KB-2385 Plugin Review & Security Scanning FAQ

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

How are plugin security reviews performed?

Security scanning is first performed during all submissions of new and updated plugins to Appian. Subsequent reviews are also performed on a routine basis after initial approval.
These reviews include scans such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA), along with other security-related checks.

What specific tooling is used?

Appian uses custom tooling, open source software, and commercial off-the-shelf software to perform the automated security scanning.
Appian does not publish the specific software used to review plugins.

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly.
Appian reserves the right to perform security reviews at any time.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, all plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.
Plugin authors are notified directly when one of their submissions is flagged by a security scan.

What happens to plugins that are flagged by security scans?

Plugin authors are notified directly when one of their submissions is flagged by a security scan.
Plugins which are not updated may be removed from the AppMarket. Appian reserves the right to reject or stop hosting plug-ins at any time.

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.
Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

Every submitted version of a plugin is reviewed in full.
Approval of a plugin does not guarantee approval of subsequent versions.
Appian reserves the right to modify plugin security policies at any time.

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Plugin submissions cannot bypass security review; only fully approved submissions can be deployed on Appian Cloud.
If a plug-in requires expedited review, please include that context and justification in the submission.
If you subscribe to a Signature Appian Success Plan, let your Lead Engineer know of your urgent request.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026
