This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Plugins

Plugins provide additional scanning capabilities to OpenClarity ecosystem. Project structure:

  • runner - Provides necessary logic to manage scanner plugins in OpenClarity.
  • sdk - Language-specific libraries, templates, and examples to aid with the implementation of scanner plugins.
  • store - Collection of available plugins that can be directly used in OpenClarity.

Requirements

Scanner plugins are distributed as containers and require Docker Engine on the host that runs the actual scanning via OpenClarity CLI to work.

Support

List of supported environments:

  1. AWS
  2. GCP
  3. Azure
  4. Docker

List of unsupported environments:

  • Kubernetes - We plan on adding plugin support to Kubernetes once we have dealt with all the security considerations.

Note: Plugin support has been tested against OpenClarity installation artifacts for the given environments.

Usage

You can start using plugins via Plugins Store. For example, you can pass the .families.yaml scan config file defined below to the OpenClarity CLI scan command. This configuration uses KICS scanner to scan /tmp dir for IaC security misconfigurations.

# --- .families.yaml
plugins:
  enabled: true
  scanners_list:
    - "kics"
  inputs: 
    - input: "/tmp"
      input_type: "rootfs"
  scanners_config:
    kics:
      image_name: "ghcr.io/openclarity/openclarity-plugin-kics:latest"
      config: "{}"

SDKs

You can use one of available SDKs in your language of choice to quickly develop scanner plugins for OpenClarity.

List of supported languages: