Scanner methodology

How the Chrome extension rejection checker works

See the static rules, limits, and review workflow behind the local Manifest V3 ZIP scanner.



What to check

Static package analysis

The scanner inspects the ZIP package structure and text files. It checks manifest location, manifest version, referenced files, extension pages, JavaScript patterns, CSP declarations, permissions, privacy signals, and icons.

Rule severity

High findings usually block or strongly affect submission readiness. Medium findings require permission, privacy, or listing review. Low findings are manual-review reminders for ambiguous remote URLs or context-dependent issues.

Limits

The scanner does not execute the extension, inspect Chrome Web Store Developer Dashboard fields, detect malware, audit runtime behavior, or guarantee approval. Always review the official policies and your final listing.


Action checklist

  • Select the final production ZIP.
  • Fix High findings first.
  • Review Medium findings for permissions, privacy, icons, and listing clarity.
  • Use Low findings as manual review prompts.
  • Rebuild after changes and scan the rebuilt ZIP.
  • Keep reviewer notes aligned with the final package.


Common cases this page helps with

High severity example

A remote JavaScript URL in popup.html is high severity because executable extension code should be bundled into the package.

Medium severity example

Broad host permissions may be valid, but they need least-privilege review and clear user-facing justification.

Low severity example

A remote URL in a web resource may be an API, image, documentation link, or data endpoint. Confirm it does not load executable code.
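The three severity tiers above and the package checks listed under "Static package analysis" map onto a small rule set. The following is an added example written for this page, not the checker's own code: it opens a ZIP in memory, applies a handful of assumed rules (manifest at the ZIP root, `manifest_version` 3, broad host permissions, remote `<script src>` versus other remote URLs), and returns findings tagged High, Medium or Low. The rule patterns and the sample package are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Rule patterns here are assumptions for this example, not the checker's own rules.
REMOTE_SCRIPT = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)
REMOTE_URL = re.compile(r'https?://[^\s"\'<>)]+')
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def scan_zip(data):
    """Return (severity, path, message) findings for a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "manifest.json" not in names:  # manifest must sit at the ZIP root
            return [("High", "manifest.json", "manifest.json not at ZIP root")]
        manifest = json.loads(zf.read("manifest.json"))
        if manifest.get("manifest_version") != 3:
            findings.append(("High", "manifest.json", "manifest_version must be 3"))
        # Broad host permissions are allowed but need least-privilege review.
        for host in manifest.get("host_permissions", []) + manifest.get("permissions", []):
            if host in BROAD_HOSTS:
                findings.append(("Medium", "manifest.json", f"broad host permission {host}"))
        for name in [n for n in names if n.endswith((".html", ".js", ".css"))]:
            text = zf.read(name).decode("utf-8", errors="replace")
            # A remote <script src> is executable code that must be bundled: High.
            scripts = {m.group(1) for m in REMOTE_SCRIPT.finditer(text)}
            for url in sorted(scripts):
                findings.append(("High", name, f"remote script {url} must be bundled"))
            # Any other remote URL is only a manual-review prompt: Low.
            for url in sorted(set(REMOTE_URL.findall(text)) - scripts):
                findings.append(("Low", name, f"remote URL {url}: confirm it is not code"))
    return findings

def build_zip(files):  # in-memory ZIP from a {path: text} mapping (constructed input)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed sample: MV3, broad host permission, popup loading a remote script, JS fetching data.
SAMPLE_FILES = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Sample",
                                 "version": "1.0", "host_permissions": ["<all_urls>"]}),
    "popup.html": '<script src="https://cdn.example/app.js"></script>'
                  '<a href="https://docs.example/help">Help</a>',
    "popup.js": 'fetch("https://api.example/data");',
}
```

Running `scan_zip(build_zip(SAMPLE_FILES))` yields one Medium finding for `<all_urls>`, one High finding for the remote script in popup.html, and two Low findings for the documentation link and the API URL.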


Frequently asked questions

Why scan the production ZIP?

Build tools can change paths, bundle dependencies, and generate files. The Chrome Web Store reviews the submitted ZIP, so scan that final artifact rather than your source tree.

Why are some findings not automatic violations?

Some permissions and remote URLs are context-dependent. The scanner flags them so you can review purpose, disclosure, and implementation.

How often should rules be reviewed?

Review scanner rules whenever Chrome extension policies or Manifest V3 guidance changes, and record the last reviewed date in the changelog or documentation.
