Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Pre-requisites for applying for the permission to opt into security advisory coverage
Last updated on
4 May 2025
Before opening an application, you need to:
- Set up your Git username
- Create your project and commit code in that project or, if you are using an existing project for which you are co-maintainer/maintainer, commit code in the existing project.
In the latter case, you need to be the person who made most of the commits, but preferably all the commits, in at least one project branch, which should be the branch used for your application. - Be sure you enabled GitLab CI on the project used for the application; if the project uses a composer.json file, be sure that file has been validated. Fixing the PHP_CodeSniffer errors/warnings is a further step which can make the application approval faster.
When you make commits in drupal.org repositories, you agree on the terms listed in Drupal Git Contributor Agreement & Repository Usage Policy.
This also means that all code that is a derivative work of Drupal (typically PHP code) must be licensed as GPL version 2.0 and later (GPL-2.0-or-later). It cannot be licensed under GPLv3, as described on Licensing / Point 6 (I want to release my work under GPL version 3 or under GPL version 2-only. Can I do so and host it on Drupal.org?)
Before entering the project application process, the following conditions must be met.
- You did not create other, still open, applications. This includes postponed applications.
- You are not yet able to opt projects into security advisory coverage.
- You have committed code in the project used for the application (not an issue fork created to fix an issue in an existing project). Those commits must be (preferably) the only ones done in the branch used for the application or be most of the commits for that branch.
- You created the application (and committed code in the project) using an account that is not shared, since shared accounts are not allowed to commit code on Drupal.org repositories.
- There is sufficient PHP code to see what you understand of Drupal coding standards, Drupal APIs, and Drupal best practice; a project that only implements a hook or two to, for example, add a library (CSS or JavaScript) to most or all the Drupal pages does not contain sufficient PHP code for these applications.
- The code needs to be as close as possible to release candidate quality code. The project is not required to have releases, nor do releases need to be created during the application process. The project just needs to have all the necessary code implemented (which means there should not be empty functions/methods or with a comment that says the code will be implemented later) and without debugging lines.
Help improve this page
Page status: No known problems
You can:
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion
