denyIp plugins and plugins quality

I'm using the deny-Ip-plugin by kvncrw (kevtainer) to block access to my systems from known scanners like censys.

It seems the maintainer has difficulties publishing it in a proper way, so version 2.0.0 supporting IPv6 still didn't make it into the plugin store after months. I looked for alternatives, and in fact there are some (most look like a copy of the former plugin),

but it seems most of them are not widely used and a few look really fishy, e.g. intaacopilot published 2 different plugins with 8+ versions within a week. So the question arises: is there some kind of quality control/code review for traefik plugins, and can we trust plugins published in the store?


Great question. Following this & hoping for a good answer…

As far as I know there is no manual checking for malicious plugins. Just a few software requirements to be listed as plugin (doc).

From a technical perspective, the actual code for each plugin is stored and hosted in a public GitHub repository. Once a day, the Plugin Catalog polls GitHub to find repositories that match the criteria for a Traefik plugin and adds them.

You probably need to create a Traefik Github issue to get a response from the Traefik devs.


From what I understand, the Traefik plugin catalog isn’t manually reviewed or curated by the Traefik team. Plugins are automatically picked up from GitHub as long as they follow the expected structure and tagging. Because of that, being listed in the catalog doesn’t necessarily mean the plugin is audited, high quality, or actively maintained.

This explains why you might see multiple similar plugins, fast version bumps, or features like IPv6 missing in some cases. Quality can vary a lot depending on the author.

In practice, it’s best to:

Check the plugin’s source code yourself

Look at maintenance activity, issues, and community feedback

Prefer plugins with clear docs and recent updates

Fork or pin a version if you plan to use it in production

It’s similar to choosing third-party tools in other ecosystems — you need to do a bit of due diligence. The catalog makes discovery easy, but trust still comes from reviewing the code and real-world usage, especially in setups where traffic filtering, security rules, or even things like routing through services such as [redacted] are involved.

Overall, the plugin system is powerful, but it’s definitely community-driven rather than strictly curated.

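As an added illustration of the "pin a version" and "fork it" advice above (this is not from any of the posters or from the plugin author), here is how a Traefik static configuration pins a catalog plugin to one tagged release, and how a reviewed fork can be loaded from disk instead so nothing is fetched at runtime. The module name, version tag, middleware name and plugin option name are placeholders.

```yaml
# Static configuration (traefik.yml). Added example, not from the thread.
experimental:
  plugins:
    # Catalog plugin: Traefik downloads the module at startup.
    # Pinning `version` to one tag means a new release pushed by the author
    # (or by whoever controls the repository later) is not picked up silently.
    denyip:
      moduleName: github.com/EXAMPLE-OWNER/EXAMPLE-DENYIP   # placeholder
      version: v2.0.0                                        # placeholder tag

  # Forked and reviewed copy loaded from ./plugins-local/src/<moduleName>
  # relative to Traefik's working directory; the catalog and GitHub are not
  # contacted at runtime, so what you audited is what runs.
  localPlugins:
    denyip-reviewed:
      moduleName: github.com/EXAMPLE-OWNER/EXAMPLE-DENYIP   # placeholder

---
# Dynamic configuration: attach the local plugin as a middleware.
# The option name below is a placeholder; use the option names the
# plugin's own .traefik.yml and README document.
http:
  middlewares:
    block-scanners:
      plugin:
        denyip-reviewed:
          ipDenyList:                 # placeholder option name
            - "198.51.100.0/24"       # constructed sample range
```

Reviewing the fork at the pinned commit and keeping the dynamic config pointed at the local name is what turns "listed in the catalog" into something you actually vetted.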