fix(.github/workflow): upgrade (no more available) systemd-rpm-macros package

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.circleci/config.yml

@@ -1,232 +0,0 @@
-version: 2.1
-jobs:
-  "build-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: arm.large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path to the source code
-      - checkout:
-          path: /tmp/source-arm64/falco
-
-      # Build the skeleton
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source-arm64/falco/skeleton-build
-            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            FALCO_VERSION=$(cat /tmp/source-arm64/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build-arm64/release
-            - source-arm64
-
-  # Build a statically linked Falco release binary using musl
-  # This build is 100% static, there are no host dependencies
-  "build-musl":
-    docker:
-      - image: alpine:3.17
-    resource_class: large
-    steps:
-      - checkout:
-          path: /source-static/falco
-      - run:
-          name: Update base image
-          command: apk update
-      - run:
-          name: Install build dependencies
-          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-      - run:
-          name: Prepare project
-          command: |
-            mkdir -p /build-static/release
-            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
-      - run:
-          name: Build
-          command: |
-            cd /build-static/release
-            make -j6 all
-      - run:
-          name: Package
-          command: |
-            cd /build-static/release
-            make -j6 package
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build-static/release/*.tar.gz /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build-static/release
-            - source-static
-
-  # This build is static, dependencies are bundled in the Falco binary
-  "build-centos7":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path for the source code
-      - checkout:
-          path: /tmp/source/falco
-
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source/falco/skeleton-build
-            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            FALCO_VERSION=$(cat /tmp/source/falco/skeleton-build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off -DFALCO_VERSION=${FALCO_VERSION}" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build/release
-            - source
-
-  # Execute integration tests based on the build results coming from the "build-centos7" job
-  "tests-integration":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source"
-          BUILD_DIR: "/build"
-          BUILD_TYPE: "release"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build/release/integration-tests-xunit
-  "tests-integration-static":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source-static"
-          BUILD_DIR: "/build-static"
-          BUILD_TYPE: "release"
-          SKIP_PACKAGES_TESTS: "true"
-          SKIP_PLUGINS_TESTS: "true"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build-static/release/integration-tests-xunit
-  # Execute integration tests based on the build results coming from the "build-arm64" job
-  "tests-integration-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2004:202101-01
-    resource_class: arm.medium
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Execute integration tests
-          command: |
-            docker run -e BUILD_TYPE="release" -e BUILD_DIR="/build" -e SOURCE_DIR="/source" -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-tester:latest \
-              test
-      - store_test_results:
-          path: /tmp/build-arm64/release/integration-tests-xunit
-  "tests-driver-loader-integration":
-    machine:
-      image: ubuntu-2004:202107-02
-    steps:
-      - attach_workspace:
-          at: /tmp/ws
-      - run:
-          name: Execute driver-loader integration tests
-          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-
-workflows:
-  version: 2.1
-  build_and_test:
-    jobs:
-      - "build-musl"
-      - "build-arm64"
-      - "build-centos7"
-      - "tests-integration":
-          requires:
-            - "build-centos7"
-      - "tests-integration-arm64":
-          requires:
-            - "build-arm64"
-      - "tests-integration-static":
-          requires:
-            - "build-musl"
-      - "tests-driver-loader-integration":
-          requires:
-            - "build-centos7"

.clang-format

@@ -1,16 +1,36 @@
----
 Language: Cpp
-BasedOnStyle: LLVM
-AccessModifierOffset: -8
-BreakBeforeBraces: Allman
+BasedOnStyle: Google
+AccessModifierOffset: -4
+BreakBeforeBraces: Attach
+AllowAllArgumentsOnNextLine: false
+AllowAllConstructorInitializersOnNextLine: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+BinPackArguments: false
+BinPackParameters: false
+ColumnLimit: 100
+DerivePointerBinding: false
+IndentCaseLabels: false
+IndentWidth: 4
+SpaceAfterTemplateKeyword: false
+TabWidth: 4
+UseTab: ForIndentation
 BreakConstructorInitializers: AfterColon
-ColumnLimit: 0
 ConstructorInitializerIndentWidth: 8
 ContinuationIndentWidth: 8
 DerivePointerAlignment: true
-IndentWidth: 8
-SortIncludes: false
-SpaceAfterTemplateKeyword: false
+SortIncludes: Never
 SpaceBeforeCtorInitializerColon: false
 SpaceBeforeParens: Never
-UseTab: Always
+InsertNewlineAtEOF: true
+---
+Language: Proto
+DisableFormat: true
+---
+Language: JavaScript
+DisableFormat: true
+---
+Language: Java
+DisableFormat: true

.clang-format-ignore

@@ -0,0 +1,3 @@
+# These files contain some JSON schema definitions that are not C++ code
+userspace/falco/config_json_schema.h
+userspace/engine/rule_json_schema.h

.cmake-format

@@ -1,119 +0,0 @@
-# --------------------------
-# General Formatting Options
-# --------------------------
-# How wide to allow formatted cmake files
-line_width = 120
-
-# How many spaces to tab for indent
-tab_size = 2
-
-# If arg lists are longer than this, break them always
-max_subargs_per_line = 3
-
-# If true, separate flow control names from their parentheses with a space
-separate_ctrl_name_with_space = False
-
-# If true, separate function names from parentheses with a space
-separate_fn_name_with_space = False
-
-# If a statement is wrapped to more than one line, than dangle the closing
-# parenthesis on it's own line
-dangle_parens = False
-
-# If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this among, then force reject un-nested
-# layouts.
-max_prefix_chars = 2
-
-# If a candidate layout is wrapped horizontally but it exceeds this many lines,
-# then reject the layout.
-max_lines_hwrap = 2
-
-# What style line endings to use in the output.
-line_ending = 'unix'
-
-# Format command names consistently as 'lower' or 'upper' case
-command_case = 'canonical'
-
-# Format keywords consistently as 'lower' or 'upper' case
-keyword_case = 'unchanged'
-
-# Specify structure for custom cmake functions
-additional_commands = {
-  "pkg_find": {
-    "kwargs": {
-      "PKG": "*"
-    }
-  }
-}
-
-# A list of command names which should always be wrapped
-always_wrap = []
-
-# Specify the order of wrapping algorithms during successive reflow attempts
-algorithm_order = [0, 1, 2, 3, 4]
-
-# If true, the argument lists which are known to be sortable will be sorted
-# lexicographically
-enable_sort = True
-
-# If true, the parsers may infer whether or not an argument list is sortable
-# (without annotation).
-autosort = False
-
-# If a comment line starts with at least this many consecutive hash characters,
-# then don't lstrip() them off. This allows for lazy hash rulers where the first
-# hash char is not separated by space
-hashruler_min_length = 10
-
-# A dictionary containing any per-command configuration overrides. Currently
-# only `command_case` is supported.
-per_command = {}
-
-
-# --------------------------
-# Comment Formatting Options
-# --------------------------
-# What character to use for bulleted lists
-bullet_char = '*'
-
-# What character to use as punctuation after numerals in an enumerated list
-enum_char = '.'
-
-# enable comment markup parsing and reflow
-enable_markup = True
-
-# If comment markup is enabled, don't reflow the first comment block in each
-# listfile. Use this to preserve formatting of your copyright/license
-# statements.
-first_comment_is_literal = False
-
-# If comment markup is enabled, don't reflow any comment block which matches
-# this (regex) pattern. Default is `None` (disabled).
-literal_comment_pattern = None
-
-# Regular expression to match preformat fences in comments
-# default=r'^\s*([`~]{3}[`~]*)(.*)$'
-fence_pattern = '^\\s*([`~]{3}[`~]*)(.*)$'
-
-# Regular expression to match rulers in comments
-# default=r'^\s*[^\w\s]{3}.*[^\w\s]{3}$'
-ruler_pattern = '^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'
-
-# If true, then insert a space between the first hash char and remaining hash
-# chars in a hash ruler, and normalize it's length to fill the column
-canonicalize_hashrulers = True
-
-
-# ---------------------------------
-# Miscellaneous Options
-# ---------------------------------
-# If true, emit the unicode byte-order mark (BOM) at the start of the file
-emit_byteorder_mark = False
-
-# Specify the encoding of the input file. Defaults to utf-8.
-input_encoding = 'utf-8'
-
-# Specify the encoding of the output file. Defaults to utf-8. Note that cmake
-# only claims to support utf-8 so be careful when using anything else
-output_encoding = 'utf-8'

.cmake-format.json

@@ -0,0 +1,254 @@
+{
+	"_help_format": "Options affecting formatting.",
+	"format": {
+		"_help_disable": [
+			"Disable formatting entirely, making cmake-format a no-op"
+		],
+		"disable": false,
+		"_help_line_width": [
+			"How wide to allow formatted cmake files"
+		],
+		"line_width": 100,
+		"_help_tab_size": [
+			"How many spaces to tab for indent"
+		],
+		"tab_size": 4,
+		"_help_use_tabchars": [
+			"If true, lines are indented using tab characters (utf-8",
+			"0x09) instead of <tab_size> space characters (utf-8 0x20).",
+			"In cases where the layout would require a fractional tab",
+			"character, the behavior of the  fractional indentation is",
+			"governed by <fractional_tab_policy>"
+		],
+		"use_tabchars": true,
+		"_help_fractional_tab_policy": [
+			"If <use_tabchars> is True, then the value of this variable",
+			"indicates how fractional indentions are handled during",
+			"whitespace replacement. If set to 'use-space', fractional",
+			"indentation is left as spaces (utf-8 0x20). If set to",
+			"`round-up` fractional indentation is replaced with a single",
+			"tab character (utf-8 0x09) effectively shifting the column",
+			"to the next tabstop"
+		],
+		"fractional_tab_policy": "use-space",
+		"_help_max_subgroups_hwrap": [
+			"If an argument group contains more than this many sub-groups",
+			"(parg or kwarg groups) then force it to a vertical layout."
+		],
+		"max_subgroups_hwrap": 2,
+		"_help_max_pargs_hwrap": [
+			"If a positional argument group contains more than this many",
+			"arguments, then force it to a vertical layout."
+		],
+		"max_pargs_hwrap": 6,
+		"_help_max_rows_cmdline": [
+			"If a cmdline positional group consumes more than this many",
+			"lines without nesting, then invalidate the layout (and nest)"
+		],
+		"max_rows_cmdline": 2,
+		"_help_separate_ctrl_name_with_space": [
+			"If true, separate flow control names from their parentheses",
+			"with a space"
+		],
+		"separate_ctrl_name_with_space": false,
+		"_help_separate_fn_name_with_space": [
+			"If true, separate function names from parentheses with a",
+			"space"
+		],
+		"separate_fn_name_with_space": false,
+		"_help_dangle_parens": [
+			"If a statement is wrapped to more than one line, than dangle",
+			"the closing parenthesis on its own line."
+		],
+		"dangle_parens": true,
+		"_help_dangle_align": [
+			"If the trailing parenthesis must be 'dangled' on its on",
+			"line, then align it to this reference: `prefix`: the start",
+			"of the statement,  `prefix-indent`: the start of the",
+			"statement, plus one indentation  level, `child`: align to",
+			"the column of the arguments"
+		],
+		"dangle_align": "prefix",
+		"_help_min_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is smaller than this amount, then force reject",
+			"nested layouts."
+		],
+		"min_prefix_chars": 4,
+		"_help_max_prefix_chars": [
+			"If the statement spelling length (including space and",
+			"parenthesis) is larger than the tab width by more than this",
+			"amount, then force reject un-nested layouts."
+		],
+		"max_prefix_chars": 10,
+		"_help_max_lines_hwrap": [
+			"If a candidate layout is wrapped horizontally but it exceeds",
+			"this many lines, then reject the layout."
+		],
+		"max_lines_hwrap": 2,
+		"_help_line_ending": [
+			"What style line endings to use in the output."
+		],
+		"line_ending": "unix",
+		"_help_command_case": [
+			"Format command names consistently as 'lower' or 'upper' case"
+		],
+		"command_case": "canonical",
+		"_help_keyword_case": [
+			"Format keywords consistently as 'lower' or 'upper' case"
+		],
+		"keyword_case": "unchanged",
+		"_help_always_wrap": [
+			"A list of command names which should always be wrapped"
+		],
+		"always_wrap": [],
+		"_help_enable_sort": [
+			"If true, the argument lists which are known to be sortable",
+			"will be sorted lexicographicall"
+		],
+		"enable_sort": true,
+		"_help_autosort": [
+			"If true, the parsers may infer whether or not an argument",
+			"list is sortable (without annotation)."
+		],
+		"autosort": false,
+		"_help_require_valid_layout": [
+			"By default, if cmake-format cannot successfully fit",
+			"everything into the desired linewidth it will apply the",
+			"last, most agresive attempt that it made. If this flag is",
+			"True, however, cmake-format will print error, exit with non-",
+			"zero status code, and write-out nothing"
+		],
+		"require_valid_layout": false,
+		"_help_layout_passes": [
+			"A dictionary mapping layout nodes to a list of wrap",
+			"decisions. See the documentation for more information."
+		],
+		"layout_passes": {}
+	},
+	"_help_markup": "Options affecting comment reflow and formatting.",
+	"markup": {
+		"_help_bullet_char": [
+			"What character to use for bulleted lists"
+		],
+		"bullet_char": "*",
+		"_help_enum_char": [
+			"What character to use as punctuation after numerals in an",
+			"enumerated list"
+		],
+		"enum_char": ".",
+		"_help_first_comment_is_literal": [
+			"If comment markup is enabled, don't reflow the first comment",
+			"block in each listfile. Use this to preserve formatting of",
+			"your copyright/license statements."
+		],
+		"first_comment_is_literal": false,
+		"_help_literal_comment_pattern": [
+			"If comment markup is enabled, don't reflow any comment block",
+			"which matches this (regex) pattern. Default is `None`",
+			"(disabled)."
+		],
+		"literal_comment_pattern": null,
+		"_help_fence_pattern": [
+			"Regular expression to match preformat fences in comments",
+			"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
+		],
+		"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
+		"_help_ruler_pattern": [
+			"Regular expression to match rulers in comments default=",
+			"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
+		],
+		"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
+		"_help_explicit_trailing_pattern": [
+			"If a comment line matches starts with this pattern then it",
+			"is explicitly a trailing comment for the preceding",
+			"argument. Default is '#<'"
+		],
+		"explicit_trailing_pattern": "#<",
+		"_help_hashruler_min_length": [
+			"If a comment line starts with at least this many consecutive",
+			"hash characters, then don't lstrip() them off. This allows",
+			"for lazy hash rulers where the first hash char is not",
+			"separated by space"
+		],
+		"hashruler_min_length": 10,
+		"_help_canonicalize_hashrulers": [
+			"If true, then insert a space between the first hash char and",
+			"remaining hash chars in a hash ruler, and normalize its",
+			"length to fill the column"
+		],
+		"canonicalize_hashrulers": true,
+		"_help_enable_markup": [
+			"enable comment markup parsing and reflow"
+		],
+		"enable_markup": true
+	},
+	"_help_lint": "Options affecting the linter",
+	"lint": {
+		"_help_disabled_codes": [
+			"a list of lint codes to disable"
+		],
+		"disabled_codes": [],
+		"_help_function_pattern": [
+			"regular expression pattern describing valid function names"
+		],
+		"function_pattern": "[0-9a-z_]+",
+		"_help_macro_pattern": [
+			"regular expression pattern describing valid macro names"
+		],
+		"macro_pattern": "[0-9A-Z_]+",
+		"_help_global_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global (cache) scope"
+		],
+		"global_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_internal_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with global scope (but internal semantic)"
+		],
+		"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
+		"_help_local_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"variables with local scope"
+		],
+		"local_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_private_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"privatedirectory variables"
+		],
+		"private_var_pattern": "_[0-9a-z_]+",
+		"_help_public_var_pattern": [
+			"regular expression pattern describing valid names for public",
+			"directory variables"
+		],
+		"public_var_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_argument_var_pattern": [
+			"regular expression pattern describing valid names for",
+			"function/macro arguments and loop variables."
+		],
+		"argument_var_pattern": "[a-z][a-z0-9_]+",
+		"_help_keyword_pattern": [
+			"regular expression pattern describing valid names for",
+			"keywords used in functions or macros"
+		],
+		"keyword_pattern": "[A-Z][0-9A-Z_]+",
+		"_help_max_conditionals_custom_parser": [
+			"In the heuristic for C0201, how many conditionals to match",
+			"within a loop in before considering the loop a parser."
+		],
+		"max_conditionals_custom_parser": 2,
+		"_help_min_statement_spacing": [
+			"Require at least this many newlines between statements"
+		],
+		"min_statement_spacing": 1,
+		"_help_max_statement_spacing": [
+			"Require no more than this many newlines between statements"
+		],
+		"max_statement_spacing": 2,
+		"max_returns": 6,
+		"max_branches": 12,
+		"max_arguments": 5,
+		"max_localvars": 15,
+		"max_statements": 50
+	}
+}

.dockerignore

@@ -0,0 +1,3 @@
+*
+!config/
+!docker/

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# This commit formatted the Falco code for the first time.
+50b98b30e588eadce641136da85bc94a60eb6a3d

.github/release_template.md

@@ -0,0 +1,21 @@
+[![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/LIBSVER)
+[![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/DRIVERVER)
+
+| Packages | Download                                                                                                                                               |
+| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
+| deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
+| tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
+| tgz-static-x86_64      | [![tgz-static](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-static-x86_64.tar.gz) |
+| rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
+| deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
+| tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
+
+| Images                                                                    |
+|---------------------------------------------------------------------------|
+| `docker pull docker.io/falcosecurity/falco:FALCOVER`                      |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                 |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`        |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian`               |
+

.github/workflows/bump-libs.yaml

@@ -0,0 +1,63 @@
+---
+name: Bump Libs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 6 * * 1' # on each monday 6:30
+
+# Checks if any concurrent jobs is running for kernels CI and eventually cancel it.
+concurrency:
+  group: bump-libs-ci
+  cancel-in-progress: true
+
+jobs:
+  bump-libs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Download libs master tar.gz
+        run: |
+          wget https://github.com/falcosecurity/libs/archive/refs/heads/master.tar.gz
+
+      - name: Store libs hash and shasum
+        id: store
+        run: |
+          gunzip -c master.tar.gz > master.tar
+          commit=$(cat master.tar | git get-tar-commit-id)
+          echo "COMMIT=$commit" >> "$GITHUB_OUTPUT"
+          wget https://github.com/falcosecurity/libs/archive/$commit.tar.gz
+          echo "SHASUM=$(sha256sum $commit.tar.gz | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: falco
+
+      - name: Bump libs version and hash
+        run: |
+          cd falco
+          sed -i -E '45s/FALCOSECURITY_LIBS_VERSION "(.+)"/FALCOSECURITY_LIBS_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '47s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '38s/DRIVER_VERSION "(.+)"/DRIVER_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/driver.cmake
+          sed -i -E '40s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/driver.cmake
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        with:
+          path: falco
+          signoff: true
+          base: master
+          branch: update/libs
+          title: 'update(cmake): update libs and driver to latest master'
+          body: |
+            This PR updates libs and driver to latest commit.
+            /kind release
+            /area build
+            ```release-note
+            NONE
+            ```
+          commit-message: 'update(cmake): update libs and driver to latest master.'
+          token: ${{ secrets.GITHUB_TOKEN }}	  

