Falco Rules for Visual Studio Code

Falco

Full language support for Falco Security Rules

Features

🎨 Syntax Highlighting

Rich syntax highlighting for Falco rules files (.falco.yaml, .falco.yml, *_rules.yaml, *_rules.yml) with support for:

Rule, macro, and list definitions
Condition expressions with operators
Field references and string values
Comments and YAML structure

💡 Intelligent Code Completion

Context-aware completions for:

Top-level items: rule, macro, list, required_engine_version, required_plugin_versions
Rule properties: condition, output, priority, source, tags, exceptions, enabled, desc, append, override, capture, capture_duration, warn_evttypes, skip-if-unknown-filter
Falco fields: All syscall, container, and Kubernetes fields
Operators: Comparison (=, !=, contains, icontains, in, pmatch, glob, startswith, endswith) and logical (and, or, not)
User-defined symbols: Macros and lists defined in your files
Priority levels: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, DEBUG
Sources: syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, github, okta, and more
Plugin version properties: name, version, alternatives

🔍 Hover Information

Hover over any element to see detailed information:

Field descriptions and types
Macro definitions and conditions
List contents preview

📍 Go to Definition

Jump to the definition of:

Macros referenced in conditions
Lists used in expressions
Rules by name

⚡ Real-time Diagnostics

Instant validation as you type:

Syntax errors: Invalid YAML or condition syntax
Undefined references: Unknown macros or lists
Field validation: Unknown or mismatched fields for source type
Best practices: Hints for dynamic fields requiring arguments

📋 Snippets

Quick templates for common patterns:

Complete rule definition with all properties
Macro with condition
List with items
Exception blocks
Engine version requirement
Plugin version requirements

🔧 JSON Schema Validation

Automatic schema validation for .falco.yaml, .falco.yml, *_rules.yaml, and *_rules.yml files ensures structural correctness and validates:

Required and optional properties for rules, macros, and lists
Correct data types (strings, booleans, arrays, objects)
Valid priority levels and source types
Proper structure for exceptions and plugin version requirements
Schema auto-synced from the official Falco repository

🎯 Advanced Features

Multi-file support: Cross-file symbol resolution for macros and lists
Workspace-wide validation: Validate all Falco files in your workspace at once
Exception handling: Full support for rule exceptions with field, comparison, and value validation
Source-aware validation: Field validation based on rule source type (syscall, k8s_audit, etc.)
Dynamic field hints: Warnings for fields that require arguments (e.g., proc.aname[n])
Append mode support: Validation for rules and lists using append: true

Installation

From VS Code Marketplace

Open VS Code
Go to Extensions (Ctrl+Shift+X / Cmd+Shift+X)
Search for "Falco Rules"
Click Install

From Command Line

code --install-extension c2ndev.falco-rules

Language Server Binary

The extension requires the falco-lang binary for full functionality. You can:

Use the bundled binary (included with the extension)

Build from source:

cd falco-lsp
make build
make install  # Installs to $GOPATH/bin

Download from releases: Get pre-built binaries from GitHub Releases

Version Requirements

Falco rules files can specify version requirements to ensure compatibility:

Engine Version

Use required_engine_version to specify the minimum Falco engine version:

- required_engine_version: 0.38.0

This ensures that the rules file is only loaded by Falco versions >= 0.38.0.

Plugin Versions

Use required_plugin_versions to specify required plugin versions:

- required_plugin_versions:
    - name: k8saudit
      version: 0.7.0
    - name: json
      version: 0.8.0
      alternatives:
        - name: json
          version: 0.7.3

The extension provides:

✅ Auto-completion for name, version, and alternatives properties
✅ JSON Schema validation for correct structure
✅ Snippets for quick insertion (engine-version, plugin-version)

Supported File Types

Pattern	Language ID	Description
`*.falco.yaml`	`falco-yaml`	Falco rules in YAML format
`*.falco.yml`	`falco-yaml`	Falco rules in YAML format
`*_rules.yaml`	`falco-yaml`	Official Falco rules naming convention
`*_rules.yml`	`falco-yaml`	Official Falco rules naming convention

Commands

Access commands via the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):

Command	Description
`Falco: Validate Current File`	Validate the active Falco rules file
`Falco: Validate All Files in Workspace`	Validate all Falco files in the workspace
`Falco: Format Document`	Format the current document
`Falco: Show Output Channel`	Show the extension's output log
`Falco: Restart Language Server`	Restart the language server

Configuration

Configure the extension in VS Code settings:

Setting	Type	Default	Description
`falco.maxNumberOfProblems`	number	`100`	Maximum problems to report per document
`falco.enableFormatting`	boolean	`true`	Enable automatic code formatting
`falco.tabSize`	number	`2`	Tab size for formatting
`falco.insertSpaces`	boolean	`true`	Use spaces for indentation
`falco.validateYamlFiles`	boolean	`true`	Validate Falco rules in YAML files
`falco.trace.server`	string	`"off"`	Trace server communication (`off`, `messages`, `verbose`)

Example

Here's a complete example showcasing the main features:

# Specify minimum Falco engine version
- required_engine_version: 0.38.0

# Specify required plugin versions
- required_plugin_versions:
    - name: k8saudit
      version: 0.7.0

# Define reusable macros
- macro: container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# Define lists of values
- list: shell_binaries
  items: [bash, sh, zsh, ksh, csh, fish]

- list: sensitive_files
  items: [/etc/shadow, /etc/passwd, /etc/sudoers]

# Define detection rules
- rule: Shell Spawned in Container
  desc: Detect shell execution inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  source: syscall
  tags: [container, shell, mitre_execution, T1059]

- rule: Read Sensitive File
  desc: Detect attempts to read sensitive system files
  condition: >
    evt.type in (open, openat, openat2) and
    evt.dir = < and
    fd.name in (sensitive_files) and
    not proc.name in (allowed_readers)
  output: >
    Sensitive file opened for reading
    (user=%user.name file=%fd.name process=%proc.name cmdline=%proc.cmdline)
  priority: ERROR
  source: syscall
  tags: [filesystem, security, mitre_credential_access, T1003]
  exceptions:
    - name: allowed_readers
      fields: [proc.name, fd.name]
      comps: [in, in]
      values:
        - [systemd, /etc/shadow]

Troubleshooting

Language Server Not Starting

Check the Output panel (View > Output) and select "Falco Rules"
Ensure the falco-lang binary is installed and accessible
Try restarting the language server: Falco: Restart Language Server

Diagnostics Not Updating

Save the file to trigger a fresh validation
Restart the language server
Check for syntax errors in the Output panel

Missing Completions

Ensure the language server is running (check the status bar for "Falco").

Contributing

Contributions are welcome! Please see our Contributing Guide for details.

Development

# Clone the repository
git clone https://github.com/c2ndev/falco-lsp.git
cd falco-lsp

# Build the Go language server
cd falco-lsp
make build

# Install extension dependencies
cd ../vscode-extension
npm install

# Build the extension
npm run build

Resources

License

Apache License 2.0 - See LICENSE for details.

Made with ❤️ by Alessandro Cannarella