Portal Community

When Scanning Runs

Security scanning runs immediately after checksum verification passes and before ID remapping or installation begins. This order ensures we never process potentially malicious content further than necessary.

Scan Results

Result | Meaning                                       | Import Behavior
PASS   | No issues detected                            | Import proceeds automatically
WARN   | Potential issues — not definitively malicious | Import blocked unless allowSecurityWarnings: true is set by an authorized user
FAIL   | Definitive security issue detected            | Import blocked — cannot be overridden

What is Scanned

Expression Injection Detection

All expression strings in workflow node configurations and form field bindings are scanned for dangerous patterns:

// Examples that trigger FAIL:
"expression": "user.__proto__.isAdmin = true"      // Prototype pollution
"expression": "eval(atob('aGFja2Vk'))"             // eval() usage
"expression": "constructor.constructor('hack')()"   // Constructor chain attack
"expression": "${process.env.SECRET_KEY}"          // Environment access attempt

// Examples that trigger WARN:
"expression": "require('child_process').exec(cmd)" // Node.js require (unusual pattern)
"expression": "window.location.href = url"        // DOM manipulation attempt

SQL Injection Pattern Detection

SQL query strings in datasource configurations are checked for injection patterns:

// FAIL patterns:
"query": "SELECT * FROM users; DROP TABLE users; --"
"query": "SELECT * FROM users WHERE id = ' OR '1'='1"

// WARN patterns (parameterized queries missing):
"query": "SELECT * FROM users WHERE id = " + userId  // String concatenation

Content Policy Check

Artifact content is checked against a blocklist of forbidden keywords, domains, and patterns. This prevents packages containing:

Full Scan Report in Response

{
  "securityScanResult": "WARN",
  "checks": [
    {
      "checkName": "ExpressionInjection",
      "result":    "PASS",
      "findings":  []
    },
    {
      "checkName": "SqlInjection",
      "result":    "WARN",
      "findings": [
        {
          "artifactId":  "form-2005",
          "artifactType": "AtlasForm",
          "field":       "fields[2].dataSource.query",
          "pattern":     "String concatenation in SQL query",
          "severity":    "Warning",
          "suggestion":  "Use parameterized queries instead"
        }
      ]
    },
    {
      "checkName": "ContentPolicy",
      "result":    "PASS",
      "findings":  []
    }
  ]
}
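A minimal scanner that applies the expression and SQL rules described above to an artifact and returns a report in the same shape as the response document, as an added example and not Portal Community's own code; the rule regexes, the sample artifact and the 'Error' severity label for FAIL findings are assumptions.

```javascript
// Added example, not Portal Community's own scanner: a minimal pattern-based scanner that
// applies the FAIL/WARN rules described above to a constructed artifact and returns a report
// shaped like the response document. 'Error' as the FAIL severity label is an assumption.
const RANK = { PASS: 0, WARN: 1, FAIL: 2 };
const worst = (a, b) => (RANK[a] >= RANK[b] ? a : b);
const EXPRESSION_RULES = [
  { re: /__proto__/,                      result: 'FAIL', pattern: 'Prototype pollution' },
  { re: /\beval\s*\(/,                    result: 'FAIL', pattern: 'eval() usage' },
  { re: /constructor\s*\.\s*constructor/, result: 'FAIL', pattern: 'Constructor chain attack' },
  { re: /process\.env/,                   result: 'FAIL', pattern: 'Environment access attempt' },
  { re: /\brequire\s*\(/,                 result: 'WARN', pattern: 'Node.js require (unusual pattern)' },
  { re: /\b(window|document)\./,          result: 'WARN', pattern: 'DOM manipulation attempt' },
];
const SQL_RULES = [
  { re: /;\s*(DROP|DELETE|ALTER|TRUNCATE)\b/i, result: 'FAIL', pattern: 'Stacked statement' },
  { re: /'\s*OR\s*'[^']*'\s*=\s*'/i,           result: 'FAIL', pattern: 'Tautology injection' },
  { re: /"\s*\+|\+\s*"/,                       result: 'WARN', pattern: 'String concatenation in SQL query',
    suggestion: 'Use parameterized queries instead' },
];
// Yield every string leaf with its JSON path, e.g. "fields[2].dataSource.query".
function* strings(node, path = '') {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* strings(node[i], `${path}[${i}]`);
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) yield* strings(v, path ? `${path}.${k}` : k);
  } else if (typeof node === 'string') yield { path, key: path.split('.').pop(), value: node };
}
// One named check: apply `rules` to every string stored under `key`.
function runCheck(checkName, key, rules, artifact) {
  const findings = []; let result = 'PASS';
  for (const s of strings(artifact.content)) {
    if (s.key !== key) continue;
    for (const r of rules) if (r.re.test(s.value)) {
      result = worst(result, r.result);   // a single FAIL rule makes the whole check FAIL
      findings.push({ artifactId: artifact.id, artifactType: artifact.type, field: s.path,
        pattern: r.pattern, severity: r.result === 'FAIL' ? 'Error' : 'Warning',
        suggestion: r.suggestion || 'Remove the flagged pattern' });
    }
  }
  return { checkName, result, findings };
}
function scanArtifact(artifact) {   // overall result is the worst check result; FAIL is never downgraded
  const checks = [
    runCheck('ExpressionInjection', 'expression', EXPRESSION_RULES, artifact),
    runCheck('SqlInjection', 'query', SQL_RULES, artifact),
  ];
  return { securityScanResult: checks.reduce((acc, c) => worst(acc, c.result), 'PASS'), checks };
}
// Constructed sample mirroring the report above: only the third field's query is flagged.
const SAMPLE_FORM = { id: 'form-2005', type: 'AtlasForm', content: { fields: [
  { label: 'Email', expression: 'user.email' }, { label: 'Role', expression: 'user.role' },
  { label: 'Owner', dataSource: { query: '"SELECT * FROM users WHERE id = " + userId' } } ] } };
```

Calling scanArtifact(SAMPLE_FORM) yields securityScanResult WARN with a single SqlInjection finding on fields[2].dataSource.query; the ContentPolicy check is not modelled because the page does not publish its blocklist.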

For full details on the security scanning system, see Guide 8: Security Scanning.