CNCF Announces Falco Graduation
February 29, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Falco, a cloud native security tool designed for Linux systems and the de facto Kubernetes threat detection engine.

Falco was created and open sourced in 2016 by Sysdig and became the first runtime security project accepted into the CNCF Sandbox in 2018 and, subsequently, the Incubator in April 2020. Since then, Falco has added maintainers from Amazon, Apple, IBM, Red Hat, and more. The project has also seen a 400% increase in active contributors since moving to incubation and now has hundreds of active code contributors.

The project has over 30 public, self-declared adopters, including organizations like Cisco, Shopify, Skyscanner, and Vinted. Since moving to incubation, it has seen a 526% increase in total downloads, with a 135% increase in average monthly downloads.

“Real-time visibility into the security of cloud native deployments is invaluable at scale,” said Chris Aniszczyk, CTO of CNCF. “Falco is helping to push advancements in the open source cloud native runtime security space with eBPF, and we look forward to seeing the progress in this area as the project continues to grow.”

Falco employs custom rules on kernel events to provide real-time alerts and helps users gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security. In the past few years, maintainers have dedicated time to improving engineering processes and refactoring the Falco code base, including improved test suites and a new kernel testing framework, increased quality checks, and new features like a new eBPF probe and integration with new first-party data sources.

“The conclusion that led to Falco’s development and contribution to CNCF is that runtime security must be widely accessible and seamlessly integrated across cloud native infrastructure – you need prevention in the cloud, but threat detection is just as important,” said Loris Degioanni, Creator of Falco and CTO and Founder of Sysdig. “The support Falco has received underscores the reality that you can’t prevent everything, security teams need defense in depth, even in the cloud. I am grateful for the incredible Falco community and for surpassing this milestone within CNCF, but the Falco community has never seen graduation as the end goal — rather, just the beginning of expanding Falco use cases through its plugin system.”

To officially graduate from incubating status, the Falco project underwent a due diligence process with the CNCF Technical Oversight Committee (TOC), completed a third-party security audit, and supported the process of allowing CNCF projects to include GPL-licensed Linux kernel modules alongside the eBPF code. Graduation validates Falco’s growth, maturity, and future outlook and cements the project’s leadership in the runtime security space.
