Collecting all the labels from the containers

Open Issif opened this issue 1 year ago • 0 comments

Motivation

Having all labels from the running containers available as fields, i.e. container.labels[].

These labels are really useful to get more context. For example, for CI runners like GitLab Runners, the fields are filled with information which allows correlation with the job, the project, etc. Having these fields will allow integrating Falco more into Supply Chain Security:

			"com.gitlab.gitlab-runner.job.before_sha":  "",
			"com.gitlab.gitlab-runner.job.id":          "0",
			"com.gitlab.gitlab-runner.job.ref":         "",
			"com.gitlab.gitlab-runner.job.sha":         "",
			"com.gitlab.gitlab-runner.job.url":         "/-/jobs/0",
			"com.gitlab.gitlab-runner.managed":         "true",
			"com.gitlab.gitlab-runner.pipeline.id":     "",
			"com.gitlab.gitlab-runner.project.id":      "0",
			"com.gitlab.gitlab-runner.runner.id":       "",
			"com.gitlab.gitlab-runner.runner.local_id": "0",
			"com.gitlab.gitlab-runner.type":            "build",
			"my.custom.label":                          "my.custom.value",

Feature

Having the fields container.labels[] containing all the labels of the pod where the suspicious action happened.

Alternatives

n/a

Additional context

Issif, Sep 26 '24 14:09
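The correlation this issue asks for can be sketched downstream of Falco. The following is an added example, not part of the original issue or of Falco's code: it attaches a container's labels to a Falco JSON alert and reports which GitLab Runner labels are available for correlating with a job. The field name `container.labels[<key>]` follows the issue's request and is hypothetical, as is the function name `EnrichAlert`; the alert and label values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const gitlabPrefix = "com.gitlab.gitlab-runner." // prefix of the labels quoted in the issue
// Constructed sample alert in Falco's JSON output layout.
const sampleAlert = `{"rule":"Terminal shell in container","output_fields":{"container.id":"3f2a9c1b7d10","proc.name":"sh"}}`

// Constructed sample labels, shaped like the Config.Labels map of `docker inspect`.
var sampleLabels = map[string]string{
	"com.gitlab.gitlab-runner.job.id":     "4812",
	"com.gitlab.gitlab-runner.job.sha":    "",
	"com.gitlab.gitlab-runner.job.url":    "/-/jobs/4812",
	"com.gitlab.gitlab-runner.project.id": "77",
	"my.custom.label":                     "my.custom.value",
}

// EnrichAlert adds each non-empty label to output_fields as container.labels[<key>] (hypothetical name).
func EnrichAlert(alertJSON string, labels map[string]string) (map[string]interface{}, []string, error) {
	var alert map[string]interface{}
	if err := json.Unmarshal([]byte(alertJSON), &alert); err != nil {
		return nil, nil, err
	}
	fields, ok := alert["output_fields"].(map[string]interface{})
	if !ok {
		return nil, nil, fmt.Errorf("alert has no output_fields object")
	}
	var ci []string // GitLab Runner label names (prefix stripped) that carried a value
	for k, v := range labels {
		if v == "" { // the issue's sample shows many empty labels; they add no context
			continue
		}
		fields["container.labels["+k+"]"] = v
		if strings.HasPrefix(k, gitlabPrefix) {
			ci = append(ci, strings.TrimPrefix(k, gitlabPrefix))
		}
	}
	sort.Strings(ci)
	return alert, ci, nil
}

func main() {
	alert, ci, err := EnrichAlert(sampleAlert, sampleLabels)
	fmt.Println(ci, alert["output_fields"], err)
}
```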