# SPDX-License-Identifier: Apache-2.0 # # Copyright (C) 2025 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # This nonce is used to force a CI job to re-run when no other meaningful changes are made. # For example, this can be used to update the artifact index: https://github.com/falcosecurity/falcoctl/blob/gh-pages/index.yaml # To trigger the job manually, update the number below (e.g., by replacing it with the current Unix timestamp). # It does not need to be secure or unique beyond being different from the previous value. # Example: `date +%s` on Unix-like systems will generate a suitable value. # # nonce: 1747055710 # This list of data sources is not allowed in plugins since they are already # used in Falco. reserved_sources: ["syscall", "internal", "plugins"] # The list of plugins officially recognized by the Falcosecurity organization. # Registering your plugin here is required to reserve a given name, source, or id. # # License IDs refer to the SPDX License List at https://spdx.org/licenses plugins: - name: plugin-id-zero-value description: This ID is reserved for particular purposes and cannot be registered. A plugin author should not use this ID unless specified by the documentation. reserved: true capabilities: sourcing: supported: true id: 0 - name: test description: This ID is reserved for source plugin development. Any plugin author can use this ID, but authors can expect events from other developers with this ID. After development is complete, the author should request an actual ID reserved: true capabilities: sourcing: supported: true id: 999 source: test - name: k8saudit description: Read Kubernetes Audit Events and monitor Kubernetes Clusters authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - audit - audit-log - audit-events - kubernetes url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 1 source: k8s_audit extraction: supported: true - name: cloudtrail description: Reads Cloudtrail JSON logs from files/S3 and injects as events authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - audit - user-activity - api-usage - aws url: https://github.com/falcosecurity/plugins/tree/main/plugins/cloudtrail rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/cloudtrail/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 2 source: aws_cloudtrail extraction: supported: true - name: json description: Extract values from any JSON payload authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - json-events - json-payload - extractor url: https://github.com/falcosecurity/plugins/tree/main/plugins/json license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: extraction: supported: true - name: dummy description: Reference plugin used to document interface authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/dummy license: Apache-2.0 capabilities: sourcing: supported: true id: 3 source: dummy extraction: supported: true - name: dummy_c description: Like dummy, but written in C++ authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_c license: Apache-2.0 capabilities: sourcing: supported: true id: 4 source: dummy_c extraction: supported: true - name: docker description: Docker Events authors: Thomas Labarussias contact: https://github.com/Issif maintainers: - name: Thomas Labarussias email: issif_github@gadz.org keywords: - docker-events url: https://github.com/Issif/docker-plugin rules_url: https://github.com/Issif/docker-plugin/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 5 source: docker extraction: supported: true - name: seccompagent description: Seccomp Agent Events authors: Alban Crequy contact: https://github.com/kinvolk/seccompagent url: https://github.com/kinvolk/seccompagent keywords: - seccomp - kinvolk license: Apache-2.0 capabilities: sourcing: supported: true id: 6 source: seccompagent extraction: supported: true - name: okta description: Okta Log Events authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - audit - log-events - okta url: https://github.com/falcosecurity/plugins/tree/main/plugins/okta rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/okta/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 7 source: okta extraction: supported: true - name: github description: Github Webhook Events authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - audit - log-events - webhook - github-activity - github url: https://github.com/falcosecurity/plugins/tree/main/plugins/github rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/github/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 8 source: github extraction: supported: true - name: k8saudit-eks description: Read Kubernetes Audit Events from AWS EKS Clusters authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-eks rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ keywords: - audit - audit-log - audit-events - kubernetes - eks - aws capabilities: sourcing: supported: true id: 9 source: k8s_audit extraction: supported: true - name: nomad description: Read Hashicorp Nomad Events Stream authors: Alberto Llamas contact: https://github.com/albertollamaso/nomad-plugin/issues maintainers: - name: Alberto Llamas keywords: - audit - audit-events - nomad url: https://github.com/albertollamaso/nomad-plugin/tree/main rules_url: https://github.com/albertollamaso/nomad-plugin/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 10 source: nomad extraction: supported: true - name: dnscollector description: DNS Collector Events authors: Daniel Moloney contact: https://github.com/SysdigDan/dnscollector-falco-plugin/issues maintainers: - name: Daniel Moloney keywords: - audit - log-events - dns url: https://github.com/SysdigDan/dnscollector-falco-plugin rules_url: https://github.com/SysdigDan/dnscollector-falco-plugin/tree/master/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 11 source: dnscollector extraction: supported: true - name: gcpaudit description: Read GCP Audit Logs authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - audit - audit-log - audit-events - gcp url: https://github.com/falcosecurity/plugins/tree/main/plugins/gcpaudit rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/gcpaudit/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 12 source: gcp_auditlog extraction: supported: true - name: syslogsrv description: Syslog Server Events authors: Maksim Nabokikh contact: https://github.com/nabokihms/syslogsrv-falco-plugin/issues maintainers: - name: Maksim Nabokikh keywords: - log-events - syslog url: https://github.com/nabokihms/syslogsrv-falco-plugin/tree/main/plugins/syslogsrv rules_url: https://github.com/nabokihms/syslogsrv-falco-plugin/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 13 source: syslogsrv extraction: supported: true - name: salesforce description: Falco plugin providing basic runtime threat detection and auditing logging for Salesforce authors: Andy contact: https://github.com/an1245/falco-plugin-salesforce/issues maintainers: - name: Andy keywords: - audit - log-events - salesforce url: https://github.com/an1245/falco-plugin-salesforce/ rules_url: https://github.com/an1245/falco-plugin-salesforce/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 14 source: salesforce extraction: supported: true - name: box description: Falco plugin providing basic runtime threat detection and auditing logging for Box authors: Andy contact: https://github.com/an1245/falco-plugin-box/issues maintainers: - name: Andy keywords: - audit - log-events - box url: https://github.com/an1245/falco-plugin-box/ rules_url: https://github.com/an1245/falco-plugin-box/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 15 source: box extraction: supported: true - name: k8smeta description: Enriche Falco syscall flow with Kubernetes Metadata authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - kubernetes - syscall - extractor url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8smeta license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: extraction: supported: true sources: [syscall] - name: k8saudit-gke description: Read Kubernetes Audit Events from GKE Clusters authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-gke/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ keywords: - audit - audit-log - audit-events - kubernetes - gke capabilities: sourcing: supported: true id: 16 source: k8s_audit extraction: supported: true - name: journald description: Read Journald events into Falco authors: Grzegorz Nosek contact: https://github.com/gnosek/falco-journald-plugin maintainers: - name: Grzegorz Nosek url: https://github.com/gnosek/falco-journald-plugin license: Apache-2.0 keywords: - syslog - systemd - journald capabilities: sourcing: supported: true id: 17 source: journal extraction: supported: true - name: kafka description: Read events from Kafka topics into Falco authors: Hunter Madison contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io - name: Hunter Madison email: Hunter.Madison@ibm.com keywords: - events - kafka url: https://github.com/falcosecurity/plugins/tree/main/plugins/kafka rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/kafka/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 18 source: kafka extraction: supported: false - name: gitlab description: Falco plugin providing basic runtime threat detection and auditing logging for GitLab authors: Andy contact: https://github.com/an1245/falco-plugin-gitlab/issues maintainers: - name: Andy keywords: - audit - log-events - gitlab url: https://github.com/an1245/falco-plugin-gitlab rules_url: