docs: add STYLE_GUIDE.md for rules doc comments (closes #150)#364
docs: add STYLE_GUIDE.md for rules doc comments (closes #150)#364koiakoia wants to merge 3 commits into
Conversation
|
Welcome @koiakoia! It looks like this is your first PR to falcosecurity/rules 🎉 |
Implements the convention discussed in falcosecurity#150 (doc comments vs section comments, override examples in tuning macros, source attribution for list-derived data, "explain or delete" for commented-out items). Builds on @leogr's Go-Doc-inspired proposal from Feb 2026, fleshed out with GOOD/BAD examples drawn from running ~77 custom rules in production on OKD. Closes falcosecurity#150 Signed-off-by: koiakoia <jimhaistlinux@gmail.com>
koiakoia
force-pushed
the
style-guide-rules-doc-comments
branch
from
5d52b47 to
af134ef
Compare
|
Missed DCO on the initial push — force-pushed |
|
cc @falcosecurity/core-maintainers |
|
/assign |
| **Required in every tuning macro doc comment:** | ||
|
|
||
| 1. What the macro does (one sentence). | ||
| 2. How to override it — include a concrete `append: true` snippet. |
There was a problem hiding this comment.
Actually, append: true has been deprecated in favor of override: {replace|append}. Could you please adjust this section? append: true is also used in other sections, so it would be great if you can fix it also there.
There was a problem hiding this comment.
Shouldn't this be inside docs/ for mkdocs to find it? 🤔
| # To restrict SSH to known management hosts: | ||
| # | ||
| # - macro: allowed_ssh_hosts | ||
| # condition: (evt.hostname in (bastion.example.com, mgmt.example.com)) |
There was a problem hiding this comment.
Mmm this example uses evt.hostname, that is the name of the host running Falco, not the destination host. This means that this macro doesn't provide the described behaviour.
- Replace deprecated `append: true` with `override: append` throughout the examples and Quick Reference, per @ekoops review feedback. Add a note that `override: replace` is the swap-default counterpart. - Rewrite the `allowed_*` style example: the previous version used `evt.hostname`, which is the Falco runner's own hostname (not the destination), so the macro could never restrict SSH peers as described. Renamed to `allowed_ssh_initiators` and switched the condition to `proc.name`, with a callout that `fd.rip` is the right field for peer-IP allowlists. Reviewer thread: https://github.com/falcosecurity/rules/pull/<TBD> Signed-off-by: koiakoia <jimhaistlinux@gmail.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: koiakoia The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Per review feedback from @ekoops: the top-level STYLE_GUIDE.md isn't found by mkdocs since the project's docs_dir defaults to docs/. Moving the file into docs/ aligns with mkdocs convention and matches the existing docs/images/ placement. The mkdocs.yml nav entry `Style Guide: STYLE_GUIDE.md` already resolves to docs/STYLE_GUIDE.md under docs_dir, so no nav rewrite is needed; added a clarifying comment. Signed-off-by: koiakoia <jimhaistlinux@gmail.com>
|
@ekoops thank you for the careful review — both points well-taken. Pushed two commits:
Good catch — mkdocs's default Happy to make further changes if you spot anything else. |
|
|
||
| For comment and documentation conventions within rule files (doc comments, | ||
| section comments, tuning-macro override examples, and list provenance), see | ||
| **[STYLE_GUIDE.md](STYLE_GUIDE.md)**. |
There was a problem hiding this comment.
| **[STYLE_GUIDE.md](STYLE_GUIDE.md)**. | |
| **[STYLE_GUIDE.md](docs/STYLE_GUIDE.md)**. |
Since the file lives under docs/ now, this link needs the prefix, otherwise it 404s from CONTRIBUTING.md 🙏
| **Required in every tuning macro doc comment:** | ||
|
|
||
| 1. What the macro does (one sentence). | ||
| 2. How to override it — include a concrete `override: append` snippet. |
There was a problem hiding this comment.
| 2. How to override it — include a concrete `override: append` snippet. | |
| 2. How to override it — include a concrete `override:` block snippet (e.g. `condition: append`). |
Same syntax point as the inline comments below 🙏
| # override: append | ||
| # | ||
| # Use `override: replace` to swap the default condition entirely instead of | ||
| # extending it. Common override fields: proc.name, proc.exepath, | ||
| # container.image.repository. |
There was a problem hiding this comment.
