[QGIS-Developer] How do I get rid of the security warning on my plugin?

John Stevenson - BGS jostev at bgs.ac.uk
Fri Jun 12 06:32:28 PDT 2026


You can put `# nosec` as a comment at the end of the line to skip that line.

See documentation for the Bandit scanner used by the QGIS Plugin repository here:

https://bandit.readthedocs.io/en/latest/config.html#suppressing-individual-lines

The scanner implementation, with details of the exact command that it runs (and that you can replicate locally or in CI), is here:

https://github.com/qgis/QGIS-Plugins-Website/blob/18bf205e1c0733bc1f09f15430eff52c1a78a1a3/qgis-app/plugins/security_scanner.py

Cheers,
John
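A small Python model of the line-level suppression John describes, added here as an illustration and not the plugin repository's own scanner: the "looks like a secret" heuristic (a length threshold plus a character-entropy threshold) is constructed for the example, but the `# nosec` handling is the same idea, a marker in the comment on the flagged line. The two alphabet constants from the original question are reported without the marker and pass once it is appended.

```python
import io
import math
import tokenize
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(source: str, min_len: int = 20, min_entropy: float = 4.0):
    """Return (line_number, literal) for every string literal that trips the
    constructed secret heuristic and is NOT suppressed by a '# nosec' comment
    on the same line. Thresholds are illustrative, not the real scanner's."""
    nosec_lines = set()
    candidates = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            nosec_lines.add(tok.start[0])           # suppression applies per line
        elif tok.type == tokenize.STRING:
            literal = tok.string.strip("'\"")        # drop the surrounding quotes
            if len(literal) >= min_len and shannon_entropy(literal) >= min_entropy:
                candidates.append((tok.start[0], literal))
    return [(line, lit) for line, lit in candidates if line not in nosec_lines]


# Constructed sample: the two alphabet constants from the question, which an
# entropy heuristic cannot tell apart from a token (24 and 32 distinct symbols).
SAMPLE_UNSUPPRESSED = '''\
lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
greeting = "hello world"
'''

# Same constants with the per-line marker the reply recommends.
SAMPLE_SUPPRESSED = '''\
lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # nosec
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'  # nosec
greeting = "hello world"
'''

if __name__ == "__main__":
    print("without marker:", scan_source(SAMPLE_UNSUPPRESSED))  # lines 1 and 2
    print("with marker:   ", scan_source(SAMPLE_SUPPRESSED))    # []
```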

-----Original Message-----
From: QGIS-Developer <qgis-developer-bounces at lists.osgeo.org> On Behalf Of Greg Troxel via QGIS-Developer
Sent: 12 June 2026 00:59
To: C Hamilton via QGIS-Developer <qgis-developer at lists.osgeo.org>
Subject: Re: [QGIS-Developer] How do I get rid of the security warning on my plugin?

C Hamilton via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:

> My Lat Lon Tools plugin is getting two "Secrets Detection" warnings on
> these two lines of code.
>
> lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
>
> __base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
>
> Those are certainly scary, hazardous lines of code (sorry for the
> sarcasm). But really how do I resolve this with your plugin scanners?
> Those lines of code are probably the best way to represent the
> geohash, and georef coordinate conversions. However, I also don't want
> my plugins to be flagged with "Critical security issues found".

By posting here, you request that the scanners be fixed.  They are heuristics, which means they need tweaks when they are wrong.


_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer




