Falco Knowledge Base for AI Agents.

Falco is the Cloud Native Runtime Security tool, part of the CNCF.

Information in this repository corresponds to Falco version 0.44.x (released May 26, 2026).

Read the Getting Started guide for setup instructions and usage examples.

NOTE: This project is cumbersome and opinionated on purpose: it is optimized for accuracy, not for speed or resource consumption. Agents working with it re-read guidelines, consult the index before searching, and verify claims against the pinned sources — expect more tool calls and tokens in exchange for answers you can trust and verify. It has been mainly tested with Claude, but works nicely with Codex as well.

See AGENTS.md for detailed guidance on working with this repository.

After cloning, initialize the git submodules to populate the refs/ data sources:

make init

This is only needed if you want to access the original source repositories (e.g., to verify sources, create new digests, or run the Ingest workflow). The knowledge base content (digests/, specs/, skills/, agents/) works without submodules.

Data sources for the current era.

• falcosecurity/ - Official Falco GitHub organization (git submodules)
  • .github/ - Default community health files, contributing guidelines
  • charts/ - Helm charts for Kubernetes deployment
  • client-go/ - Go gRPC client for Falco outputs (DEPRECATED)
  • community/ - Community coordination, meeting notes
  • contrib/ - Community experiments (OUTDATED, UNTESTED)
  • dbg-go/ - Drivers Build Grid orchestration tool (Infra)
  • deploy-kubernetes/ - Pre-rendered Kubernetes manifests
  • driverkit/ - CLI tool for building kernel modules and eBPF probes
  • event-generator/ - Testing tool to generate suspect actions detected by Falco
  • evolution/ - Governance, repository map, maintainers
  • falco/ - Main Falco repository (binary, engine, outputs)
  • falco-actions/ - GitHub Actions for CI/CD security (Sandbox, Experimental)
  • falco-lsp/ - Language Server Protocol and VS Code extension for Falco rules (Incubating)
  • falco-operator/ - Kubernetes Operator for Falco (Incubating)
  • falco-playground/ - Browser-based rule validation using Falco Wasm (Sandbox, Experimental, Falco 0.37.1)
  • falco-website/ - Source for falco.org
  • falcoctl/ - Official CLI tool for Falco
  • falcosidekick/ - Fan-out daemon for Falco events (70+ outputs)
  • falcosidekick-ui/ - Web UI for Falcosidekick events (Incubating)
  • falco-talon/ - Response Engine for Falco events (Incubating, Experimental)
  • flycheck-falco-rules/ - Emacs Flycheck for Falco rules (OUTDATED)
  • k8s-metacollector/ - Centralized Kubernetes metadata collector for Falco
  • kernel-crawler/ - Kernel version discovery for driver building (Infra)
  • kernel-testing/ - Driver testing across kernels using Firecracker microVMs (Infra)
  • libs/ - Core libraries (libscap, libsinsp) and drivers
  • plugin-sdk-cpp/ - C++ header-only SDK for building Falco plugins
  • plugin-sdk-go/ - Go SDK for building Falco plugins
  • plugin-sdk-rs/ - Rust SDK for building Falco plugins
  • falco-rustlings/ - Interactive Rustlings exercises for Rust SDK learning
  • pigeon/ - GitHub Actions secrets/variables management (Infra)
  • plugins/ - Plugin registry and official plugins monorepo
  • prempti/ - Falco-powered policy and visibility layer for AI coding agents (Sandbox, Experimental)
  • rules/ - Official Falco detection rules
  • testing/ - Regression test suite for Falco and its ecosystem
  • syscalls-bumper/ - Syscall table automation for libs (Infra)
  • test-infra/ - Test infrastructure, Prow CI/CD, Drivers Build Grid (Infra)
• cncf/ - CNCF Foundation references
  • foundation/ - CNCF Foundation policies, charter, and governance
• falco-binary-report.md - Static analysis of local Falco binary installation
• proposals/ - Cross-repository proposals (unmerged PRs, WIP)
  • multi-thread-falco/ - Multi-thread Falco initiative (3 proposals, post-0.43, not implemented)

AI-optimized summaries of reference materials.

