This repository is the central hub for the Falco Plugin ecosystem. It serves two main purposes:
- Be a registry: A comprehensive catalog of plugins recognized by The Falco Project, regardless of where their source code is hosted.
- Monorepo for Falcosecurity plugins: Official plugins hosted and maintained by The Falco Project, with robust release and distribution processes.
For more information about the plugin system’s architecture and concepts, please see the official documentation.
The registry contains metadata and information about every plugin known and recognized by the Falcosecurity organization. It lists plugins hosted either in this repository or in other repositories. These plugins are developed for Falco and made available to the community.
See Registering a Plugin to learn how to add your plugin to this registry.
The tables below list all the plugins currently registered. The tables are automatically generated from the registry.yaml file.
Name | Capabilities | Description |
---|---|---|
plugin-id-zero-value | Event Sourcing (ID: 0) | This ID is reserved for particular purposes and cannot be registered. A plugin author should not use this ID unless specified by the documentation. Authors: N/A. License: N/A |
test | Event Sourcing (ID: 999, `test`) | This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID. Authors: N/A. License: N/A |
k8saudit | Event Sourcing (ID: 1, `k8s_audit`); Field Extraction (`k8s_audit`) | Read Kubernetes Audit Events and monitor Kubernetes Clusters. Authors: The Falco Authors. License: Apache-2.0 |
cloudtrail | Event Sourcing (ID: 2, `aws_cloudtrail`); Field Extraction (`aws_cloudtrail`) | Reads CloudTrail JSON logs from files/S3 and injects them as events. Authors: The Falco Authors. License: Apache-2.0 |
json | Field Extraction (All Sources) | Extract values from any JSON payload. Authors: The Falco Authors. License: Apache-2.0 |
dummy | Event Sourcing (ID: 3, `dummy`); Field Extraction (`dummy`) | Reference plugin used to document interface. Authors: The Falco Authors. License: Apache-2.0 |
dummy_c | Event Sourcing (ID: 4, `dummy_c`); Field Extraction (`dummy_c`) | Like dummy, but written in C++. Authors: The Falco Authors. License: Apache-2.0 |
docker | Event Sourcing (ID: 5, `docker`); Field Extraction (`docker`) | Docker Events. Authors: Thomas Labarussias. License: Apache-2.0 |
seccompagent | Event Sourcing (ID: 6, `seccompagent`); Field Extraction (`seccompagent`) | Seccomp Agent Events. Authors: Alban Crequy. License: Apache-2.0 |
okta | Event Sourcing (ID: 7, `okta`); Field Extraction (`okta`) | Okta Log Events. Authors: The Falco Authors. License: Apache-2.0 |
github | Event Sourcing (ID: 8, `github`); Field Extraction (`github`) | GitHub Webhook Events. Authors: The Falco Authors. License: Apache-2.0 |
k8saudit-eks | Event Sourcing (ID: 9, `k8s_audit`); Field Extraction (`k8s_audit`) | Read Kubernetes Audit Events from AWS EKS Clusters. Authors: The Falco Authors. License: Apache-2.0 |
nomad | Event Sourcing (ID: 10, `nomad`); Field Extraction (`nomad`) | Read HashiCorp Nomad Events Stream. Authors: Alberto Llamas. License: Apache-2.0 |
dnscollector | Event Sourcing (ID: 11, `dnscollector`); Field Extraction (`dnscollector`) | DNS Collector Events. Authors: Daniel Moloney. License: Apache-2.0 |
gcpaudit | Event Sourcing (ID: 12, `gcp_auditlog`); Field Extraction (`gcp_auditlog`) | Read GCP Audit Logs. Authors: The Falco Authors. License: Apache-2.0 |
syslogsrv | Event Sourcing (ID: 13, `syslogsrv`); Field Extraction (`syslogsrv`) | Syslog Server Events. Authors: Maksim Nabokikh. License: Apache-2.0 |
salesforce | Event Sourcing (ID: 14, `salesforce`); Field Extraction (`salesforce`) | Falco plugin providing basic runtime threat detection and auditing logging for Salesforce. Authors: Andy. License: Apache-2.0 |
box | Event Sourcing (ID: 15, `box`); Field Extraction (`box`) | Falco plugin providing basic runtime threat detection and auditing logging for Box. Authors: Andy. License: Apache-2.0 |
k8smeta | Field Extraction (`syscall`) | Enrich Falco syscall flow with Kubernetes Metadata. Authors: The Falco Authors. License: Apache-2.0 |
k8saudit-gke | Event Sourcing (ID: 16, `k8s_audit`); Field Extraction (`k8s_audit`) | Read Kubernetes Audit Events from GKE Clusters. Authors: The Falco Authors. License: Apache-2.0 |
journald | Event Sourcing (ID: 17, `journal`); Field Extraction (`journal`) | Read Journald events into Falco. Authors: Grzegorz Nosek. License: Apache-2.0 |
kafka | Event Sourcing (ID: 18, `kafka`) | Read events from Kafka topics into Falco. Authors: Hunter Madison. License: Apache-2.0 |
gitlab | Event Sourcing (ID: 19, `gitlab`); Field Extraction (`gitlab`) | Falco plugin providing basic runtime threat detection and auditing logging for GitLab. Authors: Andy. License: Apache-2.0 |
keycloak | Event Sourcing (ID: 20, `keycloak`); Field Extraction (`keycloak`) | Falco plugin for sourcing and extracting Keycloak user/admin events. Authors: Mattia Forcellese. License: Apache-2.0 |
k8saudit-aks | Event Sourcing (ID: 21, `k8s_audit`); Field Extraction (`k8s_audit`) | Read Kubernetes Audit Events from AWS AKS Clusters. Authors: The Falco Authors. License: Apache-2.0 |
k8saudit-ovh | Event Sourcing (ID: 22, `k8s_audit`); Field Extraction (`k8s_audit`) | Read Kubernetes Audit Events from OVHcloud MKS Clusters. Authors: Aurélie Vache. License: Apache-2.0 |
dummy_rs | Event Sourcing (ID: 23, `dummy_rs`); Field Extraction (`dummy_rs`) | Like dummy, but written in Rust. Authors: The Falco Authors. License: Apache-2.0 |
container | Field Extraction (`syscall`) | Enrich Falco syscall flow with Container Metadata. Authors: The Falco Authors. License: Apache-2.0 |
Along with the registry, this repository hosts the official plugins maintained by the Falcosecurity organization. Each plugin is an independent project with its own directory in the plugins folder.
The `main` branch reflects the latest development state, and plugins are released on a regular basis. Development builds are published automatically when a Pull Request is merged into `main`, while stable builds are released only when a new tag is created. You can find all published artifacts at download.falco.org. For details on the release process, please see our Release Process.
The installation instructions below apply only to plugins from this repository.
Plugins hosted in this repository are built and distributed through Falco's official channels. You can easily install them using either falcoctl or the Falco Helm chart.
- Install falcoctl: If you haven't already, follow the falcoctl installation guide.
- Install a Plugin: Execute the following commands, replacing `<plugin-name>` with the name of the plugin you wish to install:

  ```bash
  falcoctl index update falcosecurity
  falcoctl artifact install <plugin-name>
  ```

  Depending on your environment, you may need to run the above commands with `sudo`.
- Configure Falco to load the plugin as described in the plugin's documentation.
When installing Falco using the Helm chart, you can instruct the chart to install a specific plugin by setting the `falcoctl.config.artifact.install.refs` value and then adding the relevant plugin configuration under `falco`.
The Helm chart provides a preset values-k8saudit.yaml file that can be used to install the `k8saudit` plugin or as an example for installing other plugins.
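A values file that follows the two steps above for `k8saudit`, written here as an added example and not copied from the chart's preset or from this repository. It assumes the plugin's webhook listens on port 9765 at `/k8s-audit`; the service name and `nodePort` are illustrative.

```yaml
# Added example values file (not the chart's values-k8saudit.yaml).
# Assumed: k8saudit listens as a webhook on port 9765 at /k8s-audit;
# the service name and nodePort below are illustrative.

# k8saudit consumes audit events, not syscalls, so no driver is needed.
driver:
  enabled: false
collectors:
  enabled: false

# One replica is enough to receive the audit webhook.
controller:
  kind: deployment
  deployment:
    replicas: 1

falcoctl:
  artifact:
    install:
      enabled: true   # init container that downloads the artifacts
  config:
    artifact:
      install:
        resolveDeps: true
        # Append ":<tag>" to a ref to pin a release instead of taking latest.
        refs: [k8saudit, json]

# Expose the webhook so the API server can post audit events to it.
# The listener below is plain HTTP: limit which hosts can reach this port.
services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765
        nodePort: 30007
        protocol: TCP

falco:
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config: ""
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  # Only plugins listed here are loaded; names must match the entries above.
  load_plugins: [k8saudit, json]
```

Rules for the `k8s_audit` source still have to be supplied separately; this file only installs and loads the plugins.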
If you want to help and wish to contribute, please review our contribution guidelines. Code contributions are always encouraged and welcome!
If you wish to contribute a plugin to The Falco Project, simply open a Pull Request to add your plugin to the `/plugins` folder and update the registry accordingly. Note that to be hosted in this repository, plugins must be licensed under the Apache 2.0 License.
This project is licensed to you under the Apache 2.0 Open Source License.