Deploy Falcosidekick alongside Falco; when using the Helm chart set falcosidekick.enabled=true so Falco is configured to forward JSON events to Falcosidekick on port 2801
Set the SLACK_WEBHOOKURL environment variable (or the equivalent Helm value falcosidekick.config.slack.webhookurl) to your Slack incoming webhook URL
Optionally configure SLACK_MINIMUMPRIORITY to filter which severity levels are forwarded to Slack
Configure a generic webhook output by setting WEBHOOK_ADDRESS to your endpoint URL; use WEBHOOK_MINIMUMPRIORITY to filter severity
Test the integration by sending a synthetic event with curl -s -XPOST http://localhost:2801/test and confirm delivery in Slack and at the webhook endpoint
Known gotchas
Falcosidekick listens for Falco HTTP output events on port 2801; Falco must be configured with http_output enabled and url pointing to Falcosidekick, otherwise no events are forwarded
Multiple outputs can be active simultaneously, each with independent minimumpriority thresholds; an output with no minimum set receives all events Falco forwards
Falcosidekick configuration via environment variables uses ALL_CAPS with underscores; the YAML config file uses nested lowercase keys—mixing them in Helm values requires careful mapping
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp