falcosecurity / falcosidekick

Connect Falco to your ecosystem
Apache License 2.0
553 stars 181 forks

Add Sprig templating functions to 'templatedfields' option #537

Open sboschman opened 1 year ago

sboschman commented 1 year ago

Motivation

The default Go templating language does not come with many data manipulation functions. This limits the 'templating' you can do with the templatedfields option, especially when manipulating the output field values from plugins. E.g. the github plugin only outputs the full repo URI (https://github.com/<owner>/<repo>). It would be nice to be able to use templatedfields to create a field containing just the <repo> part, instead of the full URI, to pass on to one of falcosidekick's outputs.

Feature

Add Sprig template functions to the Go template rendering of templatedfields. Helm uses Sprig as well to extend their templating functions.

Alternatives

Additional context
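
The request above, sketched as an added example that is not part of the original post and is not falcosidekick's code: a Go `text/template` renderer that exposes a small allow-list of helpers named after Sprig's `base`, `trimPrefix` and `lower`, re-implemented with the standard library rather than imported from Sprig. The `github.repo` field key, the `index` access pattern and the `renderField` helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"text/template"
)

// Allow-list of helpers, re-implemented with the standard library under the
// names Sprig uses (base, trimPrefix, lower). Environment-reading helpers
// such as Sprig's env/expandenv are intentionally left out.
var allowedFuncs = template.FuncMap{
	"base":       path.Base,
	"lower":      strings.ToLower,
	"trimPrefix": func(prefix, s string) string { return strings.TrimPrefix(s, prefix) },
}

// Constructed sample event fields; the "github.repo" key is an assumption.
var sampleFields = map[string]interface{}{
	"github.repo": "https://github.com/falcosecurity/falcosidekick",
}

// renderField renders one templated field against the event's output fields.
// withFuncs=false mimics plain text/template with only the built-in functions.
func renderField(tmpl string, fields map[string]interface{}, withFuncs bool) (string, error) {
	t := template.New("field")
	if withFuncs {
		t = t.Funcs(allowedFuncs)
	}
	t, err := t.Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, fields); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	for _, tmpl := range []string{
		`{{ base (index . "github.repo") }}`,
		`{{ trimPrefix "https://github.com/" (index . "github.repo") | lower }}`,
		`{{ env "HOME" }}`, // not in the allow-list: rejected at parse time
	} {
		out, err := renderField(tmpl, sampleFields, true)
		fmt.Printf("%-75s -> %q (err: %v)\n", tmpl, out, err)
	}
}
```

With `withFuncs` set to false the first two templates fail to parse, which is the limitation the issue describes.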

Issif commented 1 year ago

Hi,

The templatedfields are a pretty new feature, thanks for having tested it. I see your point, I'll dig deeper to see the advantages/drawbacks to implement Sprig.

For your example, I suppose it should be even better to add directly github.repo.name and github.repo.url as fields in the plugin. It's not a big deal. Could you create the issue in https://github.com/falcosecurity/plugins/issues please?

sboschman commented 1 year ago

Hi @Issif, having a github.repo.name and github.repo.url makes sense. But imo those two fields only really become useful once it is possible to add additional output fields, unrelated to the fields used in the output text field, in Falco itself (Falco #2172).

Currently it requires you to overwrite all the github rules to add e.g. github.repo.name to the output, so it gets added to output_fields by Falco. The other option is to modify all the default github rules to include both github.repo.name and github.repo.url. I consider both options as workarounds for the underlying issue described in Falco #2172.

Still, even if Falco provides an option to expand to output_fields in the future, the flexibility of more advanced manipulation in templatedfields sounds like a very nice feature to have.

Issif commented 1 year ago

I see. I'm adding that feature in my todo. I can't give you an ETA.

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 1 year ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Issif commented 1 year ago

/remove-lifecycle rotten

poiana commented 10 months ago

/lifecycle stale

poiana commented 9 months ago

/lifecycle rotten

Issif commented 9 months ago

/remove-lifecycle rotten

mapkon commented 8 months ago

@Issif Are you still working on this?

Issif commented 8 months ago

Still haven't started, sorry

mapkon commented 8 months ago

No worries, I was asking because I was looking for something to pick up. But I am working with @alacuku on something else.

poiana commented 3 months ago

/lifecycle stale

poiana commented 2 months ago

/lifecycle rotten

Issif commented 2 months ago

/remove-lifecycle rotten