KB-2385 Plugin Review & Security Scanning FAQ

Ryan Good — Wed, 27 May 2026 18:11:29 GMT

Current Revision posted to Appian Knowledge Base by Ryan Good on 5/27/2026 6:11:29 PM

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

Table of Contents:

How are plugin security reviews performed?
What specific tooling is used?
How often are reviews performed?
What happens to plugins that are flagged by security scans?
Can Appian provide the scan results?
What happens to plugins that are flagged by security scans?
How long do I have to remediate a finding in my plugin?
My plugin submission was previously approved. Why is my latest update not approved?
I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

How are plugin security reviews performed?

Security scanning is first performed during all submissions of new and updated plugins to Appian. Subsequent reviews are also performed on a routine basis after initial approval.
Scans such as Static Application Security Testing (SAST), Software composition analysis (SCA), and other security related checks are in place.

What specific tooling is used?

Appian utilizes custom tooling, open source software, and commercial off the shelf software to perform the automated security scanning.
Appian does not publish the specific software used to review plugins.

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly.
Appian reserves the right to perform security reviews at any time.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, All plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.
Plugin authors are notified directly when one of their submissions is flagged by a security scan.

What happens to plugins that are flagged by security scans?

Plugin authors are notified directly when one of their submissions is flagged by a security scan.
Plugins which are not updated may be removed from the AppMarket. Appian reserves the right to reject or stop hosting plug-ins at any time.

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.
Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

Every submitted version of a plugin is reviewed in full.
Approval of a plugin does not guarantee approval of subsequent versions.
Appian reserves the right to modify plugin security policies at any time.

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Plugin submissions cannot bypass security review; only fully approved submissions can be deployed on Appian Cloud.
If a plug-in requires expedited review, please include that context and justification in the submission.
If you subscribe to a Signature Appian Success Plan, let your Lead Engineer know of your urgent request.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026

Tags: FAQ, plugins

[DRAFT SUPP-1654] Plugin Review & Security Scanning FAQ

Ryan Good — Wed, 27 May 2026 15:36:59 GMT

Revision 5 posted to Appian Knowledge Base by Ryan Good on 5/27/2026 3:36:59 PM

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

Table of Contents:

How are plugin security reviews performed?
What specific tooling is used?
How often are reviews performed?
What happens to plugins that are flagged by security scans?
Can Appian provide the scan results?
What happens to plugins that are flagged by security scans?
How long do I have to remediate a finding in my plugin?
My plugin submission was previously approved. Why is my latest update not approved?
I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly.
Appian reserves the right to perform security reviews at any time.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, All plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.
Plugin authors are notified directly when one of their submissions is flagged by a security scan.

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.
Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026

Tags: FAQ, plugins

[DRAFT SUPP-1654] Plugin Review & Security Scanning FAQ

Daniel DeVeau — Wed, 20 May 2026 14:15:38 GMT

Revision 4 posted to Appian Knowledge Base by Daniel DeVeau on 5/20/2026 2:15:38 PM

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

Table of Contents:

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

What happens to plugins that are flagged by security scans?

Can Appian provide the scan results?

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly.
Appian reserves the right to perform security reviews at any time.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, All plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.
Plugin authors are notified directly when one of their submissions is flagged by a security scan.

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.
Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026

Tags: FAQ, plugins

[DRAFT SUPP-1654] Plugin Review & Security Scanning FAQ

Daniel DeVeau — Wed, 20 May 2026 14:12:16 GMT

Revision 3 posted to Appian Knowledge Base by Daniel DeVeau on 5/20/2026 2:12:16 PM

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

Table of Contents:

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

Can Appian provide the scan results?

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly.
Appian reserves the right to perform security reviews at any time.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, All plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.
Plugin authors are notified directly when one of their submissions is flagged by a security scan.

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.
Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026

Tags: FAQ, plugins

[DRAFT SUPP-1654] Plugin Review & Security Scanning FAQ

Daniel DeVeau — Wed, 20 May 2026 14:07:51 GMT

Revision 2 posted to Appian Knowledge Base by Daniel DeVeau on 5/20/2026 2:07:51 PM

All plugins submitted to Appian for use on Appian Cloud require review and approval. This article aims to answer common questions about the plugin review process.

