feat: add pre commit

.github/scripts/rules_overview_generator.py

@@ -53,7 +53,7 @@ def rules_to_df(rules_dir):
                                 else:
                                     item['mitre_ttp'].append('[{}]({}{})'.format(i, BASE_MITRE_URL_TECHNIQUE, i.replace('.', '/')))
                             else:
-                                item['extra_tags'].append(i) 
+                                item['extra_tags'].append(i)
                         item['workload'].sort()
                         item['mitre_phase'].sort()
                         item['mitre_ttp'].sort()
@@ -63,7 +63,7 @@ def rules_to_df(rules_dir):
                         item['extra_tags_list'] = item['extra_tags']
                         item['compliance_pci_dss_list'] = item['compliance_pci_dss']
                         item['compliance_nist_list'] = item['compliance_nist']
-                        item['enabled'] = (item['enabled'] if 'enabled' in item else True) 
+                        item['enabled'] = (item['enabled'] if 'enabled' in item else True)
                         l.append([', '.join(item[x]) if x in ['maturity', 'workload', 'mitre_phase', 'mitre_ttp', 'compliance_pci_dss', 'compliance_nist', 'extra_tags'] else item[x] for x in COLUMNS])
 
     if not l:
@@ -100,23 +100,23 @@ def print_markdown(df):
     print('This document provides an extensive overview of community-contributed syscall and container event-based rules. It offers resources for learning about these rules, promoting successful adoption, and driving future enhancements.\n')
     print('\n[Stable Falco Rules](#stable-falco-rules) | [Incubating Falco Rules](#incubating-falco-rules) | [Sandbox Falco Rules](#sandbox-falco-rules) | [Deprecated Falco Rules](#deprecated-falco-rules) | [Falco Rules Stats](#falco-rules-stats)\n')
     print('\nThe tables below can be scrolled to the right.\n')
-    
+
     print('\n## Stable Falco Rules\n')
     print('\n{} stable Falco rules ({:.2f}% of rules) are included in the Falco release package:\n'.format(len(df_stable), (100.0 * len(df_stable) / n_rules)))
     print(df_stable.to_markdown(index=False))
-    
+
     print('\n## Incubating Falco Rules\n')
     print('\n{} incubating Falco rules ({:.2f}% of rules):\n'.format(len(df_incubating), (100.0 * len(df_incubating) / n_rules)))
     print(df_incubating.to_markdown(index=False))
-    
+
     print('\n## Sandbox Falco Rules\n')
     print('\n{} sandbox Falco rules ({:.2f}% of rules):\n'.format(len(df_sandbox), (100.0 * len(df_sandbox) / n_rules)))
     print(df_sandbox.to_markdown(index=False))
-    
+
     print('\n## Deprecated Falco Rules\n')
     print('\n{} deprecated Falco rules ({:.2f}% of rules):\n'.format(len(df_deprecated), (100.0 * len(df_deprecated) / n_rules)))
     print(df_deprecated.to_markdown(index=False))
-    
+
     print('\n# Falco Rules Stats\n')
     print('\n### Falco rules per workload type:\n')
     df1 = df.groupby('workload').agg(rule_count=('workload', 'count'))
@@ -135,7 +135,7 @@ def print_markdown(df):
     df2['<div style=\"width:450px\">rules</div>'] = df2['rule'].apply(lambda x: x[0])
     df2['<div style=\"width:100px\">percentage</div>'] = df2['rule'].apply(lambda x: round((100.0 * x[1] / n_rules), 2)).astype(str) + '%'
     print(df2.drop('rule', axis=1).to_markdown(index=True))
-    
+
     print('\n### Compliance-related Falco rules:\n')
     df3 = df
     df3['compliance_tag'] = df['compliance_pci_dss_list'] + df['compliance_nist_list']
@@ -149,11 +149,11 @@ def print_markdown(df):
     # df3['percentage'] = df3['rule'].apply(lambda x: round((100.0 * x[1] / n_rules), 2)).astype(str) + '%'
     print(df3.drop('rule', axis=1).to_markdown(index=True))
 
-    
+
 if __name__ == '__main__':
     args_parsed = arg_parser()
     rules_dir = args_parsed.rules_dir
-    
+
     if not rules_dir or not os.path.isdir(rules_dir):
         sys.exit('No valid rules directory provided via --rules_dir arg, exiting ...')
 

