Falco
Apache-2.0 · Container Security · C++
Falco is a cloud-native runtime security tool originally created by Sysdig and now a CNCF graduated project. It monitors system calls in real time using eBPF or a kernel module to detect abnormal behavior, intrusions, and data theft in containers, Kubernetes clusters, and Linux hosts. Falco ships with a comprehensive rule set covering the MITRE ATT&CK framework, detecting events such as shell spawning in containers, unauthorized process execution, sensitive file access, network connections to suspicious destinations, and privilege escalation attempts. Rules are written in a human-readable YAML format and can be customized to match any organization's security requirements. Falco integrates with Kubernetes admission controllers to enforce security policies at deploy time, and its output can be routed to Slack, PagerDuty, SIEM systems, or any webhook endpoint for alerting.
Installation
Helm (Kubernetes)
$ helm repo add falcosecurity https://falcosecurity.github.io/charts && helm install falco falcosecurity/falco
apt (Debian/Ubuntu)
$ curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg && sudo apt install falco
Docker
$ docker run --rm -i -t --privileged falcosecurity/falco
Use Cases
- Detecting shell spawning and unauthorized process execution inside containers
- Monitoring for sensitive file access and credential theft on Kubernetes nodes
- Alerting on network connections to known malicious destinations from pods
- Enforcing runtime security policies across container orchestration environments
- Detecting privilege escalation attempts and container escape techniques
Details
- Category
- Container Security
- Language
- C++
- Repository
- falcosecurity/falco
- License
- Apache-2.0
- Platforms
- linux
Alternatives & Comparisons
Trivy (Go)
Comprehensive vulnerability scanner for containers, filesystems, git repos, and Kubernetes with SBOM generation.
Grype (Go)
Vulnerability scanner for container images and filesystems that matches installed packages against known CVEs.
kube-hunter (Python)
Kubernetes penetration testing tool. Hunts for security weaknesses in Kubernetes clusters from inside or outside the network.
CDK (Go)
Container escape and exploitation toolkit. Zero-dependency binary for container pentesting with escape exploits and post-exploitation tools.
Deepce (Shell)
Docker enumeration and privilege escalation. Discover Docker containers, check for misconfigurations, and find escape paths.
More in Container Security
Dockle (Go)
Container image linter. Checks Docker images for security best practices, CIS benchmarks, and Dockerfile misconfigurations.
Syft (Go)
Software Bill of Materials generator. Creates SBOMs from container images and filesystems in SPDX and CycloneDX formats.