
Anchore
Container security and compliance platform for scanning container images and software supply chains

Real-time kernel monitoring for cloud-native Linux security
Falco continuously watches Linux kernel events and container activity, applying customizable rules to detect abnormal behavior and threats, with metadata enrichment for Kubernetes and SIEM integration.

Falco is a runtime security agent that monitors Linux kernel syscalls and container events in real time. By applying a flexible, user‑defined rule set, it flags suspicious activity, from privilege escalations to unexpected network connections. The engine enriches alerts with metadata from container runtimes and Kubernetes, enabling precise context for incident response.
Falco can be deployed via Helm charts or the falcoctl CLI, fitting seamlessly into cloud‑native pipelines. Collected events can be streamed to SIEMs, data lakes, or processed by external plugins, allowing integration with existing security tooling. The project’s modular repositories—core libraries, official rules, plugins, and deployment charts—support focused development and easy contribution.
Designed for production use, Falco is a CNCF graduated project trusted by many organizations to provide continuous threat detection across bare‑metal, VM, and containerized environments.
Detect container escape attempts
Falco alerts when a process inside a container tries to access host resources, enabling immediate containment.
Monitor privileged system calls
Security analysts receive real‑time notifications of suspicious syscalls, such as `execve` of unexpected binaries.
Feed security events to a SIEM
Falco streams enriched alerts to a SIEM platform, supporting correlation with other telemetry.
Enforce compliance policies in Kubernetes
Custom rules validate pod configurations and runtime behavior against regulatory standards.
C++ provides low‑level control, deterministic memory management, and high throughput needed for kernel event processing, which Go's runtime cannot guarantee.
Falco supports eBPF and modern BPF probes as alternatives to traditional kernel modules, but some functionality may be limited.
Plugins are compiled as shared libraries and loaded at runtime; they can extend Falco with custom output sinks or enrichment sources.
Yes, Falco provides fully static builds, though static binaries cannot use the dynamic plugin system.
Falco can be installed via Helm charts, the falcoctl CLI, or manually using container images and docker‑compose for demo environments.