Artifact management is the process of storing, organising, and securing the essential components generated throughout software development. Cloudsmith defines artifacts as the tangible outputs of the development lifecycle, including compiled source code, libraries, executables, and configuration files.
Examples of Artifacts
Artifacts include a wide range of software components, such as compiled code like JAR files, binaries, and Docker images. This also extends to configuration files like YAML and JSON, as well as packages and dependencies such as Helm charts, Python wheels, and npm modules.
Without a centralised system, these artifacts can become disorganised, leading to inefficiencies and security risks. This is why artifact management is critical for CNCF projects like Falco, which handle a variety of artifacts such as rule files and plugins. Effective artifact management through falcoctl ensures streamlined DevOps pipelines by automating the storage, versioning, and distribution of Falco rules. Falcoctl is a command-line tool designed to simplify the process of handling these components, ensuring efficient deployment and maintenance.
The output below illustrates how Falcoctl interacts with artifacts, enabling users to manage rules and plugins effectively.
❯ falcoctl --help
__ _ _ _
/ _| __ _| | ___ ___ ___| |_| |
| |_ / _ | |/ __/ _ / __| __| |
| _| (_| | | (_| (_) | (__| |_| |
|_| __,_|_|______/ ___|__|_|
The official CLI tool for working with Falco and its ecosystem components.
Usage:
falcoctl [command]
Available Commands:
artifact Interact with Falco artifacts
completion Generate the autocompletion script for the specified shell
help Help with any command
index Interact with index
registry Interact with OCI registries
tls Generate and install TLS material for Falco
version Print the falcoctl version information
With falcoctl, users can search for existing artifacts within specific registries. These registries store artifacts in a format compatible with the Open Container Initiative (OCI) standard, allowing falcoctl to interact seamlessly with any OCI-compliant registry. The official registry for Falco artifacts is GitHub Packages.
After completing the setup, we can use falcoctl to search for available artifacts with the following command:
❯ sudo falcoctl artifact search falco
INDEX ARTIFACT TYPE REGISTRY REPOSITORY
falcosecurity falco-rules rulesfile ghcr.io falcosecurity/rules/falco-rules
❯ sudo falcoctl artifact search kubernetes
INDEX ARTIFACT TYPE REGISTRY REPOSITORY
falcosecurity k8saudit plugin ghcr.io falcosecurity/plugins/plugin/k8saudit
falcosecurity k8saudit-rules rulesfile ghcr.io falcosecurity/plugins/ruleset/k8saudit
Setting up a Falcoctl Artifact
Let’s push a rules file into an OCI registry. First create a rules file
cat << 'EOF' | sudo tee ./custom_rules.yaml
- list: falco_binaries
items: [falcoctl]
EOF
Login to the registry and then push that single rules file to the registry.
nigel@falco:/etc/falcoctl# falcoctl registry auth basic nigel_registry -u 'nigel' -p 'password'
2025-02-28 13:34:43 INFO Login succeeded registry: nigel_registry user: nigel
While OCI registries are commonly linked to container image storage, their capabilities extend far beyond that. They support a diverse range of OCI-compliant artifacts, and as adoption increases, we will likely see them become a standard for managing various software components across the development lifecycle.
export OCI_ARTIFACT_VERSION=latest
export OCI_REGISTRY=nigel_registry
export OCI_REPOSITORY=nigel_repo/falco-rules
export RULESET_FILE=custom_rules.yaml
falcoctl registry push
--config /dev/null
--type rulesfile
--version ${OCI_ARTIFACT_VERSION}
${OCI_REGISTRY}/${OCI_REPOSITORY}:${OCI_ARTIFACT_VERSION}
${RULESET_FILE}
After pushing the single rules file, we get the below output for that artifact:
2025-02-28 13:35:19 INFO Preparing to push artifact
2025-02-28 13:35:19 INFO Preparing to push artifact
├ name: nigel_registry/nigel_repo/falco-rules:latest
└ type: rulesfile
2025-02-28 13:35:19 ERROR open custom_rules.yaml: no such file or directory
nigel@falco:/etc/falcoctl# cd
nigel@falco:~# falcoctl registry push --config /dev/null --type rulesfile --version
${OCI_ARTIFACT_VERSION} ${OCI_REGISTRY}/${OCI_REPOSITORY}:${OCI_ARTIFACT_VERSION} ${RULESET_FILE}
2025-02-28 13:35:19 INFO Preparing to push artifact
├ name: nigel_registry/nigel_repo/falco-rules:latest
└ type: rulesfile
2025-02-28 13:35:19 INFO Parsing dependencies from: rulesfile: custom_rules.yaml
2025-02-28 13:35:19 WARN No dependencies were provided by the user and none were found in the
│ rulesfile.