.github/workflows/ci.yml

@@ -1,7 +1,9 @@
 name: CI Build
 on:
   pull_request:
-    branches: [master]
+    branches:
+      - master
+      - release/*
   workflow_dispatch:
 
 # Checks if any concurrent jobs under the same pull request or branch are being executed
@@ -10,105 +12,146 @@ concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+  
 jobs:
-  build-minimal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml
+
+  build-dev-packages-x86_64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+      enable_debug: true
+      enable_sanitizers: true
+      use_mimalloc: true
+
+  build-dev-packages-arm64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+      enable_debug: true
+      use_mimalloc: true
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages-x86_64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
+    with:
+      arch: x86_64
+#      sanitizers: ${{ matrix.static == '' && true || false }}
+      sanitizers: true
+#      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  build-dev-minimal:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: true
+      build_type: Debug
+
+  build-dev-minimal-arm64:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: aarch64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: true
+      build_type: Debug
+
+  # builds using system deps, checking out the PR's code
+  # note: this also runs a command that generates an output of form: "<engine_version> <some_hash>",
+  # of which <some_hash> is computed by hashing in order the following:
+  # - Driver schema version supported by the built-in falcosecurity/libs
+  # - The supported event types usable in Falco rules (evt.type=xxx)
+  # - The supported rules fields with their name, type, and description
+  build-dev:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: false
+      sanitizers: true
+      build_type: Debug
+      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
+
+  # checks the falco engine checksum for consistency
+  check-engine-checksum:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout PR head ref
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-
-      - name: Prepare project
+      - name: Check Engine checksum
         run: |
-          mkdir build-minimal
-          pushd build-minimal
-          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
+          prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          
+          echo "encoded checksum: $prev_hash"
+          echo "current checksum: $cur_hash"
+          if [ $prev_hash != $cur_hash ]; then
+            echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
+            exit 1
+          else
+            echo "current and encoded engine checksum are matching"
+          fi
 
-      - name: Build
-        run: |
-          pushd build-minimal
-          make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build-minimal
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+  # checks the falco engine version and enforce bumping when necessary
+  check-engine-version:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout base ref
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.base_ref }}
 
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
+      - name: Check Engine version
         run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
+          base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          base_engine_ver_major=$(grep ENGINE_VERSION_MAJOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_minor=$(grep ENGINE_VERSION_MINOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_patch=$(grep ENGINE_VERSION_PATCH "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver="${base_engine_ver_major}.${base_engine_ver_minor}.${base_engine_ver_patch}"
 
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          cur_engine_ver=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 1)
 
-      - name: Run unit tests
-        run: |
-          pushd build
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal-debug:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
-        run: |
-          mkdir build
-          pushd build
-          cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build
-          sudo ./unit_tests/falco_unit_tests 
-          popd
+          echo "baseref checksum: $base_hash"
+          echo "baseref engine version: $base_engine_ver"
+          echo "headref checksum: $cur_hash"
+          echo "headref engine version: $cur_engine_ver"
+          if [ "$base_hash" != "$cur_hash" ]; then
+              echo "engine checksum for baseref and headref differ"
+              if [ "$base_engine_ver" == "$cur_engine_ver" ]; then
+                  echo "engine version must be bumped"
+                  exit 1
+              else
+                  echo "engine version for baseref and headref differ too, so no bump is required"
+              fi
+          fi

.github/workflows/codeql.yaml

@@ -18,10 +18,13 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ "master" ]
 
+permissions:  
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -36,19 +39,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       with:
         fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
@@ -56,20 +59,15 @@ jobs:
       run: sudo apt update -y
 
     - name: Install build dependencies
-      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
 
     - name: Prepare project
       run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On ..
-          popd
+          cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
 
     - name: Build
       run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5

.github/workflows/codespell.yml

@@ -1,12 +1,16 @@
 name: Codespell
 on:
   pull_request:
+    
+permissions:  
+  contents: read
+
 jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: codespell-project/actions-codespell@master
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
       with:
         skip: .git
         ignore_words_file: .codespellignore

.github/workflows/engine-version-weakcheck.yaml

@@ -0,0 +1,44 @@
+# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!
+# DO NOT TOUCH THIS FILE UNLESS THE TRIGGER IS CHANGED.
+# See warning in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+
+name: Engine version checks (weak)
+on:
+  pull_request_target:
+    paths:
+      - 'userspace/engine/*.cpp'
+      - 'userspace/engine/*.h'
+
+permissions:  
+  contents: read
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      engine_version_changed: ${{ steps.filter.outputs.engine_version }}
+    steps:
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+      id: filter
+      with:
+        filters: |
+          engine_version:
+            - 'userspace/engine/falco_engine_version.h'
+
+  check-engine-version-weak:
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+    needs: paths-filter
+    if: needs.paths-filter.outputs.engine_version_changed == 'false'
+    steps:
+      - name: Check driver Falco engine version
+        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
+        with:
+          message: |
+            This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
+
+            Please double check **userspace/engine/falco_engine_version.h** file. See [versioning for FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-repo-this-repo).
+
+            /hold

.github/workflows/format.yaml

@@ -0,0 +1,38 @@
+name: Format code
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - "release/**"
+
+jobs:
+  format:
+    name: format code 🐲
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository 🎉
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install deps ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends ca-certificates pip git
+          pip install pre-commit
+
+      - name: Run pre-commit ©️
+        run: |
+          pre-commit run --all-files
+
+      - name: Generate the git-diff 🚒
+        if: failure()
+        run: git diff > format_diff.patch
+
+      - name: Upload the git diff artifact 📦
+        if: failure()
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: format_diff.patch
+          path: ./format_diff.patch

.github/workflows/images_bumper.yml

@@ -1,64 +0,0 @@
-name: Builder and Tester Images Bumper
-
-on:
-  push:
-    branches: [master]
-
-jobs:
-  paths-filter:
-    runs-on: ubuntu-latest
-    outputs:
-      builder_changed: ${{ steps.filter.outputs.builder }}
-      tester_changed: ${{ steps.filter.outputs.tester }}
-    steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
-      id: filter
-      with:
-        filters: |
-          builder:
-            - 'docker/builder/**'
-          tester:
-            - 'docker/tester/**'
-
-  update-builder-tester-images:
-    runs-on: ubuntu-22.04
-    needs: paths-filter
-    if: needs.paths-filter.outputs.builder_changed == 'true' || needs.paths-filter.outputs.tester_changed == 'true'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_SECRET }}
-          
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: 'amd64,arm64'
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      
-      - name: Build and push new builder image
-        if: needs.paths-filter.outputs.builder_changed == 'true'
-        uses: docker/build-push-action@v3
-        with:
-          context: docker/builder
-          platforms: linux/amd64,linux/arm64
-          tags: latest
-          push: true
-
-      - name: Build and push new tester image
-        if: needs.paths-filter.outputs.tester_changed == 'true'
-        uses: docker/build-push-action@v3
-        with:
-          context: docker/tester
-          platforms: linux/amd64,linux/arm64
-          tags: latest
-          push: true

.github/workflows/insecure-api.yaml

@@ -0,0 +1,29 @@
+name: Insecure API check
+on:
+  pull_request:
+    branches:
+      - master
+      - 'release/**'
+      - 'maintainers/**'
+
+permissions:  
+  contents: read
+
+jobs:
+  insecure-api:
+    name: check-insecure-api
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
+    steps:
+      - name: Checkout Falco ⤵️
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+      - name: Scan PR for insecure API usage 🕵️
+        run: |
+          semgrep scan \
+            --error \
+            --metrics=off \
+            --baseline-commit ${{ github.event.pull_request.base.sha }} \
+            --config=./semgrep

.github/workflows/master.yaml

@@ -6,40 +6,11 @@ on:
 # Checks if any concurrent jobs is running for master CI and eventually cancel it
 concurrency:
   group: ci-master
-  cancel-in-progress: true  
+  cancel-in-progress: true
 
 jobs:
-  # We need to use an ubuntu-latest to fetch Falco version because
-  # Falco version is computed by some cmake scripts that do git sorceries
-  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
-  # fully clone the repo, but uses http rest api instead.
   fetch-version:
-    runs-on: ubuntu-latest
-    # Map the job outputs to step outputs
-    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          
-      - name: Install build dependencies
-        run: |
-          sudo apt update 
-          sudo apt install -y cmake build-essential
-      
-      - name: Configure project
-        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
-      - name: Load and store Falco version output
-        id: store_version
-        run: |
-          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT     
+    uses: ./.github/workflows/reusable_fetch_version.yaml 
 
   build-dev-packages:
     needs: [fetch-version]
@@ -56,9 +27,32 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
     secrets: inherit
-    
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
+    with:
+      arch: x86_64
+#      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+  
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
   publish-dev-packages:
-    needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
+    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'

.github/workflows/release.yaml

@@ -6,17 +6,17 @@ on:
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
   group: ci-release
-  cancel-in-progress: true  
+  cancel-in-progress: true
 
 jobs:
   release-settings:
     runs-on: ubuntu-latest
     outputs:
-      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      is_latest: ${{ steps.get_settings.outputs.is_latest }}
       bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
     steps:
       - name: Get latest release
-        uses: rez0n/actions-github-release@v2.0
+        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
         id: latest_release
         env:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -56,6 +56,7 @@ jobs:
     with:
       arch: x86_64
       version: ${{ github.event.release.tag_name }}
+      use_jemalloc: true
     secrets: inherit
 
   build-packages-arm64:
@@ -64,16 +65,40 @@ jobs:
     with:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
+      use_jemalloc: true
     secrets: inherit
-    
+
+  test-packages:
+    needs: [release-settings, build-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
+    with:
+      arch: x86_64
+#      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ github.event.release.tag_name }}
+
+  test-packages-arm64:
+    needs: [release-settings, build-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ github.event.release.tag_name }}
+
   publish-packages:
-    needs: [release-settings, build-packages, build-packages-arm64]
+    needs: [release-settings, test-packages, test-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
       version: ${{ github.event.release.tag_name }}
     secrets: inherit
-  
+
   # Both build-docker and its arm64 counterpart require build-packages because they use its output
   build-docker:
     needs: [release-settings, build-packages, publish-packages]
@@ -84,7 +109,7 @@ jobs:
       version: ${{ github.event.release.tag_name }}
       tag: ${{ github.event.release.tag_name }}
     secrets: inherit
-    
+
   build-docker-arm64:
     needs: [release-settings, build-packages, publish-packages]
     uses: ./.github/workflows/reusable_build_docker.yaml
@@ -103,3 +128,66 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
+
+  release-body:
+    needs: [release-settings, publish-docker]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Extract LIBS and DRIVER versions
+        run: |
+          cp .github/release_template.md release-body.md
+          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
+          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
+          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
+          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
+
+      - name: Append release matrixes
+        run: |
+          sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
+          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
+
+      - name: Generate release notes
+        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
+        with:
+          milestone: ${{ github.event.release.tag_name }}
+          output: ./notes.md
+
+      - name: Merge release notes to pre existent body
+        run: cat notes.md >> release-body.md
+
+      - name: Attach release creator to release body
+        run: |
+          echo "" >> release-body.md
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
+
+      - name: Download debug symbols for Falco x86_64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-x86_64.debug
+
+      - name: Rename x86_64 debug symbols
+        run: mv falco.debug falco-x86_64.debug
+
+      - name: Download debug symbols for Falco aarch64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-aarch64.debug
+
+      - name: Rename aarch64 debug symbols
+        run: mv falco.debug falco-aarch64.debug
+
+      - name: Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        with:
+          body_path: ./release-body.md
+          tag_name: ${{ github.event.release.tag_name }}
+          name: ${{ github.event.release.name }}
+          files: |
+            falco-x86_64.debug
+            falco-aarch64.debug

.github/workflows/reusable_build_dev.yaml

@@ -0,0 +1,93 @@
+# This is a reusable workflow used by the master CI
+on:
+  workflow_call:
+    outputs:
+      cmdout:
+        description: "Post-build command output"
+        value: ${{ jobs.build-and-test.outputs.cmdout }}
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      minimal:
+        description: Minimal build
+        required: true
+        type: boolean
+      sanitizers:
+        description: Enable sanitizer support
+        required: false
+        default: false
+        type: boolean
+      build_type:
+        description: One of 'Debug' or 'Release'
+        required: true
+        type: string
+      git_ref:
+        description: Git ref used for checking out the code
+        required: true
+        type: string
+      cmd:
+        description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
+        required: false
+        default: ''
+        type: string
+
+permissions: 
+  contents: read
+
+jobs:
+  build-and-test:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    outputs:
+      cmdout: ${{ steps.run_cmd.outputs.out }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.git_ref }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libelf-dev libyaml-cpp-dev cmake build-essential git -y
+
+      - name: Install build dependencies (non-minimal)
+        if: inputs.minimal != true
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S .\
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DBUILD_FALCO_MODERN_BPF=Off \
+            -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
+            -DUSE_BUNDLED_DEPS=Off \
+            -DUSE_BUNDLED_NLOHMANN_JSON=On \
+            -DUSE_BUNDLED_CXXOPTS=On \
+            -DUSE_BUNDLED_CPPHTTPLIB=On \
+
+      - name: Build
+        run: |
+          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests
+          popd
+
+      - name: Run command
+        id: run_cmd
+        if: inputs.cmd != ''
+        run: |
+          OUT=$(${{ inputs.cmd }})
+          echo "out=${OUT}" >> $GITHUB_OUTPUT

.github/workflows/reusable_build_docker.yaml

@@ -20,54 +20,70 @@ on:
         required: true
         type: string
 
-# Here we just build all docker images as tarballs, 
+# Here we just build all docker images as tarballs,
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
-# In this way, we don't need to publish any arch specific image, 
+# In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
+
+permissions:
+  contents: read
+
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     env:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
-        
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-          
-      - name: Build no-driver image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
-            
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
       - name: Build falco image
         run: |
-          cd ${{ github.workspace }}/docker/falco/
-          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+          docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
 
+      - name: Build falco-debian image
+        run: |
+          docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
+
       - name: Build falco-driver-loader image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader/
-          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
+          docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
-            
+
+      - name: Build falco-driver-loader-buster image
+        run: |
+          docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
+
       - name: Upload images tarballs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-images
+          name: falco-images-${{ inputs.arch }}
           path: /tmp/falco-*.tar
+          retention-days: 1

.github/workflows/reusable_build_packages.yaml

@@ -10,112 +10,236 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
+      enable_debug:
+        description: Also create a debug build
+        required: false
+        type: boolean
+        default: false
+      enable_sanitizers:
+        description: Also create a sanitizer build
+        required: false
+        type: boolean
+        default: false
+      use_jemalloc:
+        description: Use jemalloc memory allocator
+        required: false
+        type: boolean
+        default: false
+      use_mimalloc:
+        description: Use mimalloc memory allocator
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
 
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
-    container: fedora:latest
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    container: fedora:41
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
-    
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Build modern BPF skeleton
         run: |
-          mkdir skeleton-build && cd skeleton-build
-          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
-          make ProbeSkeleton -j6
-          
+          cmake -B skeleton-build -S . \
+                -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
+          cmake --build skeleton-build --target ProbeSkeleton -j6
+
       - name: Upload skeleton
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
-          
-  build-packages:
+          retention-days: 1
+
+  build-packages-release:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     needs: [build-modern-bpf-skeleton]
-    container: centos:7
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Install build dependencies
+      - name: Install build deps
         run: |
-          yum -y install centos-release-scl
-          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
-          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build
-    
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien
+
+      - name: Install systemd rpm macros
+        run: |
+          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
+          sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm
+
       - name: Checkout
-        uses: actions/checkout@v3
-    
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
       - name: Download skeleton
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: /tmp
-          
-      - name: Install updated cmake
-        run: |
-          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
-          gzip -d /tmp/cmake.tar.gz
-          tar -xpf /tmp/cmake.tar --directory=/tmp
-          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
-          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
-    
+
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
+
       - name: Prepare project
         run: |
-          mkdir build && cd build
-          source /opt/rh/devtoolset-9/enable
-          cmake \
-              -DCMAKE_BUILD_TYPE=Release \
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=RelWithDebInfo \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
-              -DBUILD_FALCO_MODERN_BPF=ON \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DFALCO_VERSION=${{ inputs.version }} \
-              ..
-              
+              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
+              -DFALCO_VERSION=${{ inputs.version }}
+
       - name: Build project
         run: |
-          cd build
-          source /opt/rh/devtoolset-9/enable
-          make falco -j6
-      
+          cmake --build build --target falco -j6
+
       - name: Build packages
         run: |
-          cd build
-          source /opt/rh/devtoolset-9/enable
-          make package
+          cmake --build build --target package
 
       - name: Upload Falco tar.gz package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-*.tar.gz
-            
+
       - name: Upload Falco deb package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
           path: |
             ${{ github.workspace }}/build/falco-*.deb
-      
+
       - name: Upload Falco rpm package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
-            
+
+      - name: Upload Falco debug symbols
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/falco.debug
+
+  build-packages-debug:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    if: ${{ inputs.enable_debug == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
+  build-packages-sanitizers:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    if: ${{ inputs.enable_sanitizers == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Prepare project
+        # Jemalloc and ASAN don't play very well together.
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=Off \
+              -DUSE_MIMALLOC=Off \
+              -DUSE_ASAN=On \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
   build-musl-package:
     # x86_64 only for now
     if: ${{ inputs.arch == 'x86_64' }}
@@ -125,36 +249,164 @@ jobs:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-    
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-          
+
       - name: Prepare project
         run: |
-          mkdir build && cd build
-          cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
-          
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE=Release \
+                -DCPACK_GENERATOR=TGZ \
+                -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
+                -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+                -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
+                -DUSE_BUNDLED_DEPS=On \
+                -DMUSL_OPTIMIZED_BUILD=On \
+                -DFALCO_ETC_DIR=/etc/falco \
+                -DFALCO_VERSION=${{ inputs.version }}
+
       - name: Build project
         run: |
-          cd build
-          make -j6 all
-      
+          cmake --build build -j6
+
       - name: Build packages
         run: |
-          cd build
-          make -j6 package
+          cmake --build build -j6 --target package
 