| # override: append | |
| # | |
| # Use `override: replace` to swap the default condition entirely instead of | |
| # extending it. Common override fields: proc.name, proc.exepath, | |
| # container.image.repository. | |
| # override: | |
| # condition: append | |
| # | |
| # Use `condition: replace` (instead of `append`) to swap the default condition | |
| # entirely. Common override fields: proc.name, proc.exepath, | |
| # container.image.repository. |
override is a block in the canonical syntax (the value selects per-field append/replace). For a macro it is condition: append; for a list, items: append. See 👉 https://falco.org/docs/concepts/rules/overriding/
I verified with falco -V on 0.43.0: the single-value form (override: append) loads but produces schema warnings, so I would rather we teach the right shape from day one 🙏
| # override: append | ||
| # | ||
| # Use `override: replace` to swap the default condition entirely instead of | ||
| # extending it. Common override fields: proc.name, proc.exepath, fd.rip | ||
| # (for peer-IP allowlists). See also: macro never_true for the placeholder | ||
| # pattern. |
There was a problem hiding this comment.
| # override: append | |
| # | |
| # Use `override: replace` to swap the default condition entirely instead of | |
| # extending it. Common override fields: proc.name, proc.exepath, fd.rip | |
| # (for peer-IP allowlists). See also: macro never_true for the placeholder | |
| # pattern. | |
| # override: | |
| # condition: append | |
| # | |
| # Use `condition: replace` (instead of `append`) to swap the default condition | |
| # entirely. Common override fields: proc.name, proc.exepath, fd.rip | |
| # (for peer-IP allowlists). See also: macro never_true for the placeholder | |
| # pattern. |
Same here 🙏
| # | ||
| # - macro: possibly_node_in_container | ||
| # condition: (proc.pname=node and proc.aname[3]=docker-containe) | ||
| # override: replace # swap the default never_true guard entirely |
There was a problem hiding this comment.
| # override: replace # swap the default never_true guard entirely | |
| # override: | |
| # condition: replace # swap the default never_true guard entirely |
Same here 🙏
| |-----------|------------| | ||
| | Comment immediately precedes an item (no blank line) | Doc comment — documents that item | | ||
| | Comment has a blank line before it AND below it | Section comment — labels a group | | ||
| | Tuning macro (`user_*`, `allowed_*`) | Doc comment must include override snippet with `override: append` (or `override: replace`) | |
There was a problem hiding this comment.
| | Tuning macro (`user_*`, `allowed_*`) | Doc comment must include override snippet with `override: append` (or `override: replace`) | | |
| | Tuning macro (`user_*`, `allowed_*`) | Doc comment must include override snippet using an `override:` block (e.g. `condition: append` or `condition: replace`) | |
Same syntax fix as above 🙏
| This guide covers **comment conventions only**. For rule expression style, | ||
| output format, tag requirements, and maturity-level criteria, see the | ||
| [Falco Rules Style Guide](https://falco.org/docs/rules/style-guide/) and | ||
| [CONTRIBUTING.md](CONTRIBUTING.md). |
There was a problem hiding this comment.
| [CONTRIBUTING.md](CONTRIBUTING.md). | |
| [CONTRIBUTING.md](../CONTRIBUTING.md). |
CONTRIBUTING.md is at the repo root, so from here it needs ../. Otherwise the relative link breaks 🙏
4 participants
Closes #150.
As discussed in the issue, this introduces a
STYLE_GUIDE.mdcovering rule documentation conventions:user_*,allowed_*) — concreteappend: truesnippetsEach section pairs a GOOD example with a BAD example so the convention is unambiguous on review. The examples are drawn from actual items in
falco_rules.yamlrather than invented syntax.Also:
CONTRIBUTING.mdnear the top (just after the license note) so contributors find the style guide without hunting for itSTYLE_GUIDE.mdtomkdocs.ymlso it renders in the docs siteThese conventions emerged from running ~77 custom rules in production on OKD, so I expect the maintainers will have refinements based on a wider rule corpus. Happy to iterate on structure, examples, or scope during review.
/cc @leogr @LucaGuerra @Issif