fix: Improve Falco installation reliability with version verification

devatsecure · claude · devatsecure · commit 3ee7f1bd3589 · 2026-02-16T18:34:23.000+05:00
Add falco --version check after install, FALCO_FRONTEND=noninteractive
to prevent interactive prompts, and detailed failure diagnostics (GPG
keyring, apt source, binary existence). Installation remains non-fatal
but now provides clear success/failure status. Docker E2E workflow
keeps Falco disabled with explanatory comment.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docker-e2e.yml b/.github/workflows/docker-e2e.yml
@@ -42,6 +42,9 @@ jobs:
           push: false
           load: true
           tags: argus-security:e2e-test
+          # Falco requires kernel headers and privileged access for driver loading,
+          # which are unavailable in GitHub Actions runners. Keep disabled to avoid
+          # flaky CI failures from apt repo or driver issues.
           build-args: INSTALL_FALCO=false
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/Dockerfile.complete b/Dockerfile.complete
@@ -81,14 +81,22 @@ RUN ZAP_VERSION="2.16.0" && \
 # Falco for runtime security monitoring (opt-in via build arg)
 ARG INSTALL_FALCO=true
 RUN if [ "$INSTALL_FALCO" = "true" ]; then \
-        curl -fsSL https://falco.org/repo/falcosecurity-packages.asc \
+        echo "=== Installing Falco ===" \
+        && curl -fsSL https://falco.org/repo/falcosecurity-packages.asc \
             | gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg \
         && echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" \
             | tee /etc/apt/sources.list.d/falcosecurity.list \
         && apt-get update \
-        && apt-get install -y --no-install-recommends falco \
+        && FALCO_FRONTEND=noninteractive apt-get install -y --no-install-recommends falco \
         && rm -rf /var/lib/apt/lists/* \
-        || echo "WARNING: Falco installation failed (non-fatal) — runtime monitoring will be unavailable"; \
+        && falco --version \
+        && echo "=== Falco installed successfully ===" \
+        || { echo "ERROR: Falco installation failed (non-fatal) — runtime monitoring will be unavailable"; \
+             echo "  Diagnostics:"; \
+             echo "  - GPG keyring exists: $(test -f /usr/share/keyrings/falco-archive-keyring.gpg && echo yes || echo no)"; \
+             echo "  - Apt source exists: $(test -f /etc/apt/sources.list.d/falcosecurity.list && echo yes || echo no)"; \
+             echo "  - falco binary: $(which falco 2>/dev/null || echo 'not found')"; \
+             rm -rf /var/lib/apt/lists/*; }; \
     else \
         echo "Skipping Falco installation (INSTALL_FALCO=$INSTALL_FALCO)"; \
     fi
