Certification

Learn about the commercetools Connect certification process.

Scope of certification

Certification is a semi-automated process that your ConnectorStaged must pass to become a publicly available Connector. The certification process ensures that your Connect applications are:

  • Functionally complete
  • Stable and secure
  • Compatible with commercetools Connect's deployment requirements
  • Fully documented

Only certified Connectors are available publicly. Certification is not required for private Connectors.

What is needed for certification

You must provide the following in your GitHub repository for the certification process:

  • Source code for your Connect applications
  • Unit tests and self-contained integration tests
  • Installation guide and documentation
  • License files

How to request certification

You can request certification for a ConnectorStaged by using the Publish update action with certification set to true.

When to request re-certification

If you make any changes to your Connect applications, such as fixing bugs or adding new features, you must re-certify the ConnectorStaged before the changes go live.

To re-certify your ConnectorStaged, follow these steps:

  1. Push the changes to the application GitHub repository.
  2. Generate a new Git tag.
  3. Use the Set Repository update action to reference the new tag.
  4. Use the Publish update action with certification set to true.

Requirements for certification

When developing your Connect applications, be aware of the following requirements for certification.

General requirements

Your Connect applications:

  • Must follow the language-specific configuration required to support buildpacks, which commercetools Connect uses to build container images.
  • Must use open-source libraries that Google Cloud Platform supports.
  • Must be stateless in nature and not store previous session information in-memory.
  • Must have self-contained dependencies, with global dependencies referenced in package.json.
  • Should follow test-driven development principles.
  • Should be lightweight and not need excessive memory or CPU-intensive operations. For example, do not use long-running recursive operations.

GitHub repository requirements

The GitHub repository of your Connect applications:

  • Must have a specific directory structure.
  • Must contain a configured connect.yaml file in the root directory.
  • Must have a Git tag that remains the same during the certification process.

If the GitHub repository of your Connect applications is private, you must grant read access to the connect-mu machine user.

Security requirements

Your Connect applications:

  • Must not contain any hardcoded URLs, tokens, credentials, or passwords in the application code and configuration.
  • Must not use outdated or insecure dependency libraries.
  • Must not use protected third-party trademarks, copyrights, patents, or code.
  • Should not include logs or any code/configuration which are not intended for production use.
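
The check below is an added example, not commercetools tooling or part of the certification process itself. It is a pre-submission scan for two of the requirements above: a connect.yaml file in the repository root, and no hardcoded credentials or URLs in application code and configuration. The regular expressions, scanned file types, and skipped directories are assumptions chosen for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumed heuristics for a pre-submission check; not commercetools' own certification rules.
PATTERNS = {
    "hardcoded credential": re.compile(
        r"""(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["'][^"'\s]{8,}["']"""),
    "hardcoded URL": re.compile(r"""["']https?://[^"'\s]+["']"""),
}
SKIP_DIRS = {".git", "node_modules"}          # vendored code and VCS metadata
SCAN_SUFFIXES = {".js", ".ts", ".yaml", ".yml"}

def check_repo(root):
    """Return (path, line, issue) findings for a Connect application repository."""
    root = Path(root)
    findings = []
    if not (root / "connect.yaml").is_file():
        findings.append(("connect.yaml", 0, "missing from repository root"))
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        wanted = path.suffix in SCAN_SUFFIXES or path.name.startswith(".env")
        if not (path.is_file() and wanted) or SKIP_DIRS & set(rel.parts):
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            findings += [(rel.as_posix(), lineno, label)
                         for label, rx in PATTERNS.items() if rx.search(line)]
    return findings

def demo():
    sample = {  # constructed file contents, made up for this example
        "service/src/client.js": (
            "const host = process.env.CTP_API_URL;\n"          # read from environment: passes
            "const clientSecret = 'constructed-value-123';\n"  # literal credential: flagged
            "const auth = 'https://auth.example.invalid';\n"   # literal URL: flagged
        ),
        "service/node_modules/dep/index.js": "const token = 'ignored-vendored-code';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in sample.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return check_repo(tmp)

if __name__ == "__main__":
    for finding in (check_repo(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("%s:%d: %s" % finding)
```

Pass a repository path as the first argument to scan a real checkout; with no argument the script scans the constructed sample.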

Handling security vulnerabilities

Once your Connector passes certification and becomes publicly available, you must acknowledge any security vulnerabilities found in your Connect applications within 1 business day.

Based on their severity, you must fix security vulnerabilities in your Connect applications within the following response times.

Severity    Response time
Critical    15 business days
High        30 business days