Sysdig Doubles Down on Open Source Commitment with the First eBPF Contribution to the CNCF

Company contributes the sysdig kernel module, eBPF probe, and Falco libraries, more than 100,000 hours of engineering time

SAN FRANCISCO — February 24, 2021 — Sysdig, Inc., the secure DevOps leader, today announced the company has contributed the sysdig kernel module, eBPF probe, and Falco libraries to the Cloud Native Computing Foundation (CNCF). This extended Berkeley Packet Filter (eBPF) contribution is the first eBPF project to be added to the CNCF and it is one of the largest eBPF code bases in the open. The contributed source code has taken more than 100,000 hours to write and with the announcement today, it has moved into the Falco organization. The contribution ensures Falco can continue its progress in becoming a foundational part of the cloud-native ecosystem. Falco, the only runtime security project in the CNCF, was contributed by Sysdig in October 2018. Falco has nearly 24 million Docker Hub downloads, an increase of nearly three million in the last two months, and a 300 percent increase over last year.

Blog: Read about the engineering work that went into this contribution.

Falco is used by more than a thousand organizations. Adopters include Logz.io, Sumo Logic, Shopify, and Rancher, now part of SUSE.  Sysdig is committed to the open source community and open standards, and this move will ensure Falco is fully owned by the community. This contribution includes the core components at the base of Falco and open source sysdig and it will live in the falcosecurity github repository. Open source sysdig is an incident response and troubleshooting tool for containers, Kubernetes, and Linux. While there are other tools in the CNCF that help developers use eBPF, this is the first that uses eBPF.

What this Means for the Community

This contribution includes powerful security building blocks that implement a sophisticated and extremely efficient system call capture framework in the Linux kernel. It includes system call capture functionality with full support for capture file abstraction and a battle-tested kernel event enrichment library with more than 70,000 lines of code. The potential for this technology goes beyond Falco. By open sourcing this critical piece of the stack, the community can use it to build new container and cloud security products and create a more secure cloud environment for everyone.

eBPF allows organizations to run programs in the Linux kernel without changing the kernel code or loading a module. This allows users to access kernel activity without risking system stability or security. While eBPF is a less intrusive way to extend the behavior of the Linux kernel, it is a technology with a steep learning curve. The technology Sysdig is contributing allows users to take full advantage of eBPF for a very important set of use cases – troubleshooting, performance analysis, forensics, and threat hunting – in a simple and well-packaged way.

The Future of Security is Open

Sysdig believes the future of security is open. Applying open source best practices to containers, Kubernetes, and cloud security provides transparency and a meritocracy, where the best ideas win. A distributed, coordinated ecosystem operating on top of agreed upon common standards will beat a single vendor operating behind closed doors. Open source security will be more secure, innovate faster, and organizations can adopt it knowing they are conforming to an accepted standard that will last.

Falco by the Numbers

  • Sysdig contributed Falco to the CNCF in October 2018.

  • Falco moved to an incubation-level hosted project in January 2020.

  • More than 600 contributors.

  • More than 25,000 contributions.

  • More than 10,000 code commits.

What the Community is Saying

“The donation to the CNCF by Sysdig sends a clear message of their commitment to open source and to the communities building upon their foundational components. This landmark contribution acts as a call to arms for others operating within the ecosystem to look inward at how they could take their collaboration and sharing to the next level,” said Alex Jones, Vice President Site Reliability Engineer at JPMorgan Chase.

“I’m really excited to see Sysdig double down on their commitment to working in the open through the CNCF. By completing the picture for Falco with all the dependencies, they ensure that there are clean lines between the project and the company and that it is an environment that everyone can build on and help grow,” said Joe Beda, Principal Engineer at VMWare.

“Sysdig continues to lead by example, demonstrating their commitment to the open source community by contributing their core drivers to the CNCF. Falco is a key tool in the CNCF landscape allowing end users to monitor their workloads in production like nothing else. As Booz Allen continues innovating for clients through open source capabilities, we can’t wait to see the continued growth of the Falco project and this donation will help to increase trust and security for the community,” said Steven Terrana, Chief Engineer at Booz Allen Hamilton.

“I am excited to see what the community builds with this massive collection of intellectual property,” said Loris Degioanni, Founder and Chief Technology Officer at Sysdig. “Sysdig was built on open source from day one and we have been working with eBPF since 2017. I believe this is the most sophisticated eBPF script on the planet and in the hands of the CNCF, it will touch a lot of lives.”

Learn More About the Contribution

Falco Resources

About Sysdig

Sysdig is driving the secure DevOps movement, empowering organizations to confidently secure containers, Kubernetes, and cloud services. With the Sysdig Secure DevOps Platform, cloud teams secure the build pipeline, detect and respond to runtime threats, continuously validate compliance, and monitor and troubleshoot cloud infrastructure and services. Sysdig is a SaaS platform, built on an open source stack that includes Falco and sysdig OSS, the open standards for runtime threat detection and response. Hundreds of companies rely on Sysdig for container and Kubernetes security and visibility. Learn more at www.sysdig.com.