Reference Library for Github Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic provides all the fields and events that apply to Falco rules for Github.

Fields

Field Class: JSON

| Name | Type | Description |
| --- | --- | --- |
| json.value | CHARBUF | Extracts a value from a JSON-encoded input. Syntax is json.value[<pointer>], where <pointer> is a JSON pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| json.obj | CHARBUF | The full JSON message as a text string. |
| json.rawtime | CHARBUF | The time of the event, identical to evt.rawtime. |
| jevt.value | CHARBUF | Alias for json.value, provided for backwards compatibility. |
| jevt.obj | CHARBUF | Alias for json.obj, provided for backwards compatibility. |
| jevt.rawtime | CHARBUF | Alias for json.rawtime, provided for backwards compatibility. |

Field Class: Github

| Name | Type | Description |
| --- | --- | --- |
| github.type | CHARBUF | Message type, e.g. ‘star’ or ‘repository’. |
| github.action | CHARBUF | The GitHub event action. This field typically qualifies the github.type field. For example, a message of type ‘star’ can have action ‘created’ or ‘deleted’. |
| github.user | CHARBUF | Name of the user that triggered the event. |
| github.repo | CHARBUF | (deprecated) URL of the git repository where the event occurred. GitHub webhook payloads contain the repository property when the event results from activity in a repository. |
| github.org | CHARBUF | Name of the organization the git repository belongs to. |
| github.owner | CHARBUF | Name of the repository’s owner. |
| github.repo.public | CHARBUF | ‘true’ if the repository affected by the action is public, ‘false’ otherwise. |
| github.collaborator.name | CHARBUF | The member name for messages that add or remove users. |
| github.collaborator.role | CHARBUF | The member name for messages that add or remove users. |
| github.webhook.id | CHARBUF | When a new webhook has been created, the webhook id. |
| github.webhook.type | CHARBUF | When a new webhook has been created, the webhook type, e.g. ‘repository’. |
| github.commit.modified | CHARBUF | Comma-separated list of files that have been modified. |
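The following is an added example, not code from Sysdig or from the Falco GitHub plugin. It shows what the two field classes above mean in practice: an RFC 6901 JSON pointer resolver with the lookup semantics of json.value[<pointer>] (including the ~0/~1 escapes and array indexes), a derivation of the github.* fields from a webhook payload, and a pair of Falco-style conditions evaluated over those fields. The payloads are constructed, and the exact way the plugin maps payload properties to github.* fields (sender.login for github.user, repository.html_url for github.repo, and so on) is an assumption, since the page does not state it; the repository-event action name ‘publicized’ follows GitHub's webhook documentation rather than this page.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample events (not real GitHub traffic). The event type is what a
# webhook receiver would read from the X-GitHub-Event header; the payload shape
# follows the documented structure of "repository" and "star" events.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "type": "repository",
        "payload": {
            "action": "publicized",
            "repository": {
                "name": "example-repo",
                "html_url": "https://github.com/example-org/example-repo",
                "private": False,
                "owner": {"login": "example-org"},
            },
            "organization": {"login": "example-org"},
            "sender": {"login": "example-user"},
        },
    },
    {
        "type": "star",
        "payload": {
            "action": "created",
            "repository": {
                "name": "example-repo",
                "html_url": "https://github.com/example-org/example-repo",
                "private": True,
                "owner": {"login": "example-org"},
            },
            "organization": {"login": "example-org"},
            "sender": {"login": "another-user"},
        },
    },
]


def resolve_json_pointer(doc: Any, pointer: str) -> Optional[Any]:
    """Resolve an RFC 6901 JSON pointer against a parsed JSON document.

    Returns None when the path does not exist, mirroring a json.value[...]
    lookup that yields no value instead of raising.
    """
    if pointer == "":
        return doc  # the empty pointer references the whole document
    if not pointer.startswith("/"):
        return None  # non-empty pointers must begin with "/"
    node = doc
    for token in pointer[1:].split("/"):
        # Unescape in the order the RFC mandates: "~1" -> "/", then "~0" -> "~"
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None  # tried to descend into a scalar
    return node


def json_value(raw_message: str, pointer: str) -> Optional[Any]:
    """json.value[<pointer>] evaluated over the raw message text (json.obj)."""
    return resolve_json_pointer(json.loads(raw_message), pointer)


def github_fields(event_type: str, payload: Dict[str, Any]) -> Dict[str, str]:
    """Derive the github.* fields from a webhook payload (mapping is assumed)."""
    repo = payload.get("repository", {})
    private = repo.get("private")
    return {
        "github.type": event_type,
        "github.action": payload.get("action", ""),
        "github.user": payload.get("sender", {}).get("login", ""),
        "github.repo": repo.get("html_url", ""),
        "github.org": payload.get("organization", {}).get("login", ""),
        "github.owner": repo.get("owner", {}).get("login", ""),
        # Rendered as the strings 'true'/'false', as the field table documents
        "github.repo.public": "" if private is None else ("false" if private else "true"),
    }


# Falco-style conditions written as predicates over the derived field set.
RULES = {
    "Repository made public": lambda f: f["github.type"] == "repository"
    and f["github.action"] == "publicized",
    "Repository starred": lambda f: f["github.type"] == "star"
    and f["github.action"] == "created",
}


def evaluate_rules(event_type: str, payload: Dict[str, Any]) -> List[str]:
    """Return the names of the rules whose condition matches this event."""
    fields = github_fields(event_type, payload)
    return [name for name, cond in RULES.items() if cond(fields)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["type"], evaluate_rules(event["type"], event["payload"]))
```

The resolver returns None for a missing path rather than raising, which matches how a rule condition should behave on a payload that lacks the property: the comparison simply fails to match instead of aborting evaluation.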