What gets a listing QUARANTINED — and how to fix it
A QUARANTINE result is the scanner's strongest finding. The listing is not visible, not installable, and cannot be acknowledged away by the buyer. The only path forward is: fix the root cause, upload a new version, and let the scanner run again.
This post covers the most common quarantine triggers and how to fix each one. Everything here is free to re-submit — there's no penalty fee for a failed scan.
Trigger 1: Hardcoded credential with high confidence
What it looks like:
# config.py
OPENAI_API_KEY = "sk-proj-xxxxxxxxxxxxxxxxxxxxxxxx"
DATABASE_URL = "postgresql://admin:password@prod-db.internal:5432/mydb"
Why it quarantines: These are high-entropy strings matching known credential patterns. Even a single match at HIGH confidence → QUARANTINE.
Fix:
import os
OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
DATABASE_URL = os.environ["DATABASE_URL"]
Then document the required env vars in your README. Check every file — test files and commented-out lines are scanned too.
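To make the "single HIGH match" rule concrete, here is a small scanner in the spirit of Trigger 1. It is an added example for this post, not the platform's scanner: the credential patterns, the entropy threshold and the sample config are all constructed for illustration, and the real rule set is not published here. It scans every line, comments included, reports matches with the value redacted, and applies the verdict logic described above.

```python
import math
import re

# Illustrative credential patterns (constructed for this example; the platform's
# real rule set is not on this page). A match here is HIGH confidence.
KNOWN_PATTERNS = {
    "openai_key": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    # scheme://user:password@host... : a connection URL that embeds a password
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@/\s]+@[^\s\"']+"),
}

# A quoted value assigned to a secret-looking variable name. Flagged only when the
# value is high-entropy, so it is MEDIUM confidence rather than HIGH.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); random hex/base64 sits above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return (rule, confidence, matched_value) tuples for one line of source."""
    findings = []
    for rule, pattern in KNOWN_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((rule, "HIGH", m.group(0)))
    if not findings:
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(("generic_secret", "MEDIUM", m.group(2)))
    return findings


def scan_source(text: str) -> list:
    """Scan every line (comments too) and redact the matched value in the report."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, confidence, value in scan_line(line):
            report.append({
                "line": lineno,
                "rule": rule,
                "confidence": confidence,
                "value": value[:6] + "..." + value[-2:],
            })
    return report


def verdict(report: list) -> str:
    """The post's rule: one HIGH finding is enough to quarantine."""
    if any(f["confidence"] == "HIGH" for f in report):
        return "QUARANTINE"
    return "REVIEW" if report else "SAFE"


# Constructed sample config; the key values are made up and are not valid credentials.
SAMPLE_BEFORE = """\
# config.py
OPENAI_API_KEY = "sk-proj-AbC1dEf2GhI3jKl4MnO5pQr6"
DATABASE_URL = "postgresql://admin:password@prod-db.internal:5432/mydb"
# OLD_KEY = "sk-live-ZyX9wVu8TsR7qPo6NmL5kJi4"   # commented out, still scanned
APP_NAME = "inventory-service"
SESSION_SECRET = "3f9a1c7e2b8d4f60a5e1c9b7d2f4a8e6"
"""

# The same file after the fix: values come from the environment, nothing left to match.
SAMPLE_AFTER = """\
import os
OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
DATABASE_URL = os.environ["DATABASE_URL"]
SESSION_SECRET = os.environ["SESSION_SECRET"]
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        report = scan_source(text)
        print(label, verdict(report))
        for f in report:
            print("  line", f["line"], f["rule"], f["confidence"], f["value"])
```

Run it and the "before" file lands in QUARANTINE on three HIGH matches (two of them on the live key and the commented-out one), with the hex session secret reported separately at MEDIUM; the "after" file is SAFE. Note that the commented-out key still counts, which is why the post says to check every file and every line.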
Trigger 2: Pickle file executing non-standard code
What it looks like:
A .pkl or .pt file in your artifact that picklescan identifies as containing REDUCE opcodes calling non-standard builtins.
Why it quarantines: Pickle can execute arbitrary Python on load(). Even well-intentioned pickle that calls os.path unexpectedly trips this.
Fix: Convert all model artifacts to safetensors format:
from safetensors.torch import save_file, load_file
import torch
# Any torch module works here; a small Linear layer stands in for the real model
model = torch.nn.Linear(4, 2)
# Save: safetensors holds raw tensor data plus a JSON header, so nothing runs on load
tensors = {"weight": model.state_dict()["weight"].contiguous()}
save_file(tensors, "model.safetensors")
# Load
tensors = load_file("model.safetensors")
safetensors cannot carry executable code, loads faster, and is increasingly the standard. The platform scanner is explicitly configured to trust it.
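The following is an added example, not the platform's picklescan configuration, showing how a scanner can see the Trigger 2 problem without ever loading the file: pickletools.genops disassembles the opcode stream, so the GLOBAL/STACK_GLOBAL references a pickle would import are visible without executing anything. The allowlist is an assumption made for the example, and the "well-intentioned" object whose __reduce__ re-reads an environment variable on load is constructed to show exactly the kind of unexpected os call the post describes.

```python
import collections
import os
import pickle
import pickletools

# Illustrative allowlist of globals a weights file legitimately needs. The platform's
# real picklescan configuration is not on this page; this list is an assumption.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.LongStorage",
    "numpy.core.multiarray._reconstruct",
    "numpy.ndarray",
    "numpy.dtype",
}

STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list:
    """List every module.name the pickle would import, without executing it.

    pickletools.genops only disassembles the opcode stream; nothing is unpickled.
    """
    refs = []
    recent_strings = []  # STACK_GLOBAL takes module and name from the two strings pushed before it
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                refs.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
            else:
                refs.append("<unresolved>")
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
    return refs


def scan_pickle(data: bytes) -> tuple:
    """Return (verdict, unexpected_globals) for a pickle blob.

    Any global outside the allowlist is enough to quarantine: a later REDUCE/BUILD
    opcode can call it on load(). This mirrors the post's rule, not picklescan itself.
    """
    unexpected = sorted({r for r in referenced_globals(data) if r not in ALLOWED_GLOBALS})
    return ("QUARANTINE" if unexpected else "SAFE"), unexpected


class EnvBackedSetting:
    """A well-intentioned config object that re-reads its value from the environment
    when unpickled. Its __reduce__ makes the loader call os.getenv, which is exactly
    the non-standard call the scanner rejects. (Constructed for this example.)"""

    def __init__(self, var: str):
        self.var = var

    def __reduce__(self):
        return (os.getenv, (self.var,))


def sample_benign() -> bytes:
    """Plain containers only: no globals, nothing to call on load."""
    return pickle.dumps({"weight": [0.1, 0.2, 0.3], "labels": ["cat", "dog"]})


def sample_allowed_global() -> bytes:
    """An OrderedDict references collections.OrderedDict, which is on the allowlist."""
    return pickle.dumps(collections.OrderedDict([("layer.weight", [1.0, 2.0])]))


def sample_unexpected_call(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    """Protocol 2 emits a GLOBAL opcode, protocol 4+ emits STACK_GLOBAL; both are caught."""
    return pickle.dumps(EnvBackedSetting("HOME"), protocol=protocol)


if __name__ == "__main__":
    for label, blob in (("benign", sample_benign()),
                        ("allowed", sample_allowed_global()),
                        ("unexpected", sample_unexpected_call())):
        print(label, *scan_pickle(blob))
```

The benign dict and the OrderedDict both scan SAFE; the environment-backed object is quarantined on os.getenv whether it was written with protocol 2 (GLOBAL) or the default protocol (STACK_GLOBAL). The same object converted to safetensors has no opcode stream at all, which is the point of the fix.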
Trigger 3: Critical CVE in a dependency
What it looks like:
osv-scanner found: CVE-2024-XXXXX (CRITICAL, CVSS 9.8)
in: requests==2.26.0
Why it quarantines: A CRITICAL severity CVE in a transitive dependency means buyers who install your capability are exposed to a known exploit.
Fix:
# Node
npm audit fix --force
npm audit --audit-level=critical
# Python
pip install pip-audit
pip-audit --fix
Then update your lockfile and re-upload. If no patched release exists yet, annotate the CVE in your README and the listing will likely land in REVIEW (buyer-acknowledgeable) rather than QUARANTINE.
Trigger 4: Shell injection via user input
What it looks like:
// Dangerous: user input flows into shell command
const { stdout } = await exec(`convert ${userInput} output.png`);
Why it quarantines: userInput containing ;rm -rf / or backtick sequences would execute on the server. The AST-level Opengrep pass detects taint flow from external input to exec/spawn.
Fix:
import { execFile } from 'child_process';
import { promisify } from 'util';
const execFileAsync = promisify(execFile);
// execFile does not spawn a shell — arguments are passed directly
const { stdout } = await execFileAsync('convert', [sanitizedInput, 'output.png']);
Or better: use a library API instead of shelling out.
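The post's fix is shown for Node; as an added example (not code from the post), here is the same no-shell pattern in Python, with the two checks execFile alone does not give you: the user-supplied value is validated against a strict filename allowlist (so a leading dash cannot be read as a tool option, and shell metacharacters never reach the argv list at all), and the path is anchored inside an upload directory. UPLOAD_DIR and the helper names are assumptions made for the example.

```python
import os
import re
import subprocess

# Allowlist for a user-supplied image filename: no path separators, no shell
# metacharacters, and no leading dash (a leading dash would be read as an option).
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
UPLOAD_DIR = "/var/app/uploads"  # assumed location for this example; not from the post


def validate_filename(user_input: str) -> str:
    """Return user_input unchanged if it is a plain filename, else raise ValueError."""
    if not SAFE_FILENAME.fullmatch(user_input):
        raise ValueError(f"rejected filename: {user_input!r}")
    return user_input


def build_convert_argv(user_input: str, output: str = "output.png") -> list:
    """Build the argv list for convert. No shell is involved, and the input path is
    anchored inside UPLOAD_DIR so the value cannot name a file elsewhere."""
    name = validate_filename(user_input)
    src = os.path.join(UPLOAD_DIR, name)
    return ["convert", src, output]


def run_convert(user_input: str, output: str = "output.png") -> str:
    """Execute with an argv list (never shell=True) and return the tool's stdout."""
    argv = build_convert_argv(user_input, output)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(build_convert_argv("photo.png"))
    for bad in ("photo.png; rm -rf /", "`whoami`.png", "-trim", "../../etc/passwd"):
        try:
            build_convert_argv(bad)
        except ValueError as exc:
            print(exc)
```

The taint rule the Opengrep pass applies is satisfied here because external input never reaches a shell; the allowlist is what keeps it from reaching the tool's option parser either.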
Trigger 5: PII in a dataset artifact
What it looks like: A CSV or JSONL dataset file containing rows with real email addresses, phone numbers, or names that match PII patterns.
Why it quarantines: Publishing a dataset with unanonymised personal data violates GDPR/CCPA and platform policy.
Fix: Run a PII scrubber like Presidio before packaging your dataset:
python -m presidio_analyzer --input dataset.csv --output anonymized.csv
Then re-upload the anonymised version. Synthetic replacements (fake names, generated emails) are fine.
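As an added example (not Presidio and not the platform's PII check), the scrubber below shows what "synthetic replacements" look like in practice for a CSV dataset: emails and phone numbers are found with regexes, a known name column is replaced wholesale, and every replacement is derived from a hash of the original so the same person maps to the same synthetic value in every row and every column. The regexes, the column policy and the sample CSV are constructed for this example; names in free text still need an NER-based tool such as Presidio.

```python
import csv
import hashlib
import io
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American style numbers, with optional +1, in (), -, . or space separated forms
PHONE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")

# Columns whose whole value is PII by definition. Names cannot be matched by regex in
# free text; a real pipeline would use an NER-based tool such as Presidio for that.
NAME_COLUMNS = {"name"}


def _digest(value: str) -> int:
    """Stable integer derived from the original value, so the same input always maps
    to the same synthetic replacement (keeps joins across rows and columns intact)."""
    return int(hashlib.sha256(value.encode("utf-8")).hexdigest(), 16)


def synthetic_email(original: str) -> str:
    return f"user-{_digest(original.lower()) % 10**8:08d}@example.com"


def synthetic_phone(original: str) -> str:
    # Normalise to digits first so "(415) 555-2671" and "415-555-2671" agree;
    # 555-01xx is the range reserved for fictional use.
    digits = re.sub(r"\D", "", original)
    return f"+1-555-01{_digest(digits) % 100:02d}"


def synthetic_name(original: str) -> str:
    return f"Person {_digest(original.strip().lower()) % 10**6:06d}"


def scrub_text(text: str) -> tuple:
    """Replace phone numbers and emails in free text; return (new_text, counts)."""
    counts = {"email": 0, "phone": 0}

    def phone_sub(m):
        counts["phone"] += 1
        return synthetic_phone(m.group(0))

    def email_sub(m):
        counts["email"] += 1
        return synthetic_email(m.group(0))

    # Phones first: a synthetic email could otherwise contain a digit run
    text = PHONE.sub(phone_sub, text)
    text = EMAIL.sub(email_sub, text)
    return text, counts


def scrub_csv(csv_text: str) -> tuple:
    """Scrub every cell of a CSV document; return (scrubbed_csv, totals)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    totals = {"email": 0, "phone": 0, "name": 0}
    for row in reader:
        for column, value in list(row.items()):
            if column in NAME_COLUMNS and value:
                row[column] = synthetic_name(value)
                totals["name"] += 1
            else:
                row[column], counts = scrub_text(value)
                totals["email"] += counts["email"]
                totals["phone"] += counts["phone"]
        writer.writerow(row)
    return out.getvalue(), totals


# Constructed sample; the people, addresses and numbers are invented.
SAMPLE_CSV = """\
id,name,email,phone,note
1,Alice Example,alice@example.org,(415) 555-2671,Call 415-555-2671 or mail alice@example.org
2,Bob Example,bob@corp.example,+1 212 555 0199,no follow-up
"""

if __name__ == "__main__":
    scrubbed, totals = scrub_csv(SAMPLE_CSV)
    print(scrubbed)
    print(totals)
```

On the sample this replaces three emails, three phone numbers and two names, and Alice's address in the note column becomes the same synthetic address as in the email column, so the anonymised file is still internally consistent.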
Re-submitting after a fix
- Apply the fix.
- Upload the corrected artifact as a new version from your dashboard.
- The scanner runs automatically — usually under two minutes.
- If the result is SAFE or REVIEW, the listing goes live immediately.
For a full explanation of the scanning layers, see the nine-layer scanner: a deep dive.