eliferjunior/falco
.claude/skills/ts-falco/SKILL.md
Expert guidance for Falco, the CNCF runtime security tool that detects anomalous behavior in containers and Kubernetes clusters using system call monitoring. Helps developers set up Falco for detecting shell spawns in containers, unexpected network connections, file access violations, and privilege escalation — all in real-time with zero application changes.
tools
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add eliferjunior/Claude falcoInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:37 AM14.8s1 file scanned
SKILL.md
- name:
- falco
- description:
- Expert guidance for Falco, the CNCF runtime security tool that detects anomalous behavior in containers and Kubernetes clusters using system call monitoring. Helps developers set up Falco for detecting shell spawns in containers, unexpected network connections, file access violations, and privilege escalation — all in real-time with zero application changes.
- license:
- Apache-2.0
- compatibility:
- No special requirements
- author:
- terminal-skills
- version:
- 1.0.0
- category:
- devops
Falco — Runtime Threat Detection
Overview
Falco, the CNCF runtime security tool that detects anomalous behavior in containers and Kubernetes clusters using system call monitoring. Helps developers set up Falco for detecting shell spawns in containers, unexpected network connections, file access violations, and privilege escalation — all in real-time with zero application changes.
Instructions
Deployment
# Helm install on Kubernetes
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
--namespace falco --create-namespace \
--set driver.kind=modern_ebpf \
--set falcosidekick.enabled=true \
--set falcosidekick.config.slack.webhookurl="${SLACK_WEBHOOK}"
# Docker (single host)
docker run --rm -i -t \
--privileged \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /proc:/host/proc:ro \
falcosecurity/falco:latest
Custom Rules
# falco_rules.local.yaml — Custom detection rules
# Detect shell spawned inside a container
- rule: Shell Spawned in Container
desc: A shell (bash, sh, zsh) was started inside a container
condition: >
spawned_process and container and
proc.name in (bash, sh, zsh, ash, dash) and
not proc.pname in (cron, supervisord, entrypoint.sh)
output: >
Shell spawned in container
(user=%user.name container=%container.name image=%container.image.repository
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
priority: WARNING
tags: [container, shell, mitre_execution]
# Detect sensitive file access
- rule: Read Sensitive File
desc: A process read a sensitive file (passwords, keys, tokens)
condition: >
open_read and container and
fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa,
/var/run/secrets/kubernetes.io/serviceaccount/token)
output: >
Sensitive file read (user=%user.name file=%fd.name container=%container.name
image=%container.image.repository command=%proc.cmdline)
priority: ERROR
tags: [filesystem, mitre_credential_access]
# Detect outbound connection to unexpected destinations
- rule: Unexpected Outbound Connection
desc: Container making outbound connection to non-allowlisted IP
condition: >
outbound and container and
not fd.sip in (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and
not fd.sport in (53, 443, 80) and
not container.image.repository in (allowed_outbound_images)
output: >
Unexpected outbound connection
(container=%container.name image=%container.image.repository
connection=%fd.name user=%user.name command=%proc.cmdline)
priority: WARNING
tags: [network, mitre_exfiltration]
# Detect crypto mining
- rule: Crypto Mining Detected
desc: Process connecting to known mining pool or running mining binary
condition: >
spawned_process and container and
(proc.name in (xmrig, minerd, cpuminer, ethminer) or
proc.cmdline contains "stratum+tcp://" or
proc.cmdline contains "pool.minexmr")
output: >
Crypto mining activity detected
(container=%container.name image=%container.image.repository
command=%proc.cmdline user=%user.name)
priority: CRITICAL
tags: [crypto, mitre_resource_hijacking]
# Detect privilege escalation
- rule: Privilege Escalation via setuid
desc: Process changed to root via setuid binary
condition: >
spawned_process and container and
user.uid != 0 and proc.uid = 0 and
not proc.name in (sudo, su, ping)
output: >
Privilege escalation detected
