falcosidekick

Runs a lightweight event forwarder for Falco that sends security alerts to multiple external destinations such as Slack, AWS SNS, Kafka, Elasticsearch, or Prometheus.

What is the falcosidekick image?

The falcosidekick image runs Falcosidekick, a companion service to Falco — the CNCF runtime security project for Kubernetes and container environments. It receives Falco security alerts over HTTP and forwards them to one or more configured outputs, enabling integration with existing monitoring, alerting, and logging systems.

Falcosidekick is designed to decouple Falco’s real-time detection engine from downstream systems, making event forwarding more scalable and reliable. It supports over 80 output integrations, including cloud services (AWS Lambda, GCP Pub/Sub), SIEM tools (Splunk, Elasticsearch), and incident response platforms (PagerDuty, Opsgenie).

In containerized environments, this image is typically deployed as a sidecar or DaemonSet alongside Falco. It provides teams with flexible, event-driven security observability and acts as a central hub for routing runtime alerts without modifying Falco itself.

How to use this image

The falcosidekick image can be deployed standalone, alongside Falco, or as part of a Kubernetes DaemonSet or Helm chart.

Run Falcosidekick locally with Falco:

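# Shared network so Falco can reach Falcosidekick by container name
docker network create falco-net

# Falcosidekick listens for Falco alerts over HTTP on port 2801
docker run -d --name falcosidekick --network falco-net \
  -e SLACK_WEBHOOKURL="https://hooks.slack.com/services/XXX" \
  -e DEBUG=true \
  -p 2801:2801 falcosecurity/falcosidekick

# Falco emits JSON alerts to Falcosidekick through its http_output
docker run -d --name falco --network falco-net \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  falcosecurity/falco:latest \
  falco -o json_output=true -o http_output.enabled=true \
  -o http_output.url=http://falcosidekick:2801/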

In Kubernetes using Helm:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco --set falcosidekick.enabled=true

Common outputs include: Slack, NATS, Kafka, AWS SNS, GCP Pub/Sub, and Prometheus metrics (on port 2801/metrics).

Logs are written to stdout, and Falcosidekick also exposes a small web dashboard for testing and health checks.

Image variants

Published under falcosecurity/falcosidekick, the image is available in multiple variants:

  • falcosecurity/falcosidekick:latest
    Latest stable release including all supported integrations.
    Ideal for testing and local deployments.
  • falcosecurity/falcosidekick:<version>
    Tagged by version (e.g. 2.29.0, 2.27.1).
    Recommended for production environments to ensure consistent integrations and API behavior.
  • falcosecurity/falcosidekick:<version>-arm64
    Architecture-specific variant optimized for ARM64 nodes (e.g. Raspberry Pi or Graviton).

Falcosidekick images are continuously updated with new output integrations and Falco compatibility improvements. For predictable deployments, pin to a specific version tag.
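
One way to enforce the pinning advice above in CI, as an added example that is not part of the original page or the Falcosidekick project: a POSIX shell check that classifies each falcosidekick image reference in a manifest as digest-pinned, version-pinned, or floating. The function names, the sample manifest lines, and the registry.example host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): flag falcosidekick image references
# that are not pinned to a version tag or digest.

# Prints: digest | version | floating
classify_image_ref() {
    ref=$1
    case $ref in
        *@sha256:*) echo digest; return 0 ;;
    esac
    # Look only at the last path component so a registry port
    # (host:5000/...) is not mistaken for a tag.
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   tag= ;;          # no tag resolves to "latest"
    esac
    case $tag in
        ''|latest) echo floating ;;
        *)         echo version ;;
    esac
}

# Reads manifest text on stdin, reports each falcosidekick image line,
# and returns 1 if any reference is floating.
audit_manifest() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *image:*falcosidekick*) ;;
            *) continue ;;
        esac
        ref=$(printf '%s' "${line#*image:}" | tr -d " \"'")
        kind=$(classify_image_ref "$ref")
        printf '%-9s %s\n' "$kind" "$ref"
        if [ "$kind" = floating ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample input; registry.example:5000 is a hypothetical registry.
sample_manifest() {
    cat <<'EOF'
      - image: falcosecurity/falcosidekick:2.29.0
      - image: "falcosecurity/falcosidekick:latest"
      - image: registry.example:5000/falcosecurity/falcosidekick
      - image: falcosecurity/falcosidekick@sha256:<digest>
EOF
}

sample_manifest | audit_manifest || echo "floating falcosidekick tags found"
```

In a pipeline, feed rendered manifests to `audit_manifest` on stdin and fail the job on a non-zero exit status.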
