Last updated 8 March 2017.

You may go through a one-time review process to get permission to mark your projects as covered for security advisories.

This shows users they can be more confident in running your project on their site and re-affirms your agreement to work with the Drupal Security Team when necessary.

Before you enter the project application process, you should first make sure that your project is a release candidate (RC). You don’t have to make the tags and releases right away – your project should measure up to the RC standard. Entering the process too early with a poorly documented and buggy project will usually result in the review process taking a much longer time than necessary.

When you enter the process, the application review volunteers will review your code to ensure you are writing secure code, following the coding standards, generally following best practices, familiar with proper usage of the Drupal APIs, and promoting collaboration over competition (i.e., not duplicating functionality already available in other modules). For more details, read what to expect during a review.

Please note: there is currently a large backlog of projects waiting review. Projects that haven't completed the review bonus program can take up to a year to be reviewed. See step #7 below for more information.

Here is the process:

  1. Obtain basic Git access and Create a sandbox project for your code.
  2. Get your project into a state you feel is release-ready. Ideally, you would commit the project early and have a track record of several weeks/months of commits so that application reviewers can get an idea of your development and maintenance style.
  3. Have a look at the Project application checklist and try to resolve common issues.
  4. Once ready, create a new issue in the Project Applications queue [Note: Do NOT edit that page! Create a new issue.]
  5. Fill out the issue form:
    • Title:
      • [Dx] Your project name
      • Use [D6], [D7] or [D8] to specify which Drupal version your project uses.
      • e.g. [D7] Unicorn Integration
    • Project: Project applications
    • Category: task
    • Status: needs review
    • Component: 'module', 'theme' or 'feature' (depending on the application)
    • Description:
      1. A detailed description of what your project does, including how it is different from other, similar projects, if applicable.
      2. For themes it's helpful to include a screenshot.
      3. A link to your project page. As for the contents of your project page, you may want to use the Project page template as a guide, and it may be a good idea to also read tips for a great project page.
      4. A git clone command. You can find the correct git clone command for your sandbox by clicking on the Version control tab, removing the checkbox in front of "Maintainer", and clicking Show. You can then copy-paste the git clone command from the codeblock below "Setting up repository for the first time". The git clone command should be version specific, for example, 7.x-1.x branch for Drupal 7 version as below.
        git clone --branch 7.x-1.x module_name
      5. A list of links to reviews of other project applications that you did.
  6. Reviewers will then examine your code and provide feedback over the coming days/weeks (again see What to Expect). Please be patient, and make the changes requested of you. Also note that if your sandbox duplicates the features of an already existing, unsupported, or abandoned project, you may be asked to change your application into an abandoned project application.
  7. As the application process is fully volunteer driven, many of our most active reviewers use the review bonus program to prioritize which applications they review. This program gives priority to those who are also helping to review other applications. Participation is not mandatory, but it does provide a significant fast-track through the applications process. Due to limited resources, it could otherwise take a number of weeks between reviews of your own application. To participate in the Review Bonus program, review three other project applications and reference them in your own application. We are a community and we help each other, so we are counting on you!
  8. Once given the sign off, you will be granted permissions both to create full projects and to promote your sandbox projects to full projects.

    Once this comes into place there is no need to submit project applications for review as at this stage you are considered a trusted contributor. This makes it unnecessary for you to add to the project application queue but you should promote your projects to full projects when they are ready.

Comments’s picture

When filling out the issue form, the direct link to your git repository (git clone ...) mentioned in step 4 of part 6 above can be copied directly from an auto generated link on your Sandbox project 'Version Control' tab.

To generate the link, ensure that the Non-maintainer? checkbox in the 'Version to work from' dialog is checked. Next click the 'Show' button.

When the page has reloaded the panel immediately below titled, 'Setting up this repository locally for the first time' contains an http link.
'' for some and value n..###.

This is the link you should use as the direct link in your issue form.

cFreed’s picture

Since the above "git clone link - clarification" message was posted, the involved form has changed: the "Non-maintainer?" checkbox became "Maintainer?", so it now must be unchecked (as the current version of the article says).’s picture

Also, in order to be notified when someone responds to your review request you will need to set the notification settings - this step is entirely missing from the guide above.

Once you have submitted your issue to the Project Application issues project, navigate to
Click on the link to E-mail notifications.
On the page 'Manage e-mail notifications for Project applications issues' select the radial button to send e-mail for issue you follow and click 'Save'.

Check if you are automatically a follower of the issue you've created - idk, but then if you aren't you need to click 'Follow' on your issue page and then you will receive notification once someone had reviewed your module.


anil_89’s picture

I have check email notification option please review again

fatkinson’s picture

I keep getting this message when I set the Needs Review.

Git clone command for the sandbox is still missing in the issue summary,
please add it. Please follow [1] to fill out
your issue summary.

But I can't figure out where on that page the information to find the syntax for the Git clone command.

Can anyone help?


abhishek.kumar’s picture

Can some one provide me permission to promote and create a full project. I have already contributed as well as maintainer of some projects but still I don't have permission to promote my sandbox to full project.

AlexBorsody’s picture

Yes you can go through the process as outlined on this page, did you read it?

afteronelove’s picture

I thinks, Yes, i good

bkelly’s picture

Hi Folks -

I'm a little confused here. Wasn't this page formerly titled something like: "Approval to create full projects"?

If this changed, does anybody know when?

If there's been a dramatic change in the policies, were any of the project applicants notified of the change?


How were they notified?

I don't believe that I've received any notice of application policy changes and I don't remember seeing anything in the latest newsletter.

I'm just a little dumbfounded here. There are 500+ applications for projects and it appears that no one was notified about a policy change that directly affects their application.

I know, lots of useless questions. Feel free to ignore this.

- Bill Kelly

mrf’s picture

@bkelly this is all very new see for details and discussion about letting people know about the change

bkelly’s picture

Thank you @mrf. It was kind of you to respond so promptly.

I'm thinking this policy change is a move away from a bad situation.

I found the incentivized bike-shedding by applicants in search of review bonuses repugnant. I really couldn't feel good about participating, (in spite of the cost to my projects). I'm hoping the behavior on the application queue and my feelings about it change with this new policy.

Thank you for your time.

- Bill Kelly

bcgreen’s picture

I can't enter " Project applications" as the project name as described above; it's not found, and since it's not found, I can't enter a component type in the 'Component' dropdown.

Error message:

Component field is required.
There are no entities matching " Project applications"