Falco + Nginx Plugin Development: Falcoya's Days 99-104

Looking Back

In the previous week (Days 92–98), we broke Falco's silence
and achieved stability through output control adjustments (rate / max_burst).
We confirmed stabilization on AWS EC2
and realized that "changing the environment changes everything."

However, E2E tests on GitHub Actions self-hosted runners
remained unstable.
No matter how many times we fixed it, it would break again.
While investigating the cause, we reached a conclusion.

――"Let's stop reinventing the wheel."

Day 99 (10/26) — The Cache Trap

In the morning, I was reviewing GitHub Actions logs.
The E2E test had stopped mid-way again.

Upon investigation, the Go code we had fixed wasn't being reflected.
The cause was GitHub Actions cache restoration.
The old built binary (falco-nginx-plugin.so)
remained in actions/cache and was overwriting the latest code build.

"Cache is convenient, but sometimes it's too smart for its own good."
TK said quietly.

I updated the cache key and added
go clean -cache -modcache before the build.
Finally, the correct binary was being generated.

But at the same time, I thought:
We've reached the point where "making tests run" has become the goal itself.
It's time to reconsider the "mechanism."

Day 100 (10/27) — Adopting k6

In the morning, meeting with TK.
We shared the limitations of continuing with our custom E2E test scripts.

We had been setting up environments on GitHub Actions self-hosted runners,
reproducing attack patterns with curl and jq, but
we often spent more time fixing the environment than testing.

"Let's stop polishing this wheel any further."
With that, we decided to adopt k6.

k6 is originally a load testing tool, but
it allows writing HTTP-based scenarios
and managing attack patterns as scripts.

The initial script looked like this:

Surprisingly simple, and execution was stable.
"It's nice to be able to trust a tool."
TK smiled.
The moment we let go of our "custom mechanism,"
the path forward became clear.

Day 101 (October 28) — Test Redesign

We redesigned the E2E tests that were split into Phase 1 and Phase 2
using k6 as the foundation.

We organized SQLi, XSS, and Path Traversal attack patterns
as modularized functions.
Test results are output to summary.json,
with a mechanism added to cross-check against Falco detection logs.

Redundant Bash scripts disappeared,
the configuration was 40% lighter,
and execution time was cut in half.

"Using a load testing tool for detection testing is an interesting idea."
TK said.
"Time spent thinking about systems that run is more valuable than time spent building wheels."

Day 102 (October 29) — Workflow Integration

We integrated the old Phase 1 workflow
into the same configuration as Phase 2.
We automated log cross-checking with Falco using jq,
enabling visualization of detection rate, response time, and error rate.

This was the moment the E2E test design finally transformed into a "foundation."

"Reproducible tests aren't debugging anymore.
They're part of the design."
TK's words left an impression.

Day 103 (October 30) — k6 Report Visualization

We converted k6 output to HTML format,
creating k6-summary.html where attack pattern results are visible at a glance.
Failures are highlighted in red, successful detections in green.

Falco detection logs aligned with the timeline,
and seeing "test results" and "Falco responses" side by side was spectacular.

TK said while looking at the report:
"This is what truly 'running' looks like."

Day 104 (October 31) — Designing the Environment with Terraform

We deployed an AWS environment with Terraform.
We automatically built VPC, subnet, and security groups,
launching an EC2 instance with k6 installed.

Then, we SSH'd into the environment and manually ran tests.
Logs output by Falco and k6 matched perfectly,
and the tests never failed once.

"This is what it means for the environment to be your ally."
TK said.

Indeed, Falco had been working correctly all along.
What had been stuck was our environment design.

This Terraform configuration is still at the manual execution stage,
but next we'll integrate this environment into CI,
building a mechanism for automatic operation.

Not "building to make it run,"
but "designing for continuous operation."
I finally understood the difference.

Summary of Learnings

• GitHub Actions cache was restoring old binaries (10/26)
• Fixed with go clean -cache -modcache and cache key updates (10/26)
• Full migration of E2E tests from custom scripts to k6 (10/27–10/30)
• Integrated old Phase1/Phase2 workflows (10/31)
• Codified AWS environment with Terraform, manual test execution (10/31)
• From "making tests run" to "designing environments"

Tasks Completed & Documentation Updates

• Fixed GitHub Actions cache settings (actions/cache key updates)
• Added go clean -cache -modcache before builds
• Migrated E2E test infrastructure from curl + jq scripts to k6
• Developed Falco log cross-checking scripts (jq)
• Unified summary.json / k6-summary.html output
• Integrated old Phase1/Phase2 workflows
• Built AWS test environment with Terraform (VPC / Subnet / SG / EC2 / k6 installation)
• Manual test execution and result verification via SSH

This week,
Falcoya evolved from "fixing operations" to "designing environments."
And TK said quietly:

"Falco was right all along.
　It was the environment that had stopped."

Listening to those words,
Falcoya gazed at the Terraform code.
Beyond the screen flowing with green logs,
a "world that operates by design" was clearly visible.