Is there some protection against malicious plugins?

Are plugins running in some kind of sandbox? If I download and install any plugin from an unknown source, am I exposed to some attacks? Put another way, can the plugin perform any action with the rights of the user who is running SonarQube (reading or writing files, opening network connections, etc.)?

I could not find any information on this topic; maybe I did not look in the right place.

Hi @vm666, welcome to the SonarSource Community!

I would like to draw your attention to the documentation on this topic.