Security Tools
Every plugin version is automatically scanned using four complementary checks. The results
are available on the version detail page under the Security tab.
Severity Levels
-
CRITICAL
BLOCKING — Security
vulnerabilities that must be fixed before the plugin can be published (e.g. hardcoded
credentials, shell injection). The version cannot be downloaded or approved until a
new, clean version is uploaded.
-
WARNING
NON-BLOCKING — Issues that could
lead to problems and should be addressed (e.g. suspicious files, executable
permissions). Results are informational only.
-
INFO
NON-BLOCKING — Code quality
suggestions (e.g. PEP 8 violations, unused imports). Results are informational only.
Tools
1. Bandit
BLOCKING — CRITICAL
Bandit
performs static analysis for Python security issues. Findings at CRITICAL severity block
the plugin.
- Shell injection (
subprocess with shell=True)
- Use of unsafe built-ins (
eval, exec, pickle)
- SQL injection risks
- Hardcoded passwords and weak cryptography
- 100+ additional checks
Full Bandit test catalogue:
bandit.readthedocs.io
2. detect-secrets
BLOCKING — CRITICAL
detect-secrets
scans for hardcoded secrets and high-entropy strings that resemble credentials.
- AWS / cloud provider credentials
- API keys and OAuth tokens
- Private SSH keys
- Database connection strings
- High-entropy strings that resemble secrets
detect-secrets documentation:
github.com/Yelp/detect-secrets
3. Flake8
INFORMATIONAL
Flake8
checks Python code quality. Results never block the plugin.
- PEP 8 style violations
- Syntax errors and undefined names
- Unused imports and variables
4. File Analysis
INFORMATIONAL
Built-in package structure checks that flag potentially unsafe file inclusions.
- Executable and hidden files
- Suspicious file types (e.g. compiled binaries, scripts)
- Unusual file permissions
Understanding Scan Results
The Security tab on every version detail page shows:
- Summary card — Overall status, pass rate, and scan timestamp
- Stats grid — Total checks, passed checks, warnings, critical issues, files scanned
-
Per-check details — Expandable cards for each check showing:
- Affected file names and line numbers
- Issue descriptions and code snippets
Manual Re-scan
Plugin editors can trigger a manual re-scan at any time from the Security
tab. Re-scans are informational only — they refresh the displayed results
and scan timestamp but do not change the version's validation status or
approval state. To clear a Blocked status, upload a new version with the issues
resolved.
Check Your Plugin Locally
Run the same tools locally before uploading to catch issues early:
# Install the security tools
pip install bandit detect-secrets flake8
# Run checks on your plugin directory
bandit -r your_plugin_directory/
detect-secrets scan your_plugin_directory/
flake8 your_plugin_directory/
Tip: You can suppress persistent false positives by bundling config files
(.bandit, .secrets.baseline, .flake8) inside your
plugin ZIP — see the
Config Files guide.