Security Scanning

Every plugin version uploaded to the QGIS Plugins Website is automatically scanned using industry-standard open-source security tools. Scans run asynchronously in the background immediately after upload. Checks are divided into two tiers:

  • Blocking (CRITICAL) — Bandit and detect-secrets. A plugin version is blocked from download and approval until critical findings are resolved by uploading a new, clean version.
  • Non-blocking (INFO / WARNING) — Flake8, file permissions, and suspicious file detection. Results are informational and do not affect availability.
Validation Statuses
  • Validating — The scan is queued or running. The version is not yet available for download or approval.
  • Validated — All checks passed (no critical issues). The version is available for approval; trusted users are approved automatically.
  • Validated (configured) — All checks passed and one or more security config files were detected in the plugin ZIP. Fully available for approval — identical to Validated — but the distinct status flags that scanner behaviour was influenced by developer-supplied config.
  • Blocked — One or more critical issues were found. The version cannot be downloaded or approved until a new, fixed version is uploaded.
Upload Flow
  1. You upload a plugin ZIP file.
  2. The plugin passes structural validation (metadata, package format, size limits) and is saved to the database with status Validating.
  3. You receive a confirmation email acknowledging receipt and noting that checks are running.
  4. Security and quality checks run asynchronously in the background.
  5. You receive a results email once checks complete:
    • All checks passed — your plugin is now available. Trusted users are auto-approved; others await staff approval.
    • Critical issues found — your plugin is blocked. The email lists the specific findings so you can fix them.
  6. Full scan details are always available on the version detail page under the Security tab.

Remember: The security scanner is here to help you create safer, higher-quality plugins. Critical findings must be resolved, but non-blocking results are purely advisory — use them as a guide for continuous improvement.


Detailed Documentation

Rule Skipping

How to skip skippable rules during upload via the web form or REST API, administrator configuration, and how to request rule changes.

Rule Skipping Guide

Config Files

Suppress specific findings by bundling .bandit, .secrets.baseline, or .flake8 config files inside your plugin ZIP.

Config Files Guide

Troubleshooting

Resolving a blocked plugin, dealing with false positives, raising an issue about a mandatory check, and getting support.

Troubleshooting