QGIS Plugins
Security Scanning

Overview

Every plugin version uploaded to the QGIS Plugins Website is automatically scanned using industry-standard open-source security tools. Scans run asynchronously in the background immediately after upload. Checks are divided into two tiers:

- Blocking (CRITICAL) — Bandit and Secrets Detection. A plugin version is blocked from download and approval until critical findings are resolved by uploading a new, clean version.
- Non-blocking (INFO / WARNING) — Flake8, file permissions, and suspicious file detection. Results are informational and do not affect availability.
Validation Statuses

- Validating — The scan is queued or running. The version is not yet available for download or approval.
- Validated — All checks passed (no critical issues). The version is available for approval; trusted users are approved automatically.
- Blocked — One or more critical issues were found. The version cannot be downloaded or approved until a new, fixed version is uploaded.
Upload Flow

1. You upload a plugin ZIP file.
2. The plugin passes structural validation (metadata, package format, size limits) and is saved to the database with status Validating.
3. You receive a confirmation email acknowledging receipt and noting that checks are running.
4. Security and quality checks run asynchronously in the background.
5. You receive a results email once checks complete:
   - All checks passed — your plugin is now available. Trusted users are auto-approved; others await staff approval.
   - Critical issues found — your plugin is blocked. The email lists the specific findings so you can fix them.

Full scan details are always available on the version detail page under the Security tab.
Security Tools Used

Bandit (BLOCKING) — Static analysis for Python security issues:
- Shell injection (subprocess with shell=True)
- Use of unsafe built-ins (eval, exec, pickle)
- SQL injection risks
- Hardcoded passwords and weak cryptography
- 100+ additional checks

detect-secrets (BLOCKING) — Detects hardcoded secrets:
- AWS / cloud provider credentials
- API keys and OAuth tokens
- Private SSH keys
- Database connection strings
- High-entropy strings that resemble secrets

Flake8 (INFORMATIONAL) — Python code quality:
- PEP 8 style violations
- Syntax errors and undefined names
- Unused imports and variables

File Analysis (INFORMATIONAL) — Package structure checks:
- Executable and hidden files
- Suspicious file types (e.g. compiled binaries, scripts)
- Unusual file permissions
Understanding Scan Results

The Security tab on every version detail page shows:
- Summary card — Overall status, pass rate, and scan timestamp
- Stats grid — Total checks, passed checks, warnings, critical issues, files scanned
- Per-check details — Expandable cards for each check showing:
  - Affected file names and line numbers
  - Issue descriptions and code snippets
Manual Re-scan

Plugin editors can trigger a manual re-scan at any time from the Security tab. Re-scans are informational only — they refresh the displayed results and the scan timestamp but do not change the version's validation status or approval state. To clear a Blocked status, upload a new version with the issues resolved.
Trusted Users & Auto-approval

Users who have been granted the trusted permission (can_approve) have their plugin versions automatically approved once validation passes. Staff approvers are notified by email only after a version reaches Validated status and requires manual approval.
Severity Levels

- CRITICAL — Blocking. Security vulnerabilities that must be fixed before the plugin can be published (e.g. hardcoded credentials, shell injection).
- WARNING — Non-blocking. Issues that could lead to problems and should be addressed (e.g. suspicious files, executable permissions).
- INFO — Non-blocking. Code quality suggestions (e.g. PEP 8 violations, unused imports).
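As an added example (not the QGIS Plugins Website's own scanner code), the hypothetical pre-check below applies the same two-tier verdict to an uploaded ZIP: a simplified stand-in for Bandit's shell=True finding on the blocking tier, and the hidden-file, executable-bit and suspicious-type checks from File Analysis on the informational tier. The suspicious-extension list and the sample plugin contents are assumptions; only CRITICAL findings produce a Blocked status, as described above.

```python
# Hypothetical local pre-check mirroring the two tiers described above;
# added example, not the QGIS Plugins Website's own scanner code.
import ast
import io
import zipfile

# Assumed list (not from the page) of file types treated as suspicious.
SUSPICIOUS_EXT = (".exe", ".dll", ".so", ".dylib", ".sh", ".bat", ".ps1")


def shell_true_check(py_source, rel):
    """Simplified stand-in for Bandit's shell=True finding (blocking tier)."""
    return [("CRITICAL", rel, n.lineno, "shell=True in call")
            for n in ast.walk(ast.parse(py_source)) if isinstance(n, ast.Call)
            if any(k.arg == "shell" and getattr(k.value, "value", None) is True
                   for k in n.keywords)]

def file_analysis(info):
    """Non-blocking structure checks on one ZIP entry (mode is in external_attr)."""
    name, out = info.filename.rsplit("/", 1)[-1], []
    if name.startswith("."):
        out.append(("WARNING", info.filename, 0, "hidden file"))
    if (info.external_attr >> 16) & 0o111:
        out.append(("WARNING", info.filename, 0, "executable permission"))
    if name.lower().endswith(SUSPICIOUS_EXT):
        out.append(("WARNING", info.filename, 0, "suspicious file type"))
    return out

def scan_plugin_zip(zip_file):
    """Run both tiers; only CRITICAL blocks, WARNING/INFO stay advisory."""
    findings = []
    with zipfile.ZipFile(zip_file) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            findings += file_analysis(info)
            if info.filename.endswith(".py"):
                findings += shell_true_check(zf.read(info).decode(), info.filename)
    blocked = any(sev == "CRITICAL" for sev, *_ in findings)
    return ("Blocked" if blocked else "Validated"), findings

def build_sample_zip(shell_injection=True):
    """Constructed sample upload: hidden file, executable .sh, subprocess call."""
    buf, sh = io.BytesIO(), zipfile.ZipInfo("plugin/run.sh")
    sh.external_attr = 0o100755 << 16  # -rwxr-xr-x, as a real upload might carry
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/.secret_note", "constructed, not a real secret\n")
        zf.writestr(sh, "#!/bin/sh\necho hi\n")
        zf.writestr("plugin/__init__.py", "import subprocess\n\ndef run(cmd):\n"
                    f"    return subprocess.run(cmd, shell={shell_injection})\n")
    buf.seek(0)
    return buf
```

With the constructed sample, the shell=True call yields one CRITICAL finding and the status Blocked; the same package with shell=False keeps its three WARNING findings but is Validated, since warnings never block.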
Important Notes

- ⚠️ False positives: Some findings may be false positives. For example, a password-manager plugin may legitimately handle credentials. If you believe a critical finding is incorrect, contact the site administrators.
- 🔒 Privacy: All scans run locally on the server. No plugin code is sent to external services.
- 📊 Transparency: Full scan results are always visible to plugin authors and administrators on the version detail page.
Resolving a Blocked Plugin

1. Open the Security tab on the blocked version's detail page.
2. Review the critical findings and fix them in your local copy of the plugin.
3. Upload a new version — the new version will be scanned automatically.
4. You cannot unblock an existing version; each new upload starts a fresh scan.
Check Your Plugin Locally

Run the same tools locally before uploading to catch issues early:

# Install the security tools
pip install bandit detect-secrets flake8

# Run checks on your plugin directory
bandit -r your_plugin_directory/
detect-secrets scan your_plugin_directory/
flake8 your_plugin_directory/

Support

- Review the detailed scan results on your plugin's version detail page.
- Check the linked documentation for each security tool.
- Ask questions on the QGIS Developers mailing list.
- File issues on the QGIS-Plugins-Website GitHub repository.

Remember: The security scanner is here to help you create safer, higher-quality plugins. Critical findings must be resolved, but non-blocking results are purely advisory — use them as a guide for continuous improvement.