Sensu Go plugin distribution model

What’s still not clear to me, and what doesn’t seem to be clear to other either 1 2, is:

  • Executing checks with commands from assets with sudo
  • Having the sensu user be able to find the path to commands from assets

With Sensu Core, I added secure_path to sudoers. I cannot do the same with Sensu Go, as the path to an asset is unknown (/var/cache/sensu/sensu-agent/$somethingunknown). Then, I would allow the sensu user to execute anything in /opt/sensu/embedded/bin, which I - again - cannot do as the path to asset’s commands are unknown.

How are others solving this issue?