From 64145ba9613b777b19c0c04567ddfe507a0debec Mon Sep 17 00:00:00 2001
From: Daniel Kerwin
Date: Tue, 5 Sep 2017 13:41:05 +0200
Subject: [PATCH] Add official gitlab EE docker image to list of known shell spawning images.

sysdig-CLA-1.0-signed-off-by: Daniel Kerwin
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0ea85f1ed25..5fdff313e39 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -512,7 +512,8 @@
 # as a packaging mechanism more than for a dedicated microservice.
 - macro: shell_spawning_containers
 condition: (container.image startswith jenkins or
- container.image startswith gitlab/gitlab-ce)
+ container.image startswith gitlab/gitlab-ce or
+ container.image startswith gitlab/gitlab-ee)

 - rule: Launch Privileged Container
 desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
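Review bot: The added clause `container.image startswith gitlab/gitlab-ee` in `shell_spawning_containers` is a bare prefix match, so the exception covers every image whose name begins with that string, whatever its repository suffix, tag or origin, and not only the official GitLab EE image. Because this macro is an allowlist that presumably suppresses shell-spawn alerts in rules outside the hunk, the match should stop at the repository boundary, for example `container.image = gitlab/gitlab-ee or container.image startswith "gitlab/gitlab-ee:"`, or an exact comparison on `container.image.repository` if the deployed Falco version provides that field. The neighbouring `gitlab/gitlab-ce` and `jenkins` clauses have the same shape and would benefit from the same tightening. At minimum, a comment above the macro such as `# NOTE: prefix matches; any image whose name starts with these strings is exempt` would make the blind spot visible to whoever extends the list next.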