{"id":14971813,"url":"https://github.com/grafana/plugin-validator","last_synced_at":"2026-03-10T10:07:25.665Z","repository":{"id":40542047,"uuid":"287891432","full_name":"grafana/plugin-validator","owner":"grafana","description":"Tool for validating Grafana community plugins","archived":false,"fork":false,"pushed_at":"2026-01-29T05:25:54.000Z","size":40889,"stargazers_count":34,"open_issues_count":8,"forks_count":6,"subscribers_count":135,"default_branch":"main","last_synced_at":"2026-01-29T18:48:09.321Z","etag":null,"topics":["keep","plugins-platform"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/grafana.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-08-16T06:58:43.000Z","updated_at":"2026-01-28T10:56:43.000Z","dependencies_parsed_at":"2023-10-24T03:29:02.399Z","dependency_job_id":"477288ac-c164-4c9e-8b25-5bd329553645","html_url":"https://github.com/grafana/plugin-validator","commit_stats":{"total_commits":261,"total_committers":25,"mean_commits":10.44,"dds":0.6704980842911877,"last_synced_commit":"ee3c97ad775682e11edc4236b36e7dfe3f9e0d41"},"previous_names":[],"tags_count":92,"template":false,"template_full_name":null,"purl":"pkg:github/grafana/plugin-validator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafana%2Fplugin-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/grafana%2Fplugin-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafana%2Fplugin-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafana%2Fplugin-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/grafana","download_url":"https://codeload.github.com/grafana/plugin-validator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grafana%2Fplugin-validator/sbom","scorecard":{"id":443168,"data":{"date":"2025-08-11","repo":{"name":"github.com/grafana/plugin-validator","commit":"f720abb05a69755a6856a955bb0a771ad16cb7a3"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.4,"checks":[{"name":"Code-Review","score":7,"reason":"Found 12/17 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 
'contents' permission set to 'read': .github/workflows/do-release.yml:19","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:12","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:54","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:84","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:12","Warn: no topLevel permission defined: .github/workflows/do-release.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: 
LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":4,"reason":"dependency not pinned by hash detected -- score normalized to 4","details":["Warn: containerImage not pinned by hash: Dockerfile:5","Warn: containerImage not pinned by hash: Dockerfile:29: pin your Docker image by updating alpine:3.21 to alpine:3.21@sha256:b6a6be0ff92ab6db8acd94f5d1b7a6c2f0f5d10ce3c24af348d333ac6da80685","Warn: downloadThenRun not pinned by hash: Dockerfile:18-23","Warn: downloadThenRun not pinned by hash: Dockerfile:18-23","Warn: pipCommand not pinned by hash: Dockerfile:18-23","Warn: downloadThenRun not pinned by hash: Dockerfile:38","Warn: pipCommand not pinned by hash: Dockerfile:41","Warn: npmCommand not pinned by hash: .github/workflows/release.yml:74","Info:   9 out of   9 GitHub-owned GitHubAction dependencies pinned","Info:   6 out of   6 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of   3 downloadThenRun dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: 
required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/grafana/.github/SECURITY.md:1","Info: Found linked content: github.com/grafana/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/grafana/.github/SECURITY.md:1","Info: Found text in security policy: github.com/grafana/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.28.1 not signed: https://api.github.com/repos/grafana/plugin-validator/releases/234284211","Warn: release artifact v0.28.0 not signed: https://api.github.com/repos/grafana/plugin-validator/releases/232206317","Warn: release artifact v0.27.2 not signed: https://api.github.com/repos/grafana/plugin-validator/releases/219740868","Warn: release artifact v0.27.1 not signed: https://api.github.com/repos/grafana/plugin-validator/releases/218304854","Warn: release artifact v0.27.0 not signed: https://api.github.com/repos/grafana/plugin-validator/releases/217001822","Warn: release artifact v0.28.1 does not have provenance: 
https://api.github.com/repos/grafana/plugin-validator/releases/234284211","Warn: release artifact v0.28.0 does not have provenance: https://api.github.com/repos/grafana/plugin-validator/releases/232206317","Warn: release artifact v0.27.2 does not have provenance: https://api.github.com/repos/grafana/plugin-validator/releases/219740868","Warn: release artifact v0.27.1 does not have provenance: https://api.github.com/repos/grafana/plugin-validator/releases/218304854","Warn: release artifact v0.27.0 does not have provenance: https://api.github.com/repos/grafana/plugin-validator/releases/217001822"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":9,"reason":"SAST tool is not run on all commits -- score normalized to 9","details":["Warn: 24 commits out of 25 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"131 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2023-1495 / GHSA-fxg5-wq6x-vr4w","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / 
GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2022-1059 / GHSA-69ch-w2m2-3vjp","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37","Warn: Project is vulnerable to: GO-2024-2918 / GHSA-m5vv-6r4h-3vj9","Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2022-0344 / GHSA-crp2-qrr5-8pq7","Warn: Project is vulnerable to: GO-2024-2846 / GHSA-c9cp-9c75-9v8c","Warn: Project is vulnerable to: GO-2022-0482 / GHSA-5ffw-gxpp-mxpf","Warn: Project is vulnerable to: GO-2022-1147 / GHSA-2qjp-425j-52j9","Warn: Project is vulnerable to: GO-2023-1573 / GHSA-259w-8hf6-59c2","Warn: Project is vulnerable to: GO-2023-1574 / GHSA-hmfx-3pcx-653p","Warn: Project is vulnerable to: GO-2023-2412 / GHSA-7ww5-4wqc-m92c","Warn: Project is vulnerable to: GO-2025-3528 / GHSA-265r-hfxg-fhmg","Warn: Project is vulnerable to: GO-2024-3036","Warn: Project is vulnerable to: GO-2024-3250 / GHSA-29wx-vh33-7x7r","Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2025-3372 / GHSA-6wxm-mpqj-6jpf","Warn: Project is vulnerable to: GO-2024-3140 / GHSA-xxxw-3j6h-q7h6","Warn: Project is vulnerable to: GHSA-grj5-8x6q-hc9q","Warn: Project is vulnerable to: GO-2023-2020 / GHSA-v86x-5fm3-5p7j","Warn: Project is vulnerable to: GO-2022-1130 / GHSA-7rg2-cxvp-9p7p","Warn: Project is vulnerable to: GO-2022-0968 / GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / 
GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8","Warn: Project is vulnerable to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g","Warn: Project is vulnerable to: GO-2022-0603 / GHSA-hp87-p4gw-j4gq","Warn: Project is vulnerable to: GO-2023-1765 / GHSA-2q89-485c-9j2x","Warn: Project is vulnerable to: GO-2024-2453 / GHSA-9763-4f94-gfch","Warn: Project is vulnerable to: GO-2025-3754 / GHSA-2x5j-vhc8-9cwm","Warn: Project is vulnerable to: GO-2024-2456 / GHSA-449p-3h89-pw88","Warn: Project is vulnerable to: GO-2024-2466 / GHSA-mw99-9chc-xw7r","Warn: Project is vulnerable to: GO-2025-3367 / GHSA-r9px-m959-cxf4","Warn: Project is vulnerable to: GO-2025-3368 / GHSA-v725-9546-7q7m","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-q8gg-vj6m-hgmj","Warn: Project is vulnerable to: GHSA-593m-55hh-j8gv","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-36jr-mh4h-2g58","Warn: Project is vulnerable to: GHSA-434g-2637-qmqr","Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m","Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw","Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p","Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747","Warn: Project is vulnerable to: 
GHSA-vjh7-7g9h-fjfh","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-pfq8-rq6v-vf5m","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh","Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq","Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488","Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g","Warn: Project is vulnerable to: GHSA-56x4-j7p9-fcf9","Warn: Project is vulnerable to: GHSA-v78c-4p63-2j6c","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59","Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j","Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-34q8-jcq6-mc37","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q","Warn: Project is vulnerable to: GHSA-hpx4-r86g-5jrg","Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2","Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: 
GHSA-3q56-9cc2-46j4","Warn: Project is vulnerable to: GHSA-82v2-mx6x-wq7q","Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2","Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5","Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-f9xv-q969-pqx4","Warn: Project is vulnerable to: GHSA-f6v4-cf5j-vf3w","Warn: Project is vulnerable to: GHSA-9pv7-vfvm-6vr7","Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j","Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22","Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp","Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33","Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959","Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6","Warn: Project is vulnerable to: GHSA-9p95-fxvg-qgq2","Warn: Project is vulnerable to: GHSA-9w5j-4mwv-2wj8","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3","Warn: Project is vulnerable to: GHSA-5r9g-qh6m-jxff","Warn: Project is vulnerable to: GHSA-r6ch-mqf9-qc9w","Warn: Project is vulnerable to: GHSA-wqq4-5wpv-mx2g","Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3","Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672","Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7","Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3","Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T06:01:40.567Z","repository_id":40542047,"created_at":"2025-08-19T06:01:40.567Z","updated_at":"2025-08-19T06:01:40.567Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29046503,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keep","plugins-platform"],"created_at":"2024-09-24T13:45:52.446Z","updated_at":"2026-02-13T13:09:52.972Z","avatar_url":"https://github.com/grafana.png","language":"Go","readme":"# Grafana Plugin Validator\n\n[![License](https://img.shields.io/github/license/grafana/plugin-validator)](LICENSE)\n[![Go Report Card](https://goreportcard.com/badge/github.com/grafana/plugin-validator)](https://goreportcard.com/report/github.com/grafana/plugin-validator)\n\nThis tool helps speed up the process of publishing plugins to [Grafana.com](https://grafana.com/grafana/plugins/). It runs a series of [analyzers](#analyzers) to ensure plugins are following best practices, checking for security and structural issues, as well as specific requirements related to publishing. 
A general overview of these requirements can be found here: \u003chttps://grafana.com/docs/grafana/latest/developers/plugins/publishing-and-signing-criteria/\u003e.\n\nIt requires a path to a remote or local ZIP archive of the plugin to be specified, for example:\n\n- **Remote**: `https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip`\n- **Local**: `file://Users/me/Downloads/grafana-clock-panel-2.1.2.zip`\n\nYou can _additionally_ provide a link to the source code for the project with `-sourceCodeUri` to enable additional analyzers such as the Vulnerability Scan.\n\n## Installation and usage\n\nEnsure that your version of Go matches the one specified in the `go.mod` file to avoid compatibility issues\n\n### Docker (recommended)\n\nIt is easiest to run the tool using the Docker image as it contains all the [security scanning tools](#security-tools) needed for the full set of analyzers - so you don't need to have these additional tools installed on your system.\n\n```SHELL\ndocker run --pull=always grafana/plugin-validator-cli [options] [http://yourdomain/plugin_archive.zip]\n```\n\n#### Example 1 (basic)\n\n```SHELL\ndocker run --pull=always grafana/plugin-validator-cli https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip\n```\n\n#### Example 2 (specifying source code location)\n\n```SHELL\ndocker run --pull=always grafana/plugin-validator-cli -sourceCodeUri https://github.com/grafana/clock-panel/tree/v2.1.2 https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip\n```\n\n#### Using a local archive file with Docker\n\nTo run the tool with a local archive you will need to mount it as a docker volume. 
Here's an example:\n\n```SHELL\ndocker run --pull=always -v /path/to/plugin_archive.zip:/archive.zip grafana/plugin-validator-cli /archive.zip\n```\n\n\u003e [!NOTE]\n\u003e If using relative paths your path must start with `./`\n\n#### Using a local archive file and local source code\n\n```SHELL\ndocker run --pull=always -v /path/to/plugin_archive.zip:/archive.zip -v /path/to/source_code:/source_code grafana/plugin-validator-cli -sourceCodeUri file:///source_code /archive.zip\n```\n\n\u003e [!NOTE]\n\u003e If using relative paths your path must start with `./`\n\n### NPX\n\n```SHELL\nnpx -y @grafana/plugin-validator@latest -sourceCodeUri [options] [path/to/plugin_archive.zip]\n```\n\n### Locally\n\nFirst you must compile and install it:\n\n```SHELL\ngit clone git@github.com:grafana/plugin-validator.git\ncd plugin-validator/pkg/cmd/plugincheck2\ngo install\n```\n\nThen you can run the utility:\n\n```SHELL\nplugincheck2 -sourceCodeUri [source_code_location/] [plugin_archive.zip]\n```\n\n### Generating local files For validation\n\nYou must create a `.zip` archive containing the `dist/` directory but named as your plugin ID:\n\n```SHELL\nPLUGIN_ID=$(grep '\"id\"' \u003c src/plugin.json | sed -E 's/.*\"id\" *: *\"(.*)\".*/\\1/')\ncp -r dist \"${PLUGIN_ID}\"\nzip -qr \"${PLUGIN_ID}.zip\" \"${PLUGIN_ID}\"\nnpx @grafana/plugin-validator@latest -sourceCodeUri file://. \"${PLUGIN_ID}.zip\"\n```\n\nYou can optionally remove the files that were generated:\n\n```SHELL\nrm -r \"${PLUGIN_ID}\" \"${PLUGIN_ID}.zip\"\n```\n\n## Options\n\nAdditional options can be passed to the tool:\n\n```BASH\n❯ plugincheck2 -help\nUsage plugincheck2:\n  -config string (optional)\n        Path to configuration file\n  -sourceCodeUri string (optional)\n        URI to the source code of the plugin. If set, the source code will be downloaded and analyzed. 
This can be a ZIP file URL, a URL to git repository or a local file (starting with `file://`)\n  -strict (optional)\n        If set, plugincheck returns non-zero exit code for warnings\n  -checksum string (optional)\n        If set, the checksum of the plugin archive will be checked against this value. MD5 and SHA256 are supported.\n  -analyzer string (optional)\n        If set, only an specific analyzer and it's dependencies will run.\n  -severity string (optional)\n        If used, it will set the severity of the analyzer (it has the highest priority).\n\n```\n\n### Using a configuration file\n\nYou can pass a configuration YAML file to the validator with the `-config` option. Several configuration examples are available to use here: \u003chttps://github.com/grafana/plugin-validator/tree/main/config\u003e.\n\n#### Enabling and disabling analyzers via config\n\nIf you want to disable an specific check (analyzer) you can define this in your [configuration file](#using-a-configuration-file), adding an `analyzers` section, and specifying which analyzer or analyzer rules to enable and disable.\n\nFor example, disable the `version` analyzer:\n\n```yaml\nglobal:\n  enabled: true\n  jsonOutput: false\n  reportAll: false\n\nanalyzers:\n  version:\n    enabled: false\n```\n\nYou can also disable specific rules or change their severity level:\n\n```yaml\nglobal:\n  enabled: true\n  jsonOutput: false\n  reportAll: false\n\nanalyzers:\n  readme:\n    rules:\n      missing-readme:\n        enabled: true\n        severity: warning\n```\n\nSeverity levels could be: `error`, `warning`, or `ok`.\n\n\u003e Note: Grafana Labs enforces its own configuration for plugins submissions and your own config file can't change these rules.\n\n#### Excluding a plugin from an analyzer or rule\n\nIt's also possible to exclude a specific plugin from an analyzer or a specific rule within an analyzer. 
This is useful when a particular check is not applicable to your plugin.\n\nTo disable an entire analyzer for a plugin, add an `exceptions` list with the plugin ID.\n\n```yaml\nanalyzers:\n  some-analyzer:\n    enabled: true\n    # This entire analyzer will be skipped for 'my-plugin-id'\n    exceptions:\n      - my-plugin-id\n```\n\nTo disable a single rule for a plugin, add the `exceptions` list to the rule's configuration.\n\n```yaml\nanalyzers:\n  some-analyzer:\n    rules:\n      some-rule:\n        enabled: true\n        # This rule will be skipped for 'my-plugin-id'\n        exceptions:\n          - my-plugin-id\n```\n\n\n### Source code\n\nYou can specify the location of the plugin source code to the validator with the `-sourceCodeUri` option. Doing so allows for additional [analyzers](#analyzers) to be run and for a more complete scan.\n\n### Supported remote Git services\n\nThe following **public** Git services are supported:\n\n- GitHub\n- GitLab\n- Bitbucket\n\nPrivate repositories are not currently supported.\n\nMake sure to include the `ref` (branch or tag) of the corresponding source code.\n\nFor example: you are validating version `v2.1.2` and your project is in GitHub. 
Make sure you create a corresponding tag or branch and use the URL `https://github.com/grafana/clock-panel/tree/v2.1.2`.\n\n## Debug mode\n\nYou can run the validator in debug mode to get more information about the running checks and possible errors.\n\nDocker:\n\n```SHELL\ndocker run --pull=always -e DEBUG=1 grafana/plugin-validator-cli -sourceCodeUri https://github.com/grafana/clock-panel/tree/v2.1.2 https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip\n```\n\nNPX:\n\n```SHELL\nDEBUG=1 npx -y @grafana/plugin-validator@latest -sourceCodeUri https://github.com/grafana/clock-panel/tree/v2.1.2 https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip\n```\n\nLocally:\n\n```SHELL\nDEBUG=1 plugincheck2 -sourceCodeUri https://github.com/grafana/clock-panel/tree/v2.1.2 https://github.com/grafana/clock-panel/releases/download/v2.1.2/grafana-clock-panel-2.1.2.zip\n```\n\n## Security tools\n\nThis validator makes uses of the following open source security tools:\n\n- [osv-scanner](https://github.com/google/osv-scanner)\n- [semgrep](https://github.com/returntocorp/semgrep)\n- [gosec](https://github.com/securego/gosec)\n\nIf you run the validator locally or via NPX you can benefit from installing these tools in your system to make them part of your validation checks.\n\n---\n\n## Analyzers\n\nThe tool runs a series of analyzers to ensure submitted plugins are following best practices, and speed up the process of approving a plugin for publishing, detailed in the table below. The _Analyzer_ column includes the name required for altering the behavior of a given check in a [configuration file](#using-a-configuration-file). 
The _Dependencies_ column specifies whether the analyzer requires the source code for the plugin to be provided with `sourceCodeUri` or for any additional [security scanning tools](#security-tools) to be present.

<!-- analyzers-table-start -->
<!--
THE FOLLOWING SECTION IS GENERATED, DO NOT EDIT.
Run "mage gen:readme" to regenerate this section.
-->
| Analyzer | Description | Dependencies |
|----------|-------------|--------------|
| Archive Name / `archivename` | The name of the archive should be correctly formatted. | None |
| Archive Structure / `archive` | Ensures the contents of the zip file have the expected layout. | None |
| Backend Binary / `backendbinary` | Validates the consistency between the existence of a binary file and `plugin.json` declarations for backend or alerting. | None |
| Backend Debug / `backenddebug` | Checks that the standalone debug files for backend plugins are not present. | None |
| Binary Permissions / `binarypermissions` | For datasources and apps with binaries, this ensures the plugin can run when extracted on a system. | None |
| Broken Links / `brokenlinks` | Detects if any URL doesn't resolve to a valid location. | None |
| Build Tools / `buildtools` | Checks that the plugin uses Grafana's standard create-plugin build tooling. | None |
| Changelog (exists) / `changelog` | Ensures a `CHANGELOG.md` file exists within the zip file. | None |
| Checksum / `checksum` | Validates that the passed checksum (as a validator arg) is the one calculated from the archive file. | `checksum` |
| Circular Dependencies / `circulardependencies` | Ensures that there aren't any circular dependencies between plugins (`plugin.json`, `dependencies.plugins` field). | None |
| Code Diff / `codediff` |  | Google API Key with Generative AI access |
| Code Rules / `code-rules` | Checks for forbidden access to environment variables, file system or use of syscall module. | [semgrep](https://github.com/returntocorp/semgrep), `sourceCodeUri` |
| Developer Jargon / `jargon` | Generally discourages use of code jargon in the documentation. | None |
| Discoverability / `discoverability` | Warns about missing keywords and description that are used for plugin indexing in the catalog. | None |
| Go Manifest / `go-manifest` | Validates the build manifest. | None |
| Go Security Checker / `go-sec` | Inspects source code for security problems by scanning the Go AST. | [gosec](https://github.com/securego/gosec), `sourceCodeUri` |
| JS Source Map / `jsMap` | Checks for required `module.js.map` file(s) in archive. | `sourceCodeUri` |
| Legacy Grafana Toolkit usage / `legacybuilder` | Detects the usage of the no longer supported Grafana Toolkit. | None |
| Legacy Platform / `legacyplatform` | Detects use of Angular, which is deprecated. | None |
| License Type / `license` | Checks the declared license is one of: BSD, MIT, Apache 2.0, LGPL3, GPL3, AGPL3. | None |
| LLM Review / `llmreview` | Runs the code through Gemini LLM to check for security issues or disallowed usage. | Gemini API key |
| Logos / `logos` | Detects whether the plugin includes small and large logos to display in the plugin catalog. | None |
| Manifest (Signing) / `manifest` | When a plugin is signed, the zip file will contain a signed `MANIFEST.txt` file. | None |
| Metadata / `metadata` | Checks that `plugin.json` exists and is valid. | None |
| Metadata Paths / `metadatapaths` | Ensures all paths are valid and images referenced exist. | None |
| Metadata Validity / `metadatavalid` | Ensures metadata is valid and matches plugin schema. | None |
| module.js (exists) / `modulejs` | All plugins require a `module.js` to be loaded. | None |
| Nested includes metadata / `includesnested` | Validates that nested plugins have the correct metadata. | None |
| Nested Metadata / `nestedmetadata` | Recursively checks that all `plugin.json` exist and are valid. | None |
| No Tracking Scripts / `trackingscripts` | Detects if there are any known tracking scripts, which are not allowed. | None |
| Organization (exists) / `org` | Verifies the org specified in the plugin ID exists. | None |
| package.json / `packagejson` | Ensures that `package.json` exists and the version matches the `plugin.json`. | None |
| Plugin Name formatting / `pluginname` | Validates the plugin ID used conforms to our naming convention. | None |
| Provenance attestation validation / `provenance` | Validates the provenance attestation if the plugin was built with a pipeline supporting provenance attestation (e.g. GitHub Actions). | None |
| Published / `published-plugin` | Detects whether any version of this plugin currently exists in the Grafana plugin catalog. | None |
| Readme (exists) / `readme` | Ensures a `README.md` file exists within the zip file. | None |
| Restrictive Dependency / `restrictivedep` | Specifies a valid range of Grafana versions that work with this version of the plugin. | None |
| Safe Links / `safelinks` | Checks that links from `plugin.json` are safe. | None |
| Screenshots / `screenshots` | Screenshots are specified in `plugin.json` that will be used in the Grafana plugin catalog. | None |
| SDK Usage / `sdkusage` | Ensures that `grafana-plugin-sdk-go` is up-to-date. | None |
| Signature / `signature` | Ensures the plugin has a valid signature. | None |
| Source Code / `sourcecode` | A comparison is made between the zip file and the source code to ensure what is released matches the repo associated with it. | `sourceCodeUri` |
| Sponsorship Link / `sponsorshiplink` | Checks if a sponsorship link is specified in `plugin.json` that will be shown in the Grafana plugin catalog for users to support the plugin developer. | None |
| Type Suffix (panel/app/datasource) / `typesuffix` | Ensures the plugin has a valid type specified. | None |
| Unique README.md / `templatereadme` | Ensures the plugin doesn't re-use the template from the `create-plugin` tool. | None |
| Unsafe SVG / `unsafesvg` | Checks whether any SVG files are safe based on a whitelist of elements and attributes. | None |
| Version / `version` | Ensures the version submitted is newer than the currently published plugin. If this is a new/unpublished plugin, this is skipped. | None |
| Virus Scan / `virusscan` | Runs a virus scan on the plugin archive and source code using `clamscan` (`clamav`). | clamscan |
| Vulnerability Scanner / `osv-scanner` | Detects critical vulnerabilities in Go modules and yarn lock files. | [osv-scanner](https://github.com/google/osv-scanner), `sourceCodeUri` |
<!-- analyzers-table-end -->

## Output

By default, the tool outputs results in plain text as shown below.

Default:

```text
warning: README.md: possible broken link: https://www.d3js.org (404 Not Found)
detail: README.md might contain broken links. Check that all links are valid and publicly accessible.
warning: README.md contains developer jargon: (yarn)
detail: Move any developer and contributor documentation to a separate file and link to it from the README.md. For example, CONTRIBUTING.md, DEVELOPMENT.md, etc.
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package immer, vulnerable to CVE-2021-23436
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package json-schema, vulnerable to CVE-2021-3918
error: Plugin version 0.0.9 is invalid.
detail: The submitted plugin version 0.0.9 is not greater than the latest published version 0.0.9 on grafana.com.
```

This can be changed to JSON by passing a configuration file which includes:

```yaml
global:
  jsonOutput: true
```

Resulting in output similar to:

```json
{
  "id": "briangann-gauge-panel",
  "version": "0.0.9",
  "plugin-validator": {
    "brokenlinks": [
      {
        "Severity": "warning",
        "Title": "README.md: possible broken link: https://www.d3js.org (404 Not Found)",
        "Detail": "README.md might contain broken links. Check that all links are valid and publicly accessible.",
        "Name": "broken-link"
      }
    ],
    "jargon": [
      {
        "Severity": "warning",
        "Title": "README.md contains developer jargon: (yarn)",
        "Detail": "Move any developer and contributor documentation to a separate file and link to it from the README.md. For example, CONTRIBUTING.md, DEVELOPMENT.md, etc.",
        "Name": "developer-jargon"
      }
    ],
    "osv-scanner": [
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package immer, vulnerable to CVE-2021-23436",
        "Name": "osv-scanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package json-schema, vulnerable to CVE-2021-3918",
        "Name": "osv-scanner-critical-severity-vulnerabilities-detected"
      }
    ],
    "version": [
      {
        "Severity": "error",
        "Title": "Plugin version 0.0.9 is invalid.",
        "Detail": "The submitted plugin version 0.0.9 is not greater than the latest published version 0.0.9 on grafana.com.",
        "Name": "wrong-plugin-version"
      }
    ]
  }
}
```

### Severity

By default, the tool will show any warning- or error-level results from the analyzers. To see all results including successes, you can pass a configuration file which includes:

```yaml
global:
  reportAll: true
```

## Getting Help

- :open_book: Check out our plugin [documentation](https://grafana.com/developers/plugin-tools).
- :handshake: Join the [community forum](https://community.grafana.com/tag/plugins).
- :speech_balloon: Chat to us in the Grafana Slack [#plugins channel](https://grafana.slack.com/archives/C3HJV5PNE).
- :memo: [File an issue](https://github.com/grafana/plugin-validator/issues) for any bugs or feature requests.

## License

Grafana Plugin Validator is distributed under the [Apache 2.0 License](https://github.com/grafana/plugin-validator/blob/master/LICENSE).
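The JSON output described under Output above is the natural input for a release gate in CI. The following program is an added example, not part of the plugin-validator project: it decodes the `plugin-validator` map (analyzer name to a list of findings with `Severity`, `Title`, `Detail` and `Name`), counts error and warning findings, names the analyzers that raised errors, and exits non-zero on any error-level finding; `Gate` and the embedded `sample` report are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Finding is one entry in the "plugin-validator" map; encoding/json matches the
// report's capitalised keys (Severity, Title, Name) to these fields by name.
type Finding struct{ Severity, Title, Name string }

// Gate parses the validator's JSON output, counts error and warning findings and
// lists the analyzers that raised errors (sorted, because map order is random).
func Gate(raw []byte) (errors, warnings int, failed []string, err error) {
	var r struct {
		Findings map[string][]Finding `json:"plugin-validator"` // keyed by analyzer
	}
	if err = json.Unmarshal(raw, &r); err != nil {
		return 0, 0, nil, fmt.Errorf("invalid validator output: %w", err)
	}
	for analyzer, list := range r.Findings {
		before := errors
		for _, f := range list {
			switch f.Severity {
			case "error":
				errors++
			case "warning":
				warnings++
			}
		}
		if errors > before {
			failed = append(failed, analyzer)
		}
	}
	sort.Strings(failed)
	return errors, warnings, failed, nil
}

// sample is a constructed report in the shape shown above, not real tool output.
const sample = `{"id":"example-panel","version":"1.2.3","plugin-validator":{
 "jargon":[{"Severity":"warning","Title":"README.md contains developer jargon: (yarn)","Name":"developer-jargon"}],
 "osv-scanner":[{"Severity":"error","Title":"osv-scanner detected a critical severity issue","Name":"osv-scanner-critical-severity-vulnerabilities-detected"}],
 "version":[{"Severity":"error","Title":"Plugin version 1.2.3 is invalid.","Name":"wrong-plugin-version"}]}}`

func main() {
	e, w, failed, err := Gate([]byte(sample))
	fmt.Println("errors:", e, "warnings:", w, "failing analyzers:", failed, "parse error:", err)
	if err != nil || e > 0 {
		os.Exit(1) // unparsable output or any error-level finding blocks the release
	}
}
```

In a pipeline, replace `sample` with the file written by the validator when `jsonOutput: true` is set; unparsable output is treated as a failure rather than a pass.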