QRadar App Validation Guide: How to Get Your App Approved Faster

By Pratik Surela posted 5 hours ago

  

Introduction

This blog provides a clear overview of how the App Validation team operates and the steps involved in the process. By understanding and following these guidelines, you can minimize the chances of your application being rejected and ensure a smoother submission experience.

QRadar App Validation – Step-by-Step Process:

When you submit a QRadar app or content pack, it goes through two main checks before it can be approved.

Step 1: App Validation – Check if Your App Works Properly
First, we make sure your app is built correctly and works well inside QRadar. This includes checking if it installs properly, follows packaging rules, and runs without issues.

Step 2: Security Review – Make Sure Your App is Safe
Next, your app is tested for safety. This means we look for any security issues using both tools and manual testing. We also run QRadar-specific checks to make sure your app is secure and trustworthy.

By passing both steps, your app will be ready to be used confidently in QRadar. This process helps keep the platform safe and ensures only high-quality apps get approved.

Here’s the process an application or content pack follows after it’s submitted by the developer or publisher:

App Validation Process Diagram

Note: If your app fails any of these phases, we will reject your application and notify you by email.

This is the entire process of validating an app before publishing. Let me give you a brief overview of each phase:

App Val 1:

Once you submit an app or content pack, the first step in the validation process is called App Validation 1 (App Val 1). In this phase, we perform a series of basic tests to check if your application is ready for deeper review.

To help speed up the validation and avoid early rejection, it’s strongly recommended that you run the following basic checks before submitting your app:
  • Details in the submission form (such as app name, version, etc.) should match the information in the manifest.txt file
  • Ensure the extension screenshot is clear and easy to understand
  • Hide or blur any IP addresses or sensitive details so they are not visible in the screenshot
  • Pre-validation report must pass
  • Fresh installation of the app should work without any issues
  • Update scenario should be tested (install an older version of your app, then update it with the new version and ensure everything works fine)
  • App must use the base image v4
  • Verify app certificate is valid (Developer signed)
Developer Certificates
  • Make sure the “What’s New” section is updated and clearly describes the changes.
    • Avoid starting any line with numbers, symbols, or a dash (-) as this may cause the submission to be rejected.
    • By default, the App Exchange automatically adds a dash (-) at the beginning of every new line you enter in this section, so make sure to remove it before submitting.
    • Below is the correct format
What's New content format
  • Logs should not expose sensitive data (e.g., tokens, passwords)

These checks are part of the standard requirements. If any of them fail, the application will be rejected at this stage, so it's always a good idea to double-check these points before submitting; this will help make the validation process faster and smoother for your app.

Secure Coding checks:

You can follow the complete review process and best practices to avoid delays or rejection during app validation.

A helpful guide is available here: https://community.ibm.com/community/user/security/blogs/jawine-westland/2024/08/19/preparing-your-app-for-secure-coding?CommunityKey=4b5d78c9-2135-48b2-9bbb-0825224461c1

If your app passes the security review, it will be signed, any required certificates will be added, and it will move forward in the publishing process.

However, if any security issues are found, they will be explained in a detailed report, and the app will be returned for fixes. In that case, you’ll be notified of the changes needed before resubmitting.

By following the shared best practices, you can make the process faster and improve the chances of your app being approved.

Note: When submitting or re-submitting your application, it's highly recommended to include your plaintext (unminified) source code, UI files, and package.json / package-lock.json files (if applicable). This helps the secure coding team begin their review immediately, without delays, and ensures you receive feedback faster.

Document Verification:

This phase applies to IBM internal apps: we publish the app documentation before releasing the app, so that the documentation is up to date prior to publication.

It is recommended to create a documentation ticket and share it with the content team either while submitting the app or shortly afterward. This ensures they are aware of the app’s details and can speed up the validation process.

App Val 2:

Once the secure coding team signs your app, we will then perform the App Validation 2 checks. During this step, we verify that the newly signed zip file is functioning correctly and works as expected.

If the app is working as expected, we will proceed with publishing it and send you an email notification once it's done.

Publish App:

In this step, we follow the app publishing process, which includes sending an email with details such as the app version, 'What’s New' information, and other relevant updates.

FAQ:

  • Is the Pre-Validation report mandatory?
    • Yes, the Pre-Validation report is mandatory every time you submit or re-submit your application. Make sure it’s the latest report and that your app passes all checks.
  • My Pre-Validation report is failing at Extension Signing. What should I do?
    • Ensure your app is properly signed. If it's failing:
      • Check the folder structure of your application zip.
      • Make sure there are no hidden directories at the time of signing.
      • Once signed correctly, re-run the Pre-Validation tool.
  • What is the Testing Information in the Submission portal?
    • It's a section where you provide login details, steps, and any setup info needed to test your app.
  • What type of testing information will be provided?
    • Include:
      • Test credentials (if needed)
      • Sample data or log sources
      • Steps to verify app functionality
      • Any specific user roles or settings required for testing
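
Three of the checks above (no hidden directories in the zip at signing time, the "What's New" line format, and logs that do not expose tokens or passwords) can be linted locally before you submit. The script below is an added example, not IBM's Pre-Validation tool or code from the validation team; the secret patterns, file names and sample inputs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed patterns for this example; extend them to match your app's log format.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|token|api[_-]?key|secret)\b\s*[=:]\s*\S+")

def hidden_entries(zip_bytes):
    """Archive members with a dot-prefixed or __MACOSX path component."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if any(part.startswith(".") or part == "__MACOSX"
                       for part in name.split("/") if part)]

def bad_whats_new_lines(text):
    """(line number, line) for lines whose first character is not a letter."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip()[0].isalpha()]

def leaky_log_lines(log_text):
    """(line number, line) for log lines that print a credential-like value."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if SECRET_RE.search(line)]

def build_sample_zip():
    """Constructed archive: two normal files plus typical hidden leftovers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("app/views.py", "app/static/main.js", ".git/config",
                     "app/.DS_Store", "__MACOSX/app/._views.py"):
            zf.writestr(name, "")
    return buf.getvalue()

# Constructed sample inputs, not taken from a real submission.
SAMPLE_WHATS_NEW = ("Added support for a new log source\n"
                    "- Fixed dashboard timeout\n"
                    "2. Updated dependencies\n"
                    "Improved error handling")
SAMPLE_LOG = ("2025-01-01 10:00:00 INFO polling started\n"
              "2025-01-01 10:00:01 DEBUG auth token=EXAMPLE-NOT-REAL\n"
              "2025-01-01 10:00:02 INFO fetched 20 events\n"
              "2025-01-01 10:00:03 DEBUG password: EXAMPLE-NOT-REAL")

if __name__ == "__main__":
    print("hidden entries:", hidden_entries(build_sample_zip()))
    print("What's New lines to fix:", bad_whats_new_lines(SAMPLE_WHATS_NEW))
    print("log lines exposing secrets:", [n for n, _ in leaky_log_lines(SAMPLE_LOG)])
```

Passing these local checks does not replace the mandatory Pre-Validation report; it only catches the listed issues earlier.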

Summary:
In this blog, we learned how the QRadar App Validation team thoroughly checks applications and content packs to ensure they work correctly, are secure, and meet platform standards. By following best practices, such as validating installation and updates, ensuring secure coding, providing clear documentation, and submitting accurate pre-validation reports, developers can streamline the approval process and increase the chances of their apps being successfully published.

Written by: Pratik Surela (@Pratik Surela)
Reviewed by: Ashish Kothekar (@ASHISH KOTHEKAR)

For any queries, feel free to reach out to us at pratik.surela@ibm.com or ashish.kothekar@in.ibm.com
