Falco HTTP API

REST API served by the Falco web server providing health checks, version information, and rules management endpoints for the Falco runtime security engine.

OpenAPI Specification

# OpenAPI 3.0.3 description of the Falco web server's HTTP endpoints.
# As written, this document declares no top-level `security` requirement and
# no `components.securitySchemes`, so every operation in it is described as
# callable without credentials. Access control therefore has to come from
# where the listener is bound and from what is allowed to route to it.
openapi: 3.0.3
info:
  title: Falco HTTP API
  description: >-
    The Falco HTTP API provides health check, version, and rules management
    endpoints for the Falco cloud-native runtime security engine. Falco uses
    eBPF to detect unexpected application behavior and alerts on threats at
    runtime. This API is served by the Falco web server when enabled via
    configuration.
  version: 0.39.0  # version of this API description, not a guarantee about the running build
  contact:
    name: Falco Community
    url: https://falco.org
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
# Single server entry: plain HTTP on loopback, port 8765; no https variant is
# listed. NOTE(review): if the listener is reachable from other hosts or pods,
# front it with TLS and a network policy -- nothing in this spec authenticates
# callers, and responses would otherwise cross the network in clear text.
servers:
  - url: http://localhost:8765
    description: Default Falco web server
paths:
  # Liveness/readiness probe target. Both documented responses (200 and 503)
  # carry only a `status` string, so the endpoint returns no configuration or
  # rule data.
  # NOTE(review): the spec does not state what "healthy" is derived from. Do
  # not treat a 200 here as proof that events are being captured; monitor
  # dropped-event and alert-output signals separately.
  /healthz:
    get:
      operationId: getHealthz
      summary: Falco Health check
      description: >-
        Returns the health status of the Falco engine. Returns 200 OK when
        Falco is running and healthy. Used by orchestrators such as Kubernetes
        for liveness and readiness probes.
      tags:
        - Health
      responses:
        '200':
          description: Falco is healthy and running
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                    example: ok
        '503':
          description: Falco is not healthy
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                    example: unhealthy
  # Read-only version report; the response body follows the VersionInfo schema.
  # Only a 200 response is documented. Exact engine and rules-file versions
  # let a caller work out which detections and fixes a sensor has, so keep
  # this reachable only from monitoring and management networks.
  # NOTE(review): confirm the exact path against the deployed release --
  # upstream Falco documentation describes a `/versions` route.
  /version:
    get:
      operationId: getVersion
      summary: Falco Version information
      description: >-
        Returns the version information for the running Falco instance,
        including the engine version and the version of the loaded rules files.
      tags:
        - Version
      responses:
        '200':
          description: Version information returned successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VersionInfo'
  # Read-only listing of loaded rules, returned as `{ rules: [RuleSummary] }`.
  # Each entry includes the rule's `enabled` flag, so the response shows which
  # detections are switched off on this sensor. Treat it as sensitive
  # detection-coverage data: the spec declares no authentication for it, so
  # restrict who can reach the listener.
  # NOTE(review): verify that the Falco build in use actually serves this
  # route before wiring tooling to it.
  /api/v1/rules:
    get:
      operationId: getRules
      summary: Falco List loaded rules
      description: >-
        Returns the list of rules currently loaded in the Falco engine,
        including their names, descriptions, priorities, and enabled status.
      tags:
        - Rules
      responses:
        '200':
          description: List of loaded rules
          content:
            application/json:
              schema:
                type: object
                properties:
                  rules:
                    type: array
                    items:
                      $ref: '#/components/schemas/RuleSummary'
  # The only state-changing operation in this spec (POST, no request body).
  # It documents 200 and 500 responses only: there is no 401/403 and no
  # `security` requirement, so as described any client that can reach the
  # port can trigger a reload.
  # A reload activates whatever rules files are on disk at that moment, so
  # the integrity of those files matters as much as access to this route:
  # keep them write-protected, watch them with file-integrity monitoring, and
  # log every call to this endpoint.
  # NOTE(review): verify that the Falco build in use actually serves this
  # route; if it does, limit it to trusted management hosts.
  /api/v1/rules/reload:
    post:
      operationId: reloadRules
      summary: Falco Reload rules
      description: >-
        Triggers a reload of the Falco rules files. This allows rules to
        be updated without restarting the Falco daemon.
      tags:
        - Rules
      responses:
        '200':
          description: Rules reloaded successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                    example: ok
                  message:
                    type: string
                    example: Rules reloaded successfully
        '500':
          description: Error reloading rules
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
components:
  schemas:
    # Response body of the version endpoint. All four properties are strings;
    # only `version` and `engine_version` are required, so clients must
    # tolerate the checksum and rules-file version being absent.
    VersionInfo:
      type: object
      properties:
        version:
          type: string
          description: Falco version string
          example: 0.39.0
        engine_version:
          type: string
          description: Falco engine version
          # quoted so the numeric-looking example stays a string, matching `type`
          example: '33'
        engine_fields_checksum:
          type: string
          description: Checksum of the engine fields
          # placeholder value, not a real digest; the spec does not name the
          # hash algorithm or the expected length
          example: abc123def456
        rules_file_version:
          type: string
          description: Version of the loaded rules file
          example: falco_rules-3.3.0
      required:
        - version
        - engine_version
    # One entry of the rules listing. `name`, `priority`, `enabled` and
    # `source` are required; `description` and `tags` are optional.
    RuleSummary:
      type: object
      properties:
        name:
          type: string
          description: Name of the rule
          example: Terminal shell in container
        description:
          type: string
          description: Description of what the rule detects
          example: A shell was used as the entrypoint/exec point into a container
        priority:
          type: string
          description: Severity level of the rule
          # closed list of eight lowercase levels, most to least severe
          # NOTE(review): confirm the casing the server actually emits; a
          # strict validator rejects any value not spelled exactly as below
          enum:
            - emergency
            - alert
            - critical
            - error
            - warning
            - notice
            - informational
            - debug
          example: notice
        enabled:
          type: boolean
          description: Whether the rule is currently enabled
          # `false` means the detection is loaded but will not fire; worth
          # alerting on unexpected changes to this flag between polls
          example: true
        source:
          type: string
          description: Data source the rule applies to
          # closed list of five sources
          # NOTE(review): a rule whose source is not listed here would fail
          # schema validation; confirm the list covers every source in use
          enum:
            - syscall
            - k8s_audit
            - aws_cloudtrail
            - okta
            - github
          example: syscall
        tags:
          type: array
          items:
            type: string
          description: Tags associated with the rule
          # free-form strings; no enum constrains them
          example:
            - container
            - shell
            - mitre_execution
      required:
        - name
        - priority
        - enabled
        - source
    # Error body, referenced in this spec only by the 500 response of the
    # rules reload operation. Both fields are required free-form strings.
    # NOTE(review): check that `message` does not echo rules-file paths or
    # parser detail back to callers, since no authentication is declared.
    Error:
      type: object
      properties:
        status:
          type: string
          example: error
        message:
          type: string
          example: An error occurred
      required:
        - status
        - message
# Tag definitions used to group operations in generated documentation. The
# three names match the `tags` values on the operations under `paths`.
tags:
  - name: Health
    description: Health check endpoints
  - name: Rules
    description: Rules management endpoints
  - name: Version
    description: Version information