.github/workflows/registry.yaml

@@ -21,7 +21,7 @@ jobs:
       - name: Build registry artifact tool
         working-directory: build/registry
         run: go build -o rules-registry ./...
-      
+
       - name: Test registry artifact tool
         working-directory: build/registry
         run: go test ./... -cover

.github/workflows/yaml-lint.yaml

@@ -1,19 +1,19 @@
 name: Yamllint Github Actions
-on: 
+on:
   pull_request:
-    branches: 
+    branches:
       - main
 
-jobs: 
-  lintFalcoRules: 
+jobs:
+  lintFalcoRules:
     name: Yamllint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
         uses: actions/checkout@v6
       - name: yaml-lint
         uses: ibiqlik/action-yamllint@v3
-        with: 
+        with:
           file_or_dir: rules/*.yaml
         env:
           YAMLLINT_CONFIG_FILE: .github/workflows/.yamllint

.gitignore

@@ -193,4 +193,3 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 .idea/
 .run/
-

.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+---
+fail_fast: false
+minimum_pre_commit_version: '0'
+default_install_hook_types: ["pre-commit", "prepare-commit-msg"]
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-yaml
+      - id: check-case-conflict
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+  - repo: local
+    hooks:
+      - id: dco-hook-local
+        name: DCO hook local
+        entry: ./tools/local_hooks/dco-pre-commit-msg.sh
+        language: unsupported_script
+        stages: [prepare-commit-msg]
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.38.0
+    hooks:
+      - id: yamllint
+        args: [--format, parsable, --strict, -c=.github/workflows/.yamllint]

CONTRIBUTING.md

@@ -15,7 +15,7 @@ All rules must be licensed under the [Apache 2.0 License](./LICENSE).
 
 # Rules Maturity Framework
 
-The rules maturity framework was established following this [proposal](proposals/20230605-rules-adoption-management-maturity-framework.md). 
+The rules maturity framework was established following this [proposal](proposals/20230605-rules-adoption-management-maturity-framework.md).
 
 At a high level, The Falco Project maintains community-contributed syscall and container event-based [rules](https://github.com/falcosecurity/rules/blob/main/rules/), with `maturity_stable` tagged rules being included in the Falco release package. Other maturity-level rules are released separately, requiring explicit installation and possible customization for effective. In essence, there are now dedicated rule files for each maturity level.
 
@@ -48,15 +48,15 @@ Special note regarding *plugins* rules: The rules for different Falco [plugins](
 The levels:
 
 - **maturity_stable** indicates that the rule has undergone thorough evaluation by experts with hands-on production experience. These experts have determined that the rules embody best practices and exhibit optimal robustness, making it more difficult for attackers to bypass Falco. These rules are highly relevant for addressing broader threats and are recommended for customization to specific environments if necessary. They primarily focus on universal system-level detections, such as generic reverse shells or container escapes, which establish a solid baseline for threat detection across diverse industries. This inherent bias against including more application-specific detections is due to their potential lack of broad relevance or applicability. However, to mitigate this bias, the maintainers reserve the right to make judgments on a case-by-case basis.
-- **maturity_incubating** indicates that the rules address relevant threats, provide a certain level of robustness guarantee, and adhere to best practices in rule writing. Furthermore, it signifies that the rules have been identified by experts as catering to more specific use cases, which may or may not be relevant for each adopter. This category is expected to include a larger number of application-specific rules.   
+- **maturity_incubating** indicates that the rules address relevant threats, provide a certain level of robustness guarantee, and adhere to best practices in rule writing. Furthermore, it signifies that the rules have been identified by experts as catering to more specific use cases, which may or may not be relevant for each adopter. This category is expected to include a larger number of application-specific rules.
 - **maturity_sandbox** indicates that the rule is in an experimental stage. The potential for broader usefulness and relevance of "sandbox" rules is currently being assessed. These rules can serve as inspiration and adhere to the minimum acceptance criteria for rules.
 - **maturity_deprecated** indicates that, upon re-assessment, the rule was deemed less applicable to the broader community. Each adopter needs to determine the relevance of these rules on their own. They are kept as examples but are no longer actively supported or tuned by The Falco Project.
 
 In summary, the rules maturity tag reflects the robustness, relevance, applicability, and stability of each predefined rule in the [falcosecurity/rules](https://github.com/falcosecurity/rules/blob/main/rules/) repository. It serves as general guidance to determine which rules may provide the highest return on investment.
 
 ## Justification of Rules Maturity Framework for Falco Adoption
 
-A rules maturity framework has been introduced for Falco users to facilitate the adoption of non-custom rules more effectively. This framework ensures a smooth transition for adopters, whether they use rules generically or for specific use cases. A smooth adoption process is defined by making it easy for adopters to understand each rule and also gain an understanding of not just what the rule is doing, but also how beneficial it can be under various circumstances. 
+A rules maturity framework has been introduced for Falco users to facilitate the adoption of non-custom rules more effectively. This framework ensures a smooth transition for adopters, whether they use rules generically or for specific use cases. A smooth adoption process is defined by making it easy for adopters to understand each rule and also gain an understanding of not just what the rule is doing, but also how beneficial it can be under various circumstances.
 Additionally, due to this framework, adopters should find themselves with a clearer understanding of which rules can likely be adopted as-is versus which rules may require significant engineering efforts to evaluate and adopt.
 