       - name: Rename static package
         run: |
           cd build
-          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
-          
+          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
+
       - name: Upload Falco static package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
+
+  build-wasm-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: ubuntu-22.04
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          sudo apt update
+          sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
+
+      - name: Select node version
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: 14
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Prepare project
+        run: |
+          emcmake cmake -B build -S . \
+            -DCMAKE_BUILD_TYPE=Release \
+            -DUSE_BUNDLED_DEPS=On \
+            -DFALCO_ETC_DIR=/etc/falco \
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cd build
+          emmake make -j6 all
+
+      - name: Run unit Tests
+        run: |
+          cd build
+          node ./unit_tests/falco_unit_tests.js
+
+      - name: Build packages
+        run: |
+          cd build
+          emmake make -j6 package
+
+      - name: Upload Falco WASM package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-wasm.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
+
+  build-win32-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install NSIS
+        run: choco install nsis -y
+
+      # NOTE: Backslash doesn't work as line continuation on Windows.
+      - name: Prepare project
+        run: |
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target package --config Release
+
+      - name: Run unit Tests
+        run: |
+          build/unit_tests/Release/falco_unit_tests.exe
+
+      - name: Upload Falco win32 installer
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-installer-Release-win32.exe
+          path: build/falco-*.exe
+
+      - name: Upload Falco win32 package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-Release-win32.exe
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+
+  build-macos-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S . \
+                -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target package
+
+      - name: Run unit Tests
+        run: |
+          sudo build/unit_tests/falco_unit_tests
+
+      - name: Upload Falco macos package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-macos
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/falco

.github/workflows/reusable_fetch_version.yaml

@@ -0,0 +1,42 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "Falco version"
+        value: ${{ jobs.fetch-version.outputs.version }}
+
+permissions:  
+  contents: read
+
+jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not
+  # fully clone the repo, but uses http rest api instead.
+  fetch-version:
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install build dependencies
+        run: |
+          sudo apt update
+          sudo apt install -y cmake build-essential
+
+      - name: Configure project
+        run: |
+          cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off
+
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_docker.yaml

@@ -18,116 +18,132 @@ on:
         default: false
 
 permissions:
-  id-token: write
   contents: read
-  
+
 jobs:
   publish-docker:
     runs-on: ubuntu-latest
+
+    permissions:
+      attestations: write
+      id-token: write
+      contents: read
+
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-    
-      - name: Download images tarballs
-        uses: actions/download-artifact@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Download x86_64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: falco-images
+          name: falco-images-x86_64
           path: /tmp/falco-images
-      
+
+      - name: Download aarch64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-images-aarch64
+          path: /tmp/falco-images
+
       - name: Load all images
         run: |
           for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
-    
+
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
-      
+
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
           aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
-          
+
       - name: Login to Amazon ECR
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
         with:
-          registry-type: public    
-      
+          registry-type: public
+
       - name: Setup Crane
-        uses: imjasonh/setup-crane@v0.3
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
         with:
           version: v0.15.1
 
       # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
       - name: Push arch-specific images to Docker Hub
         run: |
-          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
+          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
           docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
+          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
 
-      - name: Create no-driver manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
-        with:
-          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          push: true
-          
-      - name: Tag slim manifest on Docker Hub
-        run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
-
-      - name: Create falco manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+      - name: Create Falco manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           push: true
-          
+
+      - name: Create falco-debian manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
+          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
+          push: true
+
       - name: Create falco-driver-loader manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
           push: true
 
+      - name: Create falco-driver-loader-buster manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
+          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
+          push: true
+
       - name: Get Digests for images
         id: digests
+        # We could probably use the docker-manifest-action output instead of recomputing those with crane
         run: |
-          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
           echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
 
       - name: Publish images to ECR
         run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
           crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
-          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
 
       - name: Tag latest on Docker Hub and ECR
         if: inputs.is_latest
         run: |
-          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
-          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
       - name: Setup Cosign
         if: inputs.sign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: v2.0.2
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       - name: Sign images with cosign
         if: inputs.sign
@@ -135,10 +151,24 @@ jobs:
           COSIGN_EXPERIMENTAL: "true"
           COSIGN_YES: "true"
         run: |
-          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
 
-          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco
+          subject-digest: ${{ steps.digests.outputs.falco }}
+          push-to-registry: true
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco-driver-loader
+          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
+          push-to-registry: true

.github/workflows/reusable_publish_packages.yaml

@@ -23,122 +23,118 @@ env:
 jobs:
   publish-packages:
     runs-on: ubuntu-latest
-    container: docker.io/centos:7
+    container: docker.io/library/fedora:38
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
-          yum install epel-release -y
-          yum update -y
-          yum install rpm-sign expect which createrepo gpg python python-pip -y
-          pip install awscli==1.19.47
+          dnf install rpm-sign expect which createrepo gpg python python-pip -y
+          pip install awscli==1.29.60
 
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
           aws-region: ${{ env.AWS_S3_REGION }}    
           
       - name: Download RPM x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
-          path: /tmp/falco-rpm
+          path: /tmp/falco-build-rpm
 
       - name: Download RPM aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
-          path: /tmp/falco-rpm
+          path: /tmp/falco-build-rpm
 
       - name: Download binary x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
-          path: /tmp/falco-bin
+          path: /tmp/falco-build-bin
 
       - name: Download binary aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
-          path: /tmp/falco-bin
+          path: /tmp/falco-build-bin
 
       - name: Download static binary x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
-          path: /tmp/falco-bin-static
-        
-      - name: Import gpg key 
+          path: /tmp/falco-build-bin-static
+
+      - name: Download WASM package
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ inputs.version }}-wasm.tar.gz
+          path: /tmp/falco-wasm
+
+      - name: Import gpg key
         env:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
-        
+
       - name: Sign rpms
         run: |
-          echo "%_signature gpg" > ~/.rpmmacros
-          echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-          echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
-          cat > ~/sign <<EOF
-          #!/usr/bin/expect -f
-          spawn rpmsign --addsign {*}\$argv
-          expect -exact "Enter pass phrase: "
-          send -- "\n"
-          expect eof
-          EOF
-          chmod +x ~/sign
-          ~/sign /tmp/falco-rpm/falco-*.rpm
-          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-rpm/falco-*.rpm | grep SHA256
+          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
+          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
+
+      - name: Publish wasm
+        run: |
+          ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz
           
       - name: Publish rpm
         run: |
-          ./scripts/publish-rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
+          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
       
       - name: Publish bin
         run: |
-          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
           
       - name: Publish static
         run: |
-          ./scripts/publish-bin -f /tmp/falco-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          
+          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+
   publish-packages-deb:
     runs-on: ubuntu-latest
     container: docker.io/debian:stable
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
           apt update -y
-          apt-get install apt-utils bzip2 gpg python python3-pip -y
-          pip install awscli
+          apt-get install apt-utils bzip2 gpg awscli -y
       
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
           aws-region: ${{ env.AWS_S3_REGION }}     
       
       - name: Download deb x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
-          path: /tmp/falco-deb
+          path: /tmp/falco-build-deb
 
       - name: Download deb aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
-          path: /tmp/falco-deb
+          path: /tmp/falco-build-deb
 
       - name: Import gpg key 
         env:
@@ -147,4 +143,4 @@ jobs:
           
       - name: Publish deb
         run: |
-          ./scripts/publish-deb -f /tmp/falco-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}
+          ./scripts/publish-deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}

.github/workflows/reusable_test_packages.yaml

@@ -0,0 +1,68 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      static:
+        description: Falco packages use a static build
+        required: false
+        type: boolean
+        default: false
+      version:
+        description: The Falco version to use when testing packages
+        required: true
+        type: string
+      sanitizers:
+        description: Use sanitizer enabled build
+        required: false
+        default: false
+        type: boolean
+
+permissions:  
+  contents: read
+  
+jobs:
+  test-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    steps:
+      - name: Download binary
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
+      
+      - name: Install Falco package
+        run: |
+          ls falco-*.tar.gz
+          tar -xvf $(ls falco-*.tar.gz)
+          cd falco-${{ inputs.version }}-${{ inputs.arch }}
+          sudo cp -r * /
+    
+      - name: Install kernel headers for falco-driver-loader tests
+        run: |
+          sudo apt update -y
+          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+
+      # Some builds use sanitizers, we always install support for them so they can run
+      - name: Install sanitizer support
+        if: inputs.sanitizers
+        run: |
+          sudo apt update -y
+          sudo apt install -y libasan5 libubsan1
+          
+      - name: Run tests
+        env:
+          LSAN_OPTIONS: "intercept_tls_get_addr=0"
+        uses: falcosecurity/testing@main
+        with:
+          test-falco: 'true'
+          test-falcoctl: 'true'
+          test-k8saudit: 'true'
+          test-dummy: 'true'
+          static: ${{ inputs.static && 'true' || 'false' }}
+          test-drivers: 'true'
+          show-all: 'true'
+          report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}

.github/workflows/scorecard.yaml

@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    # Weekly on Mondays at 00:00.
+    - cron: '0 0 * * 1'
+
+  # The OSSF recommendation encourages to enable branch protection rules trigger
+  # to update the scorecard
+  # (https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
+  # but due to our GitHub org management this check is triggered too often and is
+  # therefore disabled.
+  # branch_protection_rule:
+  
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif
+

.github/workflows/staticanalysis.yaml

@@ -1,13 +1,16 @@
 name: StaticAnalysis
 on:
   pull_request:
+permissions:  
+  contents: read
+
 jobs:
   staticanalysis:
     runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
@@ -19,13 +22,14 @@ jobs:
 
       - name: Build and run cppcheck 🏎️
         run: |
-          mkdir build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
-          make -j4 cppcheck
-          make -j4 cppcheck_htmlreport
+          cmake -B build -S . \
+                -DCMAKE_BUILD_TYPE="release" \
+                -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off
+          cmake --build build -j4 --target cppcheck
+          cmake --build build -j4 --target cppcheck_htmlreport
 
       - name: Upload reports ⬆️
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: static-analysis-reports
           path: ./build/static-analysis-reports

.gitignore

@@ -2,14 +2,7 @@
 *~
 *.pyc
 
-test/traces-negative
-test/traces-positive
-test/traces-info
-test/job-results
-test/.phoronix-test-suite
-test/results*.json.*
-test/build
-
 .vscode/*
 
 *.idea*
+CMakeUserPresets.json

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+fail_fast: false
+minimum_pre_commit_version: '0'
+repos:
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+    stages: [commit]
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: v18.1.8
+  hooks:
+  - id: clang-format
+    types_or: [c++, c]
+    stages: [commit]
+- repo: local
+  hooks:
+  - id: dco-hook-local
+    name: DCO hook local
+    entry: ./tools/local_hooks/dco-pre-commit-msg.sh
+    language: script
+    stages: [prepare-commit-msg]

ADOPTERS.md

@@ -43,6 +43,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
+* [NETWAYS Web Services](https://nws.netways.de/en/) - NETWAYS Web Services provides cloud and managed services tailored to their customers needs. From VPCs to managed databases and Kubernetes clusters, NETWAYS Web Services enables their customers to run infrastructure and applications without worries. Falco plays its part for NETWAYS Managed Services to ensure their platform conforms to ISO 27001 at all times and that their clients' workloads behave as expected by detecting anomalies in real-time.
+
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
@@ -58,6 +60,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
 
+* [SafeDep](https://safedep.io/) - SafeDep is a open source software supply chain security platform that helps organizations identify and mitigate risks in their dependencies. At its core, SafeDep offers [`vet`](https://github.com/safedep/vet) a free and open source tool for detecting vulnerabilities, malicious code, and quality issues in open source components, while the enterprise offering, SafeDep Cloud, provides centralized control, data aggregation, and advanced features like malware analysis for large-scale deployments across thousands of repositories. 
+ 
 * [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
 
 * [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.
@@ -68,12 +72,20 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
 
-* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
-
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
+* [Thales Group](https://www.thalesgroup.com) Thales is a global technology leader with more than 81,000 employees on five continents. The Thales Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust. In the past few years, the Cloud-Native paradigms and its frameworks and tools have challenged the way applications and services are developed, delivered, and instantiated. All sorts of services are container-based workloads managed by higher level layers of orchestration such as the Kubernetes environment. Thales is committed to develop Cloud-Native services and to provide its customers with security features that ensure their applications and services are protected against cyber threats. Falco is a framework that can help Thales' products and services reach the level of trust, security and safety our clients need.
+
+* [Thought Machine](https://www.thoughtmachine.net) Thought Machine builds Vault Core and Vault Payments: cloud-native core and payments technology enabling banks and fintechs to remain competitive and flourish into the future. Vault Core and Vault Payments are the foundation layer of a bank's technology stack. They can run any bank, any product, and any payment set. Thought Machine uses Falco to perform cloud agnostic real time detections of suspicious container behaviour.
+
+* [Tulip Retail](https://tulip.com) Tulip Retail uses Falco to monitor container activity in our environments. It's numerous integration points, easy deployment and easily customizable rules were the main reasons we chose Falco.
+
+* [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).
+
 * [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
 
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
@@ -82,6 +94,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [StackRox](https://stackrox.io) is the industry’s first Kubernetes-native security platform enabling organizations to build, deploy, and run cloud-native applications securely. The platform works with Kubernetes environments and integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. StackRox aims to harness containerized applications’ development speed while giving operations and security teams greater context and risk profiling. StackRox leverages cloud-native principles and declarative artifacts to automate DevSecOps best practices.
 
+* [Wireshark](https://www.wireshark.org) is the world's most powerful and popular network protocol analyzer. The Wireshark team is combining Wireshark's features and Falco libs to create Logray, a cloud and system log analyzer with advanced filtering, capture, and scripting capabilities.
+
 ## Adding a name
 
 If you would like to add your name to this file, submit a pull request with your change.

CMakeLists.txt

@@ -1,60 +1,112 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)
 
 project(falco)
 
-option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
-option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(
+	MINIMAL_BUILD
+	"Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)"
+	OFF
+)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
+option(USE_ASAN "Build with AddressSanitizer" OFF)
+option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
+option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
+
+# Mem allocators - linux only for now
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+	# If one enables multiple allocators, cmake will fail since all of the allocators cmake modules
+	# create a `malloc` target.
+	option(USE_JEMALLOC "Use jemalloc allocator, linux only" OFF)
+	option(USE_MIMALLOC "Use mimalloc (microsoft) allocator, linux only" OFF)
+endif()
+
+if(WIN32)
+	if(POLICY CMP0091)
+		# Needed for CMAKE_MSVC_RUNTIME_LIBRARY
+		# https://cmake.org/cmake/help/latest/policy/CMP0091.html
+		cmake_policy(SET CMP0091 NEW)
+	endif()
+	set(CPACK_GENERATOR "NSIS") # this needs NSIS installed, and available
+elseif(APPLE)
+	set(CPACK_GENERATOR "DragNDrop")
+elseif(EMSCRIPTEN)
+	set(USE_BUNDLED_DEPS
+		ON
+		CACHE BOOL "" FORCE
+	)
+	set(BUILD_DRIVER
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(ENABLE_DKMS
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(BUILD_BPF
+		OFF
+		CACHE BOOL "" FORCE
+	)
+	set(CPACK_GENERATOR
+		TGZ
+		CACHE BOOL "" FORCE
+	)
+endif()
 
 # gVisor is currently only supported on Linux x86_64
-if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
-  option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
-  if (BUILD_FALCO_GVISOR)
-    add_definitions(-DHAS_GVISOR)
-  endif()
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
+   AND CMAKE_SYSTEM_NAME MATCHES "Linux"
+   AND NOT MINIMAL_BUILD
+)
+	option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
+	if(BUILD_FALCO_GVISOR)
+		add_definitions(-DHAS_GVISOR)
+	endif()
 endif()
 
 # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
 if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
-  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
-  if(BUILD_FALCO_MODERN_BPF)
-    add_definitions(-DHAS_MODERN_BPF)
-  endif()
+	option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON)
+	if(BUILD_FALCO_MODERN_BPF)
+		add_definitions(-DHAS_MODERN_BPF)
+	endif()
 endif()
 
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
-if (${EP_UPDATE_DISCONNECTED})
-  set_property(
-    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+if(${EP_UPDATE_DISCONNECTED})
+	set_property(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} PROPERTY EP_UPDATE_DISCONNECTED TRUE)
 endif()
 
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_EXTENSIONS OFF)
-
-# Elapsed time
-# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
+# Elapsed time set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") #
+# TODO(fntlnz, leodido): add a flag to enable this
 
 # Make flag for parallel processing
 include(ProcessorCount)
-processorcount(PROCESSOR_COUNT)
+ProcessorCount(PROCESSOR_COUNT)
 if(NOT PROCESSOR_COUNT EQUAL 0)
-  set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
+	set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
 endif()
 
 # Custom CMake modules
@@ -64,80 +116,37 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 include(GNUInstallDirs)
 
 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+	set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()
 
 # This will be used to print the architecture for which Falco is compiled.
-set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
-
-if(NOT FALCO_EXTRA_DEBUG_FLAGS)
-  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
-endif()
-
-string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
-if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+if(EMSCRIPTEN)
+	set(FALCO_TARGET_ARCH "wasm")
 else()
-  set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
-  add_definitions(-DBUILD_TYPE_RELEASE)
-endif()
-message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
-
-if(MINIMAL_BUILD)
-  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+	set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
 endif()
 
-if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -fPIE -pie")
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
-
-# explicitly set hardening flags
-set(CMAKE_POSITION_INDEPENDENT_CODE ON)
-set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
-if(CMAKE_BUILD_TYPE STREQUAL "release")
-  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
-endif()
-
-set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
-
-if(BUILD_WARNINGS_AS_ERRORS)
-  set(CMAKE_SUPPRESSED_WARNINGS
-      "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
-  )
-  set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
-endif()
-
-set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
-
-set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
-set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
-
-set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
-set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
-
-include(GetFalcoVersion)
+include(CompilerFlags)
 
 set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
 
-# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
-# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` This is the same
+# fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
 set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
 add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
 
 if(NOT DEFINED FALCO_COMPONENT_NAME)
-    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+	set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
 endif()
 
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-  set(CMAKE_INSTALL_PREFIX
-      /usr
-      CACHE PATH "Default install path" FORCE)
+	set(CMAKE_INSTALL_PREFIX
+		/usr
+		CACHE PATH "Default install path" FORCE
+	)
 endif()
 
 set(CMD_MAKE make)
@@ -147,69 +156,125 @@ include(ExternalProject)
 # libs
 include(falcosecurity-libs)
 
-# jq
-include(jq)
+# compute FALCO_VERSION (depends on libs)
+include(falco-version)
+
+# Mem allocators - linux only for now
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+
+	if(USE_JEMALLOC)
+		include(jemalloc)
+	endif()
+	if(USE_MIMALLOC)
+		include(mimalloc)
+	endif()
+
+	message(STATUS "Will use mem allocator library: ${MALLOC_LIB}")
+endif()
 
 # nlohmann-json
 include(njson)
 
-# b64
-include(b64)
-
 # yaml-cpp
 include(yaml-cpp)
 
-if(NOT MINIMAL_BUILD)
-  # OpenSSL
-  include(openssl)
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+	# OpenSSL
+	include(openssl)
 
-  # libcurl
-  include(curl)
+	# libcurl
+	include(curl)
 
-  # cpp-httlib
-  include(cpp-httplib)
+	# todo(jasondellaluce,rohith-raju): support webserver for non-linux builds too cpp-httlib
+	include(cpp-httplib)
 endif()
 
 include(cxxopts)
 
