Back to Plugins

Crowdstrike Falcon Foundry

CrowdStrike Falcon Foundry development skills for building cybersecurity applications on the Falcon platform. Includes UI development, collections, functions, workflows, API integration, security patterns, and debugging workflows.

securityapi
By CrowdStrike
181Updated 3 days agoShellMIT

Installation

/plugin install crowdstrike-falcon-foundry@claude-plugins-official

How to install

  1. Open Claude Code in your terminal
  2. Run the installation command above
  3. The plugin will be enabled automatically
  4. Use the plugin's features in your Claude Code sessions

CrowdStrike Falcon

Falcon Foundry Skills

Version CI

AI coding assistant skills for building CrowdStrike Falcon Foundry apps. Build Foundry apps from a natural language prompt — API integrations, workflows, UI pages, functions, and collections — all scaffolded with the Foundry CLI and deployed to the Falcon console.

Getting Started

Prerequisites

  • Foundry CLI: Install with brew tap crowdstrike/foundry-cli && brew install crowdstrike/foundry-cli/foundry (macOS/Linux) or download for Windows
  • CrowdStrike Account: With Falcon Foundry access
  • Authentication: Run foundry login to authenticate
  • AI Coding Assistant: Claude Code, Codex, Copilot CLI, Cursor, Gemini CLI, or any tool that supports loading reference documentation

Claude Code (Tested)

Install from the Anthropic Plugin Marketplace:

/plugin install crowdstrike-falcon-foundry

Or register this repo as a plugin marketplace, then install:

/plugin marketplace add CrowdStrike/foundry-skills
/plugin install crowdstrike-falcon-foundry@foundry-marketplace

Or install from a local clone for development:

git clone https://github.com/CrowdStrike/foundry-skills.git
claude --plugin-dir /path/to/foundry-skills

The --plugin-dir flag loads the plugin for that session. To make it permanent, add it to your .claude/settings.json:

{
  "plugins": ["/path/to/foundry-skills"]
}

Changes to skill files take effect on the next Claude Code session — no reinstall needed.

Codex (Experimental)

Codex discovers skills from ~/.agents/skills/. Clone and symlink:

git clone https://github.com/CrowdStrike/foundry-skills.git
mkdir -p ~/.agents/skills
ln -s /path/to/foundry-skills/skills ~/.agents/skills/foundry-skills

Restart Codex to discover the skills. See the Codex skills docs for details.

Copilot CLI (Experimental)

Copilot CLI shares the ~/.agents/skills/ discovery directory with Codex:

git clone https://github.com/CrowdStrike/foundry-skills.git
mkdir -p ~/.agents/skills
ln -s /path/to/foundry-skills/skills ~/.agents/skills/foundry-skills

Restart Copilot CLI to discover the skills.

Cursor (Experimental)

Add a rule file to your project's .cursor/rules/ directory:

git clone https://github.com/CrowdStrike/foundry-skills.git
mkdir -p .cursor/rules
cat > .cursor/rules/foundry-skills.mdc << 'EOF'
---
description: Use when building Falcon Foundry apps — API integrations, workflows, UI pages, functions, collections
alwaysApply: false
---

Reference the Falcon Foundry skills in /path/to/foundry-skills/skills/ for building Foundry apps.
The primary orchestrator is development-workflow/SKILL.md.
EOF

Cursor activates the rule automatically when your prompt matches the description.

Gemini CLI (Experimental)

Link the skills so Gemini discovers them as native Agent Skills:

git clone https://github.com/CrowdStrike/foundry-skills.git
gemini skills link /path/to/foundry-skills/skills --scope user

This creates symlinks in ~/.gemini/skills/ so all skills are available in every workspace. Use --scope workspace to install into the current project's .gemini/skills/ instead. Verify with gemini skills list or /skills list inside a session.

Gemini activates the right skill on demand based on your prompt.

Other Tools

These skills are plain markdown files. Any AI coding assistant that can read local files can use them. See AGENTS.md for the full development guide, or point your tool at the skills/ directory and start with development-workflow/SKILL.md as the entry point.

Usage

Example prompt

This prompt exercises the full skill set — API integration, workflow, and UI:

Can you create a Falcon Foundry app for me that has an Okta API integration
with openapi? Share its listusers endpoint with Falcon Fusion SOAR. Then,
create a workflow that can be run on-demand to email or print the list of
users. Finally, create a UI extension that calls the listusers endpoint and
displays the results.

How skill routing works

The skills include hooks that ensure the right skills get used:

  1. UserPromptSubmit hook — Matches an action verb paired with a Foundry noun — e.g., "create a foundry app". Explicit CLI commands and skill requests also trigger it.

  2. PreToolUse hook — When Foundry intent is detected, injects a non-blocking advisory reminder to use the Foundry workflow skill. Claude can still use all tools normally. If superpowers is installed, also intercepts superpowers:brainstorming and redirects to the Foundry workflow skill.

  3. PreToolUse hook (CLI guard) — Validates all Bash commands to ensure Foundry CLI commands include --no-prompt flag (prevents Error: EOF failures) and blocks manual directory creation for app structure (prevents invalid manifest.yml). This enforcement is automatic and transparent — you'll only see it when it catches an error.

Hooks observe prompts and tool I/O to keyword-match Foundry-specific actions; no data leaves the session.

Skills

SkillPurpose
development-workflowPrimary orchestrator — coordinates the full app lifecycle
api-integrationsOpenAPI spec import, auth scheme configuration, SOAR sharing
functions-falcon-apiCalling Falcon APIs from within Functions (OAuth, SDKs)
workflows-developmentYAML workflow creation, Falcon Fusion SOAR actions and triggers
ui-developmentReact/Vue UI pages with Shoelace components and Falcon theming
functions-developmentGo/Python serverless functions with CrowdStrike SDK
collections-developmentJSON Schema data modeling and CRUD operations
security-patternsOAuth scoping, input validation, content security
debugging-workflowsSystematic troubleshooting for CLI, manifest, and deployment issues
e2e-testingEnd-to-end testing with @crowdstrike/foundry-playwright

Architecture

The skills follow a hub-and-spoke pattern. development-workflow is the orchestrator that parses your requirements, runs CLI commands for scaffolding, and delegates capability-specific implementation to sub-skills:

graph TD
    O["development-workflow<br/>(Orchestrator)"]

    O --> UI["UI Development"]
    O --> FN["Functions Development"]
    O --> CO["Collections Development"]
    O --> WF["Workflows Development"]
    O --> AI["API Integrations"]
    O --> FA["Functions — Falcon API"]

    UI -.-> SP["Security Patterns"]
    FN -.-> SP
    CO -.-> SP
    WF -.-> SP
    AI -.-> SP

    UI -.-> DB["Debugging Workflows"]
    FN -.-> DB
    CO -.-> DB
    WF -.-> DB
    AI -.-> DB

    style O fill:#6366f1,stroke:#4f46e5,color:#fff
    style SP fill:#f59e0b,stroke:#d97706,color:#fff
    style DB fill:#f59e0b,stroke:#d97706,color:#fff

Use Cases

The use-cases/ directory contains real-world implementation patterns extracted from CrowdStrike Tech Hub blog posts:

  • API pagination strategies
  • Detection enrichment with UI extensions
  • LogScale data ingestion from functions
  • Lookup table enrichment with 3rd-party data
  • Custom SOAR actions
  • NGSIEM query export to CSV/JSON
  • Publishing certified apps
  • And more (see use-cases/README.md)

Recommended Companion: Superpowers

These skills pair well with obra/superpowers, which adds structured planning, TDD discipline, and code review workflows. Foundry skills handle the Foundry-specific CLI and platform knowledge while superpowers provides general software engineering best practices.

See skills/development-workflow/references/superpowers-integration.md for details on how they work together.

Note: The without-superpowers path produces more reliable results because the Foundry skill has full control from the start. Superpowers brainstorming loads first and creates a plan before the Foundry skills are read, which may not follow Foundry-specific patterns.

Foundry CLI Quick Reference

foundry login                                                    # Authenticate
foundry apps create --name "My App" --no-prompt --no-git         # Create app
foundry api-integrations create --name "X" --spec /tmp/spec.json --no-prompt  # Add API integration
foundry ui pages create --name "X" --from-template React --no-prompt          # Add UI page
foundry ui extensions create --name "X" --from-template React --sockets "activity.detections.details" --no-prompt  # Add UI extension
foundry functions create --name "X" --language python --no-prompt              # Add function
foundry collections create --name "X" --schema /tmp/schema.json --no-prompt   # Add collection
foundry workflows create --name "X" --spec /tmp/workflow.yaml --no-prompt     # Add workflow
foundry apps deploy --change-type Patch --change-log "msg" --no-prompt  # Deploy to cloud
foundry apps release                                             # Release to catalog

Troubleshooting

Skills not invoked

If Claude doesn't use Foundry skills automatically, phrase your prompt with a clear action verb and Foundry noun (e.g., "create a foundry app", "fix the foundry function"). You can also say "Use Foundry skills" at any point to redirect.

CLI authentication

foundry profile active    # Check current profile
foundry login             # Re-authenticate
foundry profile list      # List all profiles

Deployment failures

  1. Validate immediately after foundry api-integrations create (foundry apps validate --no-prompt) — Foundry's server-side OpenAPI parser is stricter than redocly lint and may reject large vendor specs
  2. Run foundry apps deploy from the project root directory
  3. Check the debugging-workflows skill for systematic troubleshooting

Testing

Three scripts validate skill changes at different levels. All require macOS or Linux (bash).

Tip: Wrap long-running tests with caffeinate -i to prevent macOS from sleeping mid-run:

caffeinate -i ./run-ab-test.sh --fresh 5

Hook tests

./test-hooks.sh

Unit tests for the three hook scripts (skill router, superpowers bridge, CLI guard). Fast, no API calls, no Foundry CLI needed. Run after any hook change.

Skill test (single run)

./test-skill.sh                    # 5 runs against local plugin
./test-skill.sh --runs 1           # Quick single run
./test-skill.sh --plugin-dir .     # Explicit plugin path (default is ".")

Runs the example Okta prompt end-to-end: scaffolds an app, deploys it, and scores the result. Each run takes 5-10 minutes and costs ~5-10M tokens. Results go to /tmp/foundry-skill-test/.

Verify apps (after test-skill)

SKIP_BROWSER=1 ./verify-apps.sh                           # Phase 1 only: spec analysis + release
OKTA_DOMAIN=... OKTA_API_KEY=... ./verify-apps.sh          # Phase 1 + Phase 2: browser install/uninstall

Verifies apps created by test-skill.sh or A/B tests — analyzes OpenAPI specs, releases apps, and optionally installs them in the Falcon console via browser automation.

./verify-apps.sh                   # Verify test-skill.sh runs (default: /tmp/foundry-skill-test/)
./verify-apps.sh --green           # Verify GREEN phase of A/B test
./verify-apps.sh --dir

…
View source on GitHub