
Feat: Add support for local files and merged rule format #1

Open
kumo-rn5s wants to merge 3 commits into Issif:main from kumo-rn5s:feature/support-local-and-merged-rules

Conversation

@kumo-rn5s

Purpose

I wanted to visualize my heavily customized Falco rules (with many overrides) in the browser alongside official rules. This enhancement allows exploring custom rule configurations in the same unified dashboard as the official rules.

This change is primarily something I wanted for my own use. If you find it useful, please consider merging this PR. (If it's not needed, feel free to just close it without hesitation)

Key Features

Local File Support

  • Support any local path format: ./relative/path.yaml, custom/rules.yaml, /absolute/path/rules.yaml
  • Automatic detection: URLs (http/https) are downloaded, everything else is treated as local files
  • No configuration changes needed - works with existing registry.yaml

Merged Rules Format Support

  • Auto-detects merged rule files (with info sections) vs standard Falco rules
  • Parses the special structure from falco -L output automatically
  • Perfect for viewing your actual running Falco configuration with all customizations

Usage

View your customized rules:

# Extract your actual running configuration
falco -L 2>/dev/null | yq -P > my_custom_rules.yaml
# Add to registry.yaml
rules_files:
  - "./my_custom_rules.yaml"                  # Your customized rules
  - "https://github.com/falco.../rules.yaml" # Official rules for comparison

My rules: (Attach/Exec Pod is info level by default)

- Support both local files and URL downloads in registry.yaml
- Add parser for merge rules yaml special structure
- Fix 404 image references in index.html

Signed-off-by: ishikawa_kumo <firosstuart@gmail.com>
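An added example in Python (not code from this PR or from the explorer project) of the two detections the description lists, URL-vs-local source classification and merged-vs-standard rule format, together with the maturity-from-filename classification that the later reply relies on. The sample documents are constructed inline as the structures `yaml.safe_load` would return; the `info`-section shape of merged `falco -L` output is assumed from the description above, and the filename keywords used for maturity are an assumption.

```python
from urllib.parse import urlparse

def classify_source(entry: str) -> str:
    """http/https entries get downloaded; anything else is read as a local file."""
    scheme = urlparse(entry).scheme.lower()
    return "url" if scheme in ("http", "https") else "local"

def maturity_from_path(entry: str) -> str:
    # Assumed filename/URI classification (the reply says the explorer keys maturity
    # off the filename): 'sandbox' and 'incubating' in the name win, else stable.
    name = entry.rsplit("/", 1)[-1].lower()
    if "sandbox" in name:
        return "sandbox"
    if "incubating" in name:
        return "incubating"
    return "stable"

def is_merged_format(doc) -> bool:
    """Merged (falco -L) output is a mapping whose 'rules' entries carry an 'info'
    section; a standard rules file is a plain list of rule/macro/list items."""
    return isinstance(doc, dict) and any("info" in r for r in doc.get("rules", []))

def normalize_rules(doc) -> list[dict]:
    """One flat record per rule whatever the input format. 'condition' is read from
    info for merged files (the field the first version of the parser dropped)."""
    if is_merged_format(doc):
        return [{"name": r["info"]["name"], "condition": r["info"].get("condition"),
                 "priority": r["info"].get("priority"), "override": False}
                for r in doc["rules"]]
    # Standard files may contain partial 'override:' entries next to full rules;
    # flag them so a viewer can explain duplicate names instead of showing two rules.
    return [{"name": item["rule"], "condition": item.get("condition"),
             "priority": item.get("priority"), "override": "override" in item}
            for item in doc if isinstance(item, dict) and "rule" in item]

# Constructed samples: what yaml.safe_load would return for each kind of file.
STANDARD_RULES = [
    {"macro": "kevt", "condition": "evt.type in (k8s_audit)"},
    {"rule": "Attach/Exec Pod", "condition": "kevt and pod_subresource",
     "priority": "INFORMATIONAL", "tags": ["k8s"]},
    {"rule": "Attach/Exec Pod", "override": {"priority": "replace"}, "priority": "WARNING"},
]
MERGED_RULES = {  # assumed shape of `falco -L | yq -P` after overrides were applied
    "rules": [{"info": {"name": "Attach/Exec Pod", "condition": "kevt and pod_subresource",
                        "priority": "Warning", "enabled": True, "tags": ["k8s"]},
               "details": {"macros": ["kevt"]}}],
    "macros": [], "lists": [],
}
```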
@Issif
Owner

Issif commented Aug 18, 2025

Hi,

I never considered this usage, I'm glad if you find this "app" useful. I didn't review your changes yet, here are some comments first:

  • I don't see the condition of the rule in your screenshot, is that normal?
  • How do you know if this is a vanilla or a customized rule?
  • The explorer shows the rules for all levels of maturity; if you want to display both the incubating and stable rules, for example, your overwrites will be applied to both (because they have the same macros, rule names, etc.). Is that the wanted behavior?

Also, don't hesitate to add a section in the readme to explain to people how to use the local version.

@kumo-rn5s
Author

Hi,

I don't see the condition of the rule in your screenshot, is that normal?

No, this was a bug. The condition field was missing for merged format rules. This has been fixed in the recent commits.


How do you know if this is a vanilla or a customized rule?

My goal was to explore the actual Falco rules running in our current environment, which includes our customizations.
When using Falco rule overrides, the override completely replaces the original rule - only the override version remains active.
If you load both the original rules and override rules into the explorer, you'll see duplicate rule entries (one original + one override) which can be confusing.


So, for my goal, it's not a problem to distinguish vanilla rules from custom rules, as the vanilla rules have been overridden.

your overwrites will be applied to both (because they have the same macros, rule names, etc.). Is that the wanted behavior?

You're absolutely right - this is a real problem. When you run falco -L without specifying individual rule files, it merges ALL maturity levels together into one output. Since the explorer determines maturity from filename/URI, everything gets mixed up and loses proper maturity classification.

I discovered that extracting rules by maturity level separately using falco -L -r <specific_rule_file> could fix this problem.

# Extract stable rules
falco -L -r /etc/falco/falco_rules.yaml -r /etc/falco/rules.d/falco_rules_override.yaml 2>/dev/null | yq -P > stable_rules.yaml

# Extract incubating rules
falco -L -r /etc/falco/incubating_rules.yaml -r /etc/falco/rules.d/incubating_rules_override.yaml 2>/dev/null | yq -P > incubating_rules.yaml

# Extract sandbox rules
falco -L -r /etc/falco/falco-sandbox_rules.yaml -r /etc/falco/rules.d/sandbox_rules_override.yaml 2>/dev/null | yq -P > sandbox_rules.yaml

Now it works well.

@Issif
Owner

Issif commented Aug 19, 2025

I see. Our usages are a little bit different: my online version of the explorer allows people to see what available rules they can use, while yours is there to have a better view of the loaded rules in a running falco instance. Both are legit; I just didn't think about yours before. Nice idea.

I'll try to find some time to review your proposal in the upcoming days. Thanks
