Skip to content
Falco: Container Native Runtime Security
C++ CMake Lua Shell Python Dockerfile Other
Branch: dev
Clone or download
LoganSteinberg and leodido Fix typo
Signed-off-by: Logan <>
Latest commit 19f69f4 Sep 18, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github docs: update the PR template with better areas Sep 16, 2019
cmake/modules new: cmake modules for git revision description Jul 26, 2019
cpack/debian Add ability to read rules files from directories (#348) Apr 6, 2018
docker docs: specify labels that apply to each area Sep 16, 2019
examples docs: specify labels that apply to each area Sep 16, 2019
integrations docs: specify labels that apply to each area Sep 16, 2019
rules docs: specify labels that apply to each area Sep 16, 2019
scripts fix(scripts/jenkins): ensure to pull docker images (falco builder and… Jul 26, 2019
test docs: specify labels that apply to each area Sep 16, 2019
tests docs: specify labels that apply to each area Sep 16, 2019
userspace docs: specify labels that apply to each area Sep 16, 2019
.clang-format chore: clang format following the current style Jul 3, 2019
.cmake-format new: cmake format file Jul 8, 2019
.gitignore fix: ignore build files generated by the regression tests Aug 13, 2019
.luacheckrc new: luacheck basic config Jul 10, 2019
.travis.yml chore: moving travis build script in scripts directory Jul 26, 2019
.yamllint.conf new: YAML lint configuration Jul 10, 2019 Fix typo Sep 18, 2019 docs: update changelog Sep 13, 2019
CMakeCPackOptions.cmake update: revert formatting Jul 2, 2019
CMakeLists.txt new: download all dependencies over https Aug 17, 2019 docs: markdown code of conduct Sep 13, 2019 docs: markdown code of conduct Sep 13, 2019
COPYING Change license to Apache 2.0 (#419) Sep 20, 2018 docs: markdown governance Sep 13, 2019
MAINTAINERS docs: add lorenzo and leonardo as maintainers May 24, 2019
OWNERS new: add @kris-nova to owners Aug 13, 2019 fix: office hours are bi-weekly Aug 21, 2019
falco.yaml Change log timestamp to ISO8601 w/ timezone (#518) Apr 9, 2019


Latest release

v0.17.0 Read the change log

Dev Branch: Build Status
Master Branch: Build Status
CII Best Practices: CII Best Practices

Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.

Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the Falco CNCF project proposal.

What kind of behaviors can Falco detect?

Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:

  • A shell is running inside a container.
  • A container is running in privileged mode, or is mounting a sensitive path, such as /proc, from the host.
  • A server process is spawning a child process of an unexpected type.
  • Unexpected read of a sensitive file, such as /etc/shadow.
  • A non-device file is written to /dev.
  • A standard system binary, such as ls, is making an outbound network connection.

Installing Falco

A comprehensive installation guide for Falco is available in the documentation website.

How do you compare Falco with other security tools?

One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a blog post comparing Falco with other tools.


See Falco Documentation to quickly get started using Falco.

Join the Community

  • Join the mailing list for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings.
  • Website for Falco.
  • Join our Public Slack channel for open source Sysdig and Falco announcements and discussions.

Office hours

Falco has bi-weekly office hour style meetings where we plan our work on the project. You can get a Google calendar invite by joining the mailing list. It will automatically be sent.

Wednesdays at 8am Pacific on Zoom.

License Terms

Falco is licensed to you under the Apache 2.0 open source license.


See the

You can’t perform that action at this time.