Skip to content

Add guide to disable automatic updates in Falco #1512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
youness240 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add guide to disable automatic updates in Falco #1512

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
742f4d9
Add guide to disable automatic updates in Falco
youness240 Dec 1, 2025
a7b4ba0
Update disable-auto-updates.md with falcoctl note
youness240 Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions content/en/docs/setup/disable-auto-updates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Disabling Automatic Updates in Falco
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing required Hugo frontmatter. All documentation pages in this repository require YAML frontmatter at the top of the file with fields like title, description, and weight. Without this, the page will not render correctly in the documentation site. Add the frontmatter block before the heading.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This documentation file is missing the required frontmatter (YAML metadata) that all other files in this directory include. The file should start with YAML frontmatter between --- delimiters containing at minimum the title, description, and weight fields. For example:

title: Disabling Automatic Updates
description: Learn how to disable automatic updates for Falco engine and rules
weight: [appropriate number]

This frontmatter is required for the documentation site to properly render and organize this page.

Copilot uses AI. Check for mistakes.

This is a guide to completely disable automatic updates for both the Falco engine and rules, addressing concerns about supply chain risks.

---
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Misplaced horizontal rule. The triple dash (---) at line 8 is not valid Markdown separator usage here - it appears to be leftover from where the Hugo frontmatter should be. Since the frontmatter should be added at the top, this line should be removed.

Suggested change
---

Copilot uses AI. Check for mistakes.

## Without `falcoctl`

By default, Falco itself does **not automatically update** its engine or rules. If you installed Falco via package manager or container image, updates occur **only when you manually upgrade the package or image**.

To ensure safety:

1. **Do not run any update commands** inside the container or host for Falco rules
2. Use local rules only:
- `/etc/falco/falco_rules.yaml`
- `/etc/falco/falco_rules.local.yaml`
3. Avoid enabling any external artifact fetching tools

## With `falcoctl`

**falcoctl** can automatically manage artifacts (rules, plugins, drivers). To disable updates:
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent formatting. The tool name "falcoctl" should not be bolded here. Based on documentation conventions, use backticks when referring to commands (e.g., falcoctl driver) but no special formatting when referring to the tool as a product name in prose.

Suggested change
**falcoctl** can automatically manage artifacts (rules, plugins, drivers). To disable updates:
falcoctl can automatically manage artifacts (rules, plugins, drivers). To disable updates:

Copilot uses AI. Check for mistakes.

### If the configuration file does not exist :
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing issue with colon. The heading has a space before the colon which is inconsistent with standard English typography. Remove the space before the colon.

Suggested change
### If the configuration file does not exist :
### If the configuration file does not exist:

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The heading should use consistent capitalization. In markdown documentation, section headings typically use sentence case or title case consistently. The colon and space at the end are also unnecessary. This should be:

If the configuration file does not exist

This maintains consistency with the heading on line 50.

Copilot uses AI. Check for mistakes.

Create the configuration directory and file:

```sh
mkdir -p /etc/falcoctl
cat <<EOF > /etc/falcoctl/falcoctl.yaml
artifact:
install:
enabled: false
follow:
enabled: false
indexes: []
EOF
Comment on lines +32 to +39
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code block is incorrectly marked as sh syntax but contains YAML content. This should be:

artifact:
  install:
    enabled: false
  follow:
    enabled: false
indexes: []

Using the correct language identifier ensures proper syntax highlighting.

Copilot uses AI. Check for mistakes.
```

- artifact.install.enabled: false → prevents falcoctl from **automatically downloading or installing any artifacts** (rules, plugins, drivers)
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. Configuration keys should be formatted with backticks for consistency. Apply backticks to artifact.install.enabled: false.

Suggested change
- artifact.install.enabled: false → prevents falcoctl from **automatically downloading or installing any artifacts** (rules, plugins, drivers)
- `artifact.install.enabled: false` → prevents falcoctl from **automatically downloading or installing any artifacts** (rules, plugins, drivers)

Copilot uses AI. Check for mistakes.

- artifact.follow.enabled: false → prevents falcoctl from **tracking or updating any remote artifact indexes**
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. Configuration keys should be formatted with backticks for consistency. Apply backticks to artifact.follow.enabled: false.

Suggested change
- artifact.follow.enabled: false → prevents falcoctl from **tracking or updating any remote artifact indexes**
- `artifact.follow.enabled: false` → prevents falcoctl from **tracking or updating any remote artifact indexes**

Copilot uses AI. Check for mistakes.

- indexes: [] → ensures no external repositories are used
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. Configuration keys should be formatted with backticks for consistency. Apply backticks to indexes: [].

