Security review #10

@boazpoolman

Description

Apart from the manual business review we have to do an (automated) security review. In the current marketplace an API request is made to OSS Index to see if there are any known security vulnerabilities with the plugin. In practice the security review never fails because the plugins get a relatively low number of downloads (compared to Express, for example) and thus will never have known vulnerabilities.

In the marketplace 2.0 we have to rethink how we go about an automated security review. Maybe we can use AI for this? Going through the code and seeing if strange things are happening (e.g. random HTTP requests). Apart from that I would like to see us doing a vulnerability scan of the dependencies used by the plugin, basically a `yarn audit`. That should give more insight.

The result of this automated security review should be stored in the Strapi application, ideally with a human-readable message we can send to the plugin developer when the review did not pass.
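The `yarn audit` step described above, as an added example that is not part of the issue or of the marketplace code: it parses Yarn 1 (classic) `yarn audit --json` output, which is assumed to be NDJSON with `auditAdvisory` and `auditSummary` entries, and produces the pass/fail verdict and human-readable message the issue asks to store. The package names and URLs in the sample are placeholders, not real advisories.

```javascript
// Added example, not the marketplace's own code: turn a plugin's
// `yarn audit --json` output into a pass/fail verdict plus a human-readable
// message for the plugin developer. Assumes Yarn 1 (classic) NDJSON output:
// one JSON object per line with type "auditAdvisory" or "auditSummary".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON into the list of advisories and the final per-severity counts.
function parseYarnAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // ignore non-JSON noise
    if (entry.type === 'auditAdvisory') {
      const a = entry.data.advisory;
      advisories.push({
        module: a.module_name, severity: a.severity, title: a.title, url: a.url,
        vulnerable: a.vulnerable_versions, patched: a.patched_versions,
        path: entry.data.resolution ? entry.data.resolution.path : undefined,
      });
    } else if (entry.type === 'auditSummary') {
      summary = entry.data.vulnerabilities;
    }
  }
  return { advisories, summary };
}

// Review verdict: fail when any advisory is at or above the `failAt` severity.
// The message is what would be stored in Strapi and sent to the developer.
function reviewPlugin(ndjson, failAt = 'high') {
  const { advisories } = parseYarnAudit(ndjson);
  const blocking = advisories.filter(a => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[failAt]);
  const details = blocking.map(a =>
    `- ${a.module} (${a.severity}) via ${a.path}: ${a.title}. Vulnerable ${a.vulnerable}, fixed in ${a.patched}. ${a.url}`);
  const message = blocking.length === 0
    ? `Dependency audit passed: no vulnerabilities at or above ${failAt} severity.`
    : `Dependency audit failed (${blocking.length} finding(s) at or above ${failAt} severity):\n${details.join('\n')}`;
  return { passed: blocking.length === 0, blocking, message };
}

// Constructed sample audit output (placeholder packages and URLs, not real advisories).
const SAMPLE_AUDIT = [
  { type: 'auditAdvisory', data: { resolution: { path: 'my-plugin>dep-a' }, advisory: { module_name: 'dep-a', severity: 'high', title: 'Prototype pollution', url: 'https://example.invalid/advisory/1', vulnerable_versions: '<2.0.1', patched_versions: '>=2.0.1' } } },
  { type: 'auditAdvisory', data: { resolution: { path: 'my-plugin>dep-b' }, advisory: { module_name: 'dep-b', severity: 'low', title: 'Regular expression denial of service', url: 'https://example.invalid/advisory/2', vulnerable_versions: '<1.3.0', patched_versions: '>=1.3.0' } } },
  { type: 'auditSummary', data: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } } },
].map(o => JSON.stringify(o)).join('\n');

console.log(reviewPlugin(SAMPLE_AUDIT).message);
```

In a real pipeline the NDJSON would come from `execSync('yarn audit --json')` run in the plugin's checkout, with the non-zero exit code that `yarn audit` returns on findings handled rather than treated as a crash.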