• falcosecurity/ - Digests for falcosecurity repositories
  • .github.md - Contributing guidelines, security policy, code review
  • charts.md - Helm charts, deployment patterns, configuration
  • client-go.md - Go gRPC client (DEPRECATED as of 0.43)
  • community.md - Community calls, blog guidelines, appreciation program
  • contrib.md - Community experiments (OUTDATED, UNTESTED, historical only)
  • dbg-go.md - Drivers Build Grid orchestration, config generation, S3 publishing (Infra)
  • deploy-kubernetes.md - Rendered manifests, pod structure, volumes
  • driverkit.md - Driver build tool, targets, builder images
  • event-generator.md - Testing tool, rule validation, benchmarking
  • evolution.md - Repository map, governance, maintainers, licensing
  • falco-actions.md - GitHub Actions for CI/CD security (Sandbox, real use case example)
  • falco-lsp.md - LSP, CLI tool (falco-lang), VS Code extension for Falco rules (Incubating)
  • falco-operator.md - Kubernetes Operator, 5 CRDs (Falco, Component, Rulesfile, Plugin, Config), artifact management, reference protection (Incubating)
  • falco-playground.md - Browser-based rule validation, Falco Wasm proof-of-concept (Sandbox, Falco 0.37.1)
  • falco/ - 6 digests (~115KB total)
    • README.md - Overview and navigation
    • architecture.md - Application lifecycle, event flow, libs integration
    • rule-language.md - Complete rule language specification
    • configuration.md - Full configuration reference
    • outputs.md - Alert output channels and formatting
    • cli-reference.md - CLI options and introspection
    • proposals.md - Design proposals, adoption/deprecation, roadmap
  • falco-website/ - 5 digests (~120KB total)
    • docs.md - Core documentation
    • blog.md - Blog posts (with era markers)
    • about.md - Use cases, FAQ, ecosystem
    • data.md - Adopters, features, config reference
    • community.md - Community info
  • falcoctl.md - CLI tool, OCI artifacts, driver management
  • falcosidekick/ - 1 digest
    • README.md - Overview, architecture, Falco integration
    • outputs.md - Complete output reference (70+ integrations)
  • falcosidekick-ui.md - Web UI for event visualization (Incubating, limited curation)
  • falco-talon.md - Response Engine for automated threat response (Incubating, Experimental)
  • flycheck-falco-rules.md - Emacs Flycheck plugin (OUTDATED, Oct 2023)
  • k8s-metacollector.md - Centralized K8s metadata streaming service
  • kernel-crawler.md - Kernel version discovery for driver building (Infra)
  • kernel-testing.md - Driver testing across kernels with Firecracker microVMs (Infra)
  • libs/ - 11 digests (~206KB total)
    • README.md - Overview and navigation
    • proposals-and-architecture.md - Design proposals, versioning, roadmap
    • architecture.md - Component relationships, event flow
    • kernel-instrumentation.md - Syscall hooks, kmod vs eBPF, data flow
    • modern-bpf.md - Modern eBPF driver (DEFAULT), CO-RE
    • libscap.md - System capture library
    • libsinsp.md - System inspection library
    • filtering.md - Filter language, operators, filterchecks
    • state-management.md - State tables, plugin state API
    • scap-file-format.md - .scap capture file format
    • plugin-framework.md - Plugin API
    • api-reference.md - Event types, flags
  • plugin-sdk-cpp.md - C++ header-only plugin SDK, mixin architecture, state tables
  • plugin-sdk-go.md - Plugin SDK, interfaces, event handling
  • plugin-sdk-rs.md - Rust plugin SDK, traits, strongly-typed events
  • falco-rustlings.md - Interactive Rustlings exercises, Sandbox status (January 2025)
  • prempti.md - Falco-powered policy and visibility layer for AI coding agents (Sandbox, Experimental Preview, Falco 0.43.0)
  • plugins/ - 5 digests (~115KB total)
    • ../plugins.md - Plugin registry, key plugins overview, OCI distribution
    • container.md - Container plugin architecture and implementation
    • json.md - JSON extractor plugin for parsing JSON event payloads
    • k8saudit.md - K8s Audit plugin for Kubernetes audit event monitoring
    • k8smeta.md - K8s metadata enrichment plugin (gRPC client for k8s-metacollector)
  • pigeon.md - GitHub Actions secrets/variables management from 1Password (Infra)
  • rules.md - Detection rules, maturity framework, versioning
  • testing.md - Regression test suite, test harness, CI integration
  • syscalls-bumper.md - Syscall table automation for libs (Infra)
  • test-infra/ - 5 digests (~165KB total)
    • README.md - Overview and navigation
    • prow-infrastructure.md - Prow components, AWS EKS, deployment, images, tools
    • prow-config.md - Configuration reference, plugins, Tide, branch protection
    • prow-jobs.md - Job catalog and build system
    • github-org-management.md - org.yaml, Peribolos, Poiana bot, teams
    • drivers-build-grid.md - DBG architecture, driver distribution
• cncf/ - Digests for CNCF Foundation references
  • foundation.md - CNCF IP policy, allowed licenses, container image guidance, copyright notices
• falco-binary-report.md - Static analysis of Falco binary (versions, dependencies, GLIBC, plugins)
• proposals/ - Cross-repository proposal digests
  • multi-thread-falco.md - Multi-thread Falco initiative (post-0.43, not implemented, 3 proposals)

Implementation-focused technical specifications (24 specs).

