Rule Configuration & Skipping
The security scanning system uses a configurable, opt-in rule model to
minimise false positives while maintaining security standards. Site administrators control
which rules are active and which may be skipped; developers may then opt out of specific
skippable rules during upload.
Administrator Rule Configuration
Site administrators can configure security rules through the Django admin interface:
-
Enabled/Disabled: Rules ship with sensible defaults — critical
and warning rules are enabled; info (style/cosmetic) rules are
disabled. Only enabled rules are checked during scans.
-
Skippable: Each rule can be marked skippable or non-skippable.
Critical rules are non-skippable by default and cannot be bypassed by
developers. Warning and info rules are skippable by default.
-
Severity: Rules are categorised by severity (Critical, Warning, Info),
which determines how they are displayed and whether they block plugin approval.
-
Bulk Actions: The admin interface provides bulk actions to enable,
disable, or toggle skippability for multiple rules at once.
Developer Rule Skipping
When uploading a plugin version you can choose to skip specific security rules that produce
known false positives for your plugin. For example:
-
A plugin that safely uses XML parsing may skip Bandit's XML-related warnings if those
uses have been verified as secure.
-
A plugin that includes vendored third-party libraries may skip secrets detection for
those specific files if they contain test keys or example configurations.
-
A plugin with intentional style choices may skip specific Flake8 rules that conflict
with the project's coding standards.
Important limitations:
-
Only rules that are both enabled AND marked as skippable by
administrators can be skipped by developers.
-
Non-skippable rules (typically the most critical security checks) cannot be bypassed
via the skip mechanism. Consider using
security config files
to suppress specific findings within those tools.
-
All skipped rules are logged and visible to administrators, creating an audit trail.
-
The skip list is displayed on the version detail page's Security tab.
-
XML-RPC uploads automatically skip all skippable rules. The legacy
XML-RPC upload interface (
plugin.upload / plugin.uploadVersion)
has a fixed binary parameter signature and cannot accept a rule-skip list from the
client. As a result, the server automatically skips every rule that is currently
marked as skippable on behalf of XML-RPC callers. This mirrors the most
permissive choice a developer could make via the web form. Only non-skippable
(mandatory) rules are enforced for XML-RPC uploads.
Skipping Rules via the Web Upload Form
- Navigate to the plugin upload page or version creation form.
-
Below the file upload field, a Security Rules panel lists all
enabled, skippable rules (only shown if at least one such rule is configured).
-
All rules start with their toggle ON (enabled — will be checked
during the scan). Click a row or the toggle switch to turn a rule OFF
and skip it for this upload. Each rule shows its code, name, severity, and a short
description. A counter in the panel header tracks how many rules will actually run.
- Upload your plugin as normal.
-
Rules toggled OFF are excluded from the scan for this specific
version only and do not affect any other version.
-
View which rules were skipped in the Security tab on the version
detail page.
Skipping Rules via the Token-Based REST API
When uploading with an authentication token, include one skip_security_rules
POST field per rule you want to skip. The value must be the rule's
check code exactly as shown on the
Security Rules reference page
(e.g. B311, KeywordDetector, E722).
# Upload and skip two skippable rules
curl -X POST https://plugins.qgis.org/plugins/<plugin-slug>/version/add/ \
-H "Authorization: Token <your-token>" \
-F "[email protected]" \
-F "skip_security_rules=B311" \
-F "skip_security_rules=KeywordDetector"
- Only rules that are enabled and marked skippable by an
administrator can be skipped this way.
- Check codes are case-sensitive. Unknown or non-skippable codes are silently
ignored.
- Skipped rules are recorded and visible on the version detail page's
Security tab.
Requesting Rule Configuration Changes
If you believe a rule is producing excessive false positives or should be made skippable:
-
File an issue on the
QGIS-Plugins-Website GitHub repository
explaining the specific rule and why it's problematic.
- Provide concrete examples of false positives from your plugin.
-
Site administrators will review the request and may adjust the rule configuration or
provide guidance.
Config Files
Suppress false positives using tool config files bundled in your ZIP.
Config Files Guide
Troubleshooting
Blocked plugin? Find out how to resolve issues and get help.
Troubleshooting