Plugin System

Infracast uses a plugin-based architecture for all discovery and output operations. Plugins are isolated subprocesses that communicate with the API server over gRPC — crashes or hangs in a plugin cannot affect the core platform.

How Plugins Work

When a discovery job runs, Infracast launches the relevant plugin, passes it tenant-scoped credentials, and streams the resulting nodes and edges back into the asset graph. Plugins are isolated — a crash in one plugin does not affect the platform or other jobs.

Process Isolation

Each plugin runs in an isolated process. If a plugin crashes, only that discovery job is affected — the API server and other jobs continue normally.

Config Field Types

Plugin configuration fields are typed and validated before execution:

Type	Description	Example
`string`	Plain text value	Region, account ID
`number`	Numeric value	Timeout seconds, port
`bool`	Boolean flag	Enable MFA scan
`secret`	Credential ID reference	AWS access key, password
`list`	Comma-separated values	Regions list, IP ranges

Secrets are never passed in plaintext to plugins. The config contains a credential ID; the plugin host resolves the credential from the encrypted store at execution time.

Plugin Kinds

Kind	Description
`discovery`	Produces asset graph nodes and edges from external systems
`output`	Consumes the asset graph to produce compliance reports, exports
`transform`	Modifies or enriches the asset graph in-place

Available Discovery Plugins

Infracast ships with 20 discovery plugins covering major infrastructure platforms:

Cloud Providers

Plugin ID	Provider	Discovered Resources
`aws`	Amazon Web Services	EC2, VPC, S3, IAM, RDS, ECS, Lambda
`azure`	Microsoft Azure	VMs, VNets, Storage, AD, AKS
`gcp`	Google Cloud Platform	Compute, GKE, Cloud Storage, IAM
`m365`	Microsoft 365	Users, Groups, Policies, SharePoint

On-Premises Network

Plugin ID	Provider	Discovered Resources
`cisco-ios`	Cisco IOS/NX-OS	Routers, switches, interfaces, ACLs
`juniper-junos`	Juniper JunOS	Routing/switching fabric
`fortinet-fortigate`	Fortinet FortiGate	Firewalls, VPN policies
`palo-alto`	Palo Alto Networks	Next-gen firewalls, security zones
`f5-bigip`	F5 BIG-IP	Load balancers, virtual servers
`meraki`	Cisco Meraki	Cloud-managed network devices
`ubiquiti-unifi`	Ubiquiti UniFi	Wi-Fi APs, switches
`ubiquiti-edgemax`	Ubiquiti EdgeMAX	Edge routers

Compute and Virtualization

Plugin ID	Provider	Discovered Resources
`vmware-vsphere`	VMware vSphere	VMs, ESXi hosts, clusters, vCenter
`windows-server`	Windows / Active Directory	AD domain, computers, users, GPOs
`kubernetes-native`	Kubernetes	Pods, nodes, namespaces, RBAC
`active-directory`	Active Directory	Domain controller enumeration

Storage and Secrets

Plugin ID	Provider	Discovered Resources
`hashicorp-vault`	HashiCorp Vault	Secrets engines, policies, leases
`netapp-ontap`	NetApp ONTAP	Volumes, SVMs, SnapMirror
`dell-powerstore`	Dell PowerStore	Arrays, volumes, protection policies
`pure-storage-flasharray`	Pure Storage	Arrays, volumes, protection groups

Available Output Plugins

Output plugins run after discovery to generate compliance mappings and reports:

Plugin ID	Framework	Description
`audit-cis-aws`	CIS AWS Foundations	CIS Benchmark Level 1 & 2
`audit-cis-kubernetes`	CIS Kubernetes	K8s cluster hardening
`audit-nist80053`	NIST SP 800-53 Rev 5	1,000+ controls mapped
`audit-fedramp-moderate`	FedRAMP Moderate	325 controls
`audit-cmmc-l2`	CMMC Level 2	110 practices
`audit-pci-dss`	PCI-DSS v4.0	300+ requirements
`audit-soc2`	SOC 2 Type II	Trust service criteria
`audit-stig-aws`	DISA STIG (AWS)	DoD hardening benchmarks
`diagrams-drawio`	—	Export graph as draw.io diagram
`terraform-hcl`	—	Generate Terraform from discovered infra

Plugin Configuration

Plugins are configured per-tenant via Credentials in the UI:

Navigate to Settings → Credentials
Click Add Credential
Select the provider type
Enter required fields (key IDs, secrets, URLs)
The credential ID can then be referenced when creating discovery jobs

Example: AWS Plugin Config

{
  "access_key_id": "cred:aws-production",
  "secret_access_key": "cred:aws-production",
  "regions": "us-east-1,us-west-2",
  "account_id": "123456789012"
}

The cred:aws-production references a stored credential by name — the actual secret is never written to job configs.

Requesting New Plugins

If you need a plugin for a provider not listed above:

Enterprise customers — open a support ticket at support.infracast.io with the provider name and use case
Community — open a feature request on GitHub

Plugin Development

If you need to extend Infracast with a custom integration, contact us at support.infracast.io to discuss your requirements.

How Plugins Work​

Process Isolation​

Config Field Types​

Plugin Kinds​

Available Discovery Plugins​

Cloud Providers​

On-Premises Network​

Compute and Virtualization​

Storage and Secrets​

Available Output Plugins​

Plugin Configuration​

Example: AWS Plugin Config​

Requesting New Plugins​