KubeCon + CloudNativeCon Amsterdam | March 30 – April 2 | Best Pricing Ends February 2 | Learn more

TOC Votes to Move Falco into CNCF Incubator

Today, the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee (TOC) voted to accept Falco as an incubation-level hosted project.

Falco, which entered the CNCF Sandbox in October 2018, is an open source Kubernetes runtime security project. It provides intrusion and abnormality detection for cloud native platforms such as Kubernetes, Mesosphere, and Cloud Foundry. 

Given the opaque nature of containers, organizations require deeper insight into container activities. The Falco project was created by Sysdig to better understand container behavior, and to share these insights with organizations, allowing them to protect their container platforms from possible malicious activity. 

“Runtime security is a critical piece in a cloud-native security story and essential for anyone taking cloud-native security seriously,” said Kris Nova, Chief Open Source Advocate at Sysdig. “Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions.” 

By leveraging open source Linux kernel instrumentation, Falco gains deep insight into system behavior. The rules engine can then detect abnormal activity in applications, containers, the underlying host, and the container platform. In the event of unexpected behavior at runtime, Falco detects and alerts, reducing the risk of a security incident. It can send these alerts via Slack, Fluentd, NATS, and more. 

Main Falco Features:

  • Strengthen security – Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
  • Reduce riskImmediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
  • Leverage up-to-date rulesAlert using community-sourced detections of malicious activity and CVE exploits.

Notable Milestones:

  • 257% increase in downloads
  • 8.5 million downloads 
  • 100 percent increase in commits year-over-year
  • 64 committers
  • More than 2000 GitHub stars
  • 55 contributors, including engineers from Frame.io, Shopify, Snap, and Booz Allen Hamilton 

Since joining the CNCF sandbox, the Falco community has focused on making the project easier to adopt. Project maintainers have implemented a governance model, which sets guidelines and standards for both contributors and maintainers to ensure the project’s compliance and health. Falco was also made available in the Google marketplace. The Falco community also created an operator that is available in the OperatorHub.io.

“Runtime container security tools like Falco provide the visibility necessary for development teams to feel safe plugging them into their stack,” said Chris Aniszczyk, CTO/COO of the Cloud Native Computing Foundation. “During its time in the Sandbox, Falco has seen impressive growth and end user adoption, and we look forward to seeing the advancements the community continues to make.” 

While in the Incubator, Falco will focus on moving to an API-first architecture, which enables the community to begin developing integrations with other tools, including Prometheus, Envoy, and Kubernetes.

As a CNCF hosted project, joining incubating technologies like OpenTracing, gRPC, CNI, Notary, NATS, Linkerd, Helm, Rook, Harbor, etcd, OPA, and CRI-O, Falco is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach.

Every CNCF project has an associated maturity level: sandbox, incubating, or graduated project. For more information on what qualifies a technology for each level, please visit the CNCF Graduation Criteria v.1.3.

To get started with Falco, visit its Falco GitHub page. To get involved, attend the weekly office hours calls to discuss feature work, open issues, and repository planning.

Learn more about Falco, visit www.falco.org.