<div dir="auto">I think it might be "detect-secrets" instead of bandit in his situation, so you can refer to it's documentation: <a href="https://github.com/Yelp/detect-secrets#inline-allowlisting">https://github.com/Yelp/detect-secrets#inline-allowlisting</a><div dir="auto"><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le ven. 12 juin 2026, 15:32, John Stevenson - BGS via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You can put `# nosec` as a comment at the end of the line to skip that line.<br>
<br>
See documentation for the Bandit scanner used by the QGIS Plugin repository here:<br>
<br>
<a href="https://bandit.readthedocs.io/en/latest/config.html#suppressing-individual-lines" rel="noreferrer noreferrer" target="_blank">https://bandit.readthedocs.io/en/latest/config.html#suppressing-individual-lines</a><br>
<br>
The scanner implementation, with details of the exact command that it runs (and that you can replicate locally or in CI), is here:<br>
<br>
<a href="https://github.com/qgis/QGIS-Plugins-Website/blob/18bf205e1c0733bc1f09f15430eff52c1a78a1a3/qgis-app/plugins/security_scanner.py" rel="noreferrer noreferrer" target="_blank">https://github.com/qgis/QGIS-Plugins-Website/blob/18bf205e1c0733bc1f09f15430eff52c1a78a1a3/qgis-app/plugins/security_scanner.py</a><br>
<br>
Cheers,<br>
John<br>
<br>
-----Original Message-----<br>
From: QGIS-Developer <<a href="mailto:qgis-developer-bounces@lists.osgeo.org" target="_blank" rel="noreferrer">qgis-developer-bounces@lists.osgeo.org</a>> On Behalf Of Greg Troxel via QGIS-Developer<br>
Sent: 12 June 2026 00:59<br>
To: C Hamilton via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank" rel="noreferrer">qgis-developer@lists.osgeo.org</a>><br>
Subject: Re: [QGIS-Developer] How do I get rid of the security warning on my plugin?<br>
<br>
C Hamilton via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank" rel="noreferrer">qgis-developer@lists.osgeo.org</a>> writes:<br>
<br>
> My Lat Lon Tools plugin is getting two "Secrets Detection" warnings on<br>
> these two lines of code.<br>
><br>
> lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"<br>
><br>
> __base32 = '0123456789bcdefghjkmnpqrstuvwxyz'<br>
><br>
> Those are certainly scarry, hazardous lines of code (sorry for the<br>
> sarchasm). But really how do I resolve this with your plugin scanners.<br>
> Those lines of code are probably the best way to represent the<br>
> geohash, and georef coordinate conversions. However, I also don't want<br>
> my plugins to be flagged with "Critical security issues found".<br>
<br>
By posting here, you request that the scanners be fixed. They are heuristics, which means they need tweaks when they are wrong.<br>
<br>
<br>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank" rel="noreferrer">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
<br>
<br>
This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses.<br>
<br>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank" rel="noreferrer">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
</blockquote></div>