Security Scanning

Overview

Every plugin version uploaded to the QGIS Plugins Website is automatically scanned using industry-standard open-source security tools. Scans run asynchronously in the background immediately after upload. Checks are divided into two tiers:

  • Blocking (CRITICAL) — Bandit and Secrets Detection. A plugin version is blocked from download and approval until critical findings are resolved by uploading a new, clean version.
  • Non-blocking (INFO / WARNING) — Flake8, file permissions, and suspicious file detection. Results are informational and do not affect availability.

Validation Statuses
  • Validating — The scan is queued or running. The version is not yet available for download or approval.
  • Validated — All checks passed (no critical issues). The version is available for approval; trusted users are approved automatically.
  • Blocked — One or more critical issues were found. The version cannot be downloaded or approved until a new, fixed version is uploaded.

Upload Flow
  1. You upload a plugin ZIP file.
  2. The plugin passes structural validation (metadata, package format, size limits) and is saved to the database with status Validating.
  3. You receive a confirmation email acknowledging receipt and noting that checks are running.
  4. Security and quality checks run asynchronously in the background.
  5. You receive a results email once checks complete:
    • All checks passed — your plugin is now available. Trusted users are auto-approved; others await staff approval.
    • Critical issues found — your plugin is blocked. The email lists the specific findings so you can fix them.
  6. Full scan details are always available on the version detail page under the Security tab.

Security Tools Used
  1. Bandit BLOCKING — Static analysis for Python security issues:
    • Shell injection (subprocess with shell=True)
    • Use of unsafe built-ins (eval, exec, pickle)
    • SQL injection risks
    • Hardcoded passwords and weak cryptography
    • 100+ additional checks
  2. detect-secrets BLOCKING — Detects hardcoded secrets:
    • AWS / cloud provider credentials
    • API keys and OAuth tokens
    • Private SSH keys
    • Database connection strings
    • High-entropy strings that resemble secrets
  3. Flake8 INFORMATIONAL — Python code quality:
    • PEP 8 style violations
    • Syntax errors and undefined names
    • Unused imports and variables
  4. File Analysis INFORMATIONAL — Package structure checks:
    • Executable and hidden files
    • Suspicious file types (e.g. compiled binaries, scripts)
    • Unusual file permissions
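Two of the Bandit patterns listed above (shell injection via shell=True and an unsafe built-in, pickle), each beside the form that passes the scan. This is a constructed example for a hypothetical QGIS plugin, not code from the Plugins Website or the scanner; the function names and the settings schema are assumptions.

```python
"""Two patterns the blocking Bandit tier flags, each beside a form that passes.

Constructed example for a hypothetical QGIS plugin (function names and the
settings schema are assumptions, not part of the Plugins Website or scanner).
"""
import json
import pickle
import shlex
import subprocess

ALLOWED_SETTINGS = {"crs", "output_dir"}  # assumed plugin settings schema


def gdal_command_unsafe(src: str, dst: str) -> str:
    # Bandit B602 (shell injection): the string is handed to /bin/sh, so
    # metacharacters in a file name chosen by the user become new commands.
    return f"gdal_translate -of GTiff {src} {dst}"


def gdal_command_safe(src: str, dst: str) -> list:
    # argv list with shell=False: each element reaches gdal_translate verbatim.
    return ["gdal_translate", "-of", "GTiff", src, dst]


def shell_words(src: str, dst: str) -> list:
    # How a shell tokenises the unsafe string: extra words mean injection.
    return shlex.split(gdal_command_unsafe(src, dst))


def run_translate(src: str, dst: str) -> int:
    # The form that passes the scan; never pass shell=True here.
    return subprocess.run(gdal_command_safe(src, dst), shell=False).returncode


def load_settings_unsafe(blob: bytes) -> dict:
    # Bandit B301: pickle.loads executes whatever the blob encodes.
    return pickle.loads(blob)


def load_settings_safe(text: str) -> dict:
    # JSON cannot encode code; validate the result against a fixed schema.
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    unknown = set(data) - ALLOWED_SETTINGS
    if unknown or not all(isinstance(v, str) for v in data.values()):
        raise ValueError(f"rejected settings keys/values: {sorted(unknown)}")
    return data


if __name__ == "__main__":
    print(shell_words("map.tif; echo INJECTED", "out.tif"))
    print(load_settings_safe('{"crs": "EPSG:4326"}'))
```

Running `bandit` over this file reports the two unsafe functions and nothing for their safe counterparts, which is exactly the split the blocking tier enforces.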

Understanding Scan Results

The Security tab on every version detail page shows:

  • Summary card — Overall status, pass rate, and scan timestamp
  • Stats grid — Total checks, passed checks, warnings, critical issues, files scanned
  • Per-check details — Expandable cards for each check showing:
    • Affected file names and line numbers
    • Issue descriptions and code snippets

Manual Re-scan

Plugin editors can trigger a manual re-scan at any time from the Security tab. Re-scans are informational only — they refresh the displayed results and the scan timestamp but do not change the version's validation status or approval state. To clear a Blocked status, upload a new version with the issues resolved.

Trusted Users & Auto-approval

Users who have been granted the trusted permission (can_approve) have their plugin versions automatically approved once validation passes. Staff approvers are notified by email only after a version reaches Validated status and requires manual approval.

Severity Levels
  • CRITICAL — Blocking. Security vulnerabilities that must be fixed before the plugin can be published (e.g. hardcoded credentials, shell injection).
  • WARNING — Non-blocking. Issues that could lead to problems and should be addressed (e.g. suspicious files, executable permissions).
  • INFO — Non-blocking. Code quality suggestions (e.g. PEP 8 violations, unused imports).

Important Notes
  • ⚠️ False positives: Some findings may be false positives. For example, a password-manager plugin may legitimately handle credentials. If you believe a critical finding is incorrect, contact the site administrators.
  • 🔒 Privacy: All scans run locally on the server. No plugin code is sent to external services.
  • 📊 Transparency: Full scan results are always visible to plugin authors and administrators on the version detail page.

Resolving a Blocked Plugin
  1. Open the Security tab on the blocked version's detail page.
  2. Review the critical findings and fix them in your local copy of the plugin.
  3. Upload a new version — the new version will be scanned automatically.
  4. You cannot unblock an existing version; each new upload starts a fresh scan.

Check Your Plugin Locally

Run the same tools locally before uploading to catch issues early:

# Install the security tools
pip install bandit detect-secrets flake8

# Run checks on your plugin directory
bandit -r your_plugin_directory/
detect-secrets scan your_plugin_directory/
flake8 your_plugin_directory/

Support
  • Review the detailed scan results on your plugin's version detail page.
  • Check the linked documentation for each security tool.
  • Ask questions on the QGIS Developers mailing list.
  • File issues on the QGIS-Plugins-Website GitHub repository.

Remember: The security scanner is here to help you create safer, higher-quality plugins. Critical findings must be resolved, but non-blocking results are purely advisory — use them as a guide for continuous improvement.
