InstallHub
Security Scan
Every package submitted to the marketplace undergoes a mandatory security scan before listing. A scan result of PASS is required. Packages that receive FAIL are rejected immediately and must be fixed before resubmission.
Status: Phase 3 — PENDING. This feature is planned but not yet implemented.
Scan Results
| Result | Meaning | Can List? | Shown to Installers? |
|---|---|---|---|
| PASS | No security issues detected | Yes | Green shield badge |
| WARN | Low-severity findings — non-blocking | Yes | Yellow shield badge with warning count |
| FAIL | Critical security findings — listing blocked | No | Not listed |
Scan Checks Performed
| Check | Severity on Detection | What It Scans |
|---|---|---|
| Expression Injection | FAIL | All expression fields across all artifact types for environment variable exfiltration patterns, raw code eval, data extraction patterns |
| SQL Injection | FAIL | Any EntitySchema or RuleSet fields containing raw SQL fragments, UNION attacks, drop table patterns |
| Credential Exposure | FAIL | README, descriptions, and config fields for API keys, passwords, connection strings, PEM keys |
| Dependency Vulnerability (CVE) | FAIL (critical CVE) / WARN (medium CVE) | Package dependencies listed in manifest against NVD and OSV databases |
| Content Policy | FAIL (prohibited) / WARN (borderline) | README and description text for prohibited content types |
| Malicious URL | FAIL | All URLs in manifest and README against threat intelligence feeds |
| Unsafe File Types | FAIL | ZIP contents for executable files, scripts, binary blobs outside of expected artifact JSON files |
Scan Report
GET /api/marketplace/submissions/{submissionId}/scan-report

```json
{
  "submissionId": "sub-a1b2c3d4",
  "overallResult": "FAIL",
  "scannedAt": "2026-05-25T14:05:00Z",
  "durationMs": 3421,
  "checks": [
    {
      "check": "ExpressionInjection",
      "result": "FAIL",
      "severity": "Critical",
      "findings": [
        {
          "artifactType": "ProcessDefinition",
          "artifactName": "EmployeeOnboarding",
          "field": "nodes[2].config.expression",
          "value": "{{env.DATABASE_PASSWORD}}",
          "rule": "EnvironmentVariableExfiltration",
          "message": "Expression accesses environment variable 'DATABASE_PASSWORD' — this pattern is blocked in marketplace packages"
        }
      ]
    },
    {
      "check": "CredentialExposure",
      "result": "PASS",
      "findings": []
    },
    {
      "check": "DependencyVulnerability",
      "result": "WARN",
      "findings": [
        {
          "dependency": "acme-corp/form-utils@1.0.0",
          "cve": "CVE-2026-12345",
          "severity": "Medium",
          "message": "Dependency 'acme-corp/form-utils' version 1.0.0 has a medium-severity XSS vulnerability. Update to 1.0.1 or later."
        }
      ]
    }
  ]
}
```
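The checks table above describes what each scan looks for, and the report shows how findings are rolled up into an overall result. The following Python is an added illustration, not InstallHub's scanner: it implements three of the checks that can run offline (Expression Injection, Credential Exposure, Unsafe File Types) over a constructed submission and emits a report in the same shape as the `/scan-report` response. The regexes, the `definition` key used to hold artifact content, the `zipEntries` listing, the allowed-extension set, and the rule names other than `EnvironmentVariableExfiltration` are this example's assumptions; the CVE, Content Policy and Malicious URL checks are omitted because they need external data feeds.

```python
"""Added example: offline subset of the marketplace scan checks (not the platform's own code)."""
import re
from pathlib import PurePosixPath

# Assumed roll-up rule matching the Scan Results table: any FAIL -> FAIL, else any WARN -> WARN, else PASS.
_RANK = {"PASS": 0, "WARN": 1, "FAIL": 2}

# Detection patterns (assumed; the page names the categories, not the exact expressions).
ENV_REF = re.compile(r"\{\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
SECRET_ASSIGN = re.compile(
    r"(?i)\b(api[_-]?key|password|secret|connection[_-]?string)\b\s*[:=]\s*[\"']?([^\s\"']+)")
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")          # e.g. <YOUR_API_KEY> is acceptable
ALLOWED_SUFFIXES = {".json", ".md"}               # constructed allow-list for ZIP entries


def _walk(obj, path=""):
    """Yield (json-path, value) for every string leaf, producing paths like 'nodes[2].config.expression'."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def check_expression_injection(package):
    """Flag every {{env.X}} reference found in any artifact field."""
    findings = []
    for art in package["artifacts"]:
        for path, value in _walk(art["definition"]):
            for m in ENV_REF.finditer(value):
                findings.append({
                    "artifactType": art["artifactType"], "artifactName": art["artifactName"],
                    "field": path, "value": m.group(0), "rule": "EnvironmentVariableExfiltration",
                    "message": f"Expression accesses environment variable '{m.group(1)}'"})
    return {"check": "ExpressionInjection", "result": "FAIL" if findings else "PASS", "findings": findings}


def check_credential_exposure(package):
    """Flag PEM private keys and secret assignments whose value is not a placeholder."""
    findings = []
    texts = [("README", package.get("readme", ""))]
    for art in package["artifacts"]:
        texts += [(f"{art['artifactName']}:{p}", v) for p, v in _walk(art["definition"])]
    for where, text in texts:
        if PEM_KEY.search(text):
            findings.append({"field": where, "rule": "PrivateKeyMaterial", "message": "PEM private key found"})
        for m in SECRET_ASSIGN.finditer(text):
            if not PLACEHOLDER.match(m.group(2)):
                findings.append({"field": where, "rule": "HardcodedSecret",
                                 "message": f"'{m.group(1)}' has a literal value; use a placeholder"})
    return {"check": "CredentialExposure", "result": "FAIL" if findings else "PASS", "findings": findings}


def check_unsafe_file_types(package):
    """Flag ZIP entries whose extension is outside the expected artifact/document set."""
    findings = []
    for name in package["zipEntries"]:
        suffix = PurePosixPath(name).suffix.lower()
        if suffix not in ALLOWED_SUFFIXES:
            findings.append({"file": name, "rule": "UnsafeFileType",
                             "message": f"'{suffix or 'no extension'}' entries are not permitted"})
    return {"check": "UnsafeFileType", "result": "FAIL" if findings else "PASS", "findings": findings}


def scan(package):
    """Run all checks and roll them up into a report shaped like the scan-report response."""
    checks = [check_expression_injection(package),
              check_credential_exposure(package),
              check_unsafe_file_types(package)]
    overall = max((c["result"] for c in checks), key=_RANK.__getitem__)
    return {"submissionId": package["submissionId"], "overallResult": overall, "checks": checks}


# Constructed sample submission: trips the expression and file-type checks, passes credential exposure.
BAD_PACKAGE = {
    "submissionId": "sub-example-bad",
    "readme": "Set API_KEY=<YOUR_API_KEY> before running.",
    "artifacts": [{
        "artifactType": "ProcessDefinition",
        "artifactName": "EmployeeOnboarding",
        "definition": {"nodes": [
            {"config": {"expression": "{{input.employeeId}}"}},
            {"config": {"expression": "upper({{input.name}})"}},
            {"config": {"expression": "{{env.DATABASE_PASSWORD}}"}},
        ]},
    }],
    "zipEntries": ["manifest.json", "artifacts/EmployeeOnboarding.json", "scripts/setup.sh"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan(BAD_PACKAGE), indent=2))
```

The `field` path produced by `_walk` matches the form used in the report (`nodes[2].config.expression`), and the placeholder regex is what lets a README that documents `API_KEY=<YOUR_API_KEY>` pass while a literal value would fail, which is the distinction the fixes table below relies on.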
Common Scan Failures and Fixes
| Failure | Common Cause | Fix |
|---|---|---|
| EnvironmentVariableExfiltration | Using `{{env.X}}` expressions in workflow nodes | Remove all `env.*` expression references. Use tenant-configured parameters instead. |
| CredentialExposure | API key or password left in a config field or README example | Replace real credentials with `<YOUR_API_KEY>` placeholders in all documentation and configs. |
| MaliciousUrl | A screenshot or documentation URL flagged by threat intelligence | Review all URLs in manifest and README. Use only your organization's verified domain. |
| UnsafeFileType | A .sh, .exe, or .dll file accidentally included in the ZIP | Rebuild the package using the standard export pipeline. Do not manually modify the ZIP contents. |
Requesting a False Positive Review
If you believe a scan result is a false positive, include a `falsePositiveExplanation` field with your resubmission explaining why the flagged pattern is not a security risk. The review team will assess the explanation before listing the package.