• README.md - Navigation hub, component map, reading order, dependency graph
• architecture-overview.md - System architecture, event pipeline, threading model
• kernel-instrumentation.md - Modern eBPF, kmod, syscall capture, event model
• libscap.md - System capture library, engine vtable, ring buffers, statistics
• libsinsp.md - Event parsing, state tables, thread/FD tracking, plugin integration
• filter-engine.md - Filter language, AST, operators, transformers, complete field reference
• rule-engine.md - Rule YAML schema, compilation pipeline, exceptions, ruleset management
• configuration.md - Config system, merging, all keys with types/defaults/maturity
• output-system.md - Alert channels, async queue, formatting, timeout handling
• plugin-system.md - Plugin API, five capabilities, lifecycle, state tables, official plugins
• metrics-and-observability.md - Internal metrics, stats, Prometheus, health monitoring
• application-lifecycle.md - App actions, startup/teardown, signal handling, hot reload
• cli-interface.md - CLI flags, introspection commands, exit codes
• falcoctl.md - Artifact/driver management, OCI distribution, Kubernetes integration
• build-system.md - CMake structure, dependencies, feature flags
• kubernetes-deployment.md - Helm charts, DaemonSet/Deployment, pod architecture, RBAC
• rules-content.md - Detection rules, maturity framework, tuning patterns, release process
• falcosidekick.md - Fan-out daemon, FalcoPayload data model, 70+ output integrations
• falco-operator.md - Kubernetes Operator, 5 CRDs, instance lifecycle and artifact management
• falco-lsp.md - Language Server, CLI tool (falco-lang), VS Code extension for Falco rules
• falco-talon.md - Response Engine, actionners, automated threat response in Kubernetes
• driver-distribution.md - Pre-built driver pipeline, kernel-crawler, driverkit, S3 distribution
• ci-cd-infrastructure.md - Prow components, AWS EKS, Tide merge automation, Pigeon secrets
• ci-cd-jobs.md - Prow job catalog, GitHub org management, OWNERS workflow
• ci-cd-github-actions.md - Falco Actions for CI/CD security, testing regression suite

AI agent skills following agentskills.io specification.

• falco-cli/ - Use Falco CLI for validation, introspection, and binary analysis without daemon mode
• falco-dev/ - Develop, build, test, and debug Falco core components using a devcontainer
• falco-rules-author/ - Author, validate, test, and iteratively tune Falco detection rules with Docker-based feedback loops
• falco-triage/ - Triage GitHub issues and PRs across falcosecurity repositories with knowledge-base-backed analysis
• falco-reviewer/ - Review PRs across falcosecurity repositories as a ghost writer for Falco maintainers, with security review and breaking change analysis

Clone this repository (skip if already cloned):

git clone https://github.com/leogr/falco-expert.git

Install individual skills by symlinking each skill directory:

mkdir -p ~/.claude/skills
ln -s "$(cd falco-expert && pwd)/skills/falco-cli" ~/.claude/skills/falco-cli
ln -s "$(cd falco-expert && pwd)/skills/falco-dev" ~/.claude/skills/falco-dev
ln -s "$(cd falco-expert && pwd)/skills/falco-rules-author" ~/.claude/skills/falco-rules-author
ln -s "$(cd falco-expert && pwd)/skills/falco-triage" ~/.claude/skills/falco-triage
ln -s "$(cd falco-expert && pwd)/skills/falco-reviewer" ~/.claude/skills/falco-reviewer

Pre-built AI agents powered by this knowledge base.

• falco-expert.md - Comprehensive Falco expert agent for Claude Code

Clone this repository (skip if already cloned):

git clone https://github.com/leogr/falco-expert.git

Install the falco-expert agent:

mkdir -p ~/.claude/agents
ln -s "$(cd falco-expert && pwd)/agents/falco-expert.md" ~/.claude/agents/falco-expert.md

Allow Claude Code to read the knowledge base without prompting (recommended for background agent execution). Add this to your ~/.claude/settings.json:

{
  "permissions": {
    "allow": [
      "Read(//<absolute-path-to-falco-expert>/**)"
    ]
  }
}

Replace <absolute-path-to-falco-expert> with the output of cd falco-expert && pwd. Note the // prefix for absolute paths.

Verify by running /agents in Claude Code.

Note: The agent already includes all five skills. Installing skills separately is only needed if you want to use them without the agent.

Predefined procedures for common operations.