feat: add support for plugin index (#6674)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: knqyf263

.github/workflows/semantic-pr.yaml

@@ -44,6 +44,7 @@ jobs:
             k8s
             aws
             vm
+            plugin
 
             alpine
             wolfi

cmd/trivy/main.go

@@ -28,10 +28,7 @@ func main() {
 func run() error {
 	// Trivy behaves as the specified plugin.
 	if runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN"); runAsPlugin != "" {
-		if !plugin.IsPredefined(runAsPlugin) {
-			return xerrors.Errorf("unknown plugin: %s", runAsPlugin)
-		}
-		if err := plugin.RunWithURL(context.Background(), runAsPlugin, plugin.RunOptions{Args: os.Args[1:]}); err != nil {
+		if err := plugin.RunWithURL(context.Background(), runAsPlugin, plugin.Options{Args: os.Args[1:]}); err != nil {
 			return xerrors.Errorf("plugin error: %w", err)
 		}
 		return nil

docs/community/contribute/pr.md

@@ -114,6 +114,7 @@ mode:
 - server
 - aws
 - vm
+- plugin
 
 os:
 

docs/docs/advanced/plugins.md

@@ -399,7 +399,7 @@ $ trivy <target> [--format <format>] --output plugin=<plugin_name> [--output-plu
 ```
 
 This is useful for cases where you want to convert the output into a custom format, or when you want to send the output somewhere.
-For more details, please check [here](../advanced/plugins.md#output-plugins).
+For more details, please check [here](../plugin/plugins.md#output-plugins).
 
 ## Converting
 To generate multiple reports, you can generate the JSON report first and convert it to other formats with the `convert` subcommand.

docs/docs/configuration/reporting.md

@@ -0,0 +1,203 @@
+# Developer Guide
+
+## Developing Trivy plugins
+This section will guide you through the process of developing Trivy plugins.
+To help you get started quickly, we have published a [plugin template repository][plugin-template].
+You can use this template as a starting point for your plugin development.
+
+### Introduction
+If you are looking to start developing plugins for Trivy, read [the user guide](./user-guide.md) first.
+
+The development process involves the following steps:
+
+- Create a repository for your plugin, named `trivy-plugin-<name>`.
+- Create an executable binary that can be invoked as `trivy <name>`.
+- Place the executable binary in a repository.
+- Create a `plugin.yaml` file that describes the plugin.
+- (Submit your plugin to the [Trivy plugin index][trivy-plugin-index].)
+
+After you develop a plugin with a good name following the best practices and publish it, you can submit your plugin to the [Trivy plugin index][trivy-plugin-index].
+
+### Naming
+This section describes guidelines for naming your plugins.
+
+#### Use `trivy-plugin-` prefix
+The name of the plugin repository should be prefixed with `trivy-plugin-`.
+
+#### Use lowercase and hyphens
+Plugin names must be all lowercase and separate words with hyphens.
+Don’t use camelCase, PascalCase, or snake_case; use kebab-case.
+
+- NO: `trivy OpenSvc`
+- YES: `trivy open-svc`
+
+#### Be specific
+Plugin names should not be verbs or nouns that are generic, already overloaded, or likely to be used for broader purposes by another plugin.
+
+- NO: trivy sast (Too broad)
+- YES: trivy govulncheck
+
+
+#### Be unique
+Find a unique name for your plugin that differentiates it from other plugins that perform a similar function.
+
+- NO: `trivy images` (Unclear how it is different from the builtin “image" command)
+- YES: `trivy registry-images` (Unique name).
+
+#### Prefix Vendor Identifiers
+Use vendor-specific strings as prefix, separated with a dash.
+This makes it easier to search/group plugins that are about a specific vendor.
+
+- NO: `trivy security-hub-aws (Makes it harder to search or locate in a plugin list)
+- YES: `trivy aws-security-hub (Will show up together with other aws-* plugins)
+
+### Choosing a language
+Since Trivy plugins are standalone executables, you can write them in any programming language.
+
+If you are planning to write a plugin with Go, check out [the Report struct](https://github.com/aquasecurity/trivy/blob/787b466e069e2d04e73b3eddbda621e5eec8543b/pkg/types/report.go#L13-L24),
+which is the output of Trivy scan.
+
+
+### Writing your plugin
+Each plugin has a top-level directory, and then a `plugin.yaml` file.
+
+```bash
+your-plugin/
+  |
+  |- plugin.yaml
+  |- your-plugin.sh
+```
+
+In the example above, the plugin is contained inside a directory named `your-plugin`.
+It has two files: `plugin.yaml` (required) and an executable script, `your-plugin.sh` (optional).
+
+#### Writing a plugin manifest
+The plugin manifest is a simple YAML file named `plugin.yaml`.
+Here is an example YAML of [trivy-plugin-kubectl][trivy-plugin-kubectl] plugin that adds support for Kubernetes scanning.
+
+```yaml
+name: "kubectl"
+version: "0.1.0"
+repository: github.com/aquasecurity/trivy-plugin-kubectl
+maintainer: aquasecurity
+output: false
+summary: Scan kubectl resources
+description: |-
+  A Trivy plugin that scans the images of a kubernetes resource.
+  Usage: trivy kubectl TYPE[.VERSION][.GROUP] NAME
+platforms:
+  - selector: # optional
+      os: darwin
+      arch: amd64
+    uri: ./trivy-kubectl # where the execution file is (local file, http, git, etc.)
+    bin: ./trivy-kubectl # path to the execution file
+  - selector: # optional
+      os: linux
+      arch: amd64
+    uri: https://github.com/aquasecurity/trivy-plugin-kubectl/releases/download/v0.1.0/trivy-kubectl.tar.gz
+    bin: ./trivy-kubectl
+```
+
+We encourage you to copy and adapt plugin manifests of existing plugins.
+
+- [count][trivy-plugin-count]
+- [referrer][trivy-plugin-referrer]
+
+The `plugin.yaml` field should contain the following information:
+
+- name: The name of the plugin. This also determines how the plugin will be made available in the Trivy CLI. For example, if the plugin is named kubectl, you can call the plugin with `trivy kubectl`. (required)
+- version: The version of the plugin. [Semantic Versioning][semver] should be used. (required)
+- repository: The repository name where the plugin is hosted. (required)
+- maintainer: The name of the maintainer of the plugin. (required)
+- output: Whether the plugin supports [the output mode](./user-guide.md#output-mode-support). (optional)
+- usage: Deprecated: use summary instead. (optional)
+- summary: A short usage description. (required)
+- description: A long description of the plugin. This is where you could provide a helpful documentation of your plugin. (required)
+- platforms: (required)
+    - selector: The OS/Architecture specific variations of a execution file. (optional)
+        - os: OS information based on GOOS (linux, darwin, etc.) (optional)
+        - arch: The architecture information based on GOARCH (amd64, arm64, etc.) (optional)
+    - uri: Where the executable file is. Relative path from the root directory of the plugin or remote URL such as HTTP and S3. (required)
+    - bin: Which file to call when the plugin is executed. Relative path from the root directory of the plugin. (required)
+
+The following rules will apply in deciding which platform to select:
+
+- If both `os` and `arch` under `selector` match the current platform, search will stop and the platform will be used.
+- If `selector` is not present, the platform will be used.
+- If `os` matches and there is no more specific `arch` match, the platform will be used.
+- If no `platform` match is found, Trivy will exit with an error.
+
+After determining platform, Trivy will download the execution file from `uri` and store it in the plugin cache.
+When the plugin is called via Trivy CLI, `bin` command will be executed.
+
+#### Plugin arguments/flags
+The plugin is responsible for handling flags and arguments.
+Any arguments are passed to the plugin from the `trivy` command.
+
+#### Testing plugin installation locally
+A plugin should be archived `*.tar.gz`.
+After you have archived your plugin into a `.tar.gz` file, you can verify that your plugin installs correctly with Trivy.
+
+```bash
+$ tar -czvf myplugin.tar.gz plugin.yaml script.py
+plugin.yaml
+script.py
+
+$ trivy plugin install myplugin.tar.gz
+2023-03-03T19:04:42.026+0600	INFO	Installing the plugin from myplugin.tar.gz...
+2023-03-03T19:04:42.026+0600	INFO	Loading the plugin metadata...
+
+$ trivy myplugin
+Hello from Trivy demo plugin!
+```
+
+## Publishing plugins
+The [plugin.yaml](#writing-a-plugin-manifest) file is the core of your plugin, so as long as it is published somewhere, your plugin can be installed.