For more information on plugin and AppMarket policies, refer to the AppMarket Submission Policies documentation and the AppMarket Submissions Agreement.

Table of Contents:

How are plugin security reviews performed?

What specific tooling is used?

How often are reviews performed?

Can Appian provide the scan results?

What happens to plugins that are flagged by security scans?

How long do I have to remediate a finding in my plugin?

My plugin submission was previously approved. Why is my latest update not approved?

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

How are plugin security reviews performed?

Security scanning is first performed during the submission of new and updated plugins to Appian.

Subsequent reviews are also performed on a routine basis after initial approval.

Scans such as Static Application Security Testing (SAST), Software composition analysis (SCA), and other security related checks are in place.

What specific tooling is used?

Appian utilizes custom tooling, open source software, and commercial off the shelf software to perform the automated security scanning.

Appian does not publish the specific software used to review plugins.

How often are reviews performed?

Reviews are always performed upon plugin submission. Post-approval, additional security reviews are performed regularly .

Appian reserves the right to perform security reviews at any time.

Can Appian provide the scan results?

Appian does not publish or share the results of security scans.

Plugin authors are notified directly when one of their submissions is flagged by a security scan.

Do security reviews apply to private plugins?

Yes. As stated in the AppMarket Submission Policies, All plug-ins, whether intended for public use on the AppMarket or private use within an organization, must receive approval before deployment.

What happens to plugins that are flagged by security scans?

Plugin authors are notified directly when one of their submissions is flagged by a security scan.

Plugins which are not updated may be removed from the AppMarket.

Appian reserves the right to reject or stop hosting plug-ins at any time.

How long do I have to remediate a finding in my plugin?

Appian will provide a timeline for remediation when notifying you of a finding.

Appian reserves the right to modify plug-in remediation timelines at any time.

My plugin submission was previously approved. Why is my latest update not approved?

Every submitted version of a plugin is reviewed in full.

Approval of a plugin does not guarantee approval of subsequent versions.

Appian reserves the right to modify plugin security policies at any time.

I need to use my plugin on Appian Cloud ASAP. Can I bypass security review temporarily?

Plugin submissions cannot bypass security review; only fully approved submissions can be deployed on Appian Cloud.

If a plug-in requires expedited review, please include that context and justification in the submission.

If you subscribe to a Signature Appian Success Plan, let your Lead Engineer know of your urgent request.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2026

Tags: FAQ, plugins

[DRAFT SUPP-1654] Plugin Review & Security Scanning FAQ

Ryan Good — Tue, 16 Sep 2025 20:14:38 GMT

Revision 1 posted to Appian Knowledge Base by Ryan Good on 9/16/2025 8:14:38 PM

This article serves as a template that you can copy/paste into a new article for use later on. This template should be used to provide extra details about a certain topic. It can either be internal or external.

The title of the article must be under 256 characters (less depending on the types of characters used in the title as this is a limitation of Telligent). It must be as concise as possible. Those using the Knowledge Base should get a good idea of what the article is about just by reading the title.

This description is for informational purposes only. Besides a Table of Contents, there should be no text above the Q and A when using this template, unless it is a brief statement about the article purpose. All FAQ articles should begin with a Table of Contents. Detailed instructions on how to create a Table of Contents can be found in INT-0000.

Table of Contents:

How should the Q and A be formatted?

How should the Q and A be formatted?

Format each question as shown here. The question should be bold with the corresponding answer below.

Examples:

Affected Versions

This section includes any relevant version information for Appian or other third/party configurations. Some examples of valid affected versions are as follows:

This article applies to all versions of Appian.
This article applies to all self-managed versions of Appian.
This article applies to all versions of Appian Cloud.
This article applies to Appian 7.11 and later.
This article applies to Appian 16.2 and earlier.
This article applies to Appian 7.11 and 16.1.
This article applies to Appian 16.1, 16.2, and 16.3.
This article applies to self-managed Appian 19.3 and earlier.
This article applies to all versions of Appian from Appian 7.10 to Appian 16.2.
This article applies to all versions of Appian using JBoss EAP 6.4.9 as an application server and Internet Explorer 9 as a web browser.

Last Reviewed: Month YYYY