Security Tools

Every plugin version is automatically scanned using four complementary checks. The results are available on the version detail page under the Security tab.

Severity Levels
  • CRITICAL BLOCKING — Security vulnerabilities that must be fixed before the plugin can be published (e.g. hardcoded credentials, shell injection). The version cannot be downloaded or approved until a new, clean version is uploaded.
  • WARNING NON-BLOCKING — Issues that could lead to problems and should be addressed (e.g. suspicious files, executable permissions). Results are informational only.
  • INFO NON-BLOCKING — Code quality suggestions (e.g. PEP 8 violations, unused imports). Results are informational only.
Tools
1. Bandit BLOCKING — CRITICAL

Bandit performs static analysis for Python security issues. Findings at CRITICAL severity block the plugin.

  • Shell injection (subprocess with shell=True)
  • Use of unsafe built-ins (eval, exec, pickle)
  • SQL injection risks
  • Hardcoded passwords and weak cryptography
  • 100+ additional checks

Full Bandit test catalogue: bandit.readthedocs.io

2. detect-secrets BLOCKING — CRITICAL

detect-secrets scans for hardcoded secrets and high-entropy strings that resemble credentials.

  • AWS / cloud provider credentials
  • API keys and OAuth tokens
  • Private SSH keys
  • Database connection strings
  • High-entropy strings that resemble secrets

detect-secrets documentation: github.com/Yelp/detect-secrets

3. Flake8 INFORMATIONAL

Flake8 checks Python code quality. Results never block the plugin.

  • PEP 8 style violations
  • Syntax errors and undefined names
  • Unused imports and variables
4. File Analysis INFORMATIONAL

Built-in package structure checks that flag potentially unsafe file inclusions.

  • Executable and hidden files
  • Suspicious file types (e.g. compiled binaries, scripts)
  • Unusual file permissions
Understanding Scan Results

The Security tab on every version detail page shows:

  • Summary card — Overall status, pass rate, and scan timestamp
  • Stats grid — Total checks, passed checks, warnings, critical issues, files scanned
  • Per-check details — Expandable cards for each check showing:
    • Affected file names and line numbers
    • Issue descriptions and code snippets
Manual Re-scan

Plugin editors can trigger a manual re-scan at any time from the Security tab. Re-scans are informational only — they refresh the displayed results and scan timestamp but do not change the version's validation status or approval state. To clear a Blocked status, upload a new version with the issues resolved.

Check Your Plugin Locally

Run the same tools locally before uploading to catch issues early:

# Install the security tools
pip install bandit detect-secrets flake8

# Run checks on your plugin directory
bandit -r your_plugin_directory/
detect-secrets scan your_plugin_directory/
flake8 your_plugin_directory/

Tip: You can suppress persistent false positives by bundling config files (.bandit, .secrets.baseline, .flake8) inside your plugin ZIP — see the Config Files guide.