[QGIS-Developer] How do I get rid of the security warning on my plugin?
Etienne Trimaille
etienne.trimaille at gmail.com
Fri Jun 12 13:06:40 PDT 2026
I think it might be "detect-secrets" instead of bandit in his situation, so
you can refer to its documentation:
https://github.com/Yelp/detect-secrets#inline-allowlisting
On Fri, 12 Jun 2026, 15:32, John Stevenson - BGS via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:
> You can put `# nosec` as a comment at the end of the line to skip that
> line.
>
> See documentation for the Bandit scanner used by the QGIS Plugin
> repository here:
>
> https://bandit.readthedocs.io/en/latest/config.html#suppressing-individual-lines
>
> The scanner implementation, with details of the exact command that it runs
> (and that you can replicate locally or in CI), is here:
>
> https://github.com/qgis/QGIS-Plugins-Website/blob/18bf205e1c0733bc1f09f15430eff52c1a78a1a3/qgis-app/plugins/security_scanner.py
>
> Cheers,
> John
>
> -----Original Message-----
> From: QGIS-Developer <qgis-developer-bounces at lists.osgeo.org> On Behalf
> Of Greg Troxel via QGIS-Developer
> Sent: 12 June 2026 00:59
> To: C Hamilton via QGIS-Developer <qgis-developer at lists.osgeo.org>
> Subject: Re: [QGIS-Developer] How do I get rid of the security warning on
> my plugin?
>
> C Hamilton via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>
> > My Lat Lon Tools plugin is getting two "Secrets Detection" warnings on
> > these two lines of code.
> >
> > lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
> >
> > __base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
> >
> > Those are certainly scary, hazardous lines of code (sorry for the
> > sarcasm). But really, how do I resolve this with your plugin scanners?
> > Those lines of code are probably the best way to represent the
> > geohash, and georef coordinate conversions. However, I also don't want
> > my plugins to be flagged with "Critical security issues found".
>
> By posting here, you request that the scanners be fixed. They are
> heuristics, which means they need tweaks when they are wrong.
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
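A compact illustration of why those two alphabet tables trip a "Secrets Detection" heuristic, and of how the inline suppression comments mentioned above are honoured. This is an added example, not code from the thread, from detect-secrets, from Bandit or from the QGIS plugin scanner: the 4.5 bits/char threshold, the 16-character minimum literal length and the plain substring check for the markers are simplifications assumed here; the two marker strings themselves are the ones documented for detect-secrets (`# pragma: allowlist secret`) and Bandit (`# nosec`).

```python
import math
import re
from typing import List, Tuple

# Toy entropy-based secrets check, written for this example; it is a
# simplification and not the code of detect-secrets or Bandit.
# "# pragma: allowlist secret" is detect-secrets' inline allowlist comment,
# "# nosec" is Bandit's; a real scanner parses them more carefully than
# the substring test used below.
ALLOWLIST_MARKERS = ("# pragma: allowlist secret", "# nosec")
# Quoted runs of 16 or more base64-ish characters (minimum length assumed here).
STRING_RE = re.compile(r"""(['"])([A-Za-z0-9+/=_\-]{16,})\1""")
ENTROPY_LIMIT = 4.5  # bits per character; threshold assumed for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(source: str) -> List[Tuple[int, str, float]]:
    """Return (line number, literal, entropy) for each unsuppressed high-entropy literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(marker in line for marker in ALLOWLIST_MARKERS):
            continue  # inline allowlist: the author has reviewed this line
        for match in STRING_RE.finditer(line):
            literal = match.group(2)
            entropy = shannon_entropy(literal)
            if entropy >= ENTROPY_LIMIT:
                findings.append((lineno, literal, round(entropy, 3)))
    return findings


# Constructed sample: the two lines quoted in the thread, a suppressed copy
# of the second one, and a low-entropy literal of comparable length.
SAMPLE_SOURCE = """\
lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'  # pragma: allowlist secret
padding = "aaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, literal, entropy in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {entropy:.3f} bits/char -> {literal!r}")
    # Every character of an alphabet table is distinct, so its entropy is
    # log2(len(table)), the maximum any string of that length can reach.
    print(f"log2(32) = {math.log2(32):.3f}, log2(24) = {math.log2(24):.3f}")
```

Running it reports lines 1 and 2 (4.585 and 5.000 bits/char) and nothing for lines 3 and 4. The point for a plugin author: a conversion alphabet has every character exactly once, so its entropy is log2(alphabet size), which is what a random key of the same length looks like, and a purely statistical heuristic cannot tell the two apart. The inline marker is the documented way to record that a human has reviewed the line; Greg's point that wrong heuristics should also be reported so they can be tuned still stands.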