Rule Configuration & Skipping

The security scanning system uses a configurable, opt-in rule model to minimise false positives while maintaining security standards. Site administrators control which rules are active and which may be skipped; developers may then opt out of specific skippable rules during upload.

Administrator Rule Configuration

Site administrators can configure security rules through the Django admin interface:

  • Enabled/Disabled: Rules ship with sensible defaults — critical and warning rules are enabled; info (style/cosmetic) rules are disabled. Only enabled rules are checked during scans.
  • Skippable: Each rule can be marked skippable or non-skippable. Critical rules are non-skippable by default and cannot be bypassed by developers. Warning and info rules are skippable by default.
  • Severity: Rules are categorised by severity (Critical, Warning, Info), which determines how they are displayed and whether they block plugin approval.
  • Bulk Actions: The admin interface provides bulk actions to enable, disable, or toggle skippability for multiple rules at once.
Developer Rule Skipping

When uploading a plugin version you can choose to skip specific security rules that produce known false positives for your plugin. For example:

  • A plugin that safely uses XML parsing may skip Bandit's XML-related warnings if those uses have been verified as secure.
  • A plugin that includes vendored third-party libraries may skip secrets detection for those specific files if they contain test keys or example configurations.
  • A plugin with intentional style choices may skip specific Flake8 rules that conflict with the project's coding standards.

Important limitations:

  • Only rules that are both enabled AND marked as skippable by administrators can be skipped by developers.
  • Non-skippable rules (typically the most critical security checks) cannot be bypassed via the skip mechanism. Consider using security config files to suppress specific findings within those tools.
  • All skipped rules are logged and visible to administrators, creating an audit trail.
  • The skip list is displayed on the version detail page's Security tab.
  • XML-RPC uploads automatically skip all skippable rules. The legacy XML-RPC upload interface (plugin.upload / plugin.uploadVersion) has a fixed binary parameter signature and cannot accept a rule-skip list from the client. As a result, the server automatically skips every rule that is currently marked as skippable on behalf of XML-RPC callers. This mirrors the most permissive choice a developer could make via the web form. Only non-skippable (mandatory) rules are enforced for XML-RPC uploads.
Skipping Rules via the Web Upload Form
  1. Navigate to the plugin upload page or version creation form.
  2. Below the file upload field, a Security Rules panel lists all enabled, skippable rules (only shown if at least one such rule is configured).
  3. All rules start with their toggle ON (enabled — will be checked during the scan). Click a row or the toggle switch to turn a rule OFF and skip it for this upload. Each rule shows its code, name, severity, and a short description. A counter in the panel header tracks how many rules will actually run.
  4. Upload your plugin as normal.
  5. Rules toggled OFF are excluded from the scan for this specific version only and do not affect any other version.
  6. View which rules were skipped in the Security tab on the version detail page.
Skipping Rules via the Token-Based REST API

When uploading with an authentication token, include one skip_security_rules POST field per rule you want to skip. The value must be the rule's check code exactly as shown on the Security Rules reference page (e.g. B311, KeywordDetector, E722).

# Upload and skip two skippable rules
curl -X POST https://plugins.qgis.org/plugins/<plugin-slug>/version/add/ \
  -H "Authorization: Token <your-token>" \
  -F "[email protected]" \
  -F "skip_security_rules=B311" \
  -F "skip_security_rules=KeywordDetector"
  • Only rules that are enabled and marked skippable by an administrator can be skipped this way.
  • Check codes are case-sensitive. Unknown or non-skippable codes are silently ignored.
  • Skipped rules are recorded and visible on the version detail page's Security tab.
Requesting Rule Configuration Changes

If you believe a rule is producing excessive false positives or should be made skippable:

  • File an issue on the QGIS-Plugins-Website GitHub repository explaining the specific rule and why it's problematic.
  • Provide concrete examples of false positives from your plugin.
  • Site administrators will review the request and may adjust the rule configuration or provide guidance.

Config Files

Suppress false positives using tool config files bundled in your ZIP.

Config Files Guide

Troubleshooting

Blocked plugin? Find out how to resolve issues and get help.

Troubleshooting