Gradle Plugin Portal Approval Policy Update
Gradle has updated the plugin approval policy for those submitted to the Gradle Plugin Portal. Find out the details in this post to see how this affects you.
Gradle is updating the plugin approval policy for plugins submitted to the Gradle Plugin Portal, effective today, to begin adding stronger security safeguards for plugin consumers.
First off, this does not affect plugins already on the plugin portal — only new plugins. Gradle builds that use plugins will not be affected in any way.
Portal Acceptance Criteria in a Nutshell
For new plugins submitted to plugins.gradle.org, Gradle will check that:
- Description and project URLs are valid and not misleading
- The group ID and artifact ID are valid and not misleading
In addition to these checks, plugins with a valid open-source repository URL will be prioritized over other plugins for approval, and plugins that also properly declare an SPDX-compatible license will be prioritized even further.
If your plugin doesn’t meet these requirements, we’ll let you know as soon as possible and give you a chance to re-submit when it does. If your plugin cannot comply, please publish it to an alternative repository and use the pluginManagement {} DSL to configure where your plugins {} are resolved from.
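The pluginManagement {} configuration referred to above, as an added example that is not part of the original post or Gradle's own documentation. It is a settings.gradle.kts that resolves one plugin group from an alternative repository and everything else from the Gradle Plugin Portal; the repository URL, the plugin ID com.example.myplugin, its group and its version are placeholders assumed for illustration. The content filter restricts which plugin group the internal repository may serve, so a build cannot silently pick up an unexpected artifact for that group from a different repository, and the central version pin keeps every build script on the same release.

```kotlin
// settings.gradle.kts (added example; placeholder names and URL)

pluginManagement {
    repositories {
        // Hypothetical internal repository where the non-portal plugin is published.
        maven {
            url = uri("https://repo.example.internal/maven") // placeholder URL
            // Only serve the assumed plugin group from here; other groups are never
            // looked up against this repository.
            content {
                includeGroup("com.example")
            }
        }
        // Everything else still comes from the Gradle Plugin Portal.
        gradlePluginPortal()
    }

    // Pin the plugin version centrally so build scripts apply it without a version
    // and cannot drift to a different release.
    plugins {
        id("com.example.myplugin") version "1.2.3" // placeholder ID and version
    }
}

rootProject.name = "my-app"
```

With this in place, a build.gradle.kts applies the plugin with plugins { id("com.example.myplugin") } and no version; the version and the repository it is fetched from are both governed by the settings file.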
What Happens to Plugins That Don’t Adhere to These Criteria?
Currently, these checks do not apply to subsequent versions of a given plugin and will not be enforced retroactively.
In the longer term, we will begin showing warnings on the plugin portal for plugins that don’t adhere to this policy and may introduce additional automated checks to give plugin consumers information about plugins they’re viewing.
If you have questions or concerns, we encourage you to discuss in the plugin-portal category on the Gradle forum.
Published at DZone with permission of Eric Wendelin, DZone MVB. See the original article here.