Certification
Learn about the commercetools Connect certification process.
Scope of certification
To become a publicly available Connector on the Connect marketplace, your Connector must pass a semi-automated certification process that is managed by the commercetools Connect team. This process is triggered when you publish your Connector. The certification process ensures that your Connect applications are:
- Functionally complete, with no critical bugs
- Stable and secure, with no security vulnerabilities
- Compatible with commercetools Connect's deployment requirements
- Fully documented, with a clear installation guide and usage instructions
Certification is not required when creating private Connectors or Connectors for use in your own Projects.
What is needed for certification
Before starting the certification process, you must ensure that the following are in your GitHub repository:
- Source code for your Connect applications
- Unit tests and self-contained integration tests
- Installation guide and documentation
- License files
- Creator information and contact details
How to request certification
The certification request process is the responsibility of the creator.
Using the Connect API
You can request certification for a ConnectorStaged by using the Publish update action with certification set to true.
Using the Merchant Center
You can request certification by selecting List on Marketplace when publishing the Organization Connector.
When to request re-certification
If you make any changes to your Connect applications, such as fixing bugs or adding new features, you must re-certify the ConnectorStaged before the changes go live.
To re-certify your ConnectorStaged, follow these steps:
- Push the changes to the application GitHub repository.
- Generate a new Git tag.
- Use the Set Repository update action to reference the new tag.
- Use the Publish update action with
certificationset totrue.
Requirements for certification
When developing your Connect applications, be aware of the following requirements for certification.
General requirements
Your Connect applications:
- Must follow language-specific configurations to support buildpack. commercetools Connect uses it to build container images.
- Must use open-source libraries which Google Cloud Platform supports.
- Must be stateless in nature and not store previous session information in-memory.
- Must have self-contained dependencies, with global dependencies referenced in
package.json. - Should follow test-driven development principles.
- Should be lightweight and not need excessive memory or CPU-intensive operations. For example, do not use long-running recursive operations.
GitHub repository requirements
The GitHub repository of your Connect applications:
- Must have a specific directory structure.
- Must contain a configured
connect.yamlfile in the root directory. - Must have a Git tag that remains the same during the certification process.
If the GitHub repository of your Connect applications is private, you must grant read access to the connect-mu machine user.
Security requirements
Your Connect applications:
- Must not contain any hardcoded URLs, tokens, credentials, or passwords in the application code and configuration.
- Must not use outdated or insecure dependency libraries.
- Must not use protected third-party trademarks, copyrights, patents, or code.
- Should not include logs or any code/configuration which are not intended for production use.
Handling issues
Functional errors
If your Connect applications have functional errors, the certification process will fail. You must fix these errors and request certification again.
The commercetools Connect team will email a detailed report of the functional errors found in your Connect applications to the creator of your ConnectorStaged.
Security vulnerabilities
If your Connect applications have security vulnerabilities, the certification process will fail. You must fix these vulnerabilities and request certification again.
Once your Connector passes certification and is listed on the Connect marketplace, you must acknowledge any security vulnerabilities found in your Connect applications within 1 business day.
Based on their severity, you must fix security vulnerabilities in your Connect applications within the following response times.
| Severity | Response time |
|---|---|
| Critical | 15 business days |
| High | 30 business days |
Infrastructure
All infrastructure-related issues are the responsibility of the commercetools Connect team. If you have any questions about the infrastructure, contact the Connect support team.
Contact support
If you have any questions about the certification process or other aspects of commercetools Connect, contact the Connect support team.