Added test workflow for custom config files

.github/workflows/test-analyze-mode-config.yaml

@@ -0,0 +1,52 @@
+on:
+  workflow_dispatch:
+
+name: Test Analyze Mode using Custom Config Files
+
+jobs:
+  test-falco:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Start Falco
+      uses: darryk10/falco-action/start@ddcff83af077b30af70f188ba7b5446c98041446
+      with:
+        mode: analyze
+        config-file: '${{ github.workspace }}/test/config-files/syscall_ignore_test.config'
+        verbose: true
+
+    - name: Overwrite Source Code
+      shell: bash
+      run: |
+        echo "pwned" > ${{ github.workspace }}/pwn.txt
+    
+    - name: Read Sensitive File
+      run: |
+        sleep 3
+        docker run --rm --privileged ubuntu cat /etc/shadow
+        sleep 3
+
+    - name: Stop Falco
+      uses: darryk10/falco-action/stop@ddcff83af077b30af70f188ba7b5446c98041446
+      with:
+        mode: analyze
+        verbose: true
+
+  analyze:
+    runs-on: ubuntu-latest
+    needs: test-falco
+    permissions:
+      contents: read
+      actions: read
+    steps:
+    - name: Analyze
+      uses: darryk10/falco-action/analyze@ddcff83af077b30af70f188ba7b5446c98041446
+      with:
+        custom-rule-file: '${{ github.workspace }}/rules/falco_cicd_rules.yaml'
+        falco-version: '0.39.0'
+        filters-config: '${{ github.workspace }}/test/config-files/filters_test.config'

test/config-files/filters_test.config

@@ -0,0 +1,36 @@
+{
+  "outbound_connections": [
+    {
+      "description": "Filter for connection from pythonist ",
+      "condition": "proc.name in (pythonist, dragent)"
+    }
+  ],
+  "written_files": [
+    {
+      "description": "Filter for file writes to Docker directories.",
+      "condition": "fd.name startswith '/var/lib/docker/'"
+    },
+    {
+      "description": "Filter for file writes to runner commands directory.",
+      "condition": "fd.name startswith '/home/runner/work/_temp/_runner_file_commands/'"
+    },
+    {
+      "description": "Filter for file writes to github runner",
+      "condition": "fd.name startswith '/home/runner/runners/' and proc.exepath endswith '/bin/Runner.Worker' and proc.pexepath endswith '/bin/Runner.Listener'"
+    },
+    {
+      "description": "test config - Removing file written by dockerd process"
+      "condition": "proc.exepath endswith '/usr/bin/dockerd'"
+    },
+    {
+      "description": "test config - Removing file written by systemd-networkd process"
+      "condition": "proc.exepath endswith '/usr/lib/systemd/systemd-networkd'"
+    }
+  ],
+  "processes": [
+    {
+      "description": "Whitelisting noisy process names.",
+      "condition": "proc.name in (sysdig, systemd-logind, systemd-network, systemd-resolve, systemd-udevd, linux-bench, journalctl, systemd-journal, systemd-cgroups)"
+    }
+  ]
+}

test/config-files/syscall_ignore_test.config

@@ -0,0 +1,18 @@
+{
+    "ignore_syscalls": [
+        "switch",
+        "rt_sigprocmask",
+        "clock_gettime",
+        "rt_sigaction",
+        "waitid",
+        "getpid",
+        "clock_getres",
+        "mprotect",
+        "gettimeofday",
+        "close",
+        "time",
+        "getdents64",
+        "clock_nanosleep"
+        "execveat"
+    ]
+}