+If you choose to publish your plugin on GitHub, you can make it installable by placing the plugin.yaml file in the root directory of your repository.
+Users can then install your plugin with the command, `trivy plugin install github.com/org/repo`.
+
+While the `uri` specified in the plugin.yaml file doesn't necessarily need to point to the same repository, it's a good practice to host the executable file within the same repository when using GitHub.
+You can utilize GitHub Releases to distribute the executable file.
+For an example of how to structure your plugin repository, refer to [the plugin template repository][plugin-template].
+
+## Distributing plugins via the Trivy plugin index
+Trivy can install plugins directly by specifying a repository, like `trivy plugin install github.com/aquasecurity/trivy-plugin-referrer`,
+so you don't necessarily need to register your plugin in the Trivy plugin index.
+However, we would recommend distributing your plugin via the Trivy plugin index
+since it makes it easier for other users to find (`trivy plugin search`) and install your plugin (e.g. `trivy plugin install kubectl`).
+
+### Pre-submit checklist
+- Review [the plugin naming guide](#naming).
+- Ensure the `plugin.yaml` file has all the required fields.
+- Tag a git release with a semantic version (e.g. v1.0.0).
+- [Test your plugin installation locally](#testing-plugin-installation-locally).
+
+### Submitting plugins
+Submitting your plugin to the plugin index is a straightforward process.
+All you need to do is create a YAML file for your plugin and place it in the [plugins/](https://github.com/aquasecurity/trivy-plugin-index/tree/main/plugins) directory of [the index repository][trivy-plugin-index].
+
+Once you've done that, create a pull request (PR) and have it reviewed by the maintainers.
+Once your PR is merged, the index will be updated, and your plugin will be available for installation.
+[The plugin index page][plugin-list] will also be automatically updated to list your newly added plugin.
+
+The content of the YAML file is very simple.
+You only need to specify the name of your plugin and the repository where it is distributed.
+
+```yaml
+name: referrer
+repository: github.com/aquasecurity/trivy-plugin-referrer
+```
+
+After your PR is merged, the CI system will automatically retrieve the `plugin.yaml` file from your repository and update [the index.yaml file][index].
+If any required fields are missing from your `plugin.yaml`, the CI will fail, so make sure your `plugin.yaml` has all the required fields before creating a PR.
+Once [the index.yaml][index] has been updated, running `trivy plugin update` will download the updated index to your local machine.
+
+
+[plugin-template]: https://github.com/aquasecurity/trivy-plugin-template
+[plugin-list]: https://aquasecurity.github.io/trivy-plugin-index/
+[index]: https://aquasecurity.github.io/trivy-plugin-index/v1/index.yaml
+[semver]: https://semver.org/
+[trivy-plugin-index]: https://github.com/aquasecurity/trivy-plugin-index
+[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
+[trivy-plugin-count]: https://github.com/aquasecurity/trivy-plugin-count/blob/main/plugin.yaml
+[trivy-plugin-referrer]: https://github.com/aquasecurity/trivy-plugin-referrer/blob/main/plugin.yaml

docs/docs/plugin/developer-guide.md

@@ -0,0 +1,70 @@
+# Plugins
+Trivy provides a plugin feature to allow others to extend the Trivy CLI without the need to change the Trivy code base.
+This plugin system was inspired by the plugin system used in [kubectl][kubectl], [Helm][helm], and [Conftest][conftest].
+
+## Overview
+Trivy plugins are add-on tools that integrate seamlessly with Trivy.
+They provide a way to extend the core feature set of Trivy, but without requiring every new feature to be written in Go and added to the core tool.
+
+- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
+- They can be written in any programming language.
+- They integrate with Trivy, and will show up in Trivy help and subcommands.
+
+!!! warning
+    Trivy plugins available in public are not audited for security.
+    You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.
+
+## Quickstart
+Trivy helps you discover and install plugins on your machine.
+
+You can install and use a wide variety of Trivy plugins to enhance your experience.
+
+Let’s get started:
+
+1. Download the plugin list:
+
+    ```bash
+    $ trivy plugin update
+    ```
+
+2. Discover Trivy plugins available on the plugin index:
+
+    ```bash
+    $ trivy plugin search
+    NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+    aqua                 A plugin for integration with Aqua Security SaaS platform    aquasecurity
+    kubectl              A plugin scanning the images of a kubernetes resource        aquasecurity
+    referrer             A plugin for OCI referrers                                   aquasecurity           ✓
+    [...]
+    ```
+
+3. Choose a plugin from the list and install it:
+
+    ```bash
+    $ trivy plugin install referrer
+    ```
+
+4. Use the installed plugin:
+
+    ```bash
+    $ trivy referrer --help
+    ```
+
+5. Keep your plugins up-to-date:
+
+    ```bash
+    $ trivy plugin upgrade
+    ```
+
+6. Uninstall a plugin you no longer use:
+
+    ```bash
+    trivy plugin uninstall referrer
+    ``` 
+
+This is practically all you need to know to start using Trivy plugins.
+
+
+[kubectl]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
+[helm]: https://helm.sh/docs/topics/plugins/
+[conftest]: https://www.conftest.dev/plugins/

docs/docs/plugin/index.md

@@ -0,0 +1,207 @@
+# User Guide
+
+## Discovering Plugins
+You can find a list of Trivy plugins distributed via trivy-plugin-index [here][trivy-plugin-index].
+However, you can find plugins using the command line as well.
+
+First, refresh your local copy of the plugin index:
+
+```bash
+$ trivy plugin update
+```
+
+To list all plugins available, run:
+
+```bash
+$ trivy plugin search
+NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+aqua                 A plugin for integration with Aqua Security SaaS platform    aquasecurity
+kubectl              A plugin scanning the images of a kubernetes resource        aquasecurity
+referrer             A plugin for OCI referrers                                   aquasecurity           ✓
+```
+
+You can specify search keywords as arguments:
+
+```bash
+$ trivy plugin search referrer
+
+NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+referrer             A plugin for OCI referrers                                   aquasecurity           ✓
+```
+
+It lists plugins with the keyword in the name or description.
+
+## Installing  Plugins
+Plugins can be installed with the `trivy plugin install` command:
+
+```bash
+$ trivy plugin install referrer
+```
+
+This command will download the plugin and install it in the plugin cache.
+
+Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
+Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
+The preference order is as follows:
+
+- XDG_DATA_HOME if set and .trivy/plugins exists within the XDG_DATA_HOME dir
+- ~/.trivy/plugins
+
+Furthermore, it is possible to download plugins that are not registered in the index by specifying the URL directly or by specifying the file path.
+
+```bash
+$ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
+```
+```bash
+$ trivy plugin install myplugin.tar.gz
+```
+
+Under the hood Trivy leverages [go-getter][go-getter] to download plugins.
+This means the following protocols are supported for downloading plugins:
+
+- OCI Registries
+- Local Files
+- Git
+- HTTP/HTTPS
+- Mercurial
+- Amazon S3
+- Google Cloud Storage
+
+## Listing Installed Plugins
+To list all plugins installed, run:
+
+```bash
+$ trivy plugin list
+```
+
+## Using Plugins
+Once the plugin is installed, Trivy will load all available plugins in the cache on the start of the next Trivy execution.
+A plugin will be made in the Trivy CLI based on the plugin name.
+To display all plugins, you can list them by `trivy --help`
+
+```bash
+$ trivy --help
+NAME:
+   trivy - A simple and comprehensive vulnerability scanner for containers
+
+USAGE:
+   trivy [global options] command [command options] target
+
+VERSION:
+   dev
+
+Scanning Commands
+  aws         [EXPERIMENTAL] Scan AWS account
+  config      Scan config files for misconfigurations
+  filesystem  Scan local filesystem
+  image       Scan a container image
+  
+...
+
+Plugin Commands
+  kubectl     scan kubectl resources
+  referrer    Put referrers to OCI registry
+```
+
+As shown above, `kubectl` subcommand exists in the `Plugin Commands` section.
+To call the kubectl plugin and scan existing Kubernetes deployments, you can execute the following command:
+
+```
+$ trivy kubectl deployment <deployment-id> -- --ignore-unfixed --severity CRITICAL
+```
+
+Internally the kubectl plugin calls the kubectl binary to fetch information about that deployment and passes the using images to Trivy.
+You can see the detail [here][trivy-plugin-kubectl].
+
+If you want to omit even the subcommand, you can use `TRIVY_RUN_AS_PLUGIN` environment variable.