(user=%user.name container=%container.name command=%proc.cmdline)
priority: CRITICAL
tags: [users, mitre_privilege_escalation]
# Lists referenced by rules
- list: allowed_outbound_images
items: [nginx, envoyproxy/envoy, haproxy]
Falcosidekick Integration
# Falcosidekick routes Falco alerts to 50+ outputs
# values.yaml for Helm
falcosidekick:
enabled: true
config:
slack:
webhookurl: "https://hooks.slack.com/services/xxx"
minimumpriority: "warning"
messageformat: |
*{{ .Priority }}* — {{ .Rule }}
{{ .Output }}
Container: {{ index .OutputFields "container.name" }}
Image: {{ index .OutputFields "container.image.repository" }}
pagerduty:
routingKey: "xxx"
minimumpriority: "critical"
# Forward to SIEM
elasticsearch:
hostPort: "https://es.example.com:9200"
index: "falco-alerts"
minimumpriority: "warning"
Installation
# Helm (Kubernetes — recommended)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco -n falco --create-namespace
# Linux package
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
apt-get install falco
Examples
Example 1: Setting up Falco for a microservices project
User request:
I have a Node.js API and a React frontend running in Docker. Set up Falco for monitoring/deployment.
The agent creates the necessary configuration files based on patterns like # Helm install on Kubernetes, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
Example 2: Troubleshooting custom rules issues
User request:
Falco is showing errors in our custom rules. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing with common Falco issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
Guidelines
- eBPF driver — Use
modern_ebpfdriver for best performance and compatibility; no kernel module compilation needed - Start with default rules — Falco ships with 100+ rules; enable them first, then add custom rules for your environment
- Allowlists over blocklists — Define what's expected (allowed images, allowed processes); flag everything else as anomalous
- Falcosidekick for routing — Route alerts to Slack, PagerDuty, SIEM; Falcosidekick supports 50+ outputs
- Priority levels — Use CRITICAL for active attacks, ERROR for policy violations, WARNING for suspicious activity
- MITRE ATT&CK tags — Tag rules with MITRE tactics; helps incident response teams understand the attack stage
- Tune for noise — Expect noise initially; add exceptions for known-good processes (health checks, init scripts)
- Combine with admission control — Falco detects at runtime; pair with OPA/Kyverno for preventive controls at deploy time
Related Skills
eliferjunior/fireworks-ai
development
VerifiedTrustedCommunity
Expert guidance for Fireworks AI, the platform for running open-source LLMs (Llama, Mixtral, Qwen, etc.) with enterprise-grade speed and reliability. Helps developers integrate Fireworks' inference API, fine-tune models, and deploy custom model endpoints with function calling and structured output support.
SKILL.mdUpdated Apr 17, 2026
eliferjunior/firecrawl
development
VerifiedTrustedCommunity
Convert any website into clean, structured data with Firecrawl — API-first web scraping service. Use when someone asks to "turn a website into markdown", "scrape website for LLM", "Firecrawl", "extract website content as clean text", "crawl and convert to structured data", or "scrape website for RAG". Covers single-page scraping, full-site crawling, structured extraction, and LLM-ready output.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/firebase
tools
VerifiedTrustedCommunity
Expert guidance for Firebase, Google's platform for building and scaling web and mobile applications. Helps developers set up authentication, Firestore/Realtime Database, Cloud Functions, hosting, storage, and analytics using Firebase's SDK and CLI.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/file-upload-processor
development
VerifiedTrustedCommunity
When the user needs to build file upload functionality for a web application. Use when the user mentions "file upload," "image upload," "upload endpoint," "multipart upload," "presigned URL," "S3 upload," "file validation," "upload to cloud storage," or "accept user files." Handles upload endpoints, file validation (type, size, magic bytes), cloud storage integration, and upload status tracking. For image/video processing after upload, see media-transcoder.
SKILL.mdUpdated Apr 16, 2026