 # One TBB
-include(tbb)
+if(NOT EMSCRIPTEN)
+	include(tbb)
+endif()
 
+include(zlib)
+include(valijson)
 if(NOT MINIMAL_BUILD)
-  include(zlib)
-  include(cares)
-  include(protobuf)
-  # gRPC
-  include(grpc)
+	if(NOT WIN32
+	   AND NOT APPLE
+	   AND NOT EMSCRIPTEN
+	)
+		include(cares)
+		include(protobuf)
+		# gRPC
+		include(grpc)
+	endif()
 endif()
 
 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+if(WIN32)
+	set(FALCO_INSTALL_CONF_FILE
+		"%PROGRAMFILES%/${PACKAGE_NAME}-${FALCO_VERSION}/etc/falco/falco.yaml"
+	)
+	install(
+		FILES falco.yaml
+		DESTINATION etc/falco/
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION etc/falco/config.d
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+elseif(APPLE)
+	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
+	install(
+		FILES falco.yaml
+		DESTINATION etc/falco/
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION etc/falco/config.d
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+else()
+	set(FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml")
+	install(
+		FILES falco.yaml
+		DESTINATION "${FALCO_ETC_DIR}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ETC_DIR}/config.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+endif()
 
 if(NOT MINIMAL_BUILD)
-  # Coverage
-  include(Coverage)
-
-  # Tests
-  add_subdirectory(test)
+	# Coverage
+	include(Coverage)
 endif()
 
 # Rules
 include(rules)
 
-# Dockerfiles
-add_subdirectory(docker)
-
-# Clang format
-# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
+# Clang format add_custom_target(format COMMAND clang-format --style=file -i
+# $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
 # Static analysis
 include(static-analysis)
 
 # Shared build variables
-set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
-set(FALCO_PLUGINS_DIR ${FALCO_SHARE_DIR}/plugins)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
 
@@ -217,15 +282,46 @@ add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 
-if(NOT MUSL_OPTIMIZED_BUILD)
-  include(plugins)
-endif()
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT EMSCRIPTEN
+   AND NOT MUSL_OPTIMIZED_BUILD
+)
+	include(falcoctl)
+	include(container_plugin)
 
-include(falcoctl)
+	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local
+	# testing.
+	configure_file(${CMAKE_SOURCE_DIR}/falco.yaml ${CMAKE_BINARY_DIR} COPYONLY)
+	# The custom target configures the plugin and set its path
+	add_custom_target(
+		container
+		COMMAND sed -i 's,^load_plugins: .*,load_plugins: [container],g'
+				${CMAKE_BINARY_DIR}/falco.yaml
+		COMMAND sed -i 's,library_path: libcontainer.so,library_path: ${CONTAINER_LIBRARY},g'
+				${CMAKE_BINARY_DIR}/falco.yaml
+		DEPENDS container_plugin
+	)
+	# Let `make falco` also download container plugin
+	add_dependencies(falco container)
+
+	# Install the plugin
+	install(
+		FILES "${CONTAINER_LIBRARY}"
+		DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	# Install additional config override file to enable the container plugin
+	install(
+		FILES "${PROJECT_SOURCE_DIR}/config/falco.container_plugin.yaml"
+		DESTINATION "${FALCO_ETC_DIR}/config.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+endif()
 
 # Packages configuration
 include(CPackConfig)
 
 if(BUILD_FALCO_UNIT_TESTS)
-  add_subdirectory(unit_tests)
+	add_subdirectory(unit_tests)
 endif()

Contributing.md

@@ -0,0 +1,207 @@
+# How to contribute
+
+## Enforce coding style 💻
+
+### Introduction
+
+This document introduces the coding style that will be applied in this repository.
+This coding style involves all the following files: `.c`, `.h`, `.cpp`, `.cmake`, `CMakeLists.txt`. To enforce it we rely on two main tools:
+
+1. `clang-format` version `18.1.8`.
+2. `cmake-format` version `0.6.13`.
+
+> __Please note__: tools versions are important! Different versions will enforce slightly different changes on the code. For example `clang-format-18` will produce a slightly different output respect to `clang-format-17` always respecting the imposed style.
+
+The coding style is expressed through the 2 configuration file that you find in this repo: `.clang-format`, `.cmake-format.json`.  
+
+### Enforce the style locally
+
+There are many ways to enforce the style locally, here we will describe two of them:
+
+1. Use `pre-commit` framework.
+2. Use the repo `Makefile`.
+
+#### 1.Pre-commit framework (suggested if you don't have the 2 tools already installed on your machine)
+
+The `pre-commit` framework allows you to automatically install different `git-hooks` that will run at every new commit. More precisely, if you use the `.pre-commit-config.yaml` in this repo you will install 3 different hooks:
+
+1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
+2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
+3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
+
+Now let's see what we need to use `pre-commit` framework.
+
+##### Step 1
+
+Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
+
+> __Please note__: you have to follow only the "Installation" section.
+
+##### Step 2
+
+Once you have installed `pre-commit`, you don't need to install anything else! This is the good point of using a framework like `pre-commit`, all the tools necessary to format your code will be directly managed by the framework. But in order to be ready, you need to install the git hooks in your local repo.
+
+This simple command allows you to install the two `pre-commit` git hooks, `clang-format` and `cmake-format`.
+
+```bash
+pre-commit install --install-hooks --hook-type pre-commit --overwrite  
+```
+
+If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+You have done, at every new commit, this hook will check that your patch respects the coding style of this repo!
+
+If you want to detach the git hooks, you can simply type:
+
+```bash
+pre-commit uninstall --hook-type prepare-commit-msg
+pre-commit uninstall --hook-type pre-commit 
+```
+
+#### 2.Makefile
+
+##### Step 1
+
+In order to use the repo `Makefile`, you need to install on your local machine the two aforementioned tools:
+
+__clang-format v18.1.8__
+
+One of the easiest ways to install `clang-format` could be directly downloading its static binary from [here](https://github.com/muttleyxd/clang-tools-static-binaries).
+There are other ways for example you can download the package for your distro or you can also build it from sources.
+
+__cmake-format v0.6.13__
+
+To install `cmake-format` you can follow the official documentation [here](https://cmake-format.readthedocs.io/en/latest/installation.html).
+
+> __NOTE__: Please check the versions of the two tool with `clang-format --version` and `cmake-format --version`.
+
+##### Step 2
+
+Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
+
+Remember to do that before submitting a new patch upstream! 😁
+
+#### Other solutions
+
+Obviously, you can also install the 2 tools locally and enable some extension of your favorite IDE (like `VScode`) to format your code every time you save your files!
+
+## Add DCO signed-off to your commits 🔏
+
+### Introduction
+
+Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
+Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
+
+```bash
+git config --get user.name
+git config --get user.email
+```
+
+If they are correct you have done, otherwise, you have to set them:
+
+```bash
+git config user.name <full-name>
+git config user.email <mail-used_with-GitHub-profile>
+```
+
+>__Please note__: If you have problems in doing this you can read the full documentation [here](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git).
+
+### Enforce the DCO locally
+
+Now you are ready to sign your commits! You have two main ways to do this:
+
+1. Manually with `git` tool.
+2. Use the `pre-commit-msg` hook quoted before.
+
+### Manually
+
+To do this you just need to remember the `-s` while performing your commits:
+
+```bash
+git commit -s
+```
+
+or with the inline message:
+
+```bash
+git commit -s -m "my first commit"
+```
+
+### Use `pre-commit` hook
+
+Here if you have already added the hook in the [previous section](#step-2), you have to do nothing otherwise you have to simply install the DCO hook with:
+
+```bash
+pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite 
+```
+
+And you have done! Now you don't have to remember the `-s` option every time you commit something, the DCO hook will automatically add the DCO if you forget it! 😄
+
+## Some best practices 📏
+
+### Class variables
+
+To know whether a variable belongs to a `class` or a `function`, we start member variables with `m_`.
+
+Example:
+
+```c
+    public int32_t m_counter;
+```
+
+### Global variables
+
+To know whether the variable is global or not, we start globals with `g_`.
+
+Example:
+
+```c
+    int g_nplugins;
+```
+
+### Capitalization
+
+The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
+
+Example:
+
+```c
+    int32_t g_global_bean_counter;
+    int32_t count_beans();
+```
+
+and not,
+
+```c
+    int32_t GlobalBeanCounter;
+    int32_t CountBeans();
+```
+
+### Packed Structures
+
+Packed structures should use the GCC and MSVC-style supported `pragma`:
+
+Example:
+
+```c
+    #pragma pack(push,1)
+    struct frame_control
+    {
+        struct fields....
+    };
+    #pragma pack(pop)
+```
+
+### 64-bit constants
+
+Put an `LL` at the end of your `64-bit` constants. Without the `LL`, some platform compilers try to interpret the constant on the right-hand side as a `long integer` instead of a `long long` and this could lead to an error at building time.
+
+Example:
+
+```c
+    x=0X00FF00000000000LL
+```

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2019 The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -0,0 +1,81 @@
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# mofidy the following variables to match your paths
+CLANG_FORMAT_EXE ?= clang-format
+CLANG_FORMAT_VERSION = "$(shell ${CLANG_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CLANG_FORMAT_DESIRED_VERSION ="18.1.8"
+
+CMAKE_FORMAT_EXE ?= cmake-format
+CMAKE_FORMAT_VERSION = "$(shell ${CMAKE_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
+CMAKE_FORMAT_DESIRED_VERSION = "0.6.13"
+
+PROJECT_ROOT_DIR = $(shell git rev-parse --show-toplevel)
+
+######################
+#    Clang-format    #
+######################
+.PHONY: clang-format-install
+clang-format-install:
+ifeq (, $(shell ${CLANG_FORMAT_EXE} --version))
+	@echo "${CLANG_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CLANG_FORMAT_VERSION), $(CLANG_FORMAT_DESIRED_VERSION))
+	@echo "${CLANG_FORMAT_EXE} version is not '${CLANG_FORMAT_DESIRED_VERSION}'. Actual version is '${CLANG_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-clang
+format-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -i
+
+.PHONY: check-clang
+check-clang: clang-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -n
+
+######################
+#    Cmake-format    #
+######################
+.PHONY: cmake-format-install
+cmake-format-install:
+ifeq (, $(shell ${CMAKE_FORMAT_EXE} --version))
+	@echo "${CMAKE_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
+	@exit 1
+endif
+
+ifneq ($(CMAKE_FORMAT_VERSION), $(CMAKE_FORMAT_DESIRED_VERSION))
+	@echo "${CMAKE_FORMAT_EXE} version is not '${CMAKE_FORMAT_DESIRED_VERSION}'. Actual version is '${CMAKE_FORMAT_VERSION}'"
+	@exit 1
+endif
+
+.PHONY: format-cmake
+format-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json -i
+
+.PHONY: check-cmake
+check-cmake: cmake-format-install
+	git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json --check
+
+# Add new formatters here...
+
+.PHONY: format-all
+format-all: format-clang format-cmake
+
+.PHONY: check-all
+check-all: check-clang check-cmake
+

OWNERS

@@ -4,9 +4,13 @@ approvers:
   - jasondellaluce
   - fededp
   - andreagit97
+  - LucaGuerra
+  - sgaist
+  - ekoops
 reviewers:
   - kaizhe
 emeritus_approvers:
   - fntlnz
   - kris-nova
   - leodido
+  - incertum

README.md

@@ -1,108 +1,46 @@
-<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
+# Falco
 
-<hr>
+[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
-## Latest releases
+[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 
-<!-- 
-Badges in the following table are constructed by using the
-https://img.shields.io/badge/dynamic/xml endpoint.
+[Falco](https://falco.org/) is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
 
-Parameters are configured for fetching packages from S3 before 
-(filtered by prefix, sorted in ascending order) and for picking 
-the latest package by using an XPath selector after.
+At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
 
-- Common query parameters:
-
-color=#300aec7
-style=flat-square
-label=Falco
-
-- DEB packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
-
-- RPM packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
-
-- BIN packages parameters:
-
-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
-query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
-
-Notes:
- - if more than 1000 items are present under as S3 prefix, 
-   the actual latest package will be not picked;
-   see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- - for `-dev` packages, the S3 prefix is modified accordingly
- - finally, all parameters are URL encoded and appended to the badge endpoint
-
--->
-
-|              | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| rpm-x86_64          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
-| deb-x86_64          | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
-| binary-x86_64       | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
-| rpm-aarch64    | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
-| deb-aarch64    | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
-| binary-aarch64 | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
-
-For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.
-
-## Introduction to Falco
-
-[Falco](https://falco.org/), originally created by [Sysdig](https://sysdig.com), is an incubating project under the [CNCF](https://cncf.io).
-
-Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
-
-At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
+Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated project** under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).
 
 For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
+For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md).
 
-## Falco Repo: Powering the Core of The Falco Project
+## The Falco Project
 
-This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+The Falco Project codebase is maintained under the [falcosecurity GitHub organization](https://github.com/falcosecurity). The primary repository, [falcosecurity/falco](https://github.com/falcosecurity/falco), holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. Notable [core repositories](https://github.com/falcosecurity/evolution?tab=readme-ov-file#core) include:
 
-- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
-- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
-- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
-- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): This repository hosts Falco's core libraries, which constitute the majority of the binary’s source code and provide essential features, such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins): This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): A command-line utility designed for managing and interacting with Falco.
+- [falcosecurity/charts](https://github.com/falcosecurity/charts): This repository provides Helm charts for deploying Falco and its ecosystem, simplifying the installation and management process.
 
-For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
+For further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution).
 
 ## Getting Started with Falco
 
-Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).
+If you're new to Falco, begin your journey with our [Getting Started](https://falco.org/docs/getting-started/) guide. For production deployments, please refer to our comprehensive [Setup](https://falco.org/docs/setup/) documentation.
 
-Considerations and guidance for Falco adopters:
+As final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.
 
-1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
-
-2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
-
-3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
-
-4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
-
-5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
-
-
-## How to Contribute
-
-Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.
+### Demo Environment
 
+A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)
 
 ## Join the Community
 
-To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
+To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.
 
 If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
 
@@ -116,15 +54,81 @@ How to reach out?
 
 Full reports of various security audits can be found [here](./audits/).
 
-In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.
+In addition, you can refer to the [falco](https://github.com/falcosecurity/falco/security) and [libs](https://github.com/falcosecurity/libs/security) security sections for detailed updates on security advisories and policies.
 
 To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
-## What's next for Falco?
+## Building
+
+For comprehensive, step-by-step instructions on building Falco from source, please refer to the [official documentation](https://falco.org/docs/developer-guide/source/).
+
+## Testing
+
+<details>
+	<summary>Expand Testing Instructions</summary>
+
+Falco's [Build Falco from source](https://falco.org/docs/developer-guide/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
+
+Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
+
+```bash
+cmake \
+-DUSE_BUNDLED_DEPS=ON \
+-DBUILD_LIBSCAP_GVISOR=ON \
+-DBUILD_BPF=ON \
+-DBUILD_DRIVER=ON \
+-DBUILD_FALCO_MODERN_BPF=ON \
+-DCREATE_TEST_TARGETS=ON \
+-DBUILD_FALCO_UNIT_TESTS=ON ..;
+```
+
+Build and run the unit test suite:
+
+```bash
+nproc=$(grep processor /proc/cpuinfo | tail -n 1 | awk '{print $3}');
+make -j$(($nproc-1)) falco_unit_tests;
+# Run the tests
+sudo ./unit_tests/falco_unit_tests;
+```
+
+Optionally, build the driver of your choice and test run the Falco binary to perform manual tests.
+
+Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity/testing](https://github.com/falcosecurity/testing).
+
+
+</details>
+
+</br>
+
+ ## How to Contribute
+
+Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
+
+## FAQs
+
+### Why is Falco in C++ rather than Go or {language}?
+
+<details>
+	<summary>Expand Information</summary>
+
+1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
+2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
+3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
+4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
+5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
+6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
+7. The plugin system has been envisioned to support multiple languages, so on our end maintaining a C-compatible codebase is the best strategy to ensure maximum cross-language compatibility.
+8. In general, plugins have GLIBC requirements/dependencies because they have low-level C bindings required for dynamic loading. A potential solution for the future could be to also support plugin to be statically-linked at compilation time and so released as bundled in the Falco binary. Although no work started yet in this direction, this would solve most issues you reported and would provide a totally-static binary too. Of course, this would not be compatible with dynamic loading anymore, but it may be a viable solution for our static-build flavor of Falco.
+9. Memory safety is definitely a concern and we try our best to keep an high level of quality even though C++ is quite error prone. For instance, we try to use smart pointers whenever possible, we build the libraries with an address sanitizer in our CI, we run Falco through Valgrind before each release, and have ways to stress-test it to detect performance regressions or weird memory usage (e.g. https://github.com/falcosecurity/event-generator). On top of that, we also have third parties auditing the codebase by time to time. None of this make a perfect safety standpoint of course, but we try to maximize our odds. Go would definitely make our life easier from this perspective, however the tradeoffs never made it worth it so far due to the points above.
+10. The C++ codebase of falcosecurity/libs, which is at the core of Falco, is quite large and complex. Porting all that code to another language would be a major effort requiring lots of development resource and with an high chance of failure and regression. As such, our approach so far has been to choose refactors and code polishing instead, up until we'll reach an optimal level of stability, quality, and modularity, on that portion of code. This would allow further developments to be smoother and more feasibile in the future.
+
+</details>
+</br>
+
+### What's next for Falco?
 
 Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
 
-
 ## License
 
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
@@ -138,13 +142,6 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
  - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
  - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
  - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
-
-
-[1]: https://download.falco.org/?prefix=packages/rpm-dev/
-[2]: https://download.falco.org/?prefix=packages/rpm/
-[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
-[4]: https://download.falco.org/?prefix=packages/deb/stable/
-[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
-[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
-[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
-[8]: https://download.falco.org/?prefix=packages/bin/aarch64/
+ - [Release Process](RELEASE.md)
+ - [Setup documentation](https://falco.org/docs/setup/)
+ - [Troubleshooting](https://falco.org/docs/troubleshooting/)

RELEASE.md

@@ -66,7 +66,7 @@ Changes and new features are organized into [milestones](https://github.com/falc
 
 The release process is mostly automated, requiring only a few manual steps to initiate and complete.
 
-Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).
+Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [community call](https://github.com/falcosecurity/community).
 
 At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
 
@@ -84,11 +84,15 @@ Before proceeding with the release, make sure to complete the following preparat
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
+- Double-check, by using the following filters, if there is any closed issue/merge PR with no milestone assigned:
+  - `is:issue state:closed no:milestone closed:>YYYY-MM-DD`
+    [filter](https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone%20closed%3A%3EYYYY-MM-DD)
+  - `is:pr state:closed no:milestone closed:>YYYY-MM-DD`
+    [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD)
+- Assign any issue/PR identified in the previous point to the milestone corresponding to the currently undergoing release
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
 
 ### 2. Milestones
 
@@ -102,7 +106,7 @@ Its naming will be `release/M.m.x`; for example: `release/0.34.x`.
 The same branch will then be used for any eventual cherry pick for patch releases.  
 
 For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.  
-Double check that any PR that should be part of the tag has been cherry-picked from master!
+Double-check that any PR that should be part of the tag has been cherry-picked from master!
 