+
+```bash
+$ TRIVY_RUN_AS_PLUGIN=kubectl trivy job your-job -- --format json
+```
+
+## Installing and Running Plugins on the fly
+`trivy plugin run` installs a plugin and runs it on the fly.
+If the plugin is already present in the cache, the installation is skipped.
+
+```bash
+trivy plugin run kubectl pod your-pod -- --exit-code 1
+```
+
+## Upgrading Plugins
+To upgrade all plugins that you have installed to their latest versions, run:
+
+```bash
+$ trivy plugin upgrade
+```
+
+To upgrade only certain plugins, you can explicitly specify their names:
+
+```bash
+$ trivy plugin upgrade <PLUGIN1> <PLUGIN2>
+```
+
+## Uninstalling Plugins
+Specify a plugin name with `trivy plugin uninstall` command.
+
+```bash
+$ trivy plugin uninstall kubectl
+```
+
+Here's the revised English documentation based on your requested changes:
+
+## Output Mode Support
+While plugins are typically intended to be used as subcommands of Trivy, plugins supporting the output mode can be invoked as part of Trivy's built-in commands.
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports plugins that are compatible with the output mode, which process Trivy's output, such as by transforming the output format or sending it elsewhere.
+You can determine whether a plugin supports the output mode by checking the `OUTPUT` column in the output of `trivy plugin search` or `trivy plugin list`.
+
+```bash
+$ trivy plugin search
+NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+aqua                 A plugin for integration with Aqua Security SaaS platform    aquasecurity
+kubectl              A plugin scanning the images of a kubernetes resource        aquasecurity
+referrer             A plugin for OCI referrers                                   aquasecurity           ✓
+```
+
+In this case, the `referrer` plugin supports the output mode.
+
+For instance, in the case of image scanning, a plugin supporting the output mode can be called as follows:
+
+```bash
+$ trivy image --format json --output plugin=<plugin_name> [--output-plugin-arg <plugin_flags>] <image_name>
+```
+
+Since scan results are passed to the plugin via standard input, plugins must be capable of handling standard input.
+
+!!! warning
+    To avoid Trivy hanging, you need to read all data from `Stdin` before the plugin exits successfully or stops with an error.
+
+While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., `--format cyclonedx`).
+
+If a plugin requires flags or other arguments, they can be passed using `--output-plugin-arg`.
+This is directly forwarded as arguments to the plugin.
+For example, `--output plugin=myplugin --output-plugin-arg "--foo --bar=baz"` translates to `myplugin --foo --bar=baz` in execution.
+
+An example of a plugin supporting the output mode is available [here][trivy-plugin-count].
+It can be used as below:
+
+```bash
+# Install the plugin first
+$ trivy plugin install count
+
+# Call the plugin supporting the output mode in image scanning
+$ trivy image --format json --output plugin=count --output-plugin-arg "--published-after 2023-10-01" debian:12
+```
+
+## Example
+
+- [kubectl][trivy-plugin-kubectl]
+- [count][trivy-plugin-count]
+
+[trivy-plugin-index]: https://aquasecurity.github.io/trivy-plugin-index/
+[go-getter]: https://github.com/hashicorp/go-getter
+[trivy-plugin-kubectl]: https://github.com/aquasecurity/trivy-plugin-kubectl
+[trivy-plugin-count]: https://github.com/aquasecurity/trivy-plugin-count

docs/docs/plugin/user-guide.md

@@ -28,6 +28,8 @@ Manage plugins
 * [trivy plugin install](trivy_plugin_install.md)	 - Install a plugin
 * [trivy plugin list](trivy_plugin_list.md)	 - List installed plugin
 * [trivy plugin run](trivy_plugin_run.md)	 - Run a plugin on the fly
+* [trivy plugin search](trivy_plugin_search.md)	 - List Trivy plugins available on the plugin index and search among them
 * [trivy plugin uninstall](trivy_plugin_uninstall.md)	 - Uninstall a plugin
-* [trivy plugin update](trivy_plugin_update.md)	 - Update an existing plugin
+* [trivy plugin update](trivy_plugin_update.md)	 - Update the local copy of the plugin index
+* [trivy plugin upgrade](trivy_plugin_upgrade.md)	 - Upgrade installed plugins to newer versions
 

docs/docs/references/configuration/cli/trivy_plugin.md

@@ -3,7 +3,7 @@
 Install a plugin
 
 ```
-trivy plugin install URL | FILE_PATH
+trivy plugin install NAME | URL | FILE_PATH
 ```
 
 ### Options

docs/docs/references/configuration/cli/trivy_plugin_install.md

@@ -3,7 +3,7 @@
 Run a plugin on the fly
 
 ```
-trivy plugin run URL | FILE_PATH
+trivy plugin run NAME | URL | FILE_PATH
 ```
 
 ### Options

docs/docs/references/configuration/cli/trivy_plugin_run.md

@@ -0,0 +1,31 @@
+## trivy plugin search
+
+List Trivy plugins available on the plugin index and search among them
+
+```
+trivy plugin search [KEYWORD]
+```
+
+### Options
+
+```
+  -h, --help   help for search
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+

docs/docs/references/configuration/cli/trivy_plugin_search.md

@@ -1,9 +1,9 @@
 ## trivy plugin update
 
-Update an existing plugin
+Update the local copy of the plugin index
 
 ```
-trivy plugin update PLUGIN_NAME
+trivy plugin update
 ```
 
 ### Options

docs/docs/references/configuration/cli/trivy_plugin_update.md

@@ -0,0 +1,31 @@
+## trivy plugin upgrade
+
+Upgrade installed plugins to newer versions
+
+```
+trivy plugin upgrade [PLUGIN_NAMES]
+```
+
+### Options
+
+```
+  -h, --help   help for upgrade
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy plugin](trivy_plugin.md)	 - Manage plugins
+

docs/docs/references/configuration/cli/trivy_plugin_upgrade.md

@@ -128,9 +128,12 @@ nav:
           - VEX: docs/supply-chain/vex.md
       - Compliance:
           - Reports:  docs/compliance/compliance.md
+      - Plugin:
+          - Overview: docs/plugin/index.md
+          - User Guide: docs/plugin/user-guide.md
+          - Developer Guide: docs/plugin/developer-guide.md
       - Advanced:
           - Modules: docs/advanced/modules.md
-          - Plugins: docs/advanced/plugins.md
           - Air-Gapped Environment: docs/advanced/air-gap.md
           - Container Image:
               - Embed in Dockerfile: docs/advanced/container/embed-in-dockerfile.md
@@ -152,16 +155,20 @@ nav:
                   - Filesystem: docs/references/configuration/cli/trivy_filesystem.md
                   - Image: docs/references/configuration/cli/trivy_image.md
                   - Kubernetes: docs/references/configuration/cli/trivy_kubernetes.md
-                  - Module: docs/references/configuration/cli/trivy_module.md
-                  - Module Install: docs/references/configuration/cli/trivy_module_install.md
-                  - Module Uninstall: docs/references/configuration/cli/trivy_module_uninstall.md
-                  - Plugin: docs/references/configuration/cli/trivy_plugin.md
-                  - Plugin Info: docs/references/configuration/cli/trivy_plugin_info.md
-                  - Plugin Install: docs/references/configuration/cli/trivy_plugin_install.md
-                  - Plugin List: docs/references/configuration/cli/trivy_plugin_list.md
-                  - Plugin Run: docs/references/configuration/cli/trivy_plugin_run.md
-                  - Plugin Uninstall: docs/references/configuration/cli/trivy_plugin_uninstall.md
-                  - Plugin Update: docs/references/configuration/cli/trivy_plugin_update.md
+                  - Module:
+                      - Module: docs/references/configuration/cli/trivy_module.md
+                      - Module Install: docs/references/configuration/cli/trivy_module_install.md
+                      - Module Uninstall: docs/references/configuration/cli/trivy_module_uninstall.md
+                  - Plugin:
+                      - Plugin: docs/references/configuration/cli/trivy_plugin.md
+                      - Plugin Info: docs/references/configuration/cli/trivy_plugin_info.md
+                      - Plugin Install: docs/references/configuration/cli/trivy_plugin_install.md
+                      - Plugin List: docs/references/configuration/cli/trivy_plugin_list.md
+                      - Plugin Run: docs/references/configuration/cli/trivy_plugin_run.md
+                      - Plugin Uninstall: docs/references/configuration/cli/trivy_plugin_uninstall.md
+                      - Plugin Update: docs/references/configuration/cli/trivy_plugin_update.md
+                      - Plugin Upgrade: docs/references/configuration/cli/trivy_plugin_upgrade.md
+                      - Plugin Search: docs/references/configuration/cli/trivy_plugin_search.md
                   - Repository: docs/references/configuration/cli/trivy_repository.md
                   - Rootfs: docs/references/configuration/cli/trivy_rootfs.md
                   - SBOM: docs/references/configuration/cli/trivy_sbom.md

mkdocs.yml

@@ -8,6 +8,11 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 )
 
+type (
+	RealClock = clock.RealClock
+	FakeClock = clocktesting.FakeClock
+)
+
 // clockKey is the context key for clock. It is unexported to prevent collisions with context keys defined in
 // other packages.
 type clockKey struct{}
@@ -27,7 +32,7 @@ func Now(ctx context.Context) time.Time {
 func Clock(ctx context.Context) clock.Clock {
 	t, ok := ctx.Value(clockKey{}).(clock.Clock)
 	if !ok {
-		return clock.RealClock{}
+		return RealClock{}
 	}
 	return t
 }

pkg/clock/clock.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -111,20 +112,24 @@ func NewApp() *cobra.Command {
 }
 
 func loadPluginCommands() []*cobra.Command {
+	ctx := context.Background()
+	manager := plugin.NewManager()
+
 	var commands []*cobra.Command
-	plugins, err := plugin.LoadAll()
+	plugins, err := manager.LoadAll(ctx)
 	if err != nil {
-		log.Debug("No plugins loaded")
+		log.DebugContext(ctx, "No plugins loaded")
 		return nil
 	}
 	for _, p := range plugins {
 		p := p
 		cmd := &cobra.Command{
 			Use:     fmt.Sprintf("%s [flags]", p.Name),
-			Short:   p.Usage,
+			Short:   p.Summary,
+			Long:    p.Description,
 			GroupID: groupPlugin,
 			RunE: func(cmd *cobra.Command, args []string) error {
-				if err = p.Run(cmd.Context(), plugin.RunOptions{Args: args}); err != nil {
+				if err = p.Run(cmd.Context(), plugin.Options{Args: args}); err != nil {
 					return xerrors.Errorf("plugin error: %w", err)
 				}
 				return nil
@@ -719,14 +724,15 @@ func NewPluginCommand() *cobra.Command {
 	}
 	cmd.AddCommand(
 		&cobra.Command{
-			Use:                   "install URL | FILE_PATH",
+			Use:                   "install NAME | URL | FILE_PATH",
 			Aliases:               []string{"i"},
 			Short:                 "Install a plugin",
 			SilenceErrors:         true,
+			SilenceUsage:          true,
 			DisableFlagsInUseLine: true,
 			Args:                  cobra.ExactArgs(1),
 			RunE: func(cmd *cobra.Command, args []string) error {
-				if _, err := plugin.Install(cmd.Context(), args[0], true); err != nil {
+				if _, err := plugin.Install(cmd.Context(), args[0], plugin.Options{}); err != nil {
 					return xerrors.Errorf("plugin install error: %w", err)
 				}
 				return nil
@@ -735,12 +741,13 @@ func NewPluginCommand() *cobra.Command {
 		&cobra.Command{
 			Use:                   "uninstall PLUGIN_NAME",
 			Aliases:               []string{"u"},
-			SilenceErrors:         true,
 			DisableFlagsInUseLine: true,
 			Short:                 "Uninstall a plugin",
+			SilenceErrors:         true,
+			SilenceUsage:          true,
 			Args:                  cobra.ExactArgs(1),
-			RunE: func(_ *cobra.Command, args []string) error {
-				if err := plugin.Uninstall(args[0]); err != nil {
+			RunE: func(cmd *cobra.Command, args []string) error {
+				if err := plugin.Uninstall(cmd.Context(), args[0]); err != nil {
 					return xerrors.Errorf("plugin uninstall error: %w", err)
 				}
 				return nil
@@ -749,62 +756,86 @@ func NewPluginCommand() *cobra.Command {
 		&cobra.Command{
 			Use:                   "list",
 			Aliases:               []string{"l"},
-			SilenceErrors:         true,
 			DisableFlagsInUseLine: true,
+			SilenceErrors:         true,
+			SilenceUsage:          true,
 			Short:                 "List installed plugin",
 			Args:                  cobra.NoArgs,
 			RunE: func(cmd *cobra.Command, args []string) error {
-				info, err := plugin.List()
-				if err != nil {
+				if err := plugin.List(cmd.Context()); err != nil {
 					return xerrors.Errorf("plugin list display error: %w", err)
 				}
-				if _, err := fmt.Fprint(os.Stdout, info); err != nil {
-					return xerrors.Errorf("print error: %w", err)
-				}
 				return nil
 			},
 		},
 		&cobra.Command{
 			Use:                   "info PLUGIN_NAME",
 			Short:                 "Show information about the specified plugin",
-			SilenceErrors:         true,
 			DisableFlagsInUseLine: true,
+			SilenceErrors:         true,
+			SilenceUsage:          true,
 			Args:                  cobra.ExactArgs(1),
 			RunE: func(_ *cobra.Command, args []string) error {
-				info, err := plugin.Information(args[0])
-				if err != nil {
+				if err := plugin.Information(args[0]); err != nil {
 					return xerrors.Errorf("plugin information display error: %w", err)
 				}
-				if _, err := fmt.Fprint(os.Stdout, info); err != nil {
-					return xerrors.Errorf("print error: %w", err)
-				}
 				return nil
 			},
 		},
 		&cobra.Command{
-			Use:                   "run URL | FILE_PATH",
+			Use:                   "run NAME | URL | FILE_PATH",
 			Aliases:               []string{"r"},
-			SilenceErrors:         true,
 			DisableFlagsInUseLine: true,
+			SilenceErrors:         true,
+			SilenceUsage:          true,
 			Short:                 "Run a plugin on the fly",
 			Args:                  cobra.MinimumNArgs(1),
 			RunE: func(cmd *cobra.Command, args []string) error {
-				return plugin.RunWithURL(cmd.Context(), args[0], plugin.RunOptions{Args: args[1:]})
+				return plugin.RunWithURL(cmd.Context(), args[0], plugin.Options{Args: args[1:]})
 			},
 		},
 		&cobra.Command{
-			Use:                   "update PLUGIN_NAME",
-			Short:                 "Update an existing plugin",
-			SilenceErrors:         true,
+			Use:                   "update",
+			Short:                 "Update the local copy of the plugin index",
 			DisableFlagsInUseLine: true,
-			Args:                  cobra.ExactArgs(1),
-			RunE: func(_ *cobra.Command, args []string) error {
-				if err := plugin.Update(args[0]); err != nil {
+			SilenceErrors:         true,
+			SilenceUsage:          true,
+			Args:                  cobra.NoArgs,
+			RunE: func(cmd *cobra.Command, _ []string) error {
+				if err := plugin.Update(cmd.Context()); err != nil {
 					return xerrors.Errorf("plugin update error: %w", err)
 				}
 				return nil
 			},
 		},
+		&cobra.Command{
+			Use:                   "search [KEYWORD]",
+			DisableFlagsInUseLine: true,
+			SilenceErrors:         true,
+			SilenceUsage:          true,
+			Short:                 "List Trivy plugins available on the plugin index and search among them",
+			Args:                  cobra.MaximumNArgs(1),
+			RunE: func(cmd *cobra.Command, args []string) error {
+				var keyword string
+				if len(args) == 1 {
+					keyword = args[0]
+				}
+				return plugin.Search(cmd.Context(), keyword)
+			},
+		},
+		&cobra.Command{
+			Use:                   "upgrade [PLUGIN_NAMES]",
+			Short:                 "Upgrade installed plugins to newer versions",
+			DisableFlagsInUseLine: true,
+			SilenceErrors:         true,
+			SilenceUsage:          true,
+			RunE: func(cmd *cobra.Command, args []string) error {
+				if err := plugin.Upgrade(cmd.Context(), args); err != nil {
+					return xerrors.Errorf("plugin upgrade error: %w", err)
+				}
+				return nil
+			},
+		},
 	)
 	cmd.SetFlagErrorFunc(flagErrorFunc)
 	return cmd

pkg/commands/app.go

@@ -447,7 +447,7 @@ func (o *Options) outputPluginWriter(ctx context.Context) (io.Writer, func() err
 	pluginName := strings.TrimPrefix(o.Output, "plugin=")
 
 	pr, pw := io.Pipe()
-	wait, err := plugin.Start(ctx, pluginName, plugin.RunOptions{
+	wait, err := plugin.Start(ctx, pluginName, plugin.Options{
 		Args:  o.OutputPluginArgs,
 		Stdin: pr,
 	})

pkg/flag/options.go

@@ -14,6 +14,8 @@ import (
 	"github.com/fatih/color"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy/pkg/clock"
 )
 
 const (
@@ -145,6 +147,11 @@ func (h *ColorHandler) Handle(ctx context.Context, r slog.Record) error {
 		freeBuf(bufp)
 	}()
 
+	// For tests, use the fake clock's time.
+	if c, ok := clock.Clock(ctx).(*clock.FakeClock); ok {
+		r.Time = c.Now()
+	}
+
 	buf = h.handle(ctx, buf, r)
 
 	h.mu.Lock()

pkg/log/handler.go

@@ -0,0 +1,117 @@
+package plugin
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/samber/lo"
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+
+	"github.com/aquasecurity/trivy/pkg/downloader"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
+)
+
+const indexURL = "https://aquasecurity.github.io/trivy-plugin-index/v1/index.yaml"
+
+type Index struct {
+	Version int `yaml:"version"`
+	Plugins []struct {
+		Name       string `yaml:"name"`
+		Maintainer string `yaml:"maintainer"`
+		Summary    string `yaml:"summary"`
+		Repository string `yaml:"repository"`
+		Output     bool   `yaml:"output"`
+	} `yaml:"plugins"`
+}
+
+func (m *Manager) Update(ctx context.Context) error {
+	m.logger.InfoContext(ctx, "Updating the plugin index...", log.String("url", m.indexURL))
+	if err := downloader.Download(ctx, m.indexURL, filepath.Dir(m.indexPath), ""); err != nil {
+		return xerrors.Errorf("unable to download the plugin index: %w", err)
+	}
+	return nil
+}
+
+func (m *Manager) Search(ctx context.Context, keyword string) error {
+	index, err := m.loadIndex()
+	if errors.Is(err, os.ErrNotExist) {
+		m.logger.ErrorContext(ctx, "The plugin index is not found. Please run 'trivy plugin update' to download the index.")
+		return xerrors.Errorf("plugin index not found: %w", err)
+	} else if err != nil {
+		return xerrors.Errorf("unable to load the plugin index: %w", err)
+	}
+
+	var buf bytes.Buffer
+	buf.WriteString(fmt.Sprintf("%-20s %-60s %-20s %s\n", "NAME", "DESCRIPTION", "MAINTAINER", "OUTPUT"))
+	for _, p := range index.Plugins {
+		if keyword == "" || strings.Contains(p.Name, keyword) || strings.Contains(p.Summary, keyword) {
+			s := fmt.Sprintf("%-20s %-60s %-20s %s\n", truncateString(p.Name, 20),
+				truncateString(p.Summary, 60), truncateString(p.Maintainer, 20),
+				lo.Ternary(p.Output, "  ✓", ""))
+			buf.WriteString(s)
+		}
+	}
+
+	if _, err = fmt.Fprintf(m.w, buf.String()); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// tryIndex returns the repository URL if the plugin name is found in the index.
+// Otherwise, it returns the input name.
+func (m *Manager) tryIndex(ctx context.Context, name string) string {
+	// If the index file does not exist, download it first.
+	if !fsutils.FileExists(m.indexPath) {
+		if err := m.Update(ctx); err != nil {
+			m.logger.ErrorContext(ctx, "Failed to update the plugin index", log.Err(err))
+			return name
+		}
+	}
+
+	index, err := m.loadIndex()
+	if errors.Is(err, os.ErrNotExist) {
+		m.logger.WarnContext(ctx, "The plugin index is not found. Please run 'trivy plugin update' to download the index.")
+		return name
+	} else if err != nil {
+		m.logger.ErrorContext(ctx, "Unable to load the plugin index: %w", err)
+		return name
+	}
+
+	for _, p := range index.Plugins {
+		if p.Name == name {
+			return p.Repository
+		}
+	}
+	return name
+}
+
+func (m *Manager) loadIndex() (*Index, error) {
+	f, err := os.Open(m.indexPath)
+	if err != nil {
+		return nil, xerrors.Errorf("unable to open the index file: %w", err)
+	}
+	defer f.Close()
+
+	var index Index
+	if err = yaml.NewDecoder(f).Decode(&index); err != nil {
+		return nil, xerrors.Errorf("unable to decode the index file: %w", err)
+	}
+
+	return &index, nil
+}
+
+func truncateString(str string, num int) string {
+	if len(str) <= num {
+		return str
+	}
+	return str[:num-3] + "..."
+}

pkg/plugin/index.go

@@ -0,0 +1,87 @@
+package plugin_test
+
+import (
+	"bytes"
+	"context"
+	"github.com/aquasecurity/trivy/pkg/plugin"
+	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestManager_Update(t *testing.T) {
+	tempDir := t.TempDir()
+	fsutils.SetCacheDir(tempDir)
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, err := w.Write([]byte(`this is index`))
+		require.NoError(t, err)
+	}))
+	t.Cleanup(ts.Close)
+
+	manager := plugin.NewManager(plugin.WithIndexURL(ts.URL + "/index.yaml"))
+	err := manager.Update(context.Background())
+	require.NoError(t, err)
+
+	indexPath := filepath.Join(tempDir, "plugin", "index.yaml")
+	assert.FileExists(t, indexPath)
+
+	b, err := os.ReadFile(indexPath)
+	require.NoError(t, err)
+	assert.Equal(t, "this is index", string(b))
+}
+
+func TestManager_Search(t *testing.T) {
+	tests := []struct {
+		name    string
+		keyword string
+		dir     string
+		want    string
+		wantErr string
+	}{
+		{
+			name:    "all plugins",
+			keyword: "",
+			dir:     "testdata",
+			want: `NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+foo                  A foo plugin                                                 aquasecurity           ✓
+bar                  A bar plugin                                                 aquasecurity         
+test                 A test plugin                                                aquasecurity         
+`,
+		},
+		{
+			name:    "keyword",
+			keyword: "bar",
+			dir:     "testdata",
+			want: `NAME                 DESCRIPTION                                                  MAINTAINER           OUTPUT
+bar                  A bar plugin                                                 aquasecurity         
+`,
+		},
+		{
+			name:    "no index",
+			keyword: "",
+			dir:     "unknown",
+			wantErr: "plugin index not found",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fsutils.SetCacheDir(tt.dir)
+
+			var got bytes.Buffer
+			m := plugin.NewManager(plugin.WithWriter(&got))
+			err := m.Search(context.Background(), tt.keyword)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, got.String())
+		})
+	}
+}

pkg/plugin/index_test.go

@@ -0,0 +1,355 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/samber/lo"
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+
+	"github.com/aquasecurity/trivy/pkg/downloader"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
+)
+
+const configFile = "plugin.yaml"
+
+var (
+	pluginsRelativeDir = filepath.Join(".trivy", "plugins")
+
+	_defaultManager *Manager
+)
+
+type ManagerOption func(indexer *Manager)
+
+func WithWriter(w io.Writer) ManagerOption {
+	return func(indexer *Manager) {
+		indexer.w = w
+	}
+}
+
+func WithIndexURL(indexURL string) ManagerOption {
+	return func(indexer *Manager) {
+		indexer.indexURL = indexURL
+	}
+}
+
+// Manager manages the plugins
+type Manager struct {
+	w          io.Writer
+	indexURL   string
+	logger     *log.Logger
+	pluginRoot string
+	indexPath  string
+}
+
+func NewManager(opts ...ManagerOption) *Manager {
+	m := &Manager{
+		w:          os.Stdout,
+		indexURL:   indexURL,
+		logger:     log.WithPrefix("plugin"),
+		pluginRoot: filepath.Join(fsutils.HomeDir(), pluginsRelativeDir),
+		indexPath:  filepath.Join(fsutils.CacheDir(), "plugin", "index.yaml"),
+	}
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}
+
+func defaultManager() *Manager {
+	if _defaultManager == nil {
+		_defaultManager = NewManager()
+	}
+	return _defaultManager
+}
+
+func Install(ctx context.Context, name string, opts Options) (Plugin, error) {
+	return defaultManager().Install(ctx, name, opts)
+}
+func Start(ctx context.Context, name string, opts Options) (Wait, error) {
+	return defaultManager().Start(ctx, name, opts)
+}
+func RunWithURL(ctx context.Context, name string, opts Options) error {
+	return defaultManager().RunWithURL(ctx, name, opts)
+}
+func Upgrade(ctx context.Context, names []string) error { return defaultManager().Upgrade(ctx, names) }
+func Uninstall(ctx context.Context, name string) error  { return defaultManager().Uninstall(ctx, name) }
+func Information(name string) error                     { return defaultManager().Information(name) }
+func List(ctx context.Context) error                    { return defaultManager().List(ctx) }
+func Update(ctx context.Context) error                  { return defaultManager().Update(ctx) }
+func Search(ctx context.Context, keyword string) error  { return defaultManager().Search(ctx, keyword) }
+
+// Install installs a plugin
+func (m *Manager) Install(ctx context.Context, name string, opts Options) (Plugin, error) {
+	src := m.tryIndex(ctx, name)
+
+	// If the plugin is already installed, it skips installing the plugin.
+	if p, installed := m.isInstalled(ctx, src); installed {
+		m.logger.InfoContext(ctx, "The plugin is already installed", log.String("name", p.Name))
+		return p, nil
+	}
+
+	m.logger.InfoContext(ctx, "Installing the plugin...", log.String("src", src))
+	return m.install(ctx, src, opts)
+}
+
+func (m *Manager) install(ctx context.Context, src string, opts Options) (Plugin, error) {
+	tempDir, err := downloader.DownloadToTempDir(ctx, src)
+	if err != nil {
+		return Plugin{}, xerrors.Errorf("download failed: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	m.logger.DebugContext(ctx, "Loading the plugin metadata...")
+	plugin, err := m.loadMetadata(tempDir)
+	if err != nil {
+		return Plugin{}, xerrors.Errorf("failed to load the plugin metadata: %w", err)
+	}
+
+	if err = plugin.install(ctx, plugin.Dir(), tempDir, opts); err != nil {
+		return Plugin{}, xerrors.Errorf("failed to install the plugin: %w", err)
+	}
+
+	// Copy plugin.yaml into the plugin dir
+	f, err := os.Create(filepath.Join(plugin.Dir(), configFile))
+	if err != nil {
+		return Plugin{}, xerrors.Errorf("failed to create plugin.yaml: %w", err)
+	}
+	defer f.Close()
+
+	if err = yaml.NewEncoder(f).Encode(plugin); err != nil {
+		return Plugin{}, xerrors.Errorf("yaml encode error: %w", err)
+	}
+
+	m.logger.InfoContext(ctx, "Plugin successfully installed", log.String("name", plugin.Name))
+
+	return plugin, nil
+}
+
+// Uninstall installs the plugin
+func (m *Manager) Uninstall(ctx context.Context, name string) error {
+	pluginDir := filepath.Join(m.pluginRoot, name)
+	if !fsutils.DirExists(pluginDir) {
+		m.logger.ErrorContext(ctx, "No such plugin")
+		return nil
+	}
+	if err := os.RemoveAll(pluginDir); err != nil {
+		return xerrors.Errorf("failed to uninstall the plugin: %w", err)
+	}
+	m.logger.InfoContext(ctx, "Plugin successfully uninstalled", log.String("name", name))
+	return nil
+}
+
+// Information gets the information about an installed plugin
+func (m *Manager) Information(name string) error {
+	plugin, err := m.load(name)
+	if err != nil {
+		return xerrors.Errorf("plugin load error: %w", err)
+	}
+
+	_, err = fmt.Fprintf(m.w, `
+Plugin: %s
+  Version:     %s
+  Summary:     %s
+  Description: %s
+`, plugin.Name, plugin.Version, plugin.Summary, plugin.Description)
+
+	return err
+}
+
+// List gets a list of all installed plugins
+func (m *Manager) List(ctx context.Context) error {
+	s, err := m.list(ctx)
+	if err != nil {
+		return xerrors.Errorf("unable to list plugins: %w", err)
+	}
+	_, err = fmt.Fprintf(m.w, "%s\n", s)
+	return err
+}
+
+func (m *Manager) list(ctx context.Context) (string, error) {
+	if _, err := os.Stat(m.pluginRoot); err != nil {
+		if os.IsNotExist(err) {
+			return "No Installed Plugins", nil
+		}
+		return "", xerrors.Errorf("stat error: %w", err)
+	}
+	plugins, err := m.LoadAll(ctx)
+	if err != nil {
+		return "", xerrors.Errorf("unable to load plugins: %w", err)
+	} else if len(plugins) == 0 {
+		return "No Installed Plugins", nil
+	}
+	pluginList := []string{"Installed Plugins:"}
+	for _, plugin := range plugins {
+		pluginList = append(pluginList, fmt.Sprintf("  Name:    %s\n  Version: %s\n", plugin.Name, plugin.Version))
+	}
+
+	return strings.Join(pluginList, "\n"), nil
+}
+
+// Upgrade upgrades an existing plugins
+func (m *Manager) Upgrade(ctx context.Context, names []string) error {
+	if len(names) == 0 {
+		plugins, err := m.LoadAll(ctx)
+		if err != nil {
+			return xerrors.Errorf("unable to load plugins: %w", err)
+		} else if len(plugins) == 0 {
+			m.logger.InfoContext(ctx, "No installed plugins")
+			return nil
+		}
+		names = lo.Map(plugins, func(p Plugin, _ int) string { return p.Name })
+	}
+	for _, name := range names {
+		if err := m.upgrade(ctx, name); err != nil {
+			return xerrors.Errorf("unable to upgrade '%s' plugin: %w", name, err)
+		}
+	}
+	return nil
+}
+
+func (m *Manager) upgrade(ctx context.Context, name string) error {
+	plugin, err := m.load(name)
+	if err != nil {
+		return xerrors.Errorf("plugin load error: %w", err)
+	}
+
+	logger := m.logger.With("name", name)
+	logger.InfoContext(ctx, "Upgrading plugin...")
+	updated, err := m.install(ctx, plugin.Repository, Options{
+		// Use the current installed platform
+		Platform: ftypes.Platform{
+			Platform: &v1.Platform{
+				OS:           plugin.Installed.Platform.OS,
+				Architecture: plugin.Installed.Platform.Arch,
+			},
+		},
+	})
+	if err != nil {
+		return xerrors.Errorf("unable to perform an upgrade installation: %w", err)
+	}
+
+	if plugin.Version == updated.Version {
+		logger.InfoContext(ctx, "The plugin is up-to-date", log.String("version", plugin.Version))
+	} else {
+		logger.InfoContext(ctx, "Plugin upgraded",
+			log.String("from", plugin.Version), log.String("to", updated.Version))
+	}
+	return nil
+}
+
+// LoadAll loads all plugins
+func (m *Manager) LoadAll(ctx context.Context) ([]Plugin, error) {
+	dirs, err := os.ReadDir(m.pluginRoot)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to read %s: %w", m.pluginRoot, err)
+	}
+
+	var plugins []Plugin
+	for _, d := range dirs {
+		if !d.IsDir() {
+			continue
+		}
+		plugin, err := m.loadMetadata(filepath.Join(m.pluginRoot, d.Name()))
+		if err != nil {
+			m.logger.WarnContext(ctx, "Plugin load error", log.Err(err))
+			continue
+		}
+		plugins = append(plugins, plugin)
+	}
+	return plugins, nil
+}
+
+// Start starts the plugin
+func (m *Manager) Start(ctx context.Context, name string, opts Options) (Wait, error) {
+	plugin, err := m.load(name)
+	if err != nil {
+		return nil, xerrors.Errorf("plugin load error: %w", err)
+	}
+
+	wait, err := plugin.Start(ctx, opts)
+	if err != nil {
+		return nil, xerrors.Errorf("unable to run %s plugin: %w", plugin.Name, err)
+	}
+	return wait, nil
+}
+
+// RunWithURL runs the plugin
+func (m *Manager) RunWithURL(ctx context.Context, name string, opts Options) error {
+	plugin, err := m.Install(ctx, name, opts)
+	if err != nil {
+		return xerrors.Errorf("plugin install error: %w", err)
+	}
+
+	if err = plugin.Run(ctx, opts); err != nil {
+		return xerrors.Errorf("unable to run %s plugin: %w", plugin.Name, err)
+	}
+	return nil
+}
+
+func (m *Manager) load(name string) (Plugin, error) {
+	pluginDir := filepath.Join(m.pluginRoot, name)
+	if _, err := os.Stat(pluginDir); err != nil {
+		if os.IsNotExist(err) {
+			return Plugin{}, xerrors.Errorf("could not find a plugin called '%s', did you install it?", name)
+		}
+		return Plugin{}, xerrors.Errorf("plugin stat error: %w", err)
+	}
+
+	plugin, err := m.loadMetadata(pluginDir)
+	if err != nil {
+		return Plugin{}, xerrors.Errorf("unable to load plugin metadata: %w", err)
+	}
+
+	return plugin, nil
+}
+
+func (m *Manager) loadMetadata(dir string) (Plugin, error) {
+	filePath := filepath.Join(dir, configFile)
+	f, err := os.Open(filePath)
+	if err != nil {
+		return Plugin{}, xerrors.Errorf("file open error: %w", err)
+	}
+	defer f.Close()
+
+	var plugin Plugin
+	if err = yaml.NewDecoder(f).Decode(&plugin); err != nil {
+		return Plugin{}, xerrors.Errorf("yaml decode error: %w", err)
+	}
+
+	if plugin.Name == "" {
+		return Plugin{}, xerrors.Errorf("'name' is empty")
+	}
+
+	// e.g. ~/.trivy/plugins/kubectl
+	plugin.dir = filepath.Join(m.pluginRoot, plugin.Name)
+
+	if plugin.Summary == "" && plugin.Usage != "" {
+		plugin.Summary = plugin.Usage // For backward compatibility
+		plugin.Usage = ""
+	}
+
+	return plugin, nil
+}
+
+func (m *Manager) isInstalled(ctx context.Context, url string) (Plugin, bool) {
+	installedPlugins, err := m.LoadAll(ctx)
+	if err != nil {
+		return Plugin{}, false
+	}
+
+	for _, plugin := range installedPlugins {
+		if plugin.Repository == url {
+			return plugin, true
+		}
+	}
+	return Plugin{}, false
+}

pkg/plugin/manager.go

@@ -3,48 +3,41 @@ package plugin
 import (
 	"context"
 	"errors"
-	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
-	"strings"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
-	"gopkg.in/yaml.v3"
 
 	"github.com/aquasecurity/trivy/pkg/downloader"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
 )
 
-const (
-	configFile = "plugin.yaml"
-)
-
-var (
-	pluginsRelativeDir = filepath.Join(".trivy", "plugins")
-
-	officialPlugins = map[string]string{
-		"kubectl": "github.com/aquasecurity/trivy-plugin-kubectl",
-		"aqua":    "github.com/aquasecurity/trivy-plugin-aqua",
-	}
-)
-
 // Plugin represents a plugin.
 type Plugin struct {
 	Name        string     `yaml:"name"`
 	Repository  string     `yaml:"repository"`
 	Version     string     `yaml:"version"`
-	Usage       string     `yaml:"usage"`
+	Summary     string     `yaml:"summary"`
+	Usage       string     `yaml:"usage"` // Deprecated: Use summary instead
 	Description string     `yaml:"description"`
 	Platforms   []Platform `yaml:"platforms"`
 
-	// runtime environment for testability
-	GOOS   string `yaml:"_goos"`
-	GOARCH string `yaml:"_goarch"`
+	// Installed holds the metadata about installation
+	Installed Installed `yaml:"installed"`
+
+	// dir points to the directory where the plugin is installed
+	dir string
+}
+
+type Installed struct {
+	Platform Selector `yaml:"platform"`
 }
 
 // Platform represents where the execution file exists per platform.
@@ -56,22 +49,23 @@ type Platform struct {
 
 // Selector represents the environment.
 type Selector struct {
-	OS   string
-	Arch string
+	OS   string `yaml:"os"`
+	Arch string `yaml:"arch"`
 }
 
-type RunOptions struct {
-	Args  []string
-	Stdin io.Reader
+type Options struct {
+	Args     []string
+	Stdin    io.Reader // For output plugin
+	Platform ftypes.Platform
 }
 
-func (p Plugin) Cmd(ctx context.Context, opts RunOptions) (*exec.Cmd, error) {
-	platform, err := p.selectPlatform()
+func (p *Plugin) Cmd(ctx context.Context, opts Options) (*exec.Cmd, error) {
+	platform, err := p.selectPlatform(ctx, opts)
 	if err != nil {
 		return nil, xerrors.Errorf("platform selection error: %w", err)
 	}
 
-	execFile := filepath.Join(dir(), p.Name, platform.Bin)
+	execFile := filepath.Join(p.Dir(), platform.Bin)
 
 	cmd := exec.CommandContext(ctx, execFile, opts.Args...)
 	cmd.Stdin = os.Stdin
@@ -90,7 +84,7 @@ type Wait func() error
 // Start starts the plugin
 //
 // After a successful call to Start the Wait method must be called.
-func (p Plugin) Start(ctx context.Context, opts RunOptions) (Wait, error) {
+func (p *Plugin) Start(ctx context.Context, opts Options) (Wait, error) {
 	cmd, err := p.Cmd(ctx, opts)
 	if err != nil {
 		return nil, xerrors.Errorf("cmd: %w", err)
@@ -103,7 +97,7 @@ func (p Plugin) Start(ctx context.Context, opts RunOptions) (Wait, error) {
 }
 
 // Run runs the plugin
-func (p Plugin) Run(ctx context.Context, opts RunOptions) error {
+func (p *Plugin) Run(ctx context.Context, opts Options) error {
 	cmd, err := p.Cmd(ctx, opts)
 	if err != nil {
 		return xerrors.Errorf("cmd: %w", err)
@@ -124,13 +118,15 @@ func (p Plugin) Run(ctx context.Context, opts RunOptions) error {
 	return nil
 }
 
-func (p Plugin) selectPlatform() (Platform, error) {
+func (p *Plugin) selectPlatform(ctx context.Context, opts Options) (Platform, error) {
 	// These values are only filled in during unit tests.
-	if p.GOOS == "" {
-		p.GOOS = runtime.GOOS
+	goos := runtime.GOOS
+	if opts.Platform.Platform != nil && opts.Platform.OS != "" {
+		goos = opts.Platform.OS
 	}
-	if p.GOARCH == "" {
-		p.GOARCH = runtime.GOARCH
+	goarch := runtime.GOARCH
+	if opts.Platform.Platform != nil && opts.Platform.Architecture != "" {
+		goarch = opts.Platform.Architecture
 	}
 
 	for _, platform := range p.Platforms {
@@ -139,250 +135,34 @@ func (p Plugin) selectPlatform() (Platform, error) {
 		}
 
 		selector := platform.Selector
-		if (selector.OS == "" || p.GOOS == selector.OS) &&
-			(selector.Arch == "" || p.GOARCH == selector.Arch) {
-			log.Debug("Platform found",
+		if (selector.OS == "" || goos == selector.OS) &&
+			(selector.Arch == "" || goarch == selector.Arch) {
+			log.DebugContext(ctx, "Platform found",
 				log.String("os", selector.OS), log.String("arch", selector.Arch))
 			return platform, nil
 		}
 	}
 	return Platform{}, xerrors.New("platform not found")
 }
 
-func (p Plugin) install(ctx context.Context, dst, pwd string) error {
-	log.Debug("Installing the plugin...", log.String("path", dst))
-	platform, err := p.selectPlatform()
+func (p *Plugin) install(ctx context.Context, dst, pwd string, opts Options) error {
+	log.DebugContext(ctx, "Installing the plugin...", log.String("path", dst))
+	platform, err := p.selectPlatform(ctx, opts)
 	if err != nil {
 		return xerrors.Errorf("platform selection error: %w", err)
 	}
+	p.Installed.Platform = lo.FromPtr(platform.Selector)
 
-	log.Debug("Downloading the execution file...", log.String("uri", platform.URI))
+	log.DebugContext(ctx, "Downloading the execution file...", log.String("uri", platform.URI))
 	if err = downloader.Download(ctx, platform.URI, dst, pwd); err != nil {
 		return xerrors.Errorf("unable to download the execution file (%s): %w", platform.URI, err)
 	}
 	return nil
 }
 
-func (p Plugin) dir() (string, error) {
-	if p.Name == "" {
-		return "", xerrors.Errorf("'name' is empty")
-	}
-
-	// e.g. ~/.trivy/plugins/kubectl
-	return filepath.Join(dir(), p.Name), nil
-}
-
-// Install installs a plugin
-func Install(ctx context.Context, url string, force bool) (Plugin, error) {
-	// Replace short names with full qualified names
-	// e.g. kubectl => github.com/aquasecurity/trivy-plugin-kubectl
-	if v, ok := officialPlugins[url]; ok {
-		url = v
-	}
-
-	if !force {
-		// If the plugin is already installed, it skips installing the plugin.
-		if p, installed := isInstalled(url); installed {
-			return p, nil
-		}
-	}
-
-	log.Info("Installing the plugin...", log.String("url", url))
-	tempDir, err := downloader.DownloadToTempDir(ctx, url)
-	if err != nil {
-		return Plugin{}, xerrors.Errorf("download failed: %w", err)
-	}
-	defer os.RemoveAll(tempDir)
-
-	log.Info("Loading the plugin metadata...")
-	plugin, err := loadMetadata(tempDir)
-	if err != nil {
-		return Plugin{}, xerrors.Errorf("failed to load the plugin metadata: %w", err)
-	}
-
-	pluginDir, err := plugin.dir()
-	if err != nil {
-		return Plugin{}, xerrors.Errorf("failed to determine the plugin dir: %w", err)
-	}
-
-	if err = plugin.install(ctx, pluginDir, tempDir); err != nil {
-		return Plugin{}, xerrors.Errorf("failed to install the plugin: %w", err)
-	}
-
-	// Copy plugin.yaml into the plugin dir
-	if _, err = fsutils.CopyFile(filepath.Join(tempDir, configFile), filepath.Join(pluginDir, configFile)); err != nil {
-		return Plugin{}, xerrors.Errorf("failed to copy plugin.yaml: %w", err)
-	}
-
-	return plugin, nil
-}
-
-// Uninstall installs the plugin
-func Uninstall(name string) error {
-	pluginDir := filepath.Join(dir(), name)
-	return os.RemoveAll(pluginDir)
-}
-
-// Information gets the information about an installed plugin
-func Information(name string) (string, error) {
-	plugin, err := load(name)
-	if err != nil {
-		return "", xerrors.Errorf("plugin load error: %w", err)
-	}
-
-	return fmt.Sprintf(`
-Plugin: %s
-  Description: %s
-  Version:     %s
-  Usage:       %s
-`, plugin.Name, plugin.Description, plugin.Version, plugin.Usage), nil
-}
-
-// List gets a list of all installed plugins
-func List() (string, error) {
-	if _, err := os.Stat(dir()); err != nil {
-		if os.IsNotExist(err) {
-			return "No Installed Plugins\n", nil
-		}
-		return "", xerrors.Errorf("stat error: %w", err)
-	}
-	plugins, err := LoadAll()
-	if err != nil {
-		return "", xerrors.Errorf("unable to load plugins: %w", err)
-	}
-	pluginList := []string{"Installed Plugins:"}
-	for _, plugin := range plugins {
-		pluginList = append(pluginList, fmt.Sprintf("  Name:    %s\n  Version: %s\n", plugin.Name, plugin.Version))
-	}
-
-	return strings.Join(pluginList, "\n"), nil
-}
-
-// Update updates an existing plugin
-func Update(name string) error {
-	plugin, err := load(name)
-	if err != nil {
-		return xerrors.Errorf("plugin load error: %w", err)
-	}
-
-	logger := log.With("name", name)
-	logger.Info("Updating plugin...")
-	updated, err := Install(nil, plugin.Repository, true)
-	if err != nil {
-		return xerrors.Errorf("unable to perform an update installation: %w", err)
-	}
-
-	if plugin.Version == updated.Version {
-		logger.Info("The plugin is up-to-date", log.String("version", plugin.Version))
-	} else {
-		logger.Info("Plugin updated",
-			log.String("from", plugin.Version), log.String("to", updated.Version))
-	}
-	return nil
-}
-
-// LoadAll loads all plugins
-func LoadAll() ([]Plugin, error) {
-	pluginsDir := dir()
-	dirs, err := os.ReadDir(pluginsDir)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to read %s: %w", pluginsDir, err)
-	}
-
-	var plugins []Plugin
-	for _, d := range dirs {
-		if !d.IsDir() {
-			continue
-		}
-		plugin, err := loadMetadata(filepath.Join(pluginsDir, d.Name()))
-		if err != nil {
-			log.Warn("Plugin load error", log.Err(err))
-			continue
-		}
-		plugins = append(plugins, plugin)
-	}
-	return plugins, nil
-}
-
-// Start starts the plugin
-func Start(ctx context.Context, name string, opts RunOptions) (Wait, error) {
-	plugin, err := load(name)
-	if err != nil {
-		return nil, xerrors.Errorf("plugin load error: %w", err)
-	}
-
-	wait, err := plugin.Start(ctx, opts)
-	if err != nil {
-		return nil, xerrors.Errorf("unable to run %s plugin: %w", plugin.Name, err)
-	}
-	return wait, nil
-}
-
-// RunWithURL runs the plugin with URL
-func RunWithURL(ctx context.Context, url string, opts RunOptions) error {
-	plugin, err := Install(ctx, url, false)
-	if err != nil {
-		return xerrors.Errorf("plugin install error: %w", err)
-	}
-
-	if err = plugin.Run(ctx, opts); err != nil {
-		return xerrors.Errorf("unable to run %s plugin: %w", plugin.Name, err)
-	}
-	return nil
-}
-
-func IsPredefined(name string) bool {
-	_, ok := officialPlugins[name]
-	return ok
-}
-
-func load(name string) (Plugin, error) {
-	pluginDir := filepath.Join(dir(), name)
-	if _, err := os.Stat(pluginDir); err != nil {
-		if os.IsNotExist(err) {
-			return Plugin{}, xerrors.Errorf("could not find a plugin called '%s', did you install it?", name)
-		}
-		return Plugin{}, xerrors.Errorf("plugin stat error: %w", err)
-	}
-
-	plugin, err := loadMetadata(pluginDir)
-	if err != nil {
-		return Plugin{}, xerrors.Errorf("unable to load plugin metadata: %w", err)
-	}
-
-	return plugin, nil
-}
-
-func loadMetadata(dir string) (Plugin, error) {
-	filePath := filepath.Join(dir, configFile)
-	f, err := os.Open(filePath)
-	if err != nil {
-		return Plugin{}, xerrors.Errorf("file open error: %w", err)
-	}
-	defer f.Close()
-
-	var plugin Plugin
-	if err = yaml.NewDecoder(f).Decode(&plugin); err != nil {
-		return Plugin{}, xerrors.Errorf("yaml decode error: %w", err)
-	}
-
-	return plugin, nil
-}
-
-func dir() string {
-	return filepath.Join(fsutils.HomeDir(), pluginsRelativeDir)
-}
-
-func isInstalled(url string) (Plugin, bool) {
-	installedPlugins, err := LoadAll()
-	if err != nil {
-		return Plugin{}, false
-	}
-
-	for _, plugin := range installedPlugins {
-		if plugin.Repository == url {
-			return plugin, true
-		}
+func (p *Plugin) Dir() string {
+	if p.dir != "" {
+		return p.dir
 	}
-	return Plugin{}, false
+	return filepath.Join(fsutils.HomeDir(), pluginsRelativeDir, p.Name)
 }

pkg/plugin/plugin_test.go renamed to pkg/plugin/manager_test.go

@@ -0,0 +1,15 @@
+version: 1
+plugins:
+  - name: foo
+    output: true
+    maintainer: aquasecurity
+    summary: A foo plugin
+    repository: github.com/aquasecurity/trivy-plugin-foo
+  - name: bar
+    maintainer: aquasecurity
+    summary: A bar plugin
+    repository: github.com/aquasecurity/trivy-plugin-bar
+  - name: test
+    maintainer: aquasecurity
+    summary: A test plugin
+    repository: testdata/test_plugin

pkg/plugin/plugin.go

@@ -1,7 +1,7 @@
 name: "test_plugin"
 repository: github.com/aquasecurity/trivy-plugin-test
 version: "0.1.0"
-usage: test
+summary: test
 description: test
 platforms:
   - selector:

pkg/plugin/testdata/plugin/index.yaml

@@ -1,6 +1,7 @@
 package fsutils
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -84,6 +85,14 @@ func DirExists(path string) bool {
 	return true
 }
 
+func FileExists(filename string) bool {
+	_, err := os.Stat(filename)
+	if errors.Is(err, os.ErrNotExist) {
+		return false
+	}
+	return err == nil
+}
+
 type WalkDirRequiredFunc func(path string, d fs.DirEntry) bool
 
 type WalkDirFunc func(path string, d fs.DirEntry, r io.Reader) error