mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 11:29:26 +00:00
A new trace file falco-event-generator.scap contains the result of running the falco event generator in docker, via:

docker run --security-opt seccomp=unconfined sysdig/falco-event-generator:latest /usr/local/bin/event_generator --once

Make sure this trace file detects the exact set of events we expect for each rule. This required adding a new verification method check_detections_by_rule that finds the per-rule counts and compares them to the expected counts, which are included in the test description under the key "detect_counts".

This is the first time a trace file for a test is actually in one of the downloaded zip files. This means it will be tested twice (once for simple detect-or-not, once for actual counts).

Adding this test showed a problem with the Run shell in container rule -- since sysdig/falco-event-generator startswith sysdig/falco, it was being treated as a trusted container. Modify the macro trusted_containers to not allow falco-event-generator to be trusted.
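The two points of the commit, per-rule detection counting and the over-broad prefix match in the trusted-container check, as an added Python illustration that is not Falco's own test harness or rule syntax; the alert lines, the expected-count table and the trusted repository set are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample in the shape of Falco's JSON-line output (not the real trace).
SAMPLE_ALERTS = """
{"priority": "Notice", "rule": "Run shell in container", "output": "... container=falco-event-generator ..."}
{"priority": "Warning", "rule": "Read sensitive file untrusted", "output": "... file=/etc/shadow ..."}
{"priority": "Warning", "rule": "Read sensitive file untrusted", "output": "... file=/etc/shadow ..."}
"""
# Hypothetical "detect_counts" entry of a test description (values made up).
EXPECTED_COUNTS = {"Run shell in container": 1, "Read sensitive file untrusted": 2}

def count_detections_by_rule(alert_lines):
    """Count alerts per rule name from JSON-line Falco output."""
    counts = Counter()
    for line in alert_lines.splitlines():
        if line.strip():
            counts[json.loads(line)["rule"]] += 1
    return dict(counts)

def check_detections_by_rule(actual, expected):
    """Return mismatch messages (empty list = pass); surplus rules are reported too."""
    problems = []
    for rule, want in expected.items():
        got = actual.get(rule, 0)
        if got != want:
            problems.append(f"{rule}: expected {want}, got {got}")
    for rule, got in actual.items():
        if rule not in expected:
            problems.append(f"{rule}: {got} detections but none expected")
    return problems

def image_repository(image):
    """Strip an optional :tag or @digest from an image reference."""
    repo = image.split("@", 1)[0]
    head, sep, last = repo.rpartition("/")
    return head + sep + last.split(":", 1)[0]

def trusted_by_prefix(image):
    """Over-broad check: a prefix match also accepts sysdig/falco-event-generator."""
    return image.startswith("sysdig/falco")

def trusted_by_repository(image):
    """Tighter check: the repository must match exactly (trusted set is hypothetical)."""
    return image_repository(image) in {"sysdig/falco"}

if __name__ == "__main__":
    print(check_detections_by_rule(count_detections_by_rule(SAMPLE_ALERTS), EXPECTED_COUNTS))
    for img in ("sysdig/falco:latest", "sysdig/falco-event-generator:latest"):
        print(img, trusted_by_prefix(img), trusted_by_repository(img))
```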