Plugin Repository Security Enhancements

We want to share some updates we have made to the QGIS Plugin Repository. In January 2026 we shared QEP 409. The proposal seeks to improve general working practices for QGIS plugins by adding some optional and some mandatory checks to every plugin that gets published in the QGIS plugin repository. This builds on initial work (see PR) we did to run ‘soft’ checks on every plugin at the time it is published.

We also ran the new security checks retroactively against every existing plugin in the repository (latest version of each only) and assigned each a security badge, without blocking or removing any plugin from publication.

Now, if your plugin has flagged issues, you will see a badge like this (shown in red below):

If your plugin passes all checks, you will see a green badge like this:

If the badge has a small ‘i’ on its left, there may still be some non-blocking (advisory) findings to look at.

If you are the owner of a plugin, you can log in to https://plugins.qgis.org and review the issues that have been flagged for your plugin:

If you expand the detail blocks, you can see the individual issues that were flagged:

There are two blocking issue categories (findings in these will prevent you from publishing your plugin) and additional non-blocking issue categories (advisories only). You can find all the details on the information page:

https://plugins.qgis.org/docs/security-scanning

Note that these security advisories and badges are currently only shown on the plugins website; the plugin manager in QGIS Desktop does not yet give any indication of the security scan results.

What to do if you have a red badge on a plugin you manage?

Firstly, don’t panic. Almost all plugins initially carry this badge; we expect the repository to fill with ‘green badged’ plugins over time as developers publish their updates. Then review the issues listed in the report and fix them systematically. https://plugins.qgis.org/docs/security-scanning lists the specific tools we run on the server, so you can run the same checks locally before you upload a new version.

What to do if you see a red badge on your favourite plugin?

Again, don’t panic. A red badge means the scanner matched a pattern in the plugin’s latest version, not that the plugin has been found to be exploitable. In a year’s time, when most plugins have been updated, we expect green badges to be the norm; for now, just know that we are working on improving the security of our plugin ecosystem.

What if my plugin has a flagged issue for something that is a feature?

We know that in some cases you may genuinely need to embed API keys or credentials, or do other things that raise a flag. QGIS does not play an enforcement role beyond requiring that all newly uploaded plugins clear the blocking checks (a green badge). Where a flag is intentional you can suppress it with the pragmas / overrides the scanner supports. What we are trying to ensure is that plugin developers have visited each reported issue, considered it, and either consciously chosen to ignore it or fixed it.

What if I still have questions?

Please file a ticket at https://github.com/qgis/QGIS-Plugins-Website/issues

I have an issue with XXX

We are aware of some teething problems with our ruleset, e.g. the hashlib.md5 and xml library checks. Please raise an issue if you think a rule is too strict and we will update it accordingly. If you want to review how the scanning is implemented, see https://github.com/qgis/QGIS-Plugins-Website/blob/master/qgis-app/plugins/security_scanner.py
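As an added example (not code from QGIS or the plugin repository), here are the three kinds of flag mentioned on this page, each beside a form that keeps the behaviour without the weakness: hashlib.md5 for a non-security use, parsing XML without DTD or entity processing, and loading a credential at runtime instead of embedding it. The function names, the MY_PLUGIN_API_KEY variable and the sample XML are all constructed for illustration; the exact rule names, tools and suppression syntax used by plugins.qgis.org are not assumed here (see the security-scanning docs for those).

```python
"""Added example, not code from QGIS or the plugin repository: constructs a
plugin security scan typically flags, each beside a form that keeps the
behaviour without the weakness.  Rule names, suppression pragmas and the
exact tools plugins.qgis.org runs are documented at
https://plugins.qgis.org/docs/security-scanning; nothing below assumes them.
"""
import hashlib
import os
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


# --- 1. hashlib.md5 ---------------------------------------------------------
def cache_key_flagged(payload: bytes) -> str:
    """MD5 with default arguments: the pattern a scanner reports."""
    return hashlib.md5(payload).hexdigest()


def cache_key_fixed(payload: bytes) -> str:
    """Same digest, but declares the non-security use (Python 3.9+).
    Linters such as Bandit do not report usedforsecurity=False, and it
    documents for reviewers that MD5 is only a cache/content key here."""
    return hashlib.md5(payload, usedforsecurity=False).hexdigest()


def integrity_digest(payload: bytes) -> str:
    """Where the hash *is* a security property (verifying a download or a
    manifest), switch algorithm instead of annotating MD5."""
    return hashlib.sha256(payload).hexdigest()


# --- 2. the xml library -----------------------------------------------------
# Constructed sample inputs: a benign document and one carrying an XXE entity.
SAMPLE_XML = b"<layers><layer name='roads'/><layer name='rivers'/></layers>"
XXE_XML = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE layers [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
           b'<layers><layer name="&xxe;"/></layers>')


def layer_names_flagged(data: bytes) -> list:
    """xml.etree on untrusted input: the stdlib parser accepts DTDs, so entity
    declarations reach expat.  This is the usage the scanner flags."""
    return [e.get("name") for e in ET.fromstring(data).iter("layer")]


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Build an ElementTree from untrusted XML with the public expat API,
    rejecting DTDs, entity declarations and external entity references
    (the vehicles for XXE and entity-expansion denial of service).
    A stdlib-only stand-in for what the defusedxml package does."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise ValueError("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = builder.start      # (tag, attrs dict)
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def layer_names_hardened(data: bytes) -> list:
    return [e.get("name") for e in parse_untrusted_xml(data).iter("layer")]


# --- 3. embedded API keys / credentials ------------------------------------
API_KEY_FLAGGED = "hypothetical-key-value"   # secret literal in source: flagged


def load_api_key(env_var: str = "MY_PLUGIN_API_KEY", environ=os.environ) -> str:
    """Resolve the key at runtime instead of embedding it.  MY_PLUGIN_API_KEY
    is a hypothetical name; a real plugin would read the value from its
    settings or from QGIS's authentication system."""
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; configure the key in the plugin settings")
    return key


if __name__ == "__main__":
    print(cache_key_fixed(b"abc"), layer_names_hardened(SAMPLE_XML))
    try:
        layer_names_hardened(XXE_XML)
    except ValueError as err:
        print("rejected:", err)
```

The XML helper is the part worth copying: it uses only the documented expat handler attributes, so it works with the C-accelerated ElementTree, and it fails closed on the first DOCTYPE or entity declaration rather than trying to sanitise the document.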