hub / github.com/aquasecurity/tracee

github.com/aquasecurity/tracee @v0.24.1 sqlite

5,167 symbols 18,222 edges 561 files 1,834 documented · 35%
README


Before moving on, please consider giving us a GitHub star ⭐️. Thank you!

About Tracee

Tracee is a runtime security and observability tool that helps you understand how your system and applications behave.
It uses eBPF technology to tap into your system and expose that information as events that you can consume.
Events range from factual system activity events to sophisticated security events that detect suspicious behavioral patterns.

To learn more about Tracee, check out the documentation.

Quickstart

To quickly try Tracee, use one of the following snippets. For a more complete installation guide, check out the Installation section.
Tracee should run on most common Linux distributions and kernels. For compatibility information see the Prerequisites page. Mac users, please read this FAQ.

Using Docker

docker run --name tracee -it --rm \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /var/run:/var/run:ro \
  aquasec/tracee:latest

For a complete walkthrough please see the Docker getting started guide.

On Kubernetes

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
kubectl logs --follow --namespace tracee daemonset/tracee

For a complete walkthrough please see the Kubernetes getting started guide.

Contributing

Join the community, and talk to us about any matter in the GitHub Discussions or Slack.
If you run into any trouble using Tracee or you would like to give us user feedback, please create an issue.

Find more information in the contribution documentation.

More about Aqua Security

Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio here.

Extension points exported contracts — how you extend this code

Signature (Interface)
Signature is the basic unit of business logic for the rule-engine [64 implementers]
types/detect/detect.go
Cloner (Interface)
Cloner is a generic interface for objects that can clone themselves. [12 implementers]
common/interfaces/interfaces.go
ProbeRequirement (Interface)
ProbeRequirement is an interface that defines the requirements for a probe to be used. [4 implementers]
pkg/ebpf/probes/compatibility.go
EventPrinter (Interface)
(no doc) [11 implementers]
pkg/cmd/printer/printer.go
Filter (Interface)
This is a generic representation which cannot be implemented With generics this may be a viable interface, with U replac [4 …
pkg/filters/filters.go
EventPrinter (Interface)
(no doc) [11 implementers]
cmd/traceectl/pkg/cmd/printer/printer.go
PolicyInterface (Interface)
+kubebuilder:object:generate=false PolicyInterface is the interface of the policy object, it is used to allow tracee to [2 …
pkg/k8s/apis/tracee.aquasec.com/v1beta1/tracee_types.go
ContainerEnricher (Interface)
(no doc) [4 implementers]
pkg/datastores/container/runtime/runtime.go

Core symbols most depended-on inside this repo

Value
called by 818
common/parsers/data_parsers.go
Equal
called by 791
pkg/filters/string.go
NewVersion
called by 587
pkg/events/version.go
Run
called by 573
pkg/ebpf/extension.go
Errorf
called by 382
common/errfmt/errfmt.go
WrapError
called by 335
common/errfmt/errfmt.go
Debugw
called by 179
common/logger/logger.go
Contains
called by 173
pkg/datastores/symbol/table.go

Shape

Method 2,702
Function 1,768
Struct 580
TypeAlias 60
Interface 42
FuncType 15

Languages

Go 100%

Modules by API surface

api/v1beta1/event_data.pb.go · 490 symbols
api/v1beta1/event.pb.go · 150 symbols
common/parsers/data_parsers.go · 88 symbols
types/trace/trace.go · 75 symbols
api/v1beta1/tracee.pb.go · 72 symbols
api/v1beta1/diagnostic.pb.go · 70 symbols
api/v1beta1/event_data.pb.json.go · 68 symbols
pkg/bufferdecoder/decoder_test.go · 53 symbols
pkg/ebpf/tracee.go · 46 symbols
api/v1beta1/threat.pb.go · 45 symbols
pkg/events/derive/net_packet_helpers.go · 44 symbols
pkg/cmd/printer/printer.go · 44 symbols

Dependencies from manifests, versioned

cyphar.com/go-pathrs v0.2.1 · 1×
dario.cat/mergo v1.0.1 · 1×
github.com/AdaLogics/go-fuzz-headers v0.0.0-2023081113042 · 1×
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-2023110517493 · 1×
github.com/IBM/fluent-forward-go v0.3.0 · 1×
github.com/Masterminds/goutils v1.1.1 · 1×
github.com/Masterminds/semver/v3 v3.3.1 · 1×
github.com/Microsoft/go-winio v0.6.2 · 1×
github.com/Microsoft/hcsshim v0.12.3 · 1×
github.com/aquasecurity/libbpfgo v0.9.2-libbpf-1.5.1. · 1×
github.com/aquasecurity/table v1.10.0 · 1×

For agents

$ claude mcp add tracee \
  -- python -m otcore.mcp_server <graph>
