How secure are community built Grafana plugins?

Hi, I’m trying to understand how the plugin framework in Grafana works when it comes to securing customers’ data. Is there anything in the plugin framework that prevents plugins from sending data to an external endpoint, for example?

Thanks plsalvado for raising this question.

Dear Grafana team, how can we know whether any of the installed plugins has a vulnerability or is outdated?

Wondering same, would be interested to know if there’s a mechanism of officially endorsed community plugins.

Good question.
I am interested to know how the plugins are secured from connecting to the outside world.

It would be helpful if anybody could answer plsalvado’s question; I am also waiting for an answer.

Thanks

That is an incredibly broad question. Are you talking about plugins hosted on the Grafana site specifically? @marcusolsson can give you the specifics regarding what checks they go through.

Hi @dianapayton,

Any update on this request?

There’s nothing in the framework that stops a panel plugin from making external requests; this applies to both panel and data source plugins.

When we review each plugin, we do our best to look for tracking scripts and other suspicious activity, but I strongly recommend that you configure your network to only allow traffic you’ve approved.

Data source plugins have the option to encrypt configuration in the Grafana database and only decrypt on the Grafana server. You can read more about this in Add authentication for data source plugins.

Panel options and configuration are saved as part of your dashboard definition. Never enter secrets into panel options, as they can be viewed in cleartext by examining the dashboard JSON.

Commercial plugins get extra attention, along with verified signatures.
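The point about panel options being stored in cleartext in the dashboard JSON can be checked on your own exports. The script below is an added example written for this thread, not Grafana’s own tooling or the poster’s code. It assumes the exported dashboard shape (a top-level `panels` list, row panels nesting their own `panels`, and per-panel `options`, `fieldConfig` and `targets` objects), walks every panel, and flags option values that look like credentials by key name, by well-known token prefix, or by character entropy. The embedded dashboard and the token-like strings in it are constructed sample data.

```python
"""Flag cleartext secrets in an exported Grafana dashboard.

Added example for this thread, not Grafana's own code. It assumes the exported
dashboard shape (a top-level "panels" list, row panels nesting their own
"panels", and per-panel "options", "fieldConfig" and "targets" objects) and
runs against a constructed sample dashboard embedded below.
"""
import json
import math
import re
import sys
from collections import Counter

# Option keys whose value is almost certainly a credential.
SECRET_KEY_RE = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|auth|credential|private[_-]?key)", re.I
)
# Well-known credential prefixes (GitHub, GitLab, Slack, AWS access key IDs, JWTs).
SECRET_VALUE_RE = re.compile(
    r"^(ghp_|glpat-|xox[abp]-|AKIA[0-9A-Z]{16}|eyJ[A-Za-z0-9_-]{10,}\.)"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; random-looking strings exceed this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(key: str, value) -> bool:
    """Heuristic: credential-like key, known token prefix, or long high-entropy blob."""
    if not isinstance(value, str) or len(value) < 8:
        return False
    if SECRET_KEY_RE.search(key) or SECRET_VALUE_RE.match(value):
        return True
    # A bare URL is high-entropy but not a secret unless it carries a query string or userinfo.
    if value.startswith(("http://", "https://")) and "?" not in value and "@" not in value:
        return False
    return len(value) >= 20 and " " not in value and shannon_entropy(value) > ENTROPY_THRESHOLD


def iter_panels(panels, prefix="panels"):
    """Yield (json_path, panel) for every panel, descending into row panels."""
    for i, panel in enumerate(panels):
        path = f"{prefix}[{i}]"
        yield path, panel
        yield from iter_panels(panel.get("panels", []), f"{path}.panels")


def iter_leaves(obj, path, key=""):
    """Yield (json_path, nearest_key, value) for every scalar leaf under obj."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_leaves(v, f"{path}.{k}", k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, obj


def find_secrets(dashboard: dict) -> list:
    """Return one finding per suspicious value; only a short, redacted preview is kept."""
    findings = []
    for panel_path, panel in iter_panels(dashboard.get("panels", [])):
        for section in ("options", "fieldConfig", "targets"):
            for path, key, value in iter_leaves(panel.get(section), f"{panel_path}.{section}"):
                if looks_like_secret(key, value):
                    findings.append({"panel": panel.get("title", "?"), "path": path,
                                     "preview": value[:4] + "..."})
    return findings


def scan_dashboard_json(text: str) -> list:
    return find_secrets(json.loads(text))


# Constructed sample export: one clean panel, one third-party panel holding a token-like
# value (fake), and a row whose nested panel has a password and a random-looking label.
SAMPLE_DASHBOARD = {
    "title": "Constructed sample dashboard",
    "panels": [
        {"id": 1, "type": "stat", "title": "Requests",
         "targets": [{"refId": "A", "expr": "rate(http_requests_total[5m])"}],
         "options": {"reduceOptions": {"calcs": ["lastNotNull"]}},
         "fieldConfig": {"defaults": {"unit": "reqps"}}},
        {"id": 2, "type": "acme-widget-panel", "title": "External widget",
         "options": {"endpoint": "https://widget.example.com/v1",
                     "apiToken": "ghp_Xy12abcdEFGH34567890ijklMN"}},
        {"id": 3, "type": "row", "title": "Row", "panels": [
            {"id": 4, "type": "table", "title": "Nested",
             "options": {"password": "hunter2hunter2",
                         "customLabel": "aB3dE5fG7hI9jK1lM2nO4pQ6",
                         "note": "just a label"}}]},
    ],
}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DASHBOARD
    for f in find_secrets(doc):
        print(f"{f['panel']}: {f['path']} ({f['preview']})")
```

Run it against a `GET /api/dashboards/uid/<uid>` export or the JSON model from the dashboard settings page. The key-name and prefix rules are exact; the entropy rule is a heuristic tuned so that query expressions and plain URLs pass, so review its hits by hand before rotating anything.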