Certification

Learn about the commercetools Connect certification process.

Scope of certification

To become a publicly available Connector on the Connect marketplace, your Connector must pass a semi-automated certification process that is managed by the commercetools Connect team. This process is triggered when you publish your Connector. The certification process ensures that your Connect applications are:

  • Functionally complete, with no critical bugs
  • Stable and secure, with no security vulnerabilities
  • Compatible with commercetools Connect's deployment requirements
  • Fully documented, with a clear installation guide and usage instructions

Certification is not required when creating private Connectors or Connectors for use in your own Projects.

What is needed for certification

Before starting the certification process, you must ensure that the following are in your GitHub repository:

  • Source code for your Connect applications
  • Unit tests and self-contained integration tests
  • Installation guide and documentation
  • License files
  • Creator information and contact details

How to request certification

The certification request process is the responsibility of the creator.

Using the Connect API

You can request certification for a ConnectorStaged by using the Publish update action with certification set to true.

Using the Merchant Center

You can request certification by selecting List on Marketplace when publishing the Organization Connector.

When to request re-certification

If you make any changes to your Connect applications, such as fixing bugs or adding new features, you must re-certify the ConnectorStaged before the changes go live.

To re-certify your ConnectorStaged, follow these steps:

  1. Push the changes to the application GitHub repository.
  2. Generate a new Git tag.
  3. Use the Set Repository update action to reference the new tag.
  4. Use the Publish update action with certification set to true.

Requirements for certification

When developing your Connect applications, be aware of the following requirements for certification.

General requirements

Your Connect applications:

  • Must follow language-specific configurations to support buildpack. commercetools Connect uses it to build container images.
  • Must use open-source libraries which Google Cloud Platform supports.
  • Must be stateless in nature and not store previous session information in-memory.
  • Must have self-contained dependencies, with global dependencies referenced in package.json.
  • Should follow test-driven development principles.
  • Should be lightweight and not need excessive memory or CPU-intensive operations. For example, do not use long-running recursive operations.

GitHub repository requirements

The GitHub repository of your Connect applications:

  • Must have a specific directory structure.
  • Must contain a configured connect.yaml file in the root directory.
  • Must have a Git tag that remains the same during the certification process.

If the GitHub repository of your Connect applications is private, you must grant read access to the connect-mu machine user.

Security requirements

Your Connect applications:

  • Must not contain any hardcoded URLs, tokens, credentials, or passwords in the application code and configuration.
  • Must not use outdated or insecure dependency libraries.
  • Must not use protected third-party trademarks, copyrights, patents, or code.
  • Should not include logs or any code/configuration which are not intended for production use.

Handling issues

Functional errors

If your Connect applications have functional errors, the certification process will fail. You must fix these errors and request certification again.

The commercetools Connect team will email a detailed report of the functional errors found in your Connect applications to the creator of your ConnectorStaged.

Security vulnerabilities

If your Connect applications have security vulnerabilities, the certification process will fail. You must fix these vulnerabilities and request certification again.

Once your Connector passes certification and is listed on the Connect marketplace, you must acknowledge any security vulnerabilities found in your Connect applications within 1 business day.

Based on their severity, you must fix security vulnerabilities in your Connect applications within the following response times.

SeverityResponse time
Critical15 business days
High30 business days

Infrastructure

All infrastructure-related issues are the responsibility of the commercetools Connect team. If you have any questions about the infrastructure, contact the Connect support team.

Contact support

If you have any questions about the certification process or other aspects of commercetools Connect, contact the Connect support team.