17.1. Writing Plugins
FlareInspect plugins extend the assessment pipeline with custom check logic.
17.1.1. Plugin Interface
Each plugin must export a register function:

```javascript
module.exports = {
  register(api) {
    api.addCheck({
      id: 'CUST-001',
      title: 'Custom Security Check',
      category: 'custom',
      severity: 'medium',
      description: 'Checks a custom security property',
      async run(context) {
        const value = await context.cloudflare.get('/some/endpoint');
        return {
          status: value.enabled ? 'PASS' : 'FAIL',
          observed: value.enabled ? 'enabled' : 'disabled',
          expected: 'enabled',
        };
      },
    });
  },
};
```
17.1.2. Plugin API

| Method | Description |
|---|---|
| | Register a custom check with the assessment pipeline |
| | Register a new check category |
17.1.3. Check Context

| Property | Description |
|---|---|
| | The Cloudflare API client |
| | The current zone being assessed (null for account-level) |
| | The current account being assessed |
17.1.4. Loading Plugins
Plugins are loaded from the plugins/ directory relative to the working directory. Files must be valid CommonJS modules (.js) that export a register function.
17.1.5. Security Considerations

- Plugins run in the same process as FlareInspect with full access to the Cloudflare API client
- Only load plugins from trusted sources
- Plugins can make API calls using the provided token; review plugin code before loading
- There is no sandboxing or permission isolation for plugins
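
Because nothing isolates a plugin once it is loaded, the review has to be enforced before FlareInspect starts. The following is an added example, not part of FlareInspect: a pre-run audit that compares every `.js` file in the plugins directory against SHA-256 hashes recorded at review time. The names `auditPlugins`, `sha256File` and `demo`, the allowlist format, and the sample file names are assumptions made for illustration.

```javascript
// Added example, not FlareInspect code: audit plugins/ against reviewed hashes.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

const sha256File = (file) =>
  crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');

// allowlist: Map of file name -> SHA-256 hex recorded when the plugin was reviewed.
// Returns one finding per .js entry that should not be loaded as-is.
function auditPlugins(pluginDir, allowlist) {
  const findings = [];
  for (const entry of fs.readdirSync(pluginDir, { withFileTypes: true })) {
    if (!entry.name.endsWith('.js')) continue;
    if (!entry.isFile()) {
      // Symlinks and directories are flagged: what they resolve to was not reviewed.
      findings.push({ file: entry.name, reason: 'not-regular-file' });
    } else if (!allowlist.has(entry.name)) {
      findings.push({ file: entry.name, reason: 'unreviewed' });
    } else if (sha256File(path.join(pluginDir, entry.name)) !== allowlist.get(entry.name)) {
      findings.push({ file: entry.name, reason: 'modified' });
    }
  }
  return findings.sort((a, b) => a.file.localeCompare(b.file));
}

// Constructed demo: two reviewed plugins, then one is altered and one is dropped in.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'plugins-'));
  try {
    const stub = 'module.exports = { register(api) {} };\n';
    fs.writeFileSync(path.join(dir, 'tls-check.js'), stub);
    fs.writeFileSync(path.join(dir, 'waf-check.js'), stub + '// v2\n');
    // "Review time": record hashes of the files that were read and approved.
    const allowlist = new Map(
      fs.readdirSync(dir).map((f) => [f, sha256File(path.join(dir, f))])
    );
    const clean = auditPlugins(dir, allowlist);
    // Later: a reviewed file changes and an unknown file appears.
    fs.appendFileSync(path.join(dir, 'waf-check.js'), '// changed after review\n');
    fs.writeFileSync(path.join(dir, 'extra.js'), stub);
    return { clean, findings: auditPlugins(dir, allowlist) };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo().findings);
```

Run a check like this from the same working directory FlareInspect will use, and keep the allowlist somewhere the plugins directory's writers cannot modify.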