 ### 4. Release PR
 
@@ -112,7 +116,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` updates itself automatically
 - Generate the change log using [rn2md](https://github.com/leodido/rn2md):
-    - Execute `rn2md -o falcosecurity -m <version> -r falco`
+    - Execute `rn2md -r falcosecurity/falco -m M.m.p -b release/M.m.x`
     - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -125,7 +129,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
 Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
 is live for development and testing purposes.
 
-The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
+The prerelease tag must be formatted as `M.m.p-r` where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
 
 To do so:
 
@@ -146,46 +150,8 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
-- Use the following template to fill the release description:
-    ```
-    <!-- Substitute M.m.p with the current release version -->
-
-    | Packages | Download                                                                                                                                               |
-    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
-    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
-    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
-    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
-    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
-    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
-
-    | Images                                                                      |
-    | --------------------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
-    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |
-
-    <changelog>
-
-    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
-
-    ### Statistics
-
-    | Merged PRs      | Number |
-    | --------------- | ------ |
-    | Not user-facing | x      |
-    | Release note    | x      |
-    | Total           | x      |
-
-    <!-- Calculate stats and fill the above table -->
-
-    #### Release Manager <github handle>
-
-    <!-- Substitute GitHub handle with the release manager's one -->
-    ```
-
-- Finally, publish the release!
+- Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
+- Publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
@@ -196,7 +162,7 @@ For each release we archive the meeting notes in git for historical purposes.
 
  - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
     - Note: There may be other notes from working groups that can optionally be added as well as needed.
- - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/main/meeting-notes](https://github.com/falcosecurity/community/tree/main/meeting-notes) as a new file labeled `release-M.m.p.md`
  - Open up a pull request with the new change.
 
 
@@ -204,10 +170,10 @@ For each release we archive the meeting notes in git for historical purposes.
 
 Announce the new release to the world!
 
+- IFF the ongoing release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
 - Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
-- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
 
 
 ## Falco Components Versioning
@@ -217,11 +183,9 @@ This section provides more details around the versioning of the components that
 
 ### Falco repo (this repo)
 - Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
-- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` computed via `falco --list -N | sha256sum` has changed. The primary idea is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced, a version change indicates that these fields were not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. Lastly, `FALCO_ENGINE_VERSION` is typically incremented once during a Falco release cycle, while `FALCO_FIELDS_CHECKSUM` is bumped whenever necessary during the development and testing phases of the release cycle.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and loading logic, and/or when `FALCO_ENGINE_CHECKSUM` has changed. The checksum is computed by considering the available rules fields (see currently supported [Falco fields](https://falco.org/docs/reference/rules/supported-fields/)), the event types (see currently supported [Falco events](https://falco.org/docs/reference/rules/supported-events/)), and the supported driver schema version. A checksum indicates that something was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The version number must be incremented every time and only when a single change or an atomic group of changes - which meet the criteria described above - is included in the `master` branch. Thus, a version bump can occur multiple times during the development and testing phases of a given release cycle. A given version bump must not group multiple changes that occurred sporadically during the release cycle.
 - During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
-- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
 - At release time Plugin, Libs and Driver versions are compatible with Falco.
-- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
 
