Security Scanning
Every plugin version uploaded to the QGIS Plugins Website is automatically scanned using
industry-standard open-source security tools. Scans run asynchronously in
the background immediately after upload. Checks are divided into two tiers:
-
Blocking (CRITICAL) — Bandit and
detect-secrets. A plugin version is blocked from download and
approval until critical findings are resolved by uploading a new, clean version.
-
Non-blocking (INFO / WARNING) — Flake8, file
permissions, and suspicious file detection. Results are informational and do not
affect availability.
Validation Statuses
-
Validating — The scan is queued or running. The version is not yet
available for download or approval.
-
Validated — All checks passed (no critical issues). The version is
available for approval; trusted users are approved automatically.
-
Validated (configured) — All checks passed
and one or more
security config files
were detected in the plugin ZIP. Fully available for approval — identical to
Validated — but the distinct status flags that scanner behaviour was
influenced by developer-supplied config.
-
Blocked — One or more critical issues were
found. The version cannot be downloaded or approved until a new, fixed version is
uploaded.
Upload Flow
- You upload a plugin ZIP file.
-
The plugin passes structural validation (metadata, package format, size limits) and is
saved to the database with status Validating.
-
You receive a confirmation email acknowledging receipt and noting that
checks are running.
- Security and quality checks run asynchronously in the background.
-
You receive a results email once checks complete:
-
All checks passed — your plugin is now available. Trusted users are
auto-approved; others await staff approval.
-
Critical issues found — your plugin is blocked. The email lists the
specific findings so you can fix them.
-
Full scan details are always available on the version detail page under the
Security tab.
Remember: The security scanner is here to help you create safer,
higher-quality plugins. Critical findings must be resolved, but non-blocking results are
purely advisory — use them as a guide for continuous improvement.
Detailed Documentation
Security Tools
Bandit, detect-secrets, Flake8, and File Analysis — what each tool checks,
severity levels, how to read results, and how to run them locally.
Security Tools
Rules Reference
Full live list of every security and quality rule with its severity,
enabled/disabled status, and skip permissions.
View All Rules
Rule Skipping
How to skip skippable rules during upload via the web form or REST API,
administrator configuration, and how to request rule changes.
Rule Skipping Guide
Config Files
Suppress specific findings by bundling .bandit,
.secrets.baseline, or .flake8 config files inside
your plugin ZIP.
Config Files Guide
Troubleshooting
Resolving a blocked plugin, dealing with false positives, raising an issue
about a mandatory check, and getting support.
Troubleshooting