Security Scanning — Troubleshooting

Resolving a Blocked Plugin

A Blocked status means at least one critical security issue was found. You cannot unblock an existing version — each new upload starts a fresh scan.

  1. Open the Security tab on the blocked version's detail page.
  2. Review the critical findings listed there.
  3. Fix the issues in your local copy of the plugin.
  4. Upload a new version — it will be scanned automatically.

Note: Re-scanning an existing version (via the manual re-scan button) does not change the validation status. It only refreshes the displayed results. You must upload a new version to clear a blocked status.

Dealing with False Positives

Some findings may be false positives. For example, a password-manager plugin may legitimately handle credentials. You have three options:

  1. Skip a skippable rule during upload — available for rules that administrators have marked as skippable. See the Rule Skipping guide.
  2. Bundle a config file inside your plugin ZIP to suppress specific findings within a tool (.bandit, .secrets.baseline, .flake8). See the Config Files guide.
  3. Raise an issue if neither of the above is possible — see below.
Raising an Issue about a Security Check

If you believe a mandatory (non-skippable) rule is producing a genuine false positive for your plugin and neither config files nor rule skipping can resolve it, you can request a review from the site administrators.

Use the dedicated issue template on GitHub — it guides you through providing the information administrators need to make a decision quickly:

Administrators will review your request and may adjust the rule's skippability, update the rule configuration, or provide guidance. Raising an issue does not automatically unblock your plugin.

Important Notes
  • 🔒 Privacy: All scans run locally on the server. No plugin code is sent to external services.
  • 📊 Transparency: Full scan results are always visible to plugin authors and administrators on the version detail page.
  • 🔁 Re-scan: You can trigger a manual re-scan from the Security tab at any time. It refreshes the results display but does not change the validation status.
Getting Support
  • Review the detailed scan results on your plugin's version detail page.
  • Check the linked documentation for each security tool.
  • Ask questions on the QGIS Developers mailing list.
  • File a general issue on the QGIS-Plugins-Website GitHub repository .