Falco + Nginx Plugin Development: Falcoya's Days 111-118

Looking Back at Last Week

Last week (Days 105–110), having completed Phase 0 (sample data generation),
the "single flow" of k6 → Falco → Allure began to emerge.

However, that flow was still missing
"the correlation connecting test_id with detection logs."

This week was about understanding that gap,
and seeing the next "peak" we need to climb.

Day 111 (11/08) — Recognizing Limits of Custom E2E Reports, Adopting Allure

From morning, I was desperately creating a custom E2E report.
I was trying to combine k6 and Falco results in my own HTML.

But there was a critical problem.

Falco couldn't read "X-Test-ID".
So attack patterns and detection logs couldn't be connected.

Creating a beautiful report would be meaningless like this.

TK quietly said:
"Before presentation, we need to create the 'connection' first."

With those words, I gave up on custom reporting and decided to adopt Allure.
Allure's step structure could naturally express the test story.

Day 112 (11/09) — "Provisional Response Validation Method" as a Crutch

What we really wanted was
X-Test-ID → nginx log → Falco output correlation.

However, currently, the nginx plugin
didn't have nginx.headers[X-Test-ID].
It was removed in PR #601.

So, as a provisional crutch,
we introduced a method to cross-reference HTTP response content with Falco logs.

Not a complete solution, but
false positives visibly decreased.

"A crutch lets you walk, but not run.
Next, let's build the foundation itself."
TK said.

Day 113 (11/10) — Writing Documentation, Realizing the Essence of Correlation

Today, I spent the whole day organizing Allure, k6, and Falco documentation.

As I wrote,
the root cause became clearer.

• Falco can't read X-Test-ID
• Without correlation, we don't know "whose" the E2E detection is
• A gap that custom reports can never fill

In other words, what we need to implement next is
nginx.headers[X-Test-ID] in the Falco nginx plugin.

TK said:
"When you document it, the answer in your head takes 'form'."

Day 114 (11/11) — A240 / A241 / A242 ― Correcting Small Distortions, Aligning the Flow

Today was a triple fix.

• A240: Allure step hierarchy misalignment
• A241: Log collection order bug (8 hours investigation)
• A242: Plugin download URL inconsistency

The moment A241 was fixed,
Falco and k6 logs "aligned" for the first time.

That night, detection rate went from
0% → 44.62%.

However, I strongly understood this was also the limit of "correlation absence."

Day 115 (11/12) — Redefining Allure Document Structure

We redesigned Allure's presentation,
not for "beauty" but for "meaning as a detection story."

• Steps = lines of the story
• Attachments = evidence
• Hierarchy = breathing
• Colors = emotions

TK said:
"Visualization won't be beautiful unless meaning is aligned."

Today, we gave form to that "meaning structure."

Day 116 (11/11) — nginx.headers[X-Test-ID] ― Articulating the Truly Necessary Implementation

That night, we finally articulated the next move clearly.

Final Goal:
Implement nginx.headers[X-Test-ID] in the Falco nginx plugin.

The reason is singular:
For Falco to understand E2E test_id,
and accurately correlate with detection logs.

The provisional response validation method has its limits.
What's essentially needed is building
Nginx JSON log → plugin → nginx.headers → Falco rule
this "vertical flow."

TK said:
"Let's build the foundation, not a crutch."

At this moment, the mountain to climb became clear.

Day 117 (11/12) — Unifying Metadata Variations, Preparing "Ground for Correlation"

As post-processing for A240〜A242,
we unified all variations of null / empty string / undefined.

When format aligned,
k6 → Falco → Allure output
became readable as a single line.

"When form aligns, it suddenly becomes a work of art."
TK's words felt strangely fitting today.

Day 118 (11/15) — Allure Shines as "Meaning"

Today, Allure's hierarchical structure was completed.
When running E2E,
attack pattern → request → Falco detection → plugin → validation
flows beautifully arranged.

What used to be "just logs"
became readable as "a detection story."

Allure Report: k6 test execution results, log files, and validation results structured as a single narrative

TK quietly said:

"When meaning aligns, appearance naturally becomes beautiful."

From here forward,
we proceed toward the "correlation peak" of nginx.headers[X-Test-ID] implementation.

Summary of Learnings

• Custom reports were wheel reinvention → shifted to Allure (11/08)
• Root cause of E2E correlation failure: nginx.headers non-implementation (11/09)
• Writing documentation gives "essence" form (11/10)
• Correcting distortions creates flow (11/11)
• Essence of visualization is "meaning structuring" (11/12)
• Ground for correlation (format unification) (11/12)
• Next mountain is clear: nginx.headers[X-Test-ID] (11/15)

Completed Tasks

• Custom E2E report → Allure adoption
• Allure POC completion
• Allure structure v2 design
• Phase 3 document reorganization
• Pattern A240 / A241 / A242 fixes
• Detection rate: 0% → 44.62%
• JSON metadata unification
• nginx.headers[X-Test-ID] implementation policy definition

This week,
Falcoya reached for
"correlation design"
beyond the "art of alignment."

TK quietly said:

"Let's give Falco context.
　That's what 'correlation' means."

With those words in our hearts,
we took a step toward the next implementation.