 
 ```

brand/README.md

@@ -7,13 +7,9 @@ Falco is an open source security project whose brand and identity are governed b
 
 This document describes the official branding guidelines of The Falco Project. Please see the [Falco Branding](https://falco.org/community/falco-brand/) page on our website for further details.
 
-Content in this document can be used to publicly share about Falco.
-
-
-
 ### Logo
 
-There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues or printing.
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
@@ -36,55 +32,6 @@ The primary colors are those in the first two rows.
 
 > Cloud Native Runtime Security
 
-### What is Falco?
-
-Falco is a runtime security project originally created by Sysdig, Inc.
-Falco was contributed to the CNCF in October 2018.
-The CNCF now owns The Falco Project.
-
-### What is Runtime Security?
-
-Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
-Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
-Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
-
-### What does Falco do?
-
-Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
-Falco parses the signals and asserts them against security rules.
-If a rule has been violated, Falco triggers an alert. 
-
-### How does Falco work?
-
-Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
-Falco enriches these kernel events with information about containers running on the system.
-Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
-At runtime, Falco will reason about these events and assert them against configured security rules.
-Based on the severity of a violation an alert is triggered.
-These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
-
-### Benefits of using Falco
-
- - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
- - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
- - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
-    
-### Falco and securing Kubernetes
-
-Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
-
-Examples of malicious behavior include: 
-
- - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
- - Insecure configurations in applications or Kubernetes itself. 
- - Leaked or weak credentials or secret material.
- - Insider threats from adjacent applications running at the same layer. 
-
-Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
-By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
-
 ### Writing about Falco
 
 ##### Yes
@@ -100,49 +47,31 @@ Notice the capitalization of the following terms.
  - the falco project
  - the Falco project
 
-### Encouraged Phrasing
-
-Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
-Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
-
-##### Falco as a factory
-
-This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
-
-##### The engine that powers...
-
-Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
-
-##### Anomaly detection
-
-This refers to an event that occurs with something unusual, concerning, or odd occurs.
-We can associate anomalies with unwanted behavior, and alert in their presence.
-
-##### Detection tooling
-
-Falco does not prevent unwanted behavior.
-Falco however alerts when unusual behavior occurs.
-This is commonly referred to as **detection** or **forensics**.
-
 ---
 
-# Glossary 
+# Glossary
 
-#### Probe
+This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website.
+
+#### eBPF Probe
 
 Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `module`.
 
-#### Module
+#### Modern eBPF Probe
+
+More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability. 
+Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+
+#### Kernel Module
 
 Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `probe`.
 
 #### Driver 
 
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
 
 #### Plugin
 
@@ -150,13 +79,5 @@ Used to describe a dynamic shared library (`.so` files in Unix, `.dll` files in
 
 #### Falco
 
-The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
-
-#### Sysdig, Inc
-
-The name of the company that originally created The Falco Project, and later donated to the CNCF.
-
-#### sysdig 
-
-A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+The name of the project and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
 

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,11 +1,54 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
+	list(
+		APPEND
+		CPACK_INSTALL_COMMANDS
+		"cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
+	)
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/CPackConfig.cmake

@@ -1,43 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got
+# @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
 set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
 set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+	set(CPACK_STRIP_FILES "OFF")
+else()
+	set(CPACK_STRIP_FILES "ON")
+endif()
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
+if(EMSCRIPTEN)
+	set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
+else()
+	set(CPACK_PACKAGE_FILE_NAME
+		"${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}"
+	)
+endif()
+
+if(WIN32)
+	set(CPACK_PACKAGE_INSTALL_DIRECTORY "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+endif()
 
 # Built packages will include only the following components
 set(CPACK_INSTALL_CMAKE_PROJECTS
-  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
-  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+	"${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
 )
-if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
-  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
-    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
-  )
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux") # only Linux has drivers
+	list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+		 "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+	)
 endif()
 
 if(NOT CPACK_GENERATOR)
-    set(CPACK_GENERATOR DEB RPM TGZ)
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+		set(CPACK_GENERATOR DEB RPM TGZ)
+	else()
+		set(CPACK_GENERATOR TGZ)
+	endif()
 endif()
 
 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
@@ -45,33 +66,35 @@ message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 
 if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 endif()
 if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
-  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
 endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_SUGGESTS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+	"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
+set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
+set(CPACK_RPM_PACKAGE_SUGGESTS "dkms, kernel-devel")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
 set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
-    /usr/src
-    /usr/share/man
-    /usr/share/man/man8
-    /etc
-    /usr
-    /usr/bin
-    /usr/share)
+	/usr/src
+	/usr/share/man
+	/usr/share/man/man8
+	/etc
+	/usr
+	/usr/bin
+	/usr/share
+)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
 
 include(CPack)

cmake/modules/CompilerFlags.cmake

@@ -0,0 +1,136 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_EXTENSIONS OFF)
+
+if(NOT FALCO_EXTRA_DEBUG_FLAGS)
+	set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
+endif()
+
+string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+elseif(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_RELWITHDEBINFO)
+else()
+	set(CMAKE_BUILD_TYPE "release")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_RELEASE)
+endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
+
+if(MINIMAL_BUILD)
+	set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+	set(MUSL_FLAGS "-static -Os -fPIE -pie")
+	add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+# explicitly set hardening flags
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+set(FALCO_SECURITY_FLAGS "")
+if(LINUX)
+	set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fstack-protector-strong")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
+endif()
+
+if(NOT MSVC)
+
+	if(CMAKE_BUILD_TYPE STREQUAL "release")
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+	endif()
+
+	if(USE_ASAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
+	endif()
+
+	if(USE_UBSAN)
+		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")
+		if(UBSAN_HALT_ON_ERROR)
+			set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-sanitize-recover=undefined")
+		endif()
+	endif()
+
+	set(CMAKE_COMMON_FLAGS
+		"${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}"
+	)
+
+	if(BUILD_WARNINGS_AS_ERRORS)
+		set(CMAKE_SUPPRESSED_WARNINGS
+			"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict -Wno-deprecated-declarations"
+		)
+		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
+		set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
+	endif()
+
+	set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
+	set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS}")
+
+	set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+	set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+
+	set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
+	set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
+
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELEASE} -g")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELEASE} -g")
+
+	# Add linker flags to generate separate debug files
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+
+else() # MSVC
+	set(MINIMAL_BUILD ON)
+	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
+
+	# The WIN32_LEAN_AND_MEAN define avoids possible macro pollution when a libsinsp consumer
+	# includes the windows.h header: https://stackoverflow.com/a/28380820 Same goes for NOMINMAX:
+	# https://stackoverflow.com/questions/5004858/why-is-stdmin-failing-when-windows-h-is-included
+	add_compile_definitions(
+		_HAS_STD_BYTE=0 _CRT_SECURE_NO_WARNINGS WIN32 MINIMAL_BUILD WIN32_LEAN_AND_MEAN NOMINMAX
+	)
+
+	set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
+	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
+	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+	set(FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS "/MT /Zi")
+
+	# Ensure linker generates PDB files for MSVC
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO "${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG")
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG"
+	)
+
+	set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
+	set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
+
+	set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
+	set(CMAKE_CXX_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
+
+	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
+	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
+
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+
+endif()

cmake/modules/Coverage.cmake

@@ -1,25 +1,29 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 # Tests coverage
 option(FALCO_COVERAGE "Build test suite with coverage information" OFF)
 if(FALCO_COVERAGE)
-  if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")))
-    message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
-  endif()
+	if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES
+														   "Clang"))
+	)
+		message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
+	endif()
 
-  message(STATUS "Building with coverage information")
-  add_compile_options(-g --coverage)
-  set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
-  set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
+	message(STATUS "Building with coverage information")
+	add_compile_options(-g --coverage)
+	set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
+	set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
 endif()

cmake/modules/GetFalcoVersion.cmake

@@ -1,84 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# Retrieve git ref and commit hash
-include(GetGitRevisionDescription)
-
-# Create the falco version variable according to git index
-if(NOT FALCO_VERSION)
-  # Try to obtain the exact git tag
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-      # Obtain the closest tag
-      git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
-      string(REGEX MATCH "^[0-9]+.[0-9]+.[0-9]+$" FALCO_TAG ${FALCO_VERSION})
-      if(FALCO_VERSION MATCHES "NOTFOUND$" OR FALCO_TAG STREQUAL "")
-        # Fetch current hash
-        get_git_head_revision(refspec FALCO_HASH)
-        if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
-          set(FALCO_VERSION "0.0.0")
-        else()
-          # Obtain the closest tag
-          git_get_latest_tag(FALCO_LATEST_TAG)
-          if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
-            set(FALCO_VERSION "0.0.0")
-          else()
-            # Compute commit delta since tag
-            git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
-            if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
-              set(FALCO_VERSION "0.0.0")
-            else()
-              # Cut hash to 7 bytes
-              string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
-              # Format FALCO_VERSION to be semver with prerelease and build part
-              set(FALCO_VERSION
-                    "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
-            endif()
-          endif()
-        endif()
-      endif()
-      # Format FALCO_VERSION to be semver with prerelease and build part
-      string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
-  else()
-    # A tag has been found: use it as the Falco version
-    set(FALCO_VERSION "${FALCO_TAG}")
-  endif()
-endif()
-
-# Remove the starting "v" in case there is one
-string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
-
-# TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
-string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                     "${FALCO_VERSION}")
-string(
-  REGEX
-  REPLACE
-    "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-    "\\5"
-    FALCO_VERSION_PRERELEASE
-    "${FALCO_VERSION}")
-
-if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_PRERELEASE "")
-endif()
-if(NOT FALCO_VERSION_BUILD)
-  string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
-endif()
-if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-  set(FALCO_VERSION_BUILD "")
-endif()
-
-message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -1,275 +0,0 @@
-# * Returns a version string from Git
-#
-# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
-# build system.
-#
-# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
-#
-# Returns the refspec and sha hash of the current head revision
-#
-# git_describe(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
-# occurs.
-#
-# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
-# if there was no exact matching tag.
-#
-# git_local_changes(<var>)
-#
-# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
-# HEAD --". Does not regard untracked files.
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
-# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
-
-if(__get_git_revision_description)
-  return()
-endif()
-set(__get_git_revision_description YES)
-
-# We must run the following at "include" time, not at function call time, to find the path to this module rather than
-# the path to a calling list file
-get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
-
-function(get_git_head_revision _refspecvar _hashvar)
-  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
-  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
-    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
-    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
-    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
-      # We have reached the root directory, we are not in git
-      set(${_refspecvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      set(${_hashvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      return()
-    endif()
-    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  endwhile()
-  # check if this is a submodule
-  if(NOT IS_DIRECTORY ${GIT_DIR})
-    file(READ ${GIT_DIR} submodule)
-    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
-    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
-    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
-  endif()
-  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
-  if(NOT EXISTS "${GIT_DATA}")
-    file(MAKE_DIRECTORY "${GIT_DATA}")
-  endif()
-
-  if(NOT EXISTS "${GIT_DIR}/HEAD")
-    return()
-  endif()
-  set(HEAD_FILE "${GIT_DATA}/HEAD")
-  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
-
-  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
-  include("${GIT_DATA}/grabRef.cmake")
-
-  set(${_refspecvar}
-      "${HEAD_REF}"
-      PARENT_SCOPE)
-  set(${_hashvar}
-      "${HEAD_HASH}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_get_latest_tag _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # We use git describe --tags `git rev-list --exclude "*.*.*-*" --tags --max-count=1`
-  # Note how we eclude prereleases tags (the ones with "-alphaX")
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          rev-list
-          --exclude "*.*.*-*"
-          --tags
-          --max-count=1
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          tag_hash
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    describe
-    --tags
-    ${tag_hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-  set(${_var} "${out}" PARENT_SCOPE)
-endfunction()
-
-function(git_get_delta_from_tag _var tag hash)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # Count commits in HEAD
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_head
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  # Count commits in latest tag
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_tag
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    expr
-    ${out_counter_head} - ${out_counter_tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_delta
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-  set(${_var} "${out_delta}" PARENT_SCOPE)
-endfunction()
-
-function(git_describe _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-            "GIT-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-            "HEAD-HASH-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          describe
-          ${hash}
-          ${ARGN}
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          out
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-
-  set(${_var}
-          "${out}"
-          PARENT_SCOPE)
-endfunction()
-
-function(git_get_exact_tag _var)
-  git_describe(out --exact-match ${ARGN})
-  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_local_changes _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(
-    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
-    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE res
-    OUTPUT_VARIABLE out
-    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(res EQUAL 0)
-    set(${_var}
-        "CLEAN"
-        PARENT_SCOPE)
-  else()
-    set(${_var}
-        "DIRTY"
-        PARENT_SCOPE)
-  endif()
-endfunction()

cmake/modules/GetGitRevisionDescription.cmake.in

@@ -1,41 +0,0 @@
-#
-# Internal file for GetGitRevisionDescription.cmake
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author:
-# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
-# http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010.
-# Distributed under the Boost Software License, Version 1.0.
-# (See accompanying file LICENSE_1_0.txt or copy at
-# http://www.boost.org/LICENSE_1_0.txt)
-
-set(HEAD_HASH)
-
-file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
-
-string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
-if(HEAD_CONTENTS MATCHES "ref")
-	# named branch
-	string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
-	if(EXISTS "@GIT_DIR@/${HEAD_REF}")
-		configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
-	else()
-		configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
-		file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
-		if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
-			set(HEAD_HASH "${CMAKE_MATCH_1}")
-		endif()
-	endif()
-else()
-	# detached HEAD
-	configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
-endif()
-
-if(NOT HEAD_HASH)
-	file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
-	string(STRIP "${HEAD_HASH}" HEAD_HASH)
-endif()

cmake/modules/cares.cmake

@@ -0,0 +1,78 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+
+if(CARES_INCLUDE)
+	# we already have c-ares
+elseif(NOT USE_BUNDLED_CARES)
+	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
+	find_library(CARES_LIB NAMES cares)
+	if(CARES_INCLUDE AND CARES_LIB)
+		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system c-ares")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "Off")
+	else()
+		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "On")
+	endif()
+	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+	set(CARES_INCLUDE "${CARES_SRC}/include/")
+	set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
+
+	if(NOT TARGET c-ares)
+		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+		ExternalProject_Add(
+			c-ares
+			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
+			URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
+			URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
+			BUILD_IN_SOURCE 1
+			CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+					   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+					   -DCMAKE_INSTALL_LIBDIR=lib
+					   -DCARES_SHARED=${BUILD_SHARED_LIBS}
+					   -DCARES_STATIC=${CARES_STATIC_OPTION}
+					   -DCARES_STATIC_PIC=${ENABLE_PIC}
+					   -DCARES_BUILD_TOOLS=Off
+					   -DCARES_INSTALL=Off
+					   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CARES_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CARES_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+
+endif()
+
+if(NOT TARGET c-ares)
+	add_custom_target(c-ares)
+endif()
+
+include_directories("${CARES_INCLUDE}")

cmake/modules/copy_files_to_build_dir.cmake

@@ -1,30 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 function(copy_files_to_build_dir source_files targetsuffix)
 
-  set(build_files)
+	set(build_files)
 
-  foreach(file_path ${source_files})
-	  get_filename_component(trace_file ${file_path} NAME)
-	  list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-  endforeach()
+	foreach(file_path ${source_files})
+		get_filename_component(trace_file ${file_path} NAME)
+		list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	endforeach()
 
-  add_custom_target(copy-files-${targetsuffix} ALL
-	  DEPENDS ${build_files})
+	add_custom_target(copy-files-${targetsuffix} ALL DEPENDS ${build_files})
 
-  add_custom_command(OUTPUT ${build_files}
-	  COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
-	  DEPENDS ${source_files})
+	add_custom_command(
+		OUTPUT ${build_files}
+		COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
+		DEPENDS ${source_files}
+	)
 
 endfunction()

cmake/modules/cpp-httplib.cmake

@@ -1,32 +1,35 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
-#
-# cpp-httplib (https://github.com/yhirose/cpp-httplib)
-#
-if(CPPHTTPLIB_INCLUDE)
-	# we already have cpp-httplib
+option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_CPPHTTPLIB)
+	set(HTTPLIB_USE_BROTLI_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_BROTLI OFF)
+	set(HTTPLIB_USE_ZLIB_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_ZLIB OFF)
+	set(HTTPLIB_USE_ZSTD_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_ZSTD OFF)
+	set(HTTPLIB_USE_NON_BLOCKING_GETADDRINFO OFF)
+	include(FetchContent)
+	FetchContent_Declare(
+		cpp-httplib
+		URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.23.1.tar.gz
+		URL_HASH SHA256=410a1347ed6bcbcc4a19af8ed8ad3873fe9fa97731d52db845c4c78f3f9c31e6
+	)
+	FetchContent_MakeAvailable(cpp-httplib)
 else()
-	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
-	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
-
-	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
-
-	ExternalProject_Add(cpp-httplib
-		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
-		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
-		CONFIGURE_COMMAND ""
-		BUILD_COMMAND ""
-		INSTALL_COMMAND "")	
+	find_package(httplib CONFIG REQUIRED)
 endif()

cmake/modules/curl.cmake

@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+
+include(openssl)
+include(zlib)
+
+if(CURL_INCLUDE_DIRS)
+	# we already have curl
+elseif(NOT USE_BUNDLED_CURL)
+	find_package(CURL REQUIRED)
+	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION)
+	else()
+		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION --disable-shared)
+	endif()
+	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
+	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
+
+	if(NOT USE_BUNDLED_OPENSSL)
+		set(CURL_SSL_OPTION "--with-ssl")
+	else()
+		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
+	endif()
+
+	if(NOT USE_BUNDLED_ZLIB)
+		set(CURL_ZLIB_OPTION "--with-zlib")
+	else()
+		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
+		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
+	endif()
+	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+
+	if(NOT ENABLE_PIC)
+		set(CURL_PIC_OPTION)
+	else()
+		set(CURL_PIC_OPTION "--with-pic")
+	endif()
+
+	if(NOT TARGET curl)
+		ExternalProject_Add(
+			curl
+			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
+			DEPENDS openssl zlib
+			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
+			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
+			CONFIGURE_COMMAND
+				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
+				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
+				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
+				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
+				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
+				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
+				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
+				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
+				--disable-threaded-resolver --without-brotli --without-zstd
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CURL_LIBRARIES}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "*.h"
+		)
+	endif()
+endif()
+
+if(NOT TARGET curl)
+	add_custom_target(curl)
+endif()
+
+include_directories("${CURL_INCLUDE_DIRS}")

cmake/modules/cxxopts.cmake

@@ -1,23 +1,45 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
-set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
-set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+#
+# cxxopts (https://github.com/jarro2783/cxxopts)
+#
 
-ExternalProject_Add(
-        cxxopts
-        URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
-        URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
-	CONFIGURE_COMMAND ""
-	BUILD_COMMAND ""
-	INSTALL_COMMAND "")
+option(USE_BUNDLED_CXXOPTS "Enable building of the bundled cxxopts" ${USE_BUNDLED_DEPS})
+
+if(CXXOPTS_INCLUDE_DIR)
+	# we already have cxxopts
+elseif(NOT USE_BUNDLED_CXXOPTS)
+	find_package(cxxopts CONFIG REQUIRED)
+	get_target_property(CXXOPTS_INCLUDE_DIR cxxopts::cxxopts INTERFACE_INCLUDE_DIRECTORIES)
+else()
+	set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
+	set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+
+	message(STATUS "Using bundled cxxopts in ${CXXOPTS_SRC}")
+
+	ExternalProject_Add(
+		cxxopts
+		URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
+		URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+endif()
+
+if(NOT TARGET cxxopts)
+	add_custom_target(cxxopts)
+endif()

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,29 +1,32 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)
 
 project(driver-repo NONE)
 
 include(ExternalProject)
+message(STATUS "Driver repository: ${DRIVER_REPO}")
 message(STATUS "Driver version: ${DRIVER_VERSION}")
 
 ExternalProject_Add(
-  driver
-  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
-  URL_HASH "${DRIVER_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
+	driver
+	URL "https://github.com/${DRIVER_REPO}/archive/${DRIVER_VERSION}.tar.gz"
+	URL_HASH "${DRIVER_CHECKSUM}"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	TEST_COMMAND ""
+	PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
 )

cmake/modules/driver.cmake

@@ -1,14 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 set(DRIVER_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/driver-repo")
@@ -17,26 +19,42 @@ set(DRIVER_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/driver-repo")
 file(MAKE_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
 
 if(DRIVER_SOURCE_DIR)
-  set(DRIVER_VERSION "0.0.0-local")
-  message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
+	set(DRIVER_VERSION "0.0.0-local")
+	message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
 else()
-  # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
-  # which contains the driver source code under the `/driver` directory.
-  # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
-  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DDRIVER_VERSION=dev ..`
-  if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "5.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=8b197b916b6419dac8fb41807aa05d822164c7bfd2c3eef66d20d060a05a485a")
-  endif()
+	# DRIVER_REPO accepts a repository name (<org name>/<repo name>) alternative to the
+	# falcosecurity/libs repository. In case you want to test against a fork of falcosecurity/libs
+	# just pass the variable - ie., `cmake -DDRIVER_REPO=<your-gh-handle>/libs ..`
+	if(NOT DRIVER_REPO)
+		set(DRIVER_REPO "falcosecurity/libs")
+	endif()
 
-  # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}" -DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
-    ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+	# DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the
+	# falcosecurity/libs repository which contains the driver source code under the `/driver`
+	# directory. The chosen driver version must be compatible with the given
+	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
+	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
+	if(NOT DRIVER_VERSION)
+		set(DRIVER_VERSION "9.0.0+driver")
+		set(DRIVER_CHECKSUM
+			"SHA256=ef563fe19f9cdbdfcf17cee3e83c79e8387b78a87e0593eb3e2787c9b8540113"
+		)
+	endif()
 
-  # cmake --build .
-  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}")
-  set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
+	# cd /path/to/build && cmake /path/to/source
+	execute_process(
+		COMMAND
+			"${CMAKE_COMMAND}" -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}" -DDRIVER_REPO=${DRIVER_REPO}
+			-DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+			${DRIVER_CMAKE_SOURCE_DIR}
+		WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR}
+	)
+
+	# cmake --build .
+	execute_process(
+		COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}"
+	)
+	set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
 endif()
 
 add_definitions(-D_GNU_SOURCE)

cmake/modules/falco-version.cmake

@@ -0,0 +1,56 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+# Retrieve git ref and commit hash
+include(GetVersionFromGit)
+
+# Get Falco version variable according to git index
+if(NOT FALCO_VERSION)
+	set(FALCO_VERSION "0.0.0")
+	get_version_from_git(FALCO_VERSION "" "")
+endif()
+
+# Remove the starting "v" in case there is one
+string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")
+
+string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR
+					 "${FALCO_VERSION}"
+)
+string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3"
+					 FALCO_VERSION_PATCH "${FALCO_VERSION}"
+)
+string(
+	REGEX
+	REPLACE
+		"^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+		"\\5"
+		FALCO_VERSION_PRERELEASE
+		"${FALCO_VERSION}"
+)
+
+if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+	set(FALCO_VERSION_PRERELEASE "")
+endif()
+if(NOT FALCO_VERSION_BUILD)
+	string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD
+						 "${FALCO_VERSION}"
+	)
+endif()
+if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+	set(FALCO_VERSION_BUILD "")
+endif()
+
+message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/falcoctl.cmake

@@ -1,36 +1,56 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 include(ExternalProject)
 
-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
+option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON)
 
-set(FALCOCTL_VERSION "0.5.0")
+if(ADD_FALCOCTL_DEPENDENCY)
+	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
-else() # aarch64
-    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
+	set(FALCOCTL_VERSION "0.11.4")
+
+	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
+
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
+		set(FALCOCTL_HASH "8015cadcb4328abcbf140c3ca88031cd46426f7f3279d2802f0937ab1e41d66c")
+	else() # aarch64
+		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
+		set(FALCOCTL_HASH "246874f1168abb7a8463509c6191ede460e5a2b8a39058ef5c4a17b67cb86c85")
+	endif()
+
+	ExternalProject_Add(
+		falcoctl
+		URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
+		URL_HASH "SHA256=${FALCOCTL_HASH}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+	)
+
+	install(
+		PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl"
+		DESTINATION "${FALCO_BIN_DIR}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+else()
+	message(STATUS "Won't build with falcoctl")
 endif()
-
-ExternalProject_Add(
-        falcoctl
-        URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
-        URL_HASH "SHA256=${FALCOCTL_HASH}"
-        CONFIGURE_COMMAND ""
-        BUILD_COMMAND ""
-        INSTALL_COMMAND "")
-
-install(PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl" DESTINATION "${FALCO_BIN_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -1,28 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 cmake_minimum_required(VERSION 3.5.1)
 
 project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
+message(STATUS "Libs repository: ${FALCOSECURITY_LIBS_REPO}")
 message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
-  falcosecurity-libs
-  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
-  URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
+	falcosecurity-libs
+	URL "https://github.com/${FALCOSECURITY_LIBS_REPO}/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+	URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND ""
+	TEST_COMMAND ""
 )

cmake/modules/falcosecurity-libs.cmake

@@ -1,82 +1,144 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
-set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
+set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR
+	"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo"
+)
 set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
 
 file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 
 # explicitly disable the bundled driver, since we pull it separately
-set(USE_BUNDLED_DRIVER OFF CACHE BOOL "")
+set(USE_BUNDLED_DRIVER
+	OFF
+	CACHE BOOL ""
+)
 
 if(FALCOSECURITY_LIBS_SOURCE_DIR)
-  set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
-  message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+	set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
+	message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
 else()
-  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
-  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
-  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc5")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=079ab5f596a0d8af2a7f843e8159f83cb7c864331019aaed822daa737c75e9e7")
-  endif()
+	# FALCOSECURITY_LIBS_REPO accepts a repository name (<org name>/<repo name>) alternative to the
+	# falcosecurity/libs repository. In case you want to test against a fork of falcosecurity/libs
+	# just pass the variable - ie., `cmake -DFALCOSECURITY_LIBS_REPO=<your-gh-handle>/libs ..`
+	if(NOT FALCOSECURITY_LIBS_REPO)
+		set(FALCOSECURITY_LIBS_REPO "falcosecurity/libs")
+	endif()
 
-  # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}"
-      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
-      -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
-      -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
-    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+	# FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the
+	# falcosecurity/libs repository. In case you want to test against another falcosecurity/libs
+	# version (or branch, or commit) just pass the variable - ie., `cmake
+	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
+	if(NOT FALCOSECURITY_LIBS_VERSION)
+		set(FALCOSECURITY_LIBS_VERSION "0.22.2")
+		set(FALCOSECURITY_LIBS_CHECKSUM
+			"SHA256=53cfb7062cac80623dec7496394739aabdfee8a774942f94be0990d81e3b2fbc"
+		)
+	endif()
 
-  # cmake --build .
-  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
-  set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
+	# cd /path/to/build && cmake /path/to/source
+	execute_process(
+		COMMAND
+			"${CMAKE_COMMAND}" -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+			-DFALCOSECURITY_LIBS_REPO=${FALCOSECURITY_LIBS_REPO}
+			-DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
+			-DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+			${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}
+		WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}
+	)
+
+	# cmake --build .
+	execute_process(
+		COMMAND "${CMAKE_COMMAND}" --build .
+		WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}"
+	)
+	set(FALCOSECURITY_LIBS_SOURCE_DIR
+		"${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs"
+	)
 endif()
 
 set(LIBS_PACKAGE_NAME "falcosecurity")
 
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-D_GNU_SOURCE)
+endif()
 
 if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
+	add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME")
 set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH")
 
-if(NOT LIBSCAP_DIR)
-  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+if(NOT LIBS_DIR)
+	set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()
 
-set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
-
 # configure gVisor support
-set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
+set(BUILD_LIBSCAP_GVISOR
+	${BUILD_FALCO_GVISOR}
+	CACHE BOOL ""
+)
 
 # configure modern BPF support
-set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+set(BUILD_LIBSCAP_MODERN_BPF
+	${BUILD_FALCO_MODERN_BPF}
+	CACHE BOOL ""
+)
 
 # explicitly disable the tests/examples of this dependency
-set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
-set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
+set(CREATE_TEST_TARGETS
+	OFF
+	CACHE BOOL ""
+)
+set(BUILD_LIBSCAP_EXAMPLES
+	OFF
+	CACHE BOOL ""
+)
 
-set(USE_BUNDLED_TBB ON CACHE BOOL "")
-set(USE_BUNDLED_B64 ON CACHE BOOL "")
-set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
-set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
-set(USE_BUNDLED_RE2 ON CACHE BOOL "")
+set(USE_BUNDLED_TBB
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_JSONCPP
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_VALIJSON
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_RE2
+	ON
+	CACHE BOOL ""
+)
+set(USE_BUNDLED_UTHASH
+	ON
+	CACHE BOOL ""
+)
+if(USE_DYNAMIC_LIBELF)
+	set(USE_BUNDLED_LIBELF
+		OFF
+		CACHE BOOL ""
+	)
+	set(USE_SHARED_LIBELF
+		ON
+		CACHE BOOL ""
+	)
+endif()
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 
@@ -84,12 +146,18 @@ include(CheckSymbolExists)
 check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
 
 if(HAVE_STRLCPY)
-  message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
-  add_definitions(-DHAVE_STRLCPY)
+	message(
+		STATUS
+			"Existing strlcpy and strlcat found, will *not* use local definition by setting -DHAVE_STRLCPY and -DHAVE_STRLCAT."
+	)
+	add_definitions(-DHAVE_STRLCPY)
+	add_definitions(-DHAVE_STRLCAT)
 else()
-  message(STATUS "No strlcpy found, will use local definition")
+	message(STATUS "No strlcpy and strlcat found, will use local definition")
 endif()
 
-include(driver)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	include(driver)
+endif()
 include(libscap)
 include(libsinsp)

cmake/modules/grpc.cmake

@@ -0,0 +1,278 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+
+if(GRPC_INCLUDE)
+	# we already have grpc
+elseif(NOT USE_BUNDLED_GRPC)
+	# gRPC
+	find_package(gRPC CONFIG)
+	if(gRPC_FOUND)
+		message(STATUS "Using gRPC ${gRPC_VERSION}")
+		set(GPR_LIB gRPC::gpr)
+		set(GRPC_LIB gRPC::grpc)
+		set(GRPCPP_LIB gRPC::grpc++)
+
+		# gRPC C++ plugin
+		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+
+		# gRPC include dir + properly handle grpc{++,pp}
+		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
+		find_path(
+			GRPCXX_INCLUDE
+			NAMES grpc++/grpc++.h
+			PATHS ${GRPC_INCLUDE}
+		)
+		if(NOT GRPCXX_INCLUDE)
+			find_path(
+				GRPCPP_INCLUDE
+				NAMES grpcpp/grpcpp.h
+				PATHS ${GRPC_INCLUDE}
+			)
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+	else()
+		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
+		# config cmake module
+		find_library(GPR_LIB NAMES gpr)
+		if(GPR_LIB)
+			message(STATUS "Found gpr lib: ${GPR_LIB}")
+		else()
+			message(FATAL_ERROR "Couldn't find system gpr")
+		endif()
+		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+		if(GRPCXX_INCLUDE)
+			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+		else()
+			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+		find_library(GRPC_LIB NAMES grpc)
+		find_library(GRPCPP_LIB NAMES grpc++)
+		if(GRPC_INCLUDE
+		   AND GRPC_LIB
+		   AND GRPCPP_LIB
+		)
+			message(
+				STATUS
+					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
+			)
+		else()
+			message(FATAL_ERROR "Couldn't find system grpc")
+		endif()
+		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+	endif()
+else()
+	include(cares)
+	include(protobuf)
+	include(zlib)
+	include(openssl)
+	if(BUILD_SHARED_LIBS)
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
+	else()
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
+	endif()
+	include(re2)
+	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
+	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
+	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
+	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
+	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
+	set(GRPC_MAIN_LIBS "")
+	list(
+		APPEND
+		GRPC_MAIN_LIBS
+		"${GPR_LIB}"
+		"${GRPC_LIB}"
+		"${GRPCPP_LIB}"
+		"${GRPC_SRC}/libgrpc++_alts.a"
+		"${GRPC_SRC}/libgrpc++_error_details.a"
+		"${GRPC_SRC}/libgrpc++_reflection.a"
+		"${GRPC_SRC}/libgrpc++_unsecure.a"
+		"${GRPC_SRC}/libgrpc_plugin_support.a"
+		"${GRPC_SRC}/libgrpc_unsecure.a"
+		"${GRPC_SRC}/libgrpcpp_channelz.a"
+	)
+
+	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+	if(NOT TARGET grpc)
+		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+
+		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
+		# cmakefiles) into target_link_libraries later note: the list below is manually generated
+		# starting from the output of pkg-config --libs grpc++
+		set(GRPC_LIBRARIES "")
+		list(
+			APPEND
+			GRPC_LIBRARIES
+			"${GRPC_SRC}/libaddress_sorting.a"
+			"${GRPC_SRC}/libupb.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
+		)
+
+		# Make abseil-cpp build compatible with gcc-13 See
+		# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
+		# TO BE DROPPED once we finally upgrade grpc...
+		set(GRPC_PATCH_CMD
+			sh
+			-c
+			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
+			&&
+			sh
+			-c
+			"sed -i 's|off64_t|off_t|g' ${GRPC_SRC}/third_party/abseil-cpp/absl/base/internal/direct_mmap.h"
+		)
+
+		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
+		# cmake module, making it use a name understood by zig for arm64. See
+		# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
+		if(CMAKE_C_COMPILER MATCHES "zig")
+			message(STATUS "Enabling zig workaround for abseil-cpp")
+			set(GRPC_PATCH_CMD
+				${GRPC_PATCH_CMD}
+				&&
+				sh
+				-c
+				"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
+			)
+		endif()
+
+		ExternalProject_Add(
+			grpc
+			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
+			DEPENDS openssl protobuf c-ares zlib re2
+			GIT_REPOSITORY https://github.com/grpc/grpc.git
+			GIT_TAG v1.44.0
+			GIT_SUBMODULES "third_party/abseil-cpp"
+			CMAKE_CACHE_ARGS
+				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
+				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
+				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
+				-DgRPC_INSTALL:BOOL=OFF
+				# disable unused stuff
+				-DgRPC_BUILD_TESTS:BOOL=OFF
+				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
+				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
+				# deps provided by us
+				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
+				-DgRPC_CARES_PROVIDER:STRING=package
+				-Dc-ares_DIR:PATH=${CARES_SRC}
+				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
+				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
+				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
+				-DgRPC_PROTOBUF_PROVIDER:STRING=package
+				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
+				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
+				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
+				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
+				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
+				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+				-DgRPC_SSL_PROVIDER:STRING=package
+				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
+				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
+				-DgRPC_ZLIB_PROVIDER:STRING=package
+				-DZLIB_ROOT:STRING=${ZLIB_SRC}
+				# RE2
+				-DgRPC_RE2_PROVIDER:STRING=package
+				-Dre2_DIR:PATH=${RE2_DIR}
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
+			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
+			# we are embedding gRPC
+			UPDATE_COMMAND ""
+			PATCH_COMMAND ${GRPC_PATCH_CMD}
+			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
+		)
+		install(
+			FILES ${GRPC_MAIN_LIBS}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES ${GRPC_LIBRARIES}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${GRPC_SRC}/target/include/"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET grpc)
+	add_custom_target(grpc)
+endif()
+
+include_directories("${GRPC_INCLUDE}")

cmake/modules/jemalloc.cmake

@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_JEMALLOC "Use bundled jemalloc allocator" ${USE_BUNDLED_DEPS})
+
+if(JEMALLOC_INCLUDE)
+	# we already have JEMALLOC
+elseif(NOT USE_BUNDLED_JEMALLOC)
+	find_path(JEMALLOC_INCLUDE jemalloc/jemalloc.h)
+	set(JEMALLOC_INCLUDE ${JEMALLOC_INCLUDE}/jemalloc)
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	find_library(MALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
+	if(MALLOC_LIB)
+		message(STATUS "Found system jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system jemalloc")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
+	set(MALLOC_LIB "${JEMALLOC_SRC}/malloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
+	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/malloc/include/jemalloc")
+	if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS --with-lg-page=14)
+	else()
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS "")
+	endif()
+	ExternalProject_Add(
+		malloc
+		PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
+		URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
+		URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
+		CONFIGURE_COMMAND ./autogen.sh --enable-prof --disable-libdl
+						  ${JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS}
+		BUILD_IN_SOURCE 1
+		BUILD_COMMAND make build_lib_static
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${MALLOC_LIB}
+	)
+	install(
+		FILES "${MALLOC_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
+
+# We add a custom target, in this way we can always depend on `jemalloc` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET malloc)
+	add_custom_target(malloc)
+endif()
+
+include_directories(${JEMALLOC_INCLUDE})
+add_compile_definitions(HAS_JEMALLOC)

cmake/modules/libyaml.cmake

@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
-set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
-message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
-set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-externalproject_add(
-  libyaml
-  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${LIBYAML_LIB}
-  INSTALL_COMMAND ${CMD_MAKE} install
-)

cmake/modules/mimalloc.cmake

@@ -0,0 +1,92 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_MIMALLOC "Use bundled mimalloc (microsoft) allocator" ${USE_BUNDLED_DEPS})
+
+if(MIMALLOC_INCLUDE)
+	# we already have MIMALLOC
+elseif(NOT USE_BUNDLED_MIMALLOC)
+	find_path(MIMALLOC_INCLUDE mimalloc/mimalloc.h)
+	set(MIMALLOC_INCLUDE ${MIMALLOC_INCLUDE}/mimalloc)
+	if(BUILD_SHARED_LIBS)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	find_library(MALLOC_LIB NAMES libmimalloc${MIMALLOC_LIB_SUFFIX})
+	if(MALLOC_LIB)
+		message(STATUS "Found system mimalloc: include: ${MIMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system mimalloc")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(BUILD_STATIC Off)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(BUILD_STATIC On)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(MIMALLOC_SRC "${PROJECT_BINARY_DIR}/mimalloc-prefix/src")
+	string(TOLOWER "${CMAKE_BUILD_TYPE}" _build_type)
+	if(_build_type STREQUAL "debug")
+		set(MIMALLOC_LIB_BASENAME "libmimalloc-debug")
+	else()
+		set(MIMALLOC_LIB_BASENAME "libmimalloc")
+	endif()
+	set(MALLOC_LIB "${MIMALLOC_SRC}/malloc-build/${MIMALLOC_LIB_BASENAME}${MIMALLOC_LIB_SUFFIX}")
+	set(MIMALLOC_INCLUDE ${MIMALLOC_SRC}/malloc/include/)
+
+	# To avoid recent clang versions complaining with "error: expansion of date or time macro is not
+	# reproducible" while building mimalloc, we force-set both variables.
+	string(TIMESTAMP DATE "%Y%m%d")
+	string(TIMESTAMP TIME "%H:%M")
+	set(MIMALLOC_EXTRA_CPPDEFS __DATE__="${DATE}",__TIME__="${TIME}")
+
+	# We disable arch specific optimization because of issues with building with zig. Optimizations
+	# would be only effective on arm64. See MI_NO_OPT_ARCH=On.
+	ExternalProject_Add(
+		malloc
+		PREFIX "${PROJECT_BINARY_DIR}/mimalloc-prefix"
+		URL "https://github.com/microsoft/mimalloc/archive/refs/tags/v3.1.5.tar.gz"
+		URL_HASH "SHA256=1c6949032069d5ebea438ec5cedd602d06f40a92ddf0f0d9dcff0993e5f6635c"
+		LIST_SEPARATOR "," # to pass MIMALLOC_EXTRA_CPPDEFS as list
+		CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+				   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+				   -DMI_BUILD_SHARED=${BUILD_SHARED_LIBS}
+				   -DMI_BUILD_STATIC=${BUILD_STATIC}
+				   -DMI_BUILD_TESTS=Off
+				   -DMI_BUILD_OBJECT=Off
+				   -DMI_NO_OPT_ARCH=On
+				   -DMI_EXTRA_CPPDEFS=${MIMALLOC_EXTRA_CPPDEFS}
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${MALLOC_LIB}
+	)
+	install(
+		FILES "${MALLOC_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
+
+# We add a custom target, in this way we can always depend on `mimalloc` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET malloc)
+	add_custom_target(malloc)
+endif()
+
+include_directories(${MIMALLOC_INCLUDE})
+add_compile_definitions(HAS_MIMALLOC)

cmake/modules/njson.cmake

@@ -1,34 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
-#
-# nlohmann-json
-#
-if(NJSON_INCLUDE)
-    # Adding the custom target we can use it with `add_dependencies()`
-    if(NOT TARGET njson)
-        add_custom_target(njson)
-    endif()
+option(USE_BUNDLED_NLOHMANN_JSON "Enable building of the bundled nlohmann-json" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_NLOHMANN_JSON)
+	include(FetchContent)
+	FetchContent_Declare(
+		nlohmann_json
+		URL https://github.com/nlohmann/json/archive/v3.11.3.tar.gz
+		URL_HASH SHA256=0d8ef5af7f9794e3263480193c491549b2ba6cc74bb018906202ada498a79406
+	)
+	FetchContent_MakeAvailable(nlohmann_json)
 else()
-    # We always use the bundled version
-    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-    ExternalProject_Add(
-        njson
-        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-        CONFIGURE_COMMAND ""
-        BUILD_COMMAND ""
-        INSTALL_COMMAND "")
-    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+	find_package(nlohmann_json CONFIG REQUIRED)
 endif()

cmake/modules/openssl.cmake

@@ -0,0 +1,81 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+
+if(OPENSSL_INCLUDE_DIR)
+	# we already have openssl
+elseif(NOT USE_BUNDLED_OPENSSL)
+	find_package(OpenSSL REQUIRED)
+	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION shared)
+	else()
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION no-shared)
+	endif()
+	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
+	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
+
+	if(NOT TARGET openssl)
+		if(NOT ENABLE_PIC)
+			set(OPENSSL_PIC_OPTION)
+		else()
+			set(OPENSSL_PIC_OPTION "-fPIC")
+		endif()
+
+		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+		ExternalProject_Add(
+			openssl
+			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
+			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
+			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
+			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
+							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
+			INSTALL_COMMAND make install_sw
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_SSL}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_CRYPTO}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET openssl)
+	add_custom_target(openssl)
+endif()
+
+include_directories("${OPENSSL_INCLUDE_DIR}")

cmake/modules/plugins.cmake

@@ -1,97 +0,0 @@
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-# 'stable' or 'dev'
-set(PLUGINS_DOWNLOAD_BUCKET "dev")
-
-string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
-
-if(NOT DEFINED PLUGINS_COMPONENT_NAME)
-    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
-endif()
-
-# k8saudit
-set(PLUGIN_K8S_AUDIT_VERSION "0.6.0-0.5.3-33%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "990e5c67d3b3c7cf5d30c73d73871b58767171ce7c998c1ca1d94d70c67db290")
-else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "c3634dfa83c8c8898811ab6b7587ea6d1c6dfffbdfa56def28cab43aaf01f88c")
-endif()
-
-ExternalProject_Add(
-  k8saudit-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-ExternalProject_Add(
-  k8saudit-rules
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=2e3214fee00a012b32402aad5198df889773fc5f86b8ab87583fbc56ae5fb78c"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-# cloudtrail
-set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0-0.7.3-33%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "144c297ae4285ea84b04af272f708a8b824f58bc9427a2eb91b467a6285d9e10")
-else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "19e7e8e11aaecd16442f65a265d3cd80ffb736ca4d3d8215893900fa0f04b926")
-endif()
-
-ExternalProject_Add(
-  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-ExternalProject_Add(
-  cloudtrail-rules
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=4f51d4bd9679f7f244c225b6fe530323f3536663da26a5b9d94d6953ed4e2cbc"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
-
-# json
-set(PLUGIN_JSON_VERSION "0.7.0-0.6.2-36%2B81ffddd")
-if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "a9d8c595a139df5dc0cf2117127b496c94a9d3a3d0e84c1f18b3ccc9163f5f4a")
-else() # aarch64
-    set(PLUGIN_JSON_HASH "7d78620395526d1e6a948cc915d1d52a343c2b637c9ac0e3892e76826fcdc2df")
-endif()
-
-ExternalProject_Add(
-  json-plugin
-  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

cmake/modules/rules.cmake

@@ -1,70 +1,95 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
 
 include(GNUInstallDirs)
 include(ExternalProject)
 
-# falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-0.1.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=0d3705a4650f09d10e7831b16e7af59c1da34ff19e788896e9ee77010014db4d")
-set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
-ExternalProject_Add(
-  falcosecurity-rules-falco
-  URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
-  URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND ""
-)
+if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
+	# falco_rules.yaml
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0")
+	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
+		"SHA256=ca87d972e102a9f960fed41f90d2736a73079fcc7e787187028f455ad58b1637"
+	)
+	set(FALCOSECURITY_RULES_FALCO_PATH
+		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"
+	)
+	ExternalProject_Add(
+		falcosecurity-rules-falco
+		URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
+		URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND ""
+		TEST_COMMAND ""
+	)
+endif()
 
-# falco_rules.local.yaml
-set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml")
-file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
+if(NOT DEFINED FALCOSECURITY_RULES_LOCAL_PATH)
+	# falco_rules.local.yaml
+	set(FALCOSECURITY_RULES_LOCAL_PATH
+		"${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml"
+	)
+	file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")
+endif()
 
 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+	set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+endif()
+
+if(WIN32 OR APPLE)
+	set(FALCO_ETC_DIR "etc/falco")
 endif()
 
 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
-  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
-  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
+	set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
+	set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
 endif()
 
-if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
-  install(
-    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
-    COMPONENT "${FALCO_COMPONENT}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}")
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects,
+	# intentionally *not* installing all rulesets.
+	install(
+		FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+		COMPONENT "${FALCO_COMPONENT}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_RULES_DEST_FILENAME}"
+	)
 
-  install(
-    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
-    COMPONENT "${FALCO_COMPONENT}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+		COMPONENT "${FALCO_COMPONENT}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+	)
 else() # Default Falco installation
-  install(
-    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_RULES_DEST_FILENAME}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 
-  install(
-    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
+		DESTINATION "${FALCO_ETC_DIR}"
+		RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(
+		DIRECTORY
+		DESTINATION "${FALCO_ETC_DIR}/rules.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()

cmake/modules/static-analysis.cmake

@@ -1,3 +1,18 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
 # create the reports folder
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
@@ -8,35 +23,42 @@ find_program(CPPCHECK cppcheck)
 find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
 
 if(NOT CPPCHECK)
-  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+	message(
+		STATUS
+			"cppcheck command not found, static code analysis using cppcheck will not be available."
+	)
 else()
-  message(STATUS "cppcheck found at: ${CPPCHECK}")
-  # we are aware that cppcheck can be run
-  # along with the software compilation in a single step
-  # using the CMAKE_CXX_CPPCHECK variables.
-  # However, for practical needs we want to keep the
-  # two things separated and have a specific target for it.
-  # Our cppcheck target reads the compilation database produced by CMake
-  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
-  add_custom_target(
-      cppcheck
-      COMMAND ${CPPCHECK}
-      "--enable=all"
-      "--force"
-      "--inconclusive"
-      "--inline-suppr" # allows to specify suppressions directly in source code
-      "--xml" # we want to generate a report
-      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
-      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
-      "${CMAKE_SOURCE_DIR}"
-  )
+	message(STATUS "cppcheck found at: ${CPPCHECK}")
+	# we are aware that cppcheck can be run along with the software compilation in a single step
+	# using the CMAKE_CXX_CPPCHECK variables. However, for practical needs we want to keep the two
+	# things separated and have a specific target for it. Our cppcheck target reads the compilation
+	# database produced by CMake
+	set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+	add_custom_target(
+		cppcheck
+		COMMAND
+			${CPPCHECK} "--enable=all" "--force" "--inconclusive" "--inline-suppr" # allows to
+			# specify suppressions directly in source code
+			"--xml" # we want to generate a report
+			"--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate
