Donate Falco Talon to Falcosecurity org [Incubation level]

[Issif]

Repository: https://github.com/falco-talon/falco-talon

Motivation

We all consider Falco as one of the best runtime security tools in the world, it has much more integrations with 3rd parties than any other project in the field (thanks to Falcosidekick), it can also collect and analyze any stream of events with its plugins. But since the beginning, the adopters ask for a key feature: the reaction.

With the integrations of well known FaaS in Falcosidekick, we started a series of blog posts to show how to create from scratch what we call a "response engine". All these systems are modular, flexible, robust, but they all require a lot of developments, to deal with the Falco payload format, the errors, the retries, the authentication to the API (AWS, Kubernetes Control Plane), the logs, the metrics, etc. Not all users and companies have the skills and/or the budgets to deal with that.

This is exactly to answer these needs, we designed and created Falco Talon, of which the first version is officially out.

Falco Talon, is a tailor made response engine, specifically crafted to work with Falco. The end users just have to write rules to correlated Falco events with actions to perform. The actions use "actionners", on catalog bundles, to respond in the best possible way.

To know more about the project, a whole website with its docs has been created: https://docs.falco-talon.org

From the beginning, the UX has been developed to be close to the Falco's. The rules files are yaml files, the rules can be overridden, action blocks can be re-used among the rules, like are the macros for Falco.

The project has been introduced to the community, in the Slack channel, and in the weekly community call, a few months ago. In the past months, some users already tested it and we gave talks at some events to show its features. It helped a lot the development by collecting really useful feedback.

The Docker images of the project have been pulled almost 100k times, showing a growing interest in the project:

With the release of the first GA version, to benefit of the traction of the falcosecurity organization, of poiana to manage the issues/PRs, to publish the helm chart of Talon with the other (and allow to set ip as a dependency for an easy install), and because the project is well advanced, I'm proposing to donate the Falco Talon project to the falcosecurity org at the Incubation level.

Edit: we will be 2 owners at the beginning:

• myself [@Issif ]
• Igor Eulalio [@IgorEulalio]

Thanks

[nigel-falco]

+1

[IgorEulalio]

+1

[leogr]

Big +1 from me!

[leogr]

cc @falcosecurity/core-maintainers

[FedeDP]

+1 from me! Thanks @Issif!

[LucaGuerra]

+1 🚀

[xinity]

GO FOR IT GO GO GO ! ! ! ! ! !

[Andreagit97]

+1 from me!

[cpanato]

+1 awesome

[bgsilvait]

+1 for the response!

[loresuso]

+1 from my side!

[leogr]

Since we all agree on this, I guess it's time to proceed! :partying_face:

I will take care of the transfer /assign

[Issif]

I'll prepare the talon's repo for the OWNERS, etc next week. Thank you for your support folks :heart:

[leogr]

Update:

• as discussed with @Issif , I volunteered to be a maintainer. This will prevent the project from being blocked in case other maintainers are unavailable
• we will proceed with the transfer of the repo shortly
• after the transfer, we will migrate charts and docker images, too

[cpanato]

can help as well