Date 2026/01/20
Author Lova Andriarimalala (@Xpirix)
Contact lova at kartoza dot com
Version QGIS Plugins Website
The QGIS Plugins Repository continues to grow and has recently surpassed 3,000 plugins, including those currently under review.
With this growth, it is increasingly important to strengthen our security measures and ensure that malicious or low-quality plugins are not distributed through QGIS infrastructure.
To address this, new Security and Quality Assurance (QA) checks have been introduced in the QGIS Plugins Website (see qgis/QGIS-Plugins-Website#219) as a soft validator.
This QEP proposes running all security and QA checks asynchronously after plugin upload, with the security checks (Bandit and Secrets Detection) acting as a blocking validator. Developers get instant upload confirmation, then receive the results by email when the checks complete.
Important: Plugins won't be available for approval or download until:
- All checks complete successfully, AND
- No critical security issues found (Bandit or Secrets Detection)
For trusted users who normally get auto-approval, this still applies - auto-approval only happens if checks pass.
This approach gives fast uploads without compromising security, and approvers are automatically notified when plugins are ready for review.
There are currently five checks that will run when uploading a new plugin version:
- Bandit Security Analysis: Static analysis of the plugin's Python code for common security weaknesses (SQL statements built by string formatting, hardcoded passwords, unsafe calls such as eval/exec or subprocess with shell=True, etc.)
- Secrets Detection: Scans for hardcoded secrets, API keys, passwords and tokens using detect-secrets
- Code Quality (Flake8): Python code quality and style checker.
- File Permissions: Checks for files with executable or unusual permissions
- Suspicious Files: Detects suspicious file types, hidden files, or unexpected executables
Results are shown on the Plugin Version Details Page > Security Scan tab. More details about these checks are available at https://plugins.qgis.org/docs/security-scanning
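The File Permissions and Suspicious Files checks are the two that need no external tool, so here is how they can be implemented directly over the uploaded zip, without extracting it. This is an added example written for this page, not the QGIS Plugins Website's own validator: the extension list, the magic-byte list, the severities and the path-traversal (Zip Slip) check are assumptions about what such a validator should flag, and the sample archive is constructed inline.

```python
import io
import stat
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Extension list, magic bytes and severities are assumptions made for this
# example, not the QGIS Plugins Website's actual rules.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".so", ".dylib", ".bat", ".cmd",
                         ".sh", ".ps1", ".msi", ".com"}
NATIVE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")  # ELF, PE, Mach-O


@dataclass(frozen=True)
class Finding:
    check: str      # "file_permissions" or "suspicious_files"
    severity: str   # "high", "medium" or "low"
    path: str
    message: str


def _unix_mode(info: zipfile.ZipInfo) -> int:
    # Unix st_mode lives in the high 16 bits of external_attr; it is 0 when
    # the archive was built on a host that does not record it (e.g. Windows).
    return (info.external_attr >> 16) & 0xFFFF


def check_file_permissions(zf: zipfile.ZipFile) -> list[Finding]:
    """Plugin code is imported by QGIS, never run directly, so no entry needs
    an executable bit; setuid/setgid or world-writable modes are worse."""
    findings = []
    for info in zf.infolist():
        mode = _unix_mode(info)
        if info.is_dir() or mode == 0:
            continue
        shown = stat.filemode(mode)
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(Finding("file_permissions", "high", info.filename,
                                    f"setuid/setgid bit set ({shown})"))
        elif mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append(Finding("file_permissions", "medium", info.filename,
                                    f"executable bit set ({shown})"))
        if mode & stat.S_IWOTH:
            findings.append(Finding("file_permissions", "low", info.filename,
                                    f"world-writable ({shown})"))
    return findings


def check_suspicious_files(zf: zipfile.ZipFile) -> list[Finding]:
    """Entries escaping the plugin directory, hidden files, executable
    extensions, and native binaries recognised by content (so renaming
    foo.so to foo.dat does not hide it)."""
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = PurePosixPath(info.filename)
        if info.filename.startswith("/") or ".." in path.parts:
            findings.append(Finding("suspicious_files", "high", info.filename,
                                    "entry path escapes the plugin directory"))
            continue
        if any(part.startswith(".") for part in path.parts):
            findings.append(Finding("suspicious_files", "medium", info.filename,
                                    "hidden file or directory"))
        if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
            findings.append(Finding("suspicious_files", "medium", info.filename,
                                    f"unexpected executable type {path.suffix}"))
        with zf.open(info) as fh:
            head = fh.read(4)
        if head.startswith(NATIVE_MAGIC):
            findings.append(Finding("suspicious_files", "high", info.filename,
                                    "native executable content (magic bytes)"))
    return findings


def scan_plugin(zip_bytes: bytes) -> list[Finding]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return check_file_permissions(zf) + check_suspicious_files(zf)


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def build_sample_plugin() -> bytes:
    """Constructed archive for this example; not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, data: bytes, mode: int = 0o644) -> None:
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, data)
        add("myplugin/__init__.py", b"def classFactory(iface):\n    return None\n")
        add("myplugin/metadata.txt", b"name=My Plugin\n")
        add("myplugin/build.sh", b"#!/bin/sh\necho build\n", mode=0o755)
        add("myplugin/.env", b"TOKEN=not-a-real-token\n")
        add("myplugin/helper.dat", b"\x7fELF" + b"\x00" * 12)
        add("../evil.py", b"print('escaped plugin dir')\n")
    return buf.getvalue()
```

`scan_plugin(build_sample_plugin())` yields five findings: the `../evil.py` entry and the ELF disguised as `helper.dat` are high, while the executable bit on `build.sh`, its `.sh` extension and the hidden `.env` are medium. Checking mode bits from the zip central directory rather than from an extracted tree avoids ever writing untrusted entry paths to disk, which is also why the traversal check runs before anything else is done with the entry.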
The proposal for now is to make Bandit Security Analysis and Secrets Detection blocking validators: when at least one critical issue is found, the plugin version is blocked from approval and public download until the issues are resolved.
Bandit Security Analysis: critical vulnerabilities reported by Bandit block the plugin version until fixed. The results email includes:
- Issue summary and severity
- File/line locations
- Remediation guidance
Secrets Detection: hardcoded secrets block the plugin version until they are removed. Since the secret has already been uploaded, it should also be treated as exposed and rotated, not merely deleted from the next version. The results email includes:
- Secret type (API key, password, token, etc.)
- File/line locations
- How to fix it
Code quality, file permissions, and suspicious files checks
All the checks mentioned above run asynchronously after the plugin upload; their results are included in the email notifications and displayed on the Plugin Version Details Page > Security Scan tab. These three checks are informational: they do not block the version, but they give maintainers actionable feedback on code quality and potential issues to address in future updates.
A plugin version is not available while its checks run (usually a few minutes). This delay is mitigated by:
- Fast validation (most checks complete in minutes)
- Immediate email notifications
- Clear status indicators ("Validating" or "Blocked")
- Easy re-upload workflow
In return, no plugin version with critical findings is ever made available to users. This balances fast uploads with strong security guarantees. Benefits of the asynchronous approach:
- Uploads complete instantly (no waiting for checks)
- All checks run in parallel via task queue
- Better server resource management
- Immediate upload confirmation for developers
The implementation uses a task queue-based architecture to process all checks asynchronously:
Upload Flow:
- Plugin uploaded and stored
- Status set to validating (not yet available)
- Validation task queued
- Instant confirmation email to maintainer
- All checks run in parallel
- Results stored in database
- Status updated:
  - validated (no critical issues) → available for approval/download; for trusted users: auto-approved if checks pass
  - blocked (critical issues) → unavailable until fixed
- Results email sent to maintainer (and approvers if ready for review)
Components:
- Task Queue: Celery or similar task broker for asynchronous job processing
- Workers: Background processes that execute validation checks in parallel
- Database: Stores validation results, check status, and issue details
- Email Service: Sends notifications at key stages (upload confirmation, results)
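The upload flow and components above can be modelled end to end in a few dozen lines. The following is an added example written for this page, not the project's code: a thread pool stands in for the Celery queue and its workers, and tiny stand-ins replace Bandit, detect-secrets and Flake8 over an in-memory plugin, so the decisions that matter can be exercised offline. It shows that checks run in parallel, that only critical findings from the two blocking checks move the status to blocked while a Flake8 finding does not, that a check which crashes leaves the version unavailable (the "failed" status is this example's name for that state; the proposal only names validating and blocked), that trusted users are auto-approved only on a validated result, and that a secrets finding carries a fingerprint rather than the value so it is safe to put in an email. All names, the sample plugin and the severity mapping are assumptions.

```python
import ast
import hashlib
import re
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed sample plugin for this example (not a real plugin). The key-like
# string is a made-up pattern whose only purpose is to trigger the check.
PLUGIN_FILES = {
    "myplugin/__init__.py": "def classFactory(iface):\n    return None\n",
    "myplugin/config.py": "AWS_KEY = 'AKIA" + "A" * 16 + "'\n",
    "myplugin/util.py": "def run(expr):\n    return eval(expr)\n",
    "myplugin/style.py": "VALUE = '" + "x" * 80 + "'\n",
}


@dataclass(frozen=True)
class Finding:
    check: str      # "bandit", "secrets" or "flake8"
    severity: str   # "critical", "medium" or "low" (mapping is an assumption)
    path: str
    line: int
    message: str


def bandit_like(files: dict[str, str]) -> list[Finding]:
    """Tiny stand-in for Bandit: flags calls to eval()/exec()."""
    out = []
    for path, src in files.items():
        if path.endswith(".py"):
            for node in ast.walk(ast.parse(src)):  # SyntaxError propagates: check fails
                if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                        and node.func.id in ("eval", "exec")):
                    out.append(Finding("bandit", "critical", path, node.lineno,
                                       f"use of {node.func.id}()"))
    return out


SECRET_PATTERNS = {"AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}")}


def secrets_like(files: dict[str, str]) -> list[Finding]:
    """Tiny stand-in for detect-secrets. The finding carries a fingerprint of
    the match, never the value itself, so it is safe to put in an e-mail."""
    out = []
    for path, src in files.items():
        for lineno, text in enumerate(src.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(text)
                if match:
                    fp = hashlib.sha256(match.group(0).encode()).hexdigest()[:12]
                    out.append(Finding("secrets", "critical", path, lineno,
                                       f"{kind} (fingerprint {fp})"))
    return out


def flake8_like(files: dict[str, str]) -> list[Finding]:
    """Tiny stand-in for Flake8: only E501 (line longer than 79 characters)."""
    return [Finding("flake8", "low", path, n, "E501 line too long")
            for path, src in files.items()
            for n, text in enumerate(src.splitlines(), start=1) if len(text) > 79]


CHECKS = {"bandit": bandit_like, "secrets": secrets_like, "flake8": flake8_like}
BLOCKING_CHECKS = {"bandit", "secrets"}  # only these can block a version


@dataclass
class ValidationResult:
    status: str = "validating"  # then "validated", "blocked" or "failed"
    auto_approved: bool = False
    findings: list[Finding] = field(default_factory=list)
    errors: dict[str, str] = field(default_factory=dict)

    def severity_summary(self) -> dict[str, int]:
        counts = {"critical": 0, "medium": 0, "low": 0}
        for f in self.findings:
            counts[f.severity] += 1
        return counts


def run_validation(files, checks=CHECKS, trusted=False) -> ValidationResult:
    """Run every check in parallel (thread pool standing in for queue workers)."""
    result = ValidationResult()
    with ThreadPoolExecutor(max_workers=len(checks)) as pool:
        futures = {name: pool.submit(fn, files) for name, fn in checks.items()}
        for name, future in futures.items():
            try:
                result.findings.extend(future.result())
            except Exception as exc:  # a crashed check is not a passed check
                result.errors[name] = repr(exc)
    if result.errors:
        result.status = "failed"  # still unavailable; needs a re-run, not a pass
    elif any(f.check in BLOCKING_CHECKS and f.severity == "critical"
             for f in result.findings):
        result.status = "blocked"
    else:
        result.status = "validated"
    result.auto_approved = trusted and result.status == "validated"
    return result
```

`run_validation(PLUGIN_FILES, trusted=True)` ends blocked with two critical findings (the `eval()` in util.py and the key in config.py) and one low finding from style.py, and `auto_approved` stays False even though the user is trusted. Feeding it a file that does not parse makes the Bandit stand-in raise, which is recorded in `errors` and yields "failed" rather than a silent pass; that is the behaviour the "all checks complete successfully" rule requires.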
Email notifications are sent at two key stages: upload confirmation and validation results.
Upload confirmation email, sent immediately upon successful upload to confirm receipt:
Subject: Plugin Upload Confirmation: [Plugin Name] v[Version]
Content:
- Plugin name and version
- Upload timestamp
- Validation status (Validating)
- Important notice: Plugin is not yet available for approval or download
- Estimated completion time
- Link to track progress on plugin details page
- What to expect in the next email
Validation results email, sent when all checks have finished:
Subject: Plugin Validation Results: [Plugin Name] v[Version]
Content for Clean Validation (All Checks Passed):
- ✓ All checks passed
- Plugin status:
  - Trusted users: Auto-approved and available for download
  - Regular users: Ready for approval (approvers are notified)
- Summary of checks performed
- Link to detailed results
Recipients: Plugin maintainer(s) + Plugin approvers (when ready for review)
Content for Issues Found:
- Issues summary (count by severity)
- Availability status:
  - Critical issues: BLOCKED - not available until fixed
  - Non-critical issues only: Available for approval, but improvements recommended
- Critical issue details:
  - Bandit/Secrets Detection findings
  - File/line references
  - How to fix
- Non-critical issues:
  - Code quality suggestions
  - Optional improvements
- Link to re-upload a corrected version
- Support contact
Recipients: Plugin maintainer(s)
For each issue reported in the email:
- Clear title and severity badge
- Specific details (file names, line numbers, issue descriptions)
- Example fixes or remediation guidance
- Best practices documentation links
Emails link to the docs on:
- Fixing Bandit security issues
- Secret management
- Code quality (Flake8)
- File permissions
- Handling suspicious files
Security considerations:
- Emails contain no sensitive data beyond what maintainers need to fix the issues
- No API keys or passwords are included in emails; a secrets finding reports the secret type and location, not the value
- Validation reports are also available on the Plugin Version Details Page, so maintainers do not depend on email
- Email access logs are maintained for audit purposes
- Plugin versions with critical security findings are never made publicly available, protecting end users
As the security and QA validation system matures, additional checks are planned to be added over time, all following the same asynchronous pattern:
- SPDX License Header Requirements: Validation of proper license headers in source files
- Binary Blob Detection: Identification of unexpected binary files that may pose security risks
- GPL Compliance Checks: Verification of GPL license compliance and proper attribution
- Additional Code Quality Metrics: Extended static analysis and code quality validations
- Dependency Vulnerability Scanning: Checking for known vulnerabilities in plugin dependencies
- Malware Signature Detection: Advanced scanning for known malicious patterns
All new checks will automatically integrate into the existing asynchronous validation pipeline and be included in validation result emails.
For plugin versions that existed before the implementation of the security and QA validation system, a manual check feature will be added. This allows:
- Plugin maintainers and administrators to trigger security and QA checks on existing plugin versions
- Review of older versions for security vulnerabilities and code quality issues
- Identification of potential issues across the plugin repository
Important limitations:
- Manual checks on existing plugin versions are informational only
- Running checks will not change the plugin's current status (approved, in review, etc.)
- Previously approved plugins remain approved regardless of check results
- This feature is intended for awareness and voluntary improvements, not enforcement