Skip incomplete container info for container start (#570)

* Skip incomplete container info for container start

In the container_started macro, ensure that the container metadata is
complete after either the container event (very unlikely) or the
exec of the first process into the container (very likely now that
container metadata fetches are async).

When using these rules with older falco versions, this macro will still
work as the synchronous container metadata fetch will result in a
repository that isn't "incomplete".

* Update test traces to have full container info

Some test trace files used for regression tests didn't have full
container info, and once we started looking for those fields, the tests
stopped working.

So update the traces and event counts to match.
Mark Stemm 2019-04-02 15:12:31 -07:00 committed by GitHub
parent 91954d61ce
commit 19327e0e85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 3 deletions


@ -338,7 +338,10 @@
condition: container.id != host
- macro: container_started
condition: (evt.type = container or (evt.type=execve and evt.dir=< and proc.vpid=1))
condition: >
((evt.type = container or
(evt.type=execve and evt.dir=< and proc.vpid=1)) and
container.image.repository != incomplete)
- macro: interactive
condition: >
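Review bot: the added `container.image.repository != incomplete` clause turns a metadata fetch that has not finished into a silently dropped container start rather than a late one: both triggering events (the `container` event and the `execve` of `proc.vpid=1`) occur once per container, so if the async fetch is still pending when the init process exec returns, neither event matches and no rule built on `container_started` fires for that container. Worth a YAML comment above the macro stating that trade-off, together with the compatibility note from the commit message that older Falco versions fill `repository` synchronously, since a reader of the rules file sees only the bare `!= incomplete` comparison next to the existing `container.id != host` style of check.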


@ -34,14 +34,14 @@ traces: !mux
detect: True
detect_level: INFO
detect_counts:
- "Launch Privileged Container": 1
- "Launch Privileged Container": 2
container-sensitive-mount:
trace_file: traces-positive/container-sensitive-mount.scap
detect: True
detect_level: INFO
detect_counts:
- "Launch Sensitive Mount Container": 1
- "Launch Sensitive Mount Container": 2
create-files-below-dev:
trace_file: traces-positive/create-files-below-dev.scap
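Review bot: the detect_counts for "Launch Privileged Container" and "Launch Sensitive Mount Container" go from 1 to 2, but the summary shows only 2 changed files with 6 additions and 3 deletions, which the two YAML hunks account for entirely; the trace files referenced by lines such as `trace_file: traces-positive/container-sensitive-mount.scap` are not part of this commit even though the commit message says the traces were updated. Either include the regenerated .scap files here or reference the commit that carries them, and add a comment beside the counts explaining that a trace with complete metadata on both the container event and the vpid=1 execve matches container_started twice per container start, so 2 is the expected count and not a duplicated alert.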