Falco drivers tests

December 3, 2025 ยท View on GitHub

Falco kernel tests Repository Incubating Architectures Latest release

Falco drivers tests

This repository automatically runs Falco scap-open binary on all supported drivers through Ansible, spawning Firecracker microVMs to test Falco drivers against multiple kernels.
You can find list of machines being used here. You can find a document explaining the architecture of the solution here. Please read it carefully before deploying it.

Prerequisites

The following is the list of main prerequisites, each one annotated with a suggested (tested) version:

  • Ansible -> 2.16.3-0ubuntu2
  • Firecracker -> 1.13.1
  • Docker -> whatever is available
  • Golang -> 1.25.4

Exemplary instructions, installing and configuring all needed dependencies, and configuring host networking, can be found in config_example_amd64.sh. The script is not intended to be run as is: it is just demonstrative, and is required for the user to go through it and adapt the different parts to the specific environment.

Configure

It is advised to avoid directly modifying vars.yml file;
instead one can create a local vars.yml file to override keys from the default vars.

The only mandatory thing to be configured is an ssh key pair:

#Path to the generated SSH private key file
ssh_key_path: "" # <-- Replace here with the key path
ssh_key_name: "" # <-- Replace here with the key name

Run

From the ansible-playbooks directory you can run tests on all machines by typing:

ansible-playbook main-playbook.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

To rerun tests:

ansible-playbook scap-open.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

To clean up all machines

ansible-playbook clean-up.yml --ask-become --extra-vars "@/path/to/local/vars.yaml"

CI Usage

To better suit the CI usage, a GitHub composite action has been developed.
Therefore, running kernel-testing in your GitHub workflow is as easy as adding this step:

- uses: falcosecurity/kernel-testing@main
  # Give it an id to be able to later use its outputs
  id: kernel_tests
  with:
    # libs version to be tested, eg: master.
    # Default: 'master'
    libsversion: master
    
    # libs repo to be tested, eg: falcosecurity/libs.
    # Default: 'falcosecurity/libs'
    libsrepo: falcosecurity/libs
    
    # Whether to generate matrixes as matrix artifact.
    # Default: false
    build_matrix: 'true'

    # Images tag to be used, in the form vX.Y.Z
    # Required.
    images_tag: 'v0.3.2'

Then you can use action outputs to retrieve artifacts:

- uses: actions/upload-artifact@latest
  with:
    name: ansible_output
    path: ${{ steps.kernel_tests.outputs.ansible_output }}
        
- uses: actions/upload-artifact@latest
  with:
    name: matrix
    path: ${{ steps.kernel_tests.outputs.matrix_output }}

As an example, see libs reusable workflow.

NOTE: Since we don't use annotated tags, one cannot use eg: falcosecurity/kernel-testing@v0, but only either exact tag name or master.

NOTE: Of course, you'll need to run your tests on virtualization-enabled nodes.