Security is not optional; it’s a baseline. Every plugin in the Lerian ecosystem must be designed with security, compliance, and regulatory obligations in mind. These requirements protect end-users, maintain trust, and ensure interoperability across environments. This section covers mandatory standards for secure development, audits, data protection, and regulatory alignment.
Plugins that fail to meet these security and compliance standards will not be approved for publication in the Lerian Marketplace.

Security by design


All plugins must:
  • Meet OWASP ASVS Level 3 (the highest ASVS verification level)
  • Follow the CIS Benchmarks for container, Kubernetes, and OS hardening
  • Retrieve credentials from a secret manager such as HashiCorp Vault or AWS Secrets Manager, rather than embedding them in code, images, or configuration files

Pentests and security audits


A penetration test is mandatory before publication and must be repeated at least every 6 to 12 months, and additionally whenever major changes are introduced.
Don’t have a provider? We can recommend trusted security partners.

Data protection and LGPD


All plugins must fully comply with the LGPD (Lei Geral de Proteção de Dados, Brazil's general data protection law) and with equivalent data protection laws in other jurisdictions where the plugin operates.
  • Personal data must be encrypted at rest and in transit.
  • No exceptions are allowed.

Regulatory compliance


Your plugin must follow all applicable regulations, including:
  • BACEN (Banco Central do Brasil) circulars
  • Rules issued by other relevant regulators and governing bodies