Suggested change
- indexes: [] → ensures no external repositories are used
- `indexes: []` → ensures no external repositories are used

Copilot uses AI. Check for mistakes.

This configuration guarantees that falcoctl will **not connect to GitHub or any remote registry**, fully disabling automatic updates.

## If the configuration file already exists :
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spacing issue with colon. The heading has a space before the colon which is inconsistent with standard English typography. Remove the space before the colon.

Suggested change
## If the configuration file already exists :
## If the configuration file already exists:

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent heading level. This section header is a level-2 heading (##) while the previous similar section "If the configuration file does not exist" is a level-3 heading (###). They should be at the same level for consistency since they are parallel sections.

Suggested change
## If the configuration file already exists :
### If the configuration file already exists :

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The heading level hierarchy is inconsistent. Line 26 and line 50 use H3 (###) headings, but they appear to be at the same level as the H2 (##) sections "Without falcoctl" and "With falcoctl". These should be H3 headings nested under the "With falcoctl" section. Consider restructuring as:

With falcoctl

If the configuration file does not exist

[content...]

If the configuration file already exists

This creates a clearer hierarchy where both scenarios are subsections under the "With falcoctl" section.

Suggested change
## If the configuration file already exists :
### If the configuration file already exists :

Copilot uses AI. Check for mistakes.

1. Open /etc/falcoctl/falcoctl.yaml (or $HOME/.falcoctl.yaml if using user config).
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. File paths and environment variables should be formatted with backticks for consistency with documentation conventions. Apply backticks to /etc/falcoctl/falcoctl.yaml and $HOME/.falcoctl.yaml.

Suggested change
1. Open /etc/falcoctl/falcoctl.yaml (or $HOME/.falcoctl.yaml if using user config).
1. Open `/etc/falcoctl/falcoctl.yaml` (or `$HOME/.falcoctl.yaml` if using user config).

Copilot uses AI. Check for mistakes.
2. Ensure the artifact section contains:
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. The word "artifact" is referring to a YAML configuration section and should be formatted with backticks for consistency.

Suggested change
2. Ensure the artifact section contains:
2. Ensure the `artifact` section contains:

Copilot uses AI. Check for mistakes.

```sh
artifact:
install:
enabled: false
follow:
enabled: false
```
Comment on lines +55 to +61
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incorrect language identifier for YAML code block. The code block is showing YAML configuration but uses 'sh' as the language identifier. Change to 'yaml' for proper syntax highlighting.

Copilot uses AI. Check for mistakes.

- If install or follow keys are missing, add them with enabled: false
Copy link

Copilot AI Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks for inline code. Configuration keys and values should be formatted with backticks. Apply backticks to install, follow, and enabled: false.

Suggested change
- If install or follow keys are missing, add them with enabled: false
- If `install` or `follow` keys are missing, add them with `enabled: false`

Copilot uses AI. Check for mistakes.

- This overrides any defaults that would fetch or update rules/plugins automatically

Comment on lines +63 to +66
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The list items should use consistent formatting with the explanation on lines 42-46. Consider using bullet points instead of a dash, or ensuring the dash formatting matches markdown list syntax with a space after the dash and before the content. The current format with "- If install..." creates inconsistent visual styling.

Suggested change
- If install or follow keys are missing, add them with enabled: false
- This overrides any defaults that would fetch or update rules/plugins automatically
3. If `install` or `follow` keys are missing, add them with `enabled: false`.
4. This overrides any defaults that would fetch or update rules/plugins automatically.

Copilot uses AI. Check for mistakes.
By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns.
Comment on lines +63 to +67
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks around configuration key names. For consistency with documentation formatting standards, the key names "install" and "follow" should be formatted with backticks: "install" and "follow".

Suggested change
- If install or follow keys are missing, add them with enabled: false
- This overrides any defaults that would fetch or update rules/plugins automatically
By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns.
- If `install` or `follow` keys are missing, add them with enabled: false
- This overrides any defaults that would fetch or update rules/plugins automatically
By explicitly disabling `install` and `follow`, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns.

Copilot uses AI. Check for mistakes.
Comment on lines +63 to +67
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing backticks around configuration key names. For consistency with documentation formatting standards, the key names "install" and "follow" should be formatted with backticks: "install" and "follow".

Suggested change
- If install or follow keys are missing, add them with enabled: false
- This overrides any defaults that would fetch or update rules/plugins automatically
By explicitly disabling install and follow, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns.
- If `install` or `follow` keys are missing, add them with enabled: false
- This overrides any defaults that would fetch or update rules/plugins automatically
By explicitly disabling `install` and `follow`, falcoctl will stop all automatic artifact updates, addressing supply chain security concerns.

Copilot uses AI. Check for mistakes.