Security Scanning Feature
Overview
The QGIS Plugins Website includes an automated security, quality, and code analysis system that scans all uploaded plugin packages using industry-standard professional security tools. This is a non-blocking, informational feature designed to help developers identify potential security issues, code quality problems, and best practice violations.
Important: These security checks are informational and do not block plugin upload or approval. Results are provided to help you improve your plugin's security and quality.
Security Tools Used
The scanner leverages professional open-source security tools:
-
Bandit - Industry-standard security linter for Python code
- Detects common security issues
- Identifies SQL injection vulnerabilities
- Finds hardcoded passwords and secrets
- Checks for unsafe function usage
-
detect-secrets - Yelp's secrets detection tool
- Finds API keys, tokens, passwords
- Detects various secret patterns
- Low false-positive rate
-
Flake8 - Python code quality checker
- PEP 8 style guide enforcement
- Syntax error detection
- Code complexity analysis
What Gets Scanned
-
Bandit Security Analysis (CRITICAL)
- Common security vulnerabilities in Python
- SQL injection risks
- Hardcoded passwords and keys
- Use of unsafe functions (eval, exec, pickle)
- Shell injection vulnerabilities
- Weak cryptography usage
- And 100+ other security checks
-
Secrets Detection (CRITICAL)
- API keys and tokens
- AWS credentials
- Private SSH keys
- Database connection strings
- OAuth tokens
- Generic high-entropy strings
-
Code Quality - Flake8 (INFO)
- Python syntax errors
- PEP 8 style violations
- Undefined names
- Unused imports
- Code complexity warnings
-
File Analysis (INFO/WARNING)
- Executable files detection
- Hidden files
- Suspicious file types
- Unusual file permissions
How It Works
Upload Flow:
- User uploads a plugin ZIP file
- Plugin passes blocking validation (metadata, structure, size limits)
- Security scan runs automatically during the upload process
- Plugin is saved to database
- Results are stored and displayed immediately
- User sees scan summary in success messages
- Full details available on version detail page
Note: The security scan runs synchronously during upload, which means the upload process completes once the scan finishes. This typically takes a few seconds for most plugins.
Understanding Scan Results
Each plugin version has a dedicated Security Scan tab showing:
- Summary Card: Overall status, pass rate percentage, scan timestamp
- Quick Stats Grid: Total checks, passed checks, warnings, critical issues, files scanned
- Detailed Check Results: Expandable cards for each check showing:
- Affected file names
- Line numbers
- Issue descriptions
- Code snippets (when applicable)
Severity Levels
- CRITICAL: Security vulnerabilities that should be fixed immediately (e.g., hardcoded credentials, SQL injection risks)
- WARNING: Issues that could lead to problems (e.g., vulnerable dependencies, weak practices)
- INFO: Informational items and code quality suggestions (e.g., style violations, complexity warnings)
Important Notes
- ✅ Non-Blocking: Scans never prevent plugin upload or approval
- ⚠️ False Positives: Some warnings may be false positives. Review results in context of your plugin's functionality. For example, a password manager plugin may legitimately need to handle passwords.
- 🔒 Privacy: Scans run locally on the server after upload. No external services are used except for Safety database lookups.
- 📊 Transparency: All scan results are visible to plugin authors and administrators
Best Practices
- Review critical issues immediately - These may indicate serious security vulnerabilities
- Address warnings when possible - They help improve plugin security and quality
- Use external configuration - Don't hardcode secrets, API keys, or credentials in your code
- Keep dependencies updated - Regularly check for vulnerable packages
- Follow PEP 8 - Clean code is easier to audit and maintain
- Document legitimate use cases - If a warning is a false positive, consider adding comments explaining why
For Plugin Developers
To check your plugin locally before uploading:
# Install the security tools
pip install bandit detect-secrets flake8 flake8-json
# Run checks on your plugin directory
bandit -r your_plugin_directory/
detect-secrets scan your_plugin_directory/
flake8 your_plugin_directory/
Support
If you have questions about scan results or need help addressing issues:
- Review the detailed scan results on your plugin's version detail page
- Check the linked documentation for each security tool
- Ask questions on the QGIS Developers mailing list
- File issues on the QGIS-Plugins-Website GitHub repository
Remember: The security scanner is here to help you create safer, higher-quality plugins. It's a tool to support you, not a barrier to entry. We encourage iterative improvements based on scan results.
