From cb2439d7574c2b9c0971db5b7a8c8ec839429ddd Mon Sep 17 00:00:00 2001
From: bgeesaman
Date: Thu, 10 Sep 2020 15:45:55 -0400
Subject: [PATCH] Append Slash to Sensitive Mount Path startswith

Make L#1932 equivalent to L#1898

Signed-off-by: Brad Geesaman
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 085c766b..5bdbac5b 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1929,7 +1929,7 @@
 condition: (user_trusted_containers or
 container.image.repository in (trusted_images) or
 container.image.repository in (falco_sensitive_mount_images) or
- container.image.repository startswith quay.io/sysdig)
+ container.image.repository startswith quay.io/sysdig/)

 # These container images are allowed to run with hostnetwork=true
 - list: falco_hostnetwork_images
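Review bot: Nothing near the changed `startswith quay.io/sysdig/` clause records why the trailing slash matters, and the commit message points only at line numbers (L#1932, L#1898) that will drift as the rules file changes. A comment above the macro would keep a later cleanup from dropping the delimiter, for example `# Trailing slash is required: it limits the prefix to the quay.io/sysdig/ organization, not every repository whose name begins with "quay.io/sysdig".` The macro's opening line is outside the hunk, so the exact placement has to be checked there, and any other `startswith` registry prefixes in this file are worth checking for the same missing delimiter. The exemption still keys on the repository name alone, so it is only as strong as the control over which registries and image names the cluster admits.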