
Open Source Spotlight: Bringing web application security to Falco with Falcoya's Nginx plugin

Mike Watson & Takao Shimizu
Published:
October 2, 2025

Many organizations rely on Falco as their primary solution for runtime cloud security across Linux hosts, containers, and Kubernetes environments. However, these same teams have historically been unable to use Falco for their web application security.

That’s why the Sysdig Open Source Community and TK Shimizu are excited to highlight Falcoya — a new addition to the open source security ecosystem that extends Falco’s capabilities into a critical but previously undercovered area: web application security.

Why web application security matters in runtime

If you're running Falco as your go-to solution for runtime security, you already know it excels at detecting behaviors such as:

  • Privilege escalation
  • Unauthorized file access
  • Suspicious process behavior

But what about threats at the application layer?

Web servers, like Nginx, sit at the edge of your infrastructure and are frequent targets of attack techniques such as:

  • SQL Injection (SQLi): A web application attack where untrusted input is inserted into SQL queries, allowing attackers to read, modify, or delete database data by manipulating backend SQL commands.
  • Cross-Site Scripting (XSS): A vulnerability where attackers inject malicious JavaScript into web pages viewed by other users, enabling actions like session hijacking or defacement in the user's browser.
  • Directory Traversal: A web-based attack that manipulates file path inputs to access restricted directories and files outside the web root, potentially exposing sensitive application or system data.
  • Command Injection (CMDi): A security flaw where unsanitized user input is passed to system shell commands, allowing attackers to execute arbitrary commands on the server hosting the web application.

However, Falco wasn’t built to natively inspect HTTP requests or web payloads. It was purpose-built to focus on system and infrastructure-level events.

This is where Falcoya comes in.

Introducing Falcoya: Nginx Log Analysis for Falco

Falcoya (falco-plugin-nginx) is a lightweight plugin for Falco designed to close the gap in web application security visibility.

Falcoya (falco-plugin-nginx) enables Falco to analyze Nginx access logs in real time, detecting application-layer attacks as they happen. It works by tailing the Nginx access log file, parsing new entries, and matching them against detection rules defined in YAML — the same rule style you already use with Falco!

How it works:

  1. Incoming request → hits Nginx
  2. Nginx access log → written to /var/log/nginx/access.log
  3. Falcoya plugin → parses new lines in real time
  4. Rules engine → matches against known attack patterns
  5. Falco alert → logs structured output with metadata

The result? You can now detect SQLi, XSS, CMDi, and more — in real time — using your existing Falco setup.

Key features of Falcoya

  • Real-time web attack detection: Discover threats in Nginx access logs instantly, including SQL injection, XSS, and command injection.

  • Ultra-lightweight performance: Implemented in Go, the plugin has minimal system overhead, perfect for containerized environments.

  • Custom rule creation: Use Falco-style YAML to define your own detection logic. Analysts can build new rules without touching code.

Here’s an example rule that detects potential SQL injection:

# SQLi: Require both "words + symbols/encoding" to reduce false positives
- rule: NGINX SQLi Attempt
  desc: Likely SQL injection attempt detected in URL or query string
  enabled: true
  priority: CRITICAL
  source: nginx
  condition: >
    (not nginx_is_static) and
    (nginx_is_readonly or nginx_has_body_method) and
    nginx_has_sqli_words and nginx_has_sqli_rawchars
  output: >
    [NGINX SQLi] ip=%nginx.remote_addr method=%nginx.method path=%nginx.path
    qs=%nginx.query_string ua=%nginx.user_agent status=%nginx.status
  tags: [web, attack, sqli]
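To make the "How it works" pipeline and the rule above concrete, here is an added Go example (not code from the falco-plugin-nginx project) that does in miniature what the plugin does: parse Nginx combined-format access log lines into the fields the rule's output references (remote_addr, method, path, query_string, user_agent, status), evaluate the SQLi condition, and emit the alert line. The macros nginx_is_static, nginx_is_readonly, nginx_has_body_method, nginx_has_sqli_words and nginx_has_sqli_rawchars are not defined on this page, so the functions below are assumed approximations of them, and the log lines are constructed samples. The sample set includes a benign request containing the words "union select" to show why the rule requires both keywords and raw SQL characters before it fires.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Event carries the fields the rule's output template references.
type Event struct {
	RemoteAddr  string
	Method      string
	Path        string
	QueryString string
	UserAgent   string
	Status      int
}

// combinedLog matches the Nginx "combined" log format:
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
var combinedLog = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) \S+ "([^"]*)" "([^"]*)"`)

// ParseLine turns one access log line into an Event, splitting the request target into path and query string.
func ParseLine(line string) (Event, error) {
	m := combinedLog.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("unrecognised log line: %q", line)
	}
	status, _ := strconv.Atoi(m[6])
	path, qs := m[4], ""
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path, qs = path[:i], path[i+1:]
	}
	return Event{RemoteAddr: m[1], Method: m[3], Path: path, QueryString: qs, UserAgent: m[8], Status: status}, nil
}

// Assumed stand-ins for the rule's macros (the plugin's real definitions are not on the page).
var staticExt = regexp.MustCompile(`(?i)\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$`)
var sqliWords = regexp.MustCompile(`(?i)(union\s+select|information_schema|sleep\s*\(|\bor\s+1\s*=\s*1)`)

func isStatic(path string) bool       { return staticExt.MatchString(path) }
func isReadOnly(method string) bool   { return method == "GET" || method == "HEAD" }
func hasBodyMethod(method string) bool {
	return method == "POST" || method == "PUT" || method == "PATCH" || method == "DELETE"
}
func hasSQLiWords(s string) bool { return sqliWords.MatchString(s) }
func hasSQLiRawChars(s string) bool {
	// Raw SQL punctuation that keyword-only text (e.g. a blog search) would not carry.
	for _, tok := range []string{"'", `"`, "--", "/*", ";"} {
		if strings.Contains(s, tok) {
			return true
		}
	}
	return false
}

// decode URL-decodes so that %27 and %20 are inspected as the characters they stand for.
func decode(s string) string {
	if d, err := url.QueryUnescape(s); err == nil {
		return d
	}
	return s
}

// SQLiAttempt mirrors the rule's condition: non-static target, read-only or body method,
// and BOTH SQL keywords and raw SQL characters in the decoded URL or query string.
func SQLiAttempt(e Event) bool {
	target := decode(e.Path) + "?" + decode(e.QueryString)
	return !isStatic(e.Path) &&
		(isReadOnly(e.Method) || hasBodyMethod(e.Method)) &&
		hasSQLiWords(target) && hasSQLiRawChars(target)
}

// FormatAlert renders the rule's output template for a matching event.
func FormatAlert(e Event) string {
	return fmt.Sprintf("[NGINX SQLi] ip=%s method=%s path=%s qs=%s ua=%s status=%d",
		e.RemoteAddr, e.Method, e.Path, e.QueryString, e.UserAgent, e.Status)
}

// Scan plays the role of the tail-parse-match loop over a batch of lines and returns the alerts.
func Scan(lines []string) []string {
	var alerts []string
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			continue // malformed line: skip, as a tailing parser would
		}
		if SQLiAttempt(e) {
			alerts = append(alerts, FormatAlert(e))
		}
	}
	return alerts
}

// SampleLines are constructed for this example; only the first should raise an alert.
var SampleLines = []string{
	`203.0.113.7 - - [02/Oct/2025:10:15:01 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 512 "-" "curl/8.4.0"`,
	`198.51.100.4 - - [02/Oct/2025:10:15:02 +0000] "GET /blog?q=union%20select%20committee HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
	`198.51.100.4 - - [02/Oct/2025:10:15:03 +0000] "GET /static/app.js?v=1%27%20union%20select HTTP/1.1" 200 9000 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [02/Oct/2025:10:15:04 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"`,
}

func main() {
	for _, a := range Scan(SampleLines) {
		fmt.Println(a)
	}
}
```

The second sample line is the false-positive case the rule comment refers to: it contains "union select" in a search query but no quote or comment characters, so it stays silent; the third shows the static-asset exclusion suppressing a match on a .js path. In a real deployment the plugin tails the file continuously rather than scanning a slice, and the real macro definitions live in the plugin's rules file.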

Benefits for security teams

Falcoya offers several real-world benefits that make it more than just a plugin:

  • Enhanced visibility: Detect web-layer attacks often invisible to infrastructure tools

  • Rapid response: Minimize time from attack to alert

  • Cost efficiency: High-performance, open source detection without third-party WAF costs

  • Easy integration: Seamlessly fits into existing Falco-based monitoring workflows

Try Falcoya yourself

Deploy Falcoya in minutes using the official install script:

curl -sSL https://raw.githubusercontent.com/takaosgb3/falco-plugin-nginx/main/install.sh | sudo bash

Test real attacks in a safe environment:

curl -sSL https://raw.githubusercontent.com/takaosgb3/falco-plugin-nginx/main/install.sh | sudo SETUP_TEST_CONTENT=yes bash

This spins up a test-ready environment, complete with simulated attack endpoints, sample logs, and validation tools.

Conclusion: Expanding Falco’s runtime reach

Falco is already the go-to engine for detecting abnormal system behavior at runtime. Organizations that use Falcoya’s Nginx plugin will be able to extend their Falco protections to web application activity, without giving up the speed, transparency, and customizability of Falco.

If you're already running Falco and looking to level up your web security coverage, try Falcoya today.

If you want to join the open source discussion, stop by the Sysdig Open Source Community and jump in!

Explore the project: https://falcoya.dev
Get the plugin: GitHub - falco-plugin-nginx