+			# the report under the reports folder in the build folder
+			"-i${CMAKE_CURRENT_BINARY_DIR}" # exclude the build folder
+			"${CMAKE_SOURCE_DIR}"
+	)
 endif() # CPPCHECK
 
 if(NOT CPPCHECK_HTMLREPORT)
-  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+	message(
+		STATUS
+			"cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results"
+	)
 else()
-  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
-  add_custom_target(
-    cppcheck_htmlreport
-    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+	message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+	add_custom_target(
+		cppcheck_htmlreport
+		COMMAND
+			${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME}
+			--report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck
+			--file=static-analysis-reports/cppcheck/cppcheck.xml
+	)
 endif() # CPPCHECK_HTMLREPORT

cmake/modules/yaml-cpp.cmake

@@ -1,35 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
 #
-mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
-if(NOT USE_BUNDLED_DEPS)
-  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
-  find_library(YAMLCPP_LIB NAMES yaml-cpp)
-  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
-    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system yamlcpp")
-  endif()
-  add_custom_target(yamlcpp)
+
+option(USE_BUNDLED_YAMLCPP "Enable building of the bundled yamlcpp" ${USE_BUNDLED_DEPS})
+
+if(USE_BUNDLED_YAMLCPP)
+	include(FetchContent)
+	FetchContent_Declare(
+		yamlcpp
+		URL https://github.com/jbeder/yaml-cpp/archive/c2bec4c755c67ad86185a2a264996137904fb712.tar.gz
+		URL_HASH SHA256=faea1ffdbad81b958b3b45a63ba667f4db53a3fffb983ca5df4745cf90044797
+	)
+	FetchContent_MakeAvailable(yamlcpp)
 else()
-  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-  set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-  ExternalProject_Add(
-    yamlcpp
-    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
-    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
+	find_package(yaml-cpp CONFIG REQUIRED)
 endif()

config/falco.container_plugin.yaml

@@ -0,0 +1,2 @@
+# Enable container plugin for linux non musl installation.
+load_plugins: [container]

config/falco.iso8601_timeformat.yaml

@@ -0,0 +1,2 @@
+# Enable iso 8601 time format on docker
+time_format_iso_8601: true

docker/CMakeLists.txt

@@ -1 +0,0 @@
-add_subdirectory(local)

docker/README.md

@@ -4,14 +4,9 @@ This directory contains various ways to package Falco as a container and related
 
 ## Currently Supported Images
 
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| _not yet published (experimental)_ | docker/ubi | Falco (built from RedHat's UBI base image) with the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
-| _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
-
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+| Name                                                                                                                                                                                                                                                                                                                                                                                       | Directory                   | Description                                                                                                                                                                                                                |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                                          | docker/falco                | Distroless image based on the latest released tar.gz of Falco. No tools are included in the image.                                                                              |
+| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                     | docker/falco-debian         | Debian-based image. Include some tools (i.e. jq, curl). No driver-building toolchain support. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader)                      | docker/driver-loader        | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and falcoctl. This is intended to be used as an installer or an init container when modern eBPF cannot be used.                     |
+| [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions.                                                                      |

docker/builder/Dockerfile

@@ -1,47 +0,0 @@
-FROM centos:7
-
-LABEL name="falcosecurity/falco-builder"
-LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG BUILD_TYPE=release
-ARG BUILD_DRIVER=OFF
-ARG BUILD_BPF=OFF
-ARG BUILD_WARNINGS_AS_ERRORS=ON
-ARG MAKE_JOBS=4
-ARG FALCO_VERSION
-ARG CMAKE_VERSION=3.22.5
-
-ENV BUILD_TYPE=${BUILD_TYPE}
-ENV BUILD_DRIVER=${BUILD_DRIVER}
-ENV BUILD_BPF=${BUILD_BPF}
-ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
-ENV MAKE_JOBS=${MAKE_JOBS}
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV CMAKE_VERSION=${CMAKE_VERSION}
-
-# build toolchain
-RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
-    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS
-
-
-RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
-
-RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
-    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
-
-COPY ./root /
-
-# DTS
-ENV BASH_ENV=/usr/bin/scl_enable \
-    ENV=/usr/bin/scl_enable \
-    PROMPT_COMMAND=". /usr/bin/scl_enable"
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/builder/README.md

@@ -1,8 +0,0 @@
-# Builder folder
-
-* We use `Dockerfile` to build the `centos7` Falco builder image.
-* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
-  * Falco `tar.gz`.
-  * Falco `deb` package.
-  * Falco `rpm` package.
-  * Falco build directory, used by other CI jobs.

docker/builder/modern-falco-builder.Dockerfile

@@ -1,62 +0,0 @@
-
-FROM centos:7 AS build-stage
-
-# To build Falco you need to pass the cmake option
-ARG CMAKE_OPTIONS=""
-ARG MAKE_JOBS=6
-
-# Install all the dependencies
-WORKDIR /
-
-RUN yum -y install centos-release-scl; \
-    yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++; \
-    source scl_source enable devtoolset-9; \
-    yum install -y git wget make m4 rpm-build
-
-# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
-RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
-    gzip -d /tmp/cmake.tar.gz; \
-    tar -xpf /tmp/cmake.tar --directory=/tmp; \
-    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
-    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
-
-# Copy Falco folder from the build context
-COPY . /source
-WORKDIR /build/release
-
-RUN source scl_source enable devtoolset-9; \
-    cmake ${CMAKE_OPTIONS} /source; \
-    make falco -j${MAKE_JOBS}
-RUN make package
-
-# We need `make all` for integration tests.
-RUN make all -j${MAKE_JOBS}
-
-FROM scratch AS export-stage
-
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG DEST_BUILD_DIR="/build"
-
-COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
-COPY --from=build-stage /build/release/falco-*.deb /packages/
-COPY --from=build-stage /build/release/falco-*.rpm /packages/
-
-# This is what we need for integration tests. We don't export all the build directory
-# outside the container since its size is almost 6 GB, we export only what is strictly necessary
-# for integration tests.
-# This is just a workaround to fix the CI build until we replace our actual testing framework.
-COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
-COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
-COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-plugin-prefix ${DEST_BUILD_DIR}/k8saudit-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-rules-prefix ${DEST_BUILD_DIR}/k8saudit-rules-prefix
-COPY --from=build-stage /build/release/scripts ${DEST_BUILD_DIR}/scripts
-COPY --from=build-stage /build/release/test ${DEST_BUILD_DIR}/test
-COPY --from=build-stage /build/release/userspace/falco/falco ${DEST_BUILD_DIR}/userspace/falco/falco
-COPY --from=build-stage /build/release/userspace/falco/config_falco.h ${DEST_BUILD_DIR}/userspace/falco/config_falco.h
-COPY --from=build-stage /build/release/falco-*.tar.gz ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.deb ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.rpm ${DEST_BUILD_DIR}/

docker/builder/root/usr/bin/entrypoint

@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-SOURCE_DIR=/source
-BUILD_DIR=/build
-CMD=${1:-usage}
-shift
-
-# Build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-FALCO_EXTRA_DEBUG_FLAGS=
-case "$BUILD_TYPE" in
-"debug")
-    FALCO_EXTRA_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-case "$CMD" in
-"cmake")
-    # Check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco" ]; then
-        echo "Missing falco source." >&2
-        exit 1
-    fi
-    # Prepare build directory
-    mkdir -p "$BUILD_DIR/$BUILD_TYPE"
-    cd "$BUILD_DIR/$BUILD_TYPE"
-
-    cmake \
-    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DBUILD_BPF="$BUILD_BPF" \
-    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-    -DFALCO_VERSION="$FALCO_VERSION" \
-    -DFALCO_EXTRA_DEBUG_FLAGS="$FALCO_EXTRA_DEBUG_FLAGS" \
-    -DUSE_BUNDLED_DEPS=ON \
-    "$SOURCE_DIR/falco"
-    exit "$(printf '%d\n' $?)"
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-*)
-    if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
-        echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
-        exit 1
-    fi
-    cd "$BUILD_DIR/$BUILD_TYPE"
-    make -j"$MAKE_JOBS" "$CMD"
-    ;;
-esac

docker/builder/root/usr/bin/scl_enable

@@ -1,6 +0,0 @@
-# IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced every time the shell session is opened.
-#
-# This will make scl collection binaries work out of box.
-unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7.0

docker/builder/root/usr/bin/usage

@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-gccversion=$(gcc --version | head -n1)
-cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
-cmakeversion=$(cmake --version | head -n1)
-clangversion=$(clang --version | head -n1)
-
-cat <<EOF
-Hello, this is the Falco builder container.
-
-How to use.
-
-    The default commands for the Falco builder image reports usage and environment info.
-    * docker run falcosecurity/falco-builder
-    * docker run falcosecurity/falco-builder usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-builder bash
-
-    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling)
-
-    Optionally, you can also bind-mount the build directory.
-    So, you can execute it from the Falco root directory as follows.
-
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
-
-    Eg.,
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
-
-How to build.
-
-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
-
-    In case you want to customise the builder at build time the following build arguments are provided:
-    - BUILD_TYPE                whether you want a "release" or "debug" build (defaults to "release").
-    - BUILD_DRIVER              whether to build the driver or not (defaults to "OFF")
-    - BUILD_BPF                 whether to build the BPF driver or not (defaults to "OFF")
-    - BUILD_WARNINGS_AS_ERRORS  whether to intend warnings as errors or not (defaults to "ON")
-    - MAKE_JOBS                 the number of jobs to use during make (defaults to "4")
-    - FALCO_VERSION             the version to label the build (built from git index in case it is missing)
-
-    It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
-
-Environment.
-
-    * ${gccversion}
-    * cplusplus ${cppversion}
-    * ${cmakeversion}
-    * ${clangversion}
-EOF

docker/docker-compose/README.md

@@ -0,0 +1,17 @@
+# Warning
+
+This environment is provided for demonstration purposes only and does not represent a production ready deployment of Falco.
+
+# Components
+The components that this docker-compose file spins up are [Falco](https://falco.org/), [falcosidekick](https://github.com/falcosecurity/falcosidekick), [falcosidekick-ui](https://github.com/falcosecurity/falcosidekick-ui) and a [redis](https://redis.io/) database.
+
+# Running
+To start this environment run `docker-compose up`.
+Note: You may need to use sudo for Falco to start correctly.
+
+# Cleaning up
+
+To clean up run `docker-compose rm`.
+
+# Generating events
+If you'd like to generate events that will trigger rules and show up in the UI you can run `docker run -it --rm falcosecurity/event-generator run syscall --loop`

docker/docker-compose/config/http_output.yml

@@ -0,0 +1,11 @@
+# [Stable] `http_output`
+#
+# Send logs to an HTTP endpoint or webhook.
+#
+# When using falcosidekick, it is necessary to set `json_output` to true.
+json_output: true
+json_include_output_property: true
+http_output:
+  enabled: true
+  url: "http://falco-sidekick:2801/"
+  

docker/docker-compose/docker-compose.yaml

@@ -0,0 +1,34 @@
+version: "3"
+services:
+  falco:
+    container_name: falco
+    cap_drop:
+      - all
+    cap_add:
+      - sys_admin
+      - sys_resource
+      - sys_ptrace
+    volumes:
+      - /var/run/docker.sock:/host/var/run/docker.sock
+      - /proc:/host/proc:ro
+      - /etc:/host/etc:ro
+      - ./config/http_output.yml:/etc/falco/config.d/http_output.yml
+    image: falcosecurity/falco:latest
+
+  sidekick:
+    container_name: falco-sidekick
+    image: falcosecurity/falcosidekick
+    environment:
+      WEBUI_URL: http://falco-webui:2802
+
+  webui:
+    container_name: falco-webui
+    image: falcosecurity/falcosidekick-ui:2.2.0
+    ports:
+      - 2802:2802
+    depends_on:
+      - redis
+    command: ['-r', 'redis:6379', '-d']
+
+  redis:
+    image: redis/redis-stack:7.2.0-v11

docker/driver-loader-buster/Dockerfile

@@ -1,52 +1,62 @@
 FROM debian:buster
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+ARG FALCO_COMMIT_SHA
+ARG FALCO_VERSION=latest
+
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
+      org.opencontainers.image.version=${FALCO_VERSION} \
+      maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 
 ARG TARGETARCH
 
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
-ENV HOST_ROOT /host
-
-ENV HOME /root
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV HOST_ROOT=/host
+ENV HOME=/root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+# Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+RUN cat <<EOF > /etc/apt/sources.list
+deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main
+deb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main
+deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main
+EOF
+
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
 	libc6-dev \
-	libelf-dev \
-	libyaml-0-2 \
+	libssl-dev \
 	llvm-7 \
 	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libcc1-0 \
 	patchelf \
+	xz-utils \
+	zstd \
 	&& rm -rf /var/lib/apt/lists/*
 
 RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
-    fi
+	then apt-get install -y --no-install-recommends libmpx2; \
+	fi
 
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
@@ -55,7 +65,7 @@ RUN if [ "$TARGETARCH" = "amd64" ]; \
 # or so.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
@@ -64,8 +74,8 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
 	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
 	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
@@ -74,15 +84,15 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
 	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
 	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
@@ -94,28 +104,31 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
+
 RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
+	curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	else  \
+	curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	fi
 
 RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
 	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
@@ -123,13 +136,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-# The local container also copies some test trace files and
-# corresponding rules that are used when running regression tests.
-COPY rules/*.yaml /rules/
-COPY traces/*.scap /traces/
-
-COPY ./docker-entrypoint.sh /
+COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]

docker/driver-loader-buster/docker-entrypoint.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "  modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
+	echo "  ebpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
+	echo ""
+}
+
+echo "* Setting up /usr/src links from host"
+
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
+
+ENABLE_COMPILE="false"
+ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
+driver=
+has_opts=
+while test $# -gt 0; do
+	case "$1" in
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
+				>&2 echo "Only one driver per invocation"
+				print_usage
+				exit 1
+			else
+			  driver=$1
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--clean)
+			/usr/bin/falcoctl driver cleanup
+			exit 0
+			;;
+		--compile)
+			ENABLE_COMPILE="true"
+			has_opts="true"
+			;;
+		--download)
+			ENABLE_DOWNLOAD="true"
+			has_opts="true"
+			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;
+		--print-env)
+			/usr/bin/falcoctl driver printenv
+			exit 0
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+    shift
+done
+
+# No opts passed, enable both compile and download
+if [ -z "$has_opts" ]; then
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
+fi
+
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

docker/driver-loader/Dockerfile

@@ -1,14 +1,55 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+ARG FALCO_COMMIT_SHA
+ARG FALCO_VERSION
 
-LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
+      org.opencontainers.image.version=${FALCO_VERSION} \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
-ENV HOST_ROOT /host
-ENV HOME /root
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 
-COPY ./docker-entrypoint.sh /
+ENV HOST_ROOT=/host
+ENV HOME=/root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bc \
+	bison \
+	ca-certificates \
+	clang \
+	curl \
+	dkms \
+	dwarves \
+	flex \
+	gcc \
+	gcc-11 \
+	gnupg2 \
+	jq \
+	libc6-dev \
+	libssl-dev \
+	llvm \
+	make \
+	netcat-openbsd \
+	patchelf \
+	xz-utils \
+	zstd \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+COPY ./docker/driver-loader/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,12 +18,122 @@
 #
 
 
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
+	echo "  kmod           kernel module"
+	echo "  ebpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help                   show this help message"
+	echo "  --clean                  try to remove an already present driver installation"
+	echo "  --compile                try to compile the driver locally (default true)"
+	echo "  --download               try to download a prebuilt driver (default true)"
+	echo "  --kernel-release <value> set the kernel release"
+	echo "  --kernel-version <value> set the kernel version"
+ 	echo "  --http-insecure	         enable insecure downloads"
+	echo "  --print-env              skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
+	echo ""
+}
+
 echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
 do
+    [[ -e $i ]] || continue
     base=$(basename "$i")
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+ENABLE_COMPILE="false"
+ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
+driver=
+has_opts=
+extra_args=
+
+while test $# -gt 0; do
+	case "$1" in
+		auto|kmod|ebpf|modern_ebpf)
+			if [ -n "$driver" ]; then
+				>&2 echo "Only one driver per invocation"
+				print_usage
+				exit 1
+			else
+				driver=$1
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--clean)
+			/usr/bin/falcoctl driver cleanup
+			exit 0
+			;;
+		--compile)
+			ENABLE_COMPILE="true"
+			has_opts="true"
+			;;
+		--download)
+			ENABLE_DOWNLOAD="true"
+			has_opts="true"
+			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;
+		--kernel-release)
+			extra_args+="--kernelrelease=$2 "
+			shift
+			;;
+		--kernel-version)
+			extra_args+="--kernelversion=$2 "
+			shift
+			;;
+		--print-env)
+			/usr/bin/falcoctl driver printenv
+			exit 0
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+    shift
+done
+
+# No opts passed, enable both compile and download
+if [ -z "$has_opts" ]; then
+    ENABLE_COMPILE="true"
+    ENABLE_DOWNLOAD="true"
+fi
+
+# Default value: auto
+if [ -z "$driver" ]; then
+  driver="auto"
+fi
+
+if [ "$driver" != "auto" ]; then
+  /usr/bin/falcoctl driver config --type $driver
+else
+  # Needed because we need to configure Falco to start with correct driver
+  /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
+fi
+
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args

docker/falco-debian/Dockerfile

@@ -0,0 +1,40 @@
+FROM debian:12-slim
+
+ARG FALCO_COMMIT_SHA
+ARG FALCO_VERSION
+
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
+      org.opencontainers.image.version=${FALCO_VERSION} \
+      maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
+
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV HOST_ROOT=/host
+ENV HOME=/root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
+	&& apt clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+
+CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -1,130 +1,45 @@
-FROM debian:buster
+FROM cgr.dev/chainguard/wolfi-base
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+ARG FALCO_COMMIT_SHA
+ARG FALCO_VERSION
 
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
+      org.opencontainers.image.version=${FALCO_VERSION} \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
-ARG TARGETARCH
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro  -v /etc:/host/etc:ro falcosecurity/falco:latest"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+ARG VERSION_BUCKET=bin
 
 ENV FALCO_VERSION=${FALCO_VERSION}
-ENV HOST_ROOT /host
-ENV HOME /root
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+ENV HOST_ROOT=/host
+ENV HOME=/root
 
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+RUN apk update && apk add curl ca-certificates jq libstdc++
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	bison \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	flex \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libssl-dev \
-	llvm-7 \
-	netcat \
-	patchelf \
-	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
+WORKDIR /
 
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2; \
-    fi
+RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+    curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    rm -rf /falco/usr/src/falco-* && \
+    cp -r /falco/* / && \
+    rm -rf /falco
 
-# gcc 6 is no longer included in debian stable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
-	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
-	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
-
-# gcc 5 is no longer included in debian stable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
-	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
-	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
-	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-# debian:stable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
-
-RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
 
 CMD ["/usr/bin/falco"]

docker/falco/docker-entrypoint.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"

docker/local/CMakeLists.txt

@@ -1,17 +0,0 @@
-add_subdirectory(traces)
-add_subdirectory(rules)
-
-add_custom_target(local-Dockerfile ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
-
-add_custom_target(local-docker-entrypoint ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
-

docker/local/docker-entrypoint.sh

@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"

docker/local/rules/CMakeLists.txt

@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of rules is created at cmake time, not build time
-file(GLOB test_rule_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
-
-copy_files_to_build_dir("${test_rule_files}" docker-local-rules)

docker/local/traces/CMakeLists.txt

@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
-
-copy_files_to_build_dir("${test_trace_files}" docker-local-traces)

docker/no-driver/Dockerfile

@@ -1,39 +0,0 @@
-FROM ubuntu:18.04 as ubuntu
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
-
-WORKDIR /
-
-RUN curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM debian:11-slim
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
-    && apt clean -y && rm -rf /var/lib/apt/lists/*
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-COPY --from=ubuntu /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -1,30 +0,0 @@
-FROM fedora:31
-
-LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-ARG TARGETARCH
-
-ENV FALCO_VERSION=
-ENV BUILD_TYPE=release
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
-    else curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
-    fi;
-
-RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
-ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip install --user avocado-framework==69.0
-RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
-RUN pip install --user watchdog==0.10.2
-RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl.tar.gz
-
-COPY ./root /
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/tester/root/runners/deb.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms -y
-
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/runners/rpm.Dockerfile

@@ -1,22 +0,0 @@
-FROM centos:7
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN yum update -y
-RUN yum install epel-release -y
-
-ADD falco-${FALCO_VERSION}-*.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/runners/tar.gz.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms curl -y
-
-ADD falco-${FALCO_VERSION}-*.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/usr/bin/entrypoint

@@ -1,93 +0,0 @@
-#!/usr/bin/env bash
-
-BUILD_DIR=${BUILD_DIR:-/build}
-SOURCE_DIR=${SOURCE_DIR:-/source}
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
-
-CMD=${1:-test}
-shift
-
-# Stop the execution if a command in the pipeline has an error, from now on
-set -e -u -o pipefail
-
-# build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-case "$BUILD_TYPE" in
-"debug")
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-build_image() {
-    BUILD_DIR=$1
-    BUILD_TYPE=$2
-    FALCO_VERSION=$3
-    PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
-    if [ ! -f "$PACKAGE" ]; then
-        echo "Package not found: ${PACKAGE}." >&2
-        exit 1
-    fi
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
-
-    mkdir -p /runner-rootfs
-    cp "$PACKAGE" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
-    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
-}
-
-clean_image() {
-    PACKAGE_TYPE=$1
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    docker rmi -f "$DOCKER_IMAGE_NAME"
-}
-
-case "$CMD" in
-"test")
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Automatically figuring out Falco version."
-        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
-        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
-        echo "Falco version: $FALCO_VERSION"
-    fi
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
-        exit 1
-    fi
-
-    # build docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
-    fi
-
-    # check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
-        echo "Missing $SOURCE_DIR/falco/test directory." >&2
-        exit 1
-    fi
-
-    # run tests
-    echo "Running regression tests ..."
-    cd "$SOURCE_DIR/falco/test"
-    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
-
-    # clean docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        clean_image "deb"
-        clean_image "rpm"
-        clean_image "tar.gz"
-    fi
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-esac

docker/tester/root/usr/bin/usage

@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
-dockerversion=$(docker --version)
-avocadoversion=$(pip show avocado-framework | grep Version)
-avocadoversion=${avocadoversion#"Version: "}
-
-cat <<EOF
-Hello, this is the Falco tester container.
-
-How to use.
-
-    The default commands for the Falco tester image reports usage and environment info.
-    * docker run falcosecurity/falco-tester
-    * docker run falcosecurity/falco-tester usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-tester bash
-
-    To run Falco regression tests you need to provide:
-    - the docker socket
-    - the boot directory
-    - the source directory
-    - the directory where Falco has been built
-    - the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
-
-    Assuming you are running it from the Falco root directory, you can run it as follows.
-    * docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
-
-How to build.
-
-    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
-
-Environment.
-
-    * python ${pythonversion}
-    * ${pipversion}
-    * avocado ${avocadoversion}
-    * ${dockerversion}
-EOF

docker/ubi/Dockerfile

@@ -1,46 +0,0 @@
-ARG UBI_VERSION=latest
-FROM registry.access.redhat.com/ubi8/ubi:${UBI_VERSION}
-
-ARG FALCO_VERSION
-RUN test -n "$FALCO_VERSION" || (echo "FALCO_VERSION  not set" && false)
-ENV FALCO_VERSION=${FALCO_VERSION}
-
-LABEL "name"="Falco Runtime Security"
-LABEL "vendor"="Falco"
-LABEL "version"="${FALCO_VERSION}"
-LABEL "release"="${FALCO_VERSION}"
-LABEL "ubi-version"="${UBI_VERSION}"
-LABEL "summary"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "io.k8s.display-name"="Falco"
-LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
-
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-RUN  dnf -y update && \
-     dnf -y install \
-          curl \
-          make \
-          cmake \
-          gcc \
-          llvm-toolset \
-          clang \
-          kmod \
-     && dnf -y clean all ; rm -rf /var/cache/{dnf,yum}
-
-RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
-     tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
-
-RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     rm -rf /deploy
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/falco"]

docker/ubi/docker-entrypoint.sh

@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-
-    # Required by dkms to find the required dependencies on RedHat UBI
-    rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
-    rm -fr /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules
-    rm -fr /boot && ln -s $HOST_ROOT/boot /boot
-
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"