2025-02-28 13:35:19 INFO Parsing requirements from: rulesfile: custom_rules.yaml
2025-02-28 13:35:19 WARN No requirements were provided by the user and none were found in the
│ rulesfile.
2025-02-28 13:35:19 INFO Pushing layer d5c35695420a
2025-02-28 13:35:20 INFO 97c38f4c17c8: layer already exists
2025-02-28 13:35:20 INFO Pushing layer c891d7815e0a
2025-02-28 13:35:20 INFO Artifact pushed
├ name: nigel_registry/nigel_repo/falco-rules:latest
├ type: rulesfile
└ digest: sha256:c891d7815e0a30a1a73e026aea4603503b0a12df9bc8b7efc38f61de2d77bd6b
Install your first Artifact
We can install the Default Falco Rules file as our first artifact.
❯ sudo falcoctl artifact install falco-rules
INFO Reading all configured index files from "/root/.config/falcoctl/indexes.yaml"
INFO Resolving dependencies ...
INFO Installing the following artifacts: [ghcr.io/falcosecurity/rules/falco-rules:latest]
INFO Preparing to pull "ghcr.io/falcosecurity/rules/falco-rules:latest"
INFO Pulling ad24f8acf278: ############################################# 100%
INFO Pulling 0d3705a4650f: ############################################# 100%
INFO Pulling 0957c1ef3fe4: ############################################# 100%
INFO Artifact successfully installed in "/etc/falco"
Version Control Your Artifacts
By default, the most recent version is used, but you can install a specific version by specifying a tag, such as:
❯ sudo falcoctl artifact info falco-rules
REF TAGS
ghcr.io/falcosecurity/rules/falco-rules 0.0.0 0.1.0-rc1 0.1.0 0.1.0 latest
Official artifacts include floating tags, allowing you to reference versions dynamically. For example, 0 refers to the latest 0.x.x release, while 0.5 refers to the latest 0.5.x release.
You can also explore the different versions and tags available directly on GitHub Packages [here]. For organizations seeking to automate updates and consistently use the most recent version of a particular package, Falcoctl’s daemon mode allows it to regularly check artifact repositories and automatically install new versions. This functionality can be configured within the /etc/falcoctl/falcoctl.yaml manifest.
As software systems grow in complexity, effective package management becomes essential. Platforms like Cloudsmith provide robust support for various package and container types, offering native ingress and egress to ensure full visibility into deployed artifacts across development and production environments.
In the case of Falco and falcoctl, the official Falco repository utilises Github Packages, which are available for free with any public GitHub repository. Packages can be thought of as structured bundles that include both compiled code and metadata detailing how they should be used. While all packages are a type of artifact, not all artifacts are considered packages.
Conclusion
With falcoctl, users can now modify Falco rules as OCI artifacts, making it easier to store, retrieve, and manage them in private or public container registries. This approach enhances flexibility, security, and version control, ensuring that DevOps teams have a structured and reliable way to manage critical security components.
The Falco community recognises the importance of staying ahead of evolving security threats. By adopting OCI artifacts, maintainers have created a more efficient, scalable, and controlled system for managing and delivering Falco rules.For more details on integrating Falco rules into GitOps workflows, check out the [official blog post]. To explore how Universal Artifact Management can enhance cloud-native security and operations, visit this [Cloudsmith blog post].
