Falco Rule Integration Test #30
Comments
|
I was already thinking about something similar, and I really like your proposal. Thank you! |
|
/assign |
|
Hey @Krishan-Sharma and @natchaphon-r After thinking a little on this topic, I would like to create a simple interface that allows other components to hooks into the Moreover, be also aware that we're changing the way gRPC is communicating, that was needed to solve some issues we encountered the current gRPC implementation. This improvement should be released on the next Falco version. That being said, please don't stop your contribution. We can cooperate on this, feel free to contact me on Slack, open PRs and so on. I'm happy to help :) Thanks. |
|
Update: I experimented a bit in this branch and I have found some issues that should be solved shortly. If someone is working on this pls contact me on Slack. |
|
Hey @leogr , I'll sync up with you on Slack. |
Motivation
The accuracy of anomaly detection with Falco heavily depends on Falco rules. Providing an integration test framework or example to validate a Falco alert given an event generated by this project would enable automated Falco rule testing and give users higher confidence when updating new Falco version, deploying new rules, reusing rules in a different OS/kernel.
Feature
User can use the framework to write an integration test that utilizes event-generator to trigger Falco rule alerts, captures these alerts using Falco client-go, and validates alert strings (ex. containerName should not be empty, alert text should contain a certain string, etc.)
Alternatives
Manual testing with event-generator
The text was updated successfully, but these errors were encountered: