Implement a Falco plugin in Go using the plugin-sdk-go SDK: register source and extractor capabilities in init(), implement Open() to return a source.Instance, and implement NextBatch() to generate batched events
Add github.com/falcosecurity/plugin-sdk-go as a Go module dependency
In your plugin package's init() function call plugins.SetFactory() with a FactoryFunc that constructs your plugin struct and calls source.Register(p) and extractor.Register(p) as needed
Implement the Info() method returning plugin name, version, and event-source name
Implement Open(params string) (source.Instance, error) to create a new event-stream instance per open call
Implement NextBatch(pState sdk.PluginState, evts sdk.EventWriters) (int, error) on your instance struct to fill the provided sdk.EventWriters batch and return the count produced
Implement Extract(req sdk.ExtractRequest, evt sdk.EventReader) error on your plugin struct to populate extraction fields from raw event data
Known gotchas
source.Register() and extractor.Register() must be called inside the FactoryFunc body, not at package init level; missing methods for a registered capability cause a compile-time error
NextBatch reuses the same sdk.EventWriters slab on every call; never hold references to EventWriter objects across batch boundaries
The plugin shared library must export the plugin_get_required_api_version symbol via the C plugin ABI; building with 'go build -buildmode=c-shared' and importing the sdk/plugins/wrappers package handles this automatically
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp