Plugin Ownership Verification
MDL Shield requires plugin developers to verify ownership before they can run security scans. This ensures that only authorised maintainers can access scan results and publish reviews.
Why verify?
Security scan results can reveal vulnerabilities in your plugin's code. We need to make sure that only the people responsible for maintaining a plugin can see these findings and decide whether to publish them. Verification protects both plugin developers and the Moodle community.
Verification methods
Automatic (Repository Owner)
If your GitHub username matches the owner of the plugin's repository, verification is instant — no action required. This is the fastest and easiest method.
GitHub Issue
We create an issue on the plugin's repository with a verification checkbox. A repository maintainer ticks the checkbox to confirm the request. This method is ideal for collaborators who don't own the repository but have write access.
Repository File
Add a .mdlshield file to the root of your repository's default branch containing a verification code we provide. Once verified, you can remove the file. Multiple developers can add their own verification codes to the same file, one per line.
Moodle.org Plugin Page
For plugins without a GitHub repository, you can verify ownership by adding a small invisible image tag to your plugin's description on the Moodle plugin directory. Only listed maintainers can edit plugin pages on moodle.org, so placing the tag proves you have maintainer access. The tag can be removed after verification.
Manual Verification
For special cases, our team can manually verify plugin ownership.Contact us if none of the above methods work for your situation.
What happens after verification?
Once verified, you can:
- Run AI-powered security scans on your plugin
- View detailed security reports with fix guidance
- Choose whether to publish your review results
- Display a security grade badge on your plugin page or repository
Received a verification request?
If you've received a GitHub issue titled "MDL Shield: Ownership verification", someone is requesting to manage your plugin on MDL Shield. If you recognise the user and want to approve their access, tick the checkbox in the issue. If you don't recognise the request or don't want to grant access, simply close the issue.
Questions about verification? Contact us.