 The rules maturity framework aligns with the [status](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#status) levels used within The Falco Project repositories, namely "Stable", "Incubating", "Sandbox" and "Deprecated".

LICENSE

@@ -199,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

README.md

@@ -1,8 +1,8 @@
 # Falco Rules
 
-[![Latest release](https://img.shields.io/github/v/release/falcosecurity/rules?label=Latest%20Rules%20Release&style=for-the-badge)](https://github.com/falcosecurity/rules/releases/latest) [![Compatible Falco release](https://img.shields.io/github/v/release/falcosecurity/falco?label=Compatible%20Falco%20Release&style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) 
+[![Latest release](https://img.shields.io/github/v/release/falcosecurity/rules?label=Latest%20Rules%20Release&style=for-the-badge)](https://github.com/falcosecurity/rules/releases/latest) [![Compatible Falco release](https://img.shields.io/github/v/release/falcosecurity/falco?label=Compatible%20Falco%20Release&style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest)
 
-[![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs/rules)  [![Rules Overview](https://img.shields.io/badge/docs-latest-green.svg?label=Rules%20Overview&style=for-the-badge)](https://falcosecurity.github.io/rules/) [![Style Guide](https://img.shields.io/badge/docs-latest-green.svg?label=Style%20Guide&style=for-the-badge)](https://falco.org/docs/rules/style-guide/) 
+[![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs/rules)  [![Rules Overview](https://img.shields.io/badge/docs-latest-green.svg?label=Rules%20Overview&style=for-the-badge)](https://falcosecurity.github.io/rules/) [![Style Guide](https://img.shields.io/badge/docs-latest-green.svg?label=Style%20Guide&style=for-the-badge)](https://falco.org/docs/rules/style-guide/)
 
 [![Supported Fields](https://img.shields.io/badge/docs-latest-green.svg?label=Supported%20Fields&style=for-the-badge)](https://falco.org/docs/reference/rules/supported-fields/) [![Supported EVT ARG Fields](https://img.shields.io/badge/docs-latest-green.svg?label=Supported%20Evt%20Arg%20Fields&style=for-the-badge)](https://github.com/falcosecurity/libs/blob/master/driver/event_table.c)
 
@@ -50,7 +50,7 @@ Rules tell [Falco](https://github.com/falcosecurity/falco) what to do. These rul
 
 ## Falco Rules Files Registry
 
-The Falco Rules Files Registry contains metadata and information about rules files distributed by The Falco Project. The registry serves as an additional method of making the rules files available to the community, complementing the process of retrieving the rules files from this repository. 
+The Falco Rules Files Registry contains metadata and information about rules files distributed by The Falco Project. The registry serves as an additional method of making the rules files available to the community, complementing the process of retrieving the rules files from this repository.
 
 Note: _Currently, the registry includes only rules for the syscall call data source; for other data sources see the [Plugins](https://github.com/falcosecurity/plugins) repository._
 

RELEASE.md

@@ -40,7 +40,7 @@ Patches on an already-released ruleset can anytime on a per-need basis. Assuming
 
 ## Versioning a ruleset
 
-The version of the official Falco rulesets is compatible with [SemVer](https://semver.org/) and must be meaningful towards the changes in its structure and contents. To define a new version `x.y.z` for a given ruleset, consider the following guidelines. 
+The version of the official Falco rulesets is compatible with [SemVer](https://semver.org/) and must be meaningful towards the changes in its structure and contents. To define a new version `x.y.z` for a given ruleset, consider the following guidelines.
 
 Our automation will detect most of the following criteria and suggest a summary with all the changes relative to each of the three versioning categories (patch, minor, major). This provides a changelog and valuable suggestion on the next version to be assigned to each ruleset. However, be mindful that the versioning process cannot totally automated and always requires human attention (e.g. we can't automatically detect subtle semantic changes in rules). The automated jobs will use the versions of Falco defined in `./github/FALCO_VERSIONS` for validating and checking rulesets. The versions must be line-separated and ordered from the most recent to the least recent. Any [published container image tag](https://hub.docker.com/r/falcosecurity/falco/tags) is a valid Falco version entry, including `master`, `latest`, and any other stable release tag (e.g. `0.35.0`). `master` indicates the most recent dev version of Falco built from mainline, and can be used for using a not-yet-published version of Falco in case we want to run the CI with a new in-development feature.