https://github.com/an1245/falco-plugin-gitlab/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 19 source: gitlab extraction: supported: true - name: keycloak description: Falco plugin for sourcing and extracting Keycloak user/admin events authors: Mattia Forcellese contact: https://github.com/mattiaforc/falco-keycloak-plugin/issues maintainers: - name: Mattia Forcellese email: mattiaforc@gmail.com keywords: - keycloak url: https://github.com/mattiaforc/falco-keycloak-plugin rules_url: https://github.com/mattiaforc/falco-keycloak-plugin/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 20 source: keycloak extraction: supported: true - name: k8saudit-aks description: Read Kubernetes Audit Events from Azure AKS Clusters authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-aks rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ keywords: - audit - audit-log - audit-events - kubernetes - aks - azure capabilities: sourcing: supported: true id: 21 source: k8s_audit extraction: supported: true - name: k8saudit-ovh description: Read Kubernetes Audit Events from OVHcloud MKS Clusters authors: Aurélie Vache contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io - name: Aurélie Vache email: scraly@gmail.com url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit-ovh rules_url: https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit/rules license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ keywords: - audit - audit-log - audit-events - kubernetes - mks - ovh - ovhcloud - k8saudit-ovh capabilities: sourcing: supported: true id: 22 source: k8s_audit extraction: supported: true - name: dummy_rs description: Like dummy, but written in Rust authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io url: https://github.com/falcosecurity/plugins/tree/main/plugins/dummy_rs license: Apache-2.0 capabilities: sourcing: supported: true id: 23 source: dummy_rs extraction: supported: true - name: container description: Enriche Falco syscall flow with Container Metadata authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - container - syscall - extractor url: https://github.com/falcosecurity/plugins/tree/main/plugins/container license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: extraction: supported: true sources: [syscall] - name: krsi description: Security (KRSI) events support for Falco authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - krsi - syscall - extractor url: https://github.com/falcosecurity/plugins/tree/main/plugins/krsi license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: extraction: supported: true sources: [syscall] - name: collector description: Generic collector to ingest raw payloads into Falco authors: The Falco Authors contact: https://falco.org/community maintainers: - name: The Falco Authors email: cncf-falco-dev@lists.cncf.io keywords: - collector - json - raw - payload url: https://github.com/falcosecurity/plugins/tree/main/plugins/collector license: Apache-2.0 signature: cosign: certificate-oidc-issuer: https://token.actions.githubusercontent.com certificate-identity-regexp: https://github.com/falcosecurity/plugins/ capabilities: sourcing: supported: true id: 24 source: collector - name: awselb description: AWS Elastic Load Balancer access logs events authors: Yuki Nakamura contact: https://github.com/yukinakanaka/falco-plugin-aws-elb/issues maintainers: - name: Yuki Nakamura email: george.yuki1029@gmail.com keywords: - aws - elb url: https://github.com/yukinakanaka/falco-plugin-aws-elb rules_url: https://github.com/yukinakanaka/falco-plugin-aws-elb/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 25 source: awselb extraction: supported: true - name: edera description: A Falco plugin for forwarding libscap events out of Edera zones. authors: Edera contact: contact@edera.dev maintainers: - name: Edera email: contact@edera.dev keywords: - edera - containers - audit-events - kubernetes url: https://github.com/edera-dev/falco_plugin/ rules_url: https://docs.edera.dev/guides/observability/falco-integration/ license: Apache-2.0 capabilities: sourcing: supported: true id: 26 source: edera_zone extraction: supported: true - name: nginx description: | Real-time nginx access log monitoring for security threats. Detects SQL injection, XSS, path traversal, command injection, brute force attacks, and OWASP Top 10 vulnerabilities. authors: takaosgb3 contact: https://github.com/takaosgb3/falco-plugin-nginx/issues maintainers: - name: takaosgb3 keywords: - nginx - web-security - waf - sqli - xss - owasp - access-log url: https://github.com/takaosgb3/falco-plugin-nginx rules_url: https://github.com/takaosgb3/falco-plugin-nginx/tree/main/rules license: Apache-2.0 capabilities: sourcing: supported: true id: 27 source: nginx extraction: supported: true