gnosek/falco-journald-plugin)<br/>License: Apache-2.0 |
| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing**<br/>ID: 18<br/>`kafka` | Read events from Kafka topics into Falco<br/><br/>Authors: [Hunter Madison](https://falco.org/community)<br/>License: Apache-2.0 |
| [gitlab](https://github.com/an1245/falco-plugin-gitlab) | **Event Sourcing**<br/>ID: 19<br/>`gitlab`<br/>**Field Extraction**<br/>`gitlab` | Falco plugin providing basic runtime threat detection and auditing logging for GitLab<br/><br/>Authors: [Andy](https://github.com/an1245/falco-plugin-gitlab/issues)<br/>License: Apache-2.0 |
| [keycloak](https://github.com/mattiaforc/falco-keycloak-plugin) | **Event Sourcing**<br/>ID: 20<br/>`keycloak`<br/>**Field Extraction**<br/>`keycloak` | Falco plugin for sourcing and extracting Keycloak user/admin events<br/><br/>Authors: [Mattia Forcellese](https://github.com/mattiaforc/falco-keycloak-plugin/issues)<br/>License: Apache-2.0 |
| [k8saudit-aks](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-aks) | **Event Sourcing**<br/>ID: 21<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from Azure AKS Clusters<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-ovh](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-ovh) | **Event Sourcing**<br/>ID: 22<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from OVHcloud MKS Clusters<br/><br/>Authors: [Aurélie Vache](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy_rs](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_rs) | **Event Sourcing**<br/>ID: 23<br/>`dummy_rs`<br/>**Field Extraction**<br/>`dummy_rs` | Like dummy, but written in Rust<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [container](https://github.com/falcosecurity/plugins/tree/main/plugins/container) | **Field Extraction**<br/>`syscall` | Enrich Falco syscall flow with Container Metadata<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [krsi](https://github.com/falcosecurity/plugins/tree/main/plugins/krsi) | **Field Extraction**<br/>`syscall` | Security (KRSI) events support for Falco<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [collector](https://github.com/falcosecurity/plugins/tree/main/plugins/collector) | **Event Sourcing**<br/>ID: 24<br/>`collector` | Generic collector to ingest raw payloads into Falco<br/><br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |

## Falcosecurity Plugins

Along with the registry, this repository hosts the official plugins maintained by the Falcosecurity organization. Each plugin is an independent project with its own directory in the [plugins folder](https://github.com/falcosecurity/plugins/tree/main/plugins).

The `main` branch reflects the latest development state, and plugins are released on a regular basis. Development builds are published automatically when a Pull Request is merged into `main`, while stable builds are released only when a new tag is created. You can find all published artifacts at [download.falco.org](https://download.falco.org/?prefix=plugins). For details on the release process, please see our [Release Process](./release.md).

The installation instructions below apply only to plugins from this repository.

### Installing Plugins

Plugins hosted in this repository are built and distributed through Falco's official channels. You can easily install them using either [falcoctl](https://github.com/falcosecurity/falcoctl) or the [Falco Helm chart](https://github.com/falcosecurity/charts/tree/master/charts/falco).

#### Using falcoctl

1. **Install falcoctl:** If you haven't already, follow the [falcoctl installation guide](https://github.com/falcosecurity/falcoctl?tab=readme-ov-file#installation).
2. **Install a Plugin:** Execute the following commands, replacing `<plugin-name>` with the name of the plugin you wish to install:
   ```bash
   falcoctl index update falcosecurity
   falcoctl artifact install <plugin-name>
   ```
   > Depending on your environment, you may need to run the above commands with `sudo`.
3. Configure Falco to load the plugin as described in the [plugin's documentation](https://falco.org/docs/concepts/plugins/usage/#loading-plugins-in-falco).

#### Using the Falco Helm Chart

When installing Falco using the Helm chart, you can instruct the chart to install a specific plugin by setting the `falcoctl.config.artifact.install.refs` value and then adding the relevant plugin configuration under `falco`.

The Helm chart provides a preset [values-k8saudit.yaml](https://github.com/falcosecurity/charts/blob/master/charts/falco/values-k8saudit.yaml) file that can be used to install the `k8saudit` plugin or as an example for installing other plugins.
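
As an added illustration (written for this page, not copied from the chart or its preset file), a minimal values file that combines the two settings described above for the `k8saudit` plugin. The `open_params` listener address and the unpinned artifact reference are assumptions to adapt; the `falco` section uses the same keys as `falco.yaml`, so it also covers the "configure Falco to load the plugin" step of the falcoctl procedure.

```yaml
# Added example values file; the values below are illustrative assumptions.
falcoctl:
  artifact:
    install:
      enabled: true          # run the falcoctl install step before Falco starts
  config:
    artifact:
      install:
        # Artifact to fetch from the falcosecurity index. A bare name resolves
        # to the latest published tag; append ":<tag>" to pin a release so that
        # upgrades happen only when you change this file.
        refs: [k8saudit]

falco:
  # Same structure as the `plugins` / `load_plugins` keys in falco.yaml.
  plugins:
    - name: k8saudit                 # must match the name used in load_plugins
      library_path: libk8saudit.so   # shared object installed by falcoctl
      init_config: ""
      # Assumed webhook listener for Kubernetes audit events; adjust the
      # port and path to your environment.
      open_params: "http://:9765/k8s-audit"
  # Only the plugins named here are loaded, even if others are present on disk.
  load_plugins: [k8saudit]
```

The listener port in `open_params` still has to be reachable by the Kubernetes API server's audit webhook, and detection rules for the `k8s_audit` source are installed as a separate artifact.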

## Contributing

If you want to help and wish to contribute, please review our [contribution guidelines](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md). Code contributions are always encouraged and welcome!

If you wish to contribute a plugin to The Falco Project, simply open a Pull Request to add your plugin to the `/plugins` folder and [update the registry accordingly](./docs/registering-a-plugin.md). Note that to be hosted in this repository, plugins must be licensed under the [Apache 2.0 License](./LICENSE).

### Enforcing coding style and repo policies locally

This repository supports enforcing coding style and policies locally through the `pre-commit` framework. `pre-commit`
lets you automatically install `git-hooks` that are executed at every new commit. The following is the list of
`git-hooks` defined in `.pre-commit-config.yaml` (note that some of them only target files written in a specific
language):

1. the `rust-fmt` hook - a `pre-commit` git hook running `rust fmt` on the staged changes
2. the `dco` hook - a `prepare-commit-msg` git hook that adds the `DCO` to the commit if not present

The following steps describe how to install these hooks.

#### Step 1

Install the `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).

> __Please note__: you have to follow only the "Installation" section.

#### Step 2

Install `pre-commit` git hooks:
```bash
pre-commit install --hook-type pre-commit --hook-type prepare-commit-msg --overwrite
```

## License

This project is licensed to you under the [Apache 2.0 Open Source License](./LICENSE).