Overview
MRCA (Moodle Risk & Compliance Analyzer) is a local Moodle plugin that performs automated security, privacy, and compliance audits of your Moodle installation. It scans installed third-party plugins across multiple risk dimensions and produces a unified Site Risk Index (0–100).
By default, MRCA only scans third-party plugins. Standard Moodle modules (maintained by Moodle HQ) are excluded to avoid false positives.
Why MRCA?
In the European Union, where GDPR has been fully enforceable since May 2018, educational institutions face strict obligations regarding the processing of personal data. Despite this, Moodle provides no built-in mechanism to audit installed plugins for:
- Privacy compliance
- Security risks
- Permission exposure
- Dependency health
Architecture
Scanners
MRCA contains various scanners that produce the risk score:
- Privacy Scanner: Analyzes plugin databases for PII and Privacy API implementations.
- Dependency Scanner: Checks plugin health, missing dependencies, and use of outdated Moodle APIs.
- Structural Scanner: Evaluates code quality and identifies unsafe PHP functions (eval, exec).
- Capability Scanner: Analyzes role permissions for security risks and high-risk capability overrides.
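The kind of unsafe-function check the Structural Scanner describes, as an added illustration that is not MRCA's own code: the helper names, the flagged-function list (eval and exec only), the sample input and the report format are assumptions made for this example.

```php
<?php
// Added example: token-based scan so names inside comments or strings are not flagged.
function mrca_example_neighbour(array $tokens, int $i, int $step) {
    // Nearest token before ($step = -1) or after ($step = 1) $i, skipping whitespace and comments.
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}
function mrca_example_find_unsafe_calls(string $source, array $unsafe = ['eval', 'exec']): array {
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $token;
        $name = strtolower(ltrim($text, '\\'));
        // eval is a language construct (T_EVAL); exec is a T_STRING name, or T_NAME_FULLY_QUALIFIED for "\exec" on PHP 8.
        $isname = $id === T_EVAL || $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if (!$isname || !in_array($name, $unsafe, true)) {
            continue;
        }
        // $obj->exec(), Foo::exec() and "function exec()" are not the PHP builtin.
        $prev = mrca_example_neighbour($tokens, $i, -1);
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        if (mrca_example_neighbour($tokens, $i, 1) === '(') { // only an actual call: name followed by '('
            $findings[] = ['function' => $name, 'line' => $line];
        }
    }
    return $findings;
}
// Constructed sample: a comment, a string literal, two builtin calls and a method call.
$sample = <<<'PHP'
<?php
// exec("ls") mentioned in a comment is not a call
$note = 'eval() inside a string literal is not a call either';
$out = exec($cmd);
eval($code);
$this->exec($query);
PHP;
print_r(mrca_example_find_unsafe_calls($sample));
```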
Risk Scoring
Each plugin receives sub-scores for Privacy, Dependencies, and Capabilities. These are combined into the Site Risk Index (SRI), a normalized 0–100 score whose bands range from Healthy (0–20) to Critical (81–100).