https://github.com/falcosecurity/plugins
Falco plugins registry
- Host: GitHub
- URL: https://github.com/falcosecurity/plugins
- Owner: falcosecurity
- License: apache-2.0
- Created: 2021-09-20T22:03:58.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2025-05-07T14:18:05.000Z (about 2 months ago)
- Last Synced: 2025-05-07T14:29:49.582Z (about 2 months ago)
- Topics: falco, falco-plugins, plugin, registry
- Language: Go
- Homepage:
- Size: 16.5 MB
- Stars: 94
- Watchers: 8
- Forks: 88
- Open Issues: 16
Metadata Files:
- Readme: README.md
- Changelog: changelog-gen.sh
- License: LICENSE
README
# Plugins
This repository is the central hub for the Falco Plugin ecosystem. It serves two main purposes:
- **Be a registry:** A comprehensive catalog of plugins recognized by The Falco Project, regardless of where their source code is hosted.
- **Monorepo for Falcosecurity plugins:** Official plugins hosted and maintained by The Falco Project, with robust release and distribution processes.

For more information about the plugin system’s architecture and concepts, please see the [official documentation](https://falco.org/docs/plugins).
---
## Plugin Registry
The registry contains metadata and information about every plugin known and recognized by the Falcosecurity organization. It lists plugins hosted either in this repository or in other repositories. These plugins are developed for Falco and made available to the community.
> See [Registering a Plugin](./docs/registering-a-plugin.md) to learn how to add your plugin to this registry.
### Registered Plugins
The tables below list all the plugins currently registered. The tables are automatically generated from the [registry.yaml](./registry.yaml) file.
| Name | Capabilities | Description |
| --- | --- | --- |
| plugin-id-zero-value | **Event Sourcing**<br/>ID: 0<br/>`` | This ID is reserved for particular purposes and cannot be registered. A plugin author should not use this ID unless specified by the documentation.<br/>Authors: N/A<br/>License: N/A |
| test | **Event Sourcing**<br/>ID: 999<br/>`test` | This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID.<br/>Authors: N/A<br/>License: N/A |
| [k8saudit](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit) | **Event Sourcing**<br/>ID: 1<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events and monitor Kubernetes Clusters<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [cloudtrail](https://github.com/falcosecurity/plugins/tree/main/plugins/cloudtrail) | **Event Sourcing**<br/>ID: 2<br/>`aws_cloudtrail`<br/>**Field Extraction**<br/>`aws_cloudtrail` | Reads Cloudtrail JSON logs from files/S3 and injects as events<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [json](https://github.com/falcosecurity/plugins/tree/main/plugins/json) | **Field Extraction**<br/>*All Sources* | Extract values from any JSON payload<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy) | **Event Sourcing**<br/>ID: 3<br/>`dummy`<br/>**Field Extraction**<br/>`dummy` | Reference plugin used to document interface<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy_c](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_c) | **Event Sourcing**<br/>ID: 4<br/>`dummy_c`<br/>**Field Extraction**<br/>`dummy_c` | Like dummy, but written in C++<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [docker](https://github.com/Issif/docker-plugin) | **Event Sourcing**<br/>ID: 5<br/>`docker`<br/>**Field Extraction**<br/>`docker` | Docker Events<br/>Authors: [Thomas Labarussias](https://github.com/Issif)<br/>License: Apache-2.0 |
| [seccompagent](https://github.com/kinvolk/seccompagent) | **Event Sourcing**<br/>ID: 6<br/>`seccompagent`<br/>**Field Extraction**<br/>`seccompagent` | Seccomp Agent Events<br/>Authors: [Alban Crequy](https://github.com/kinvolk/seccompagent)<br/>License: Apache-2.0 |
| [okta](https://github.com/falcosecurity/plugins/tree/main/plugins/okta) | **Event Sourcing**<br/>ID: 7<br/>`okta`<br/>**Field Extraction**<br/>`okta` | Okta Log Events<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [github](https://github.com/falcosecurity/plugins/tree/main/plugins/github) | **Event Sourcing**<br/>ID: 8<br/>`github`<br/>**Field Extraction**<br/>`github` | Github Webhook Events<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-eks](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-eks) | **Event Sourcing**<br/>ID: 9<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from AWS EKS Clusters<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [nomad](https://github.com/albertollamaso/nomad-plugin/tree/main) | **Event Sourcing**<br/>ID: 10<br/>`nomad`<br/>**Field Extraction**<br/>`nomad` | Read Hashicorp Nomad Events Stream<br/>Authors: [Alberto Llamas](https://github.com/albertollamaso/nomad-plugin/issues)<br/>License: Apache-2.0 |
| [dnscollector](https://github.com/SysdigDan/dnscollector-falco-plugin) | **Event Sourcing**<br/>ID: 11<br/>`dnscollector`<br/>**Field Extraction**<br/>`dnscollector` | DNS Collector Events<br/>Authors: [Daniel Moloney](https://github.com/SysdigDan/dnscollector-falco-plugin/issues)<br/>License: Apache-2.0 |
| [gcpaudit](https://github.com/falcosecurity/plugins/tree/main/plugins/gcpaudit) | **Event Sourcing**<br/>ID: 12<br/>`gcp_auditlog`<br/>**Field Extraction**<br/>`gcp_auditlog` | Read GCP Audit Logs<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [syslogsrv](https://github.com/nabokihms/syslogsrv-falco-plugin/tree/main/plugins/syslogsrv) | **Event Sourcing**<br/>ID: 13<br/>`syslogsrv`<br/>**Field Extraction**<br/>`syslogsrv` | Syslog Server Events<br/>Authors: [Maksim Nabokikh](https://github.com/nabokihms/syslogsrv-falco-plugin/issues)<br/>License: Apache-2.0 |
| [salesforce](https://github.com/an1245/falco-plugin-salesforce/) | **Event Sourcing**<br/>ID: 14<br/>`salesforce`<br/>**Field Extraction**<br/>`salesforce` | Falco plugin providing basic runtime threat detection and auditing logging for Salesforce<br/>Authors: [Andy](https://github.com/an1245/falco-plugin-salesforce/issues)<br/>License: Apache-2.0 |
| [box](https://github.com/an1245/falco-plugin-box/) | **Event Sourcing**<br/>ID: 15<br/>`box`<br/>**Field Extraction**<br/>`box` | Falco plugin providing basic runtime threat detection and auditing logging for Box<br/>Authors: [Andy](https://github.com/an1245/falco-plugin-box/issues)<br/>License: Apache-2.0 |
| [k8smeta](https://github.com/falcosecurity/plugins/tree/main/plugins/k8smeta) | **Field Extraction**<br/>`syscall` | Enrich Falco syscall flow with Kubernetes Metadata<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-gke](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke) | **Event Sourcing**<br/>ID: 16<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from GKE Clusters<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [journald](https://github.com/gnosek/falco-journald-plugin) | **Event Sourcing**<br/>ID: 17<br/>`journal`<br/>**Field Extraction**<br/>`journal` | Read Journald events into Falco<br/>Authors: [Grzegorz Nosek](https://github.com/gnosek/falco-journald-plugin)<br/>License: Apache-2.0 |
| [kafka](https://github.com/falcosecurity/plugins/tree/main/plugins/kafka) | **Event Sourcing**<br/>ID: 18<br/>`kafka` | Read events from Kafka topics into Falco<br/>Authors: [Hunter Madison](https://falco.org/community)<br/>License: Apache-2.0 |
| [gitlab](https://github.com/an1245/falco-plugin-gitlab) | **Event Sourcing**<br/>ID: 19<br/>`gitlab`<br/>**Field Extraction**<br/>`gitlab` | Falco plugin providing basic runtime threat detection and auditing logging for GitLab<br/>Authors: [Andy](https://github.com/an1245/falco-plugin-gitlab/issues)<br/>License: Apache-2.0 |
| [keycloak](https://github.com/mattiaforc/falco-keycloak-plugin) | **Event Sourcing**<br/>ID: 20<br/>`keycloak`<br/>**Field Extraction**<br/>`keycloak` | Falco plugin for sourcing and extracting Keycloak user/admin events<br/>Authors: [Mattia Forcellese](https://github.com/mattiaforc/falco-keycloak-plugin/issues)<br/>License: Apache-2.0 |
| [k8saudit-aks](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-aks) | **Event Sourcing**<br/>ID: 21<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from Azure AKS Clusters<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [k8saudit-ovh](https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-ovh) | **Event Sourcing**<br/>ID: 22<br/>`k8s_audit`<br/>**Field Extraction**<br/>`k8s_audit` | Read Kubernetes Audit Events from OVHcloud MKS Clusters<br/>Authors: [Aurélie Vache](https://falco.org/community)<br/>License: Apache-2.0 |
| [dummy_rs](https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_rs) | **Event Sourcing**<br/>ID: 23<br/>`dummy_rs`<br/>**Field Extraction**<br/>`dummy_rs` | Like dummy, but written in Rust<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [container](https://github.com/falcosecurity/plugins/tree/main/plugins/container) | **Field Extraction**<br/>`syscall` | Enrich Falco syscall flow with Container Metadata<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [krsi](https://github.com/falcosecurity/plugins/tree/main/plugins/krsi) | **Field Extraction**<br/>`syscall` | Security (KRSI) events support for Falco<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |
| [collector](https://github.com/falcosecurity/plugins/tree/main/plugins/collector) | **Event Sourcing**<br/>ID: 24<br/>`collector` | Generic collector to ingest raw payloads into Falco<br/>Authors: [The Falco Authors](https://falco.org/community)<br/>License: Apache-2.0 |

## Falcosecurity Plugins
Along with the registry, this repository hosts the official plugins maintained by the Falcosecurity organization. Each plugin is an independent project with its own directory in the [plugins folder](https://github.com/falcosecurity/plugins/tree/main/plugins).
The `main` branch reflects the latest development state, and plugins are released on a regular basis. Development builds are published automatically when a Pull Request is merged into `main`, while stable builds are released only when a new tag is created. You can find all published artifacts at [download.falco.org](https://download.falco.org/?prefix=plugins). For details on the release process, please see our [Release Process](./release.md).
The installation instructions below apply only to plugins from this repository.
### Installing Plugins
Plugins hosted in this repository are built and distributed through Falco's official channels. You can easily install them using either [falcoctl](https://github.com/falcosecurity/falcoctl) or the [Falco Helm chart](https://github.com/falcosecurity/charts/tree/master/charts/falco).
#### Using falcoctl
1. **Install falcoctl:** If you haven't already, follow the [falcoctl installation guide](https://github.com/falcosecurity/falcoctl?tab=readme-ov-file#installation).
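2. **Install a Plugin:** Execute the following commands, replacing `<plugin-name>` with the name of the plugin you wish to install:
```bash
# Refresh the falcosecurity artifact index, then install the plugin by name
falcoctl index update falcosecurity
falcoctl artifact install <plugin-name>
```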
> Depending on your environment, you may need to run the above commands with `sudo`.
3. Configure Falco to load the plugin as described in the [plugin's documentation](https://falco.org/docs/concepts/plugins/usage/#loading-plugins-in-falco).

#### Using the Falco Helm Chart
When installing Falco using the Helm chart, you can instruct the chart to install a specific plugin by setting the `falcoctl.config.artifact.install.refs` value and then adding the relevant plugin configuration under `falco`.
The Helm chart provides a preset [values-k8saudit.yaml](https://github.com/falcosecurity/charts/blob/master/charts/falco/values-k8saudit.yaml) file that can be used to install the `k8saudit` plugin or as an example for installing other plugins.
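A values fragment showing the two parts described above for the `k8saudit` and `json` plugins. This is an added example, not the chart's preset file; the `falcoctl.artifact.install.enabled` switch, the library file names and the `open_params` listener address are assumptions to check against the chart and plugin versions you deploy.

```yaml
# Added example: values.yaml fragment for the Falco Helm chart.
falcoctl:
  artifact:
    install:
      # Assumption: turns on the falcoctl step that installs artifacts
      # before Falco starts.
      enabled: true
  config:
    artifact:
      install:
        # Plugins to fetch, named as in the registry table. Pinning a tag
        # (name:version) keeps upgrades deliberate and reviewable.
        refs: [k8saudit, json]
falco:
  # Plugin configuration, rendered into falco.yaml by the chart.
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so   # assumed library file name
      init_config: ""
      # Assumed listener address for the Kubernetes audit webhook.
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so       # assumed library file name
      init_config: ""
  # Only the plugins named here are loaded at startup.
  load_plugins: [k8saudit, json]
```

Installing a plugin does not install detection rules for its event source; a matching ruleset has to be added to `refs` or supplied separately.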
## Contributing
If you want to help and wish to contribute, please review our [contribution guidelines](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md). Code contributions are always encouraged and welcome!
If you wish to contribute a plugin to The Falco Project, simply open a Pull Request to add your plugin to the `/plugins` folder and [update the registry accordingly](./docs/registering-a-plugin.md). Note that to be hosted in this repository, plugins must be licensed under the [Apache 2.0 License](./LICENSE).
### Enforcing coding style and repo policies locally
This repository supports enforcing coding style and policies locally through the `pre-commit` framework. `pre-commit` lets you automatically install `git-hooks` that are executed at every new commit. The following is the list of `git-hooks` defined in `.pre-commit-config.yaml` (notice that some of them only target files written in a specific language):
1. the `rust-fmt` hook - a `pre-commit` git hook running `rust fmt` on the staged changes
2. the `dco` hook - a `pre-commit-msg` git hook that adds the `DCO` to the commit if not present

The following steps describe how to install these hooks.
#### Step 1
Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
> __Please note__: you have to follow only the "Installation" section.
#### Step 2
Install `pre-commit` git hooks:
```bash
pre-commit install --hook-type pre-commit --hook-type prepare-commit-msg --overwrite
```

## License
This project is licensed to you under the [Apache 2.0 Open Source License](./LICENSE).