Validation pipeline

Ask about this Page
Copy for LLM
View as Markdown

Learn how Connect validates the code quality and security of your Connect applications before they are previewed or published.

When requesting a preview build or publishing a Connector, Connect checks the code quality and security of your Connect applications. The content of the connect.yaml file is also validated. These checks help ensure that Connect applications meet the required standards for running in a production environment.
You can perform the validation process locally using the commercetools connect validate CLI command.

Check validation status

You can check the validation status of a preview build or published Connector using the Connect API or Merchant Center. The Merchant Center provides a complete report of the validation results, while the Connect API provides a summary of the validation status.

Connect API

Merchant Center


  1. Query the Get ConnectorStaged endpoint.
  2. Check the previewableReport or publishingReport fields of the ConnectorStaged.
    • The isPreviewable field indicates if the ConnectorStaged has passed validation for the preview build.
    • If the status field is Published, the ConnectorStaged has passed validation for publishing.


  1. Open the Connector in the Merchant Center.
    • The labels Preview Accepted and Published indicate that the Connector has passed validation.
  2. Go to Preview Report or Publish Report to view detailed information about the validation results.

Pipeline steps

The validation pipeline runs each time a Connector is previewed or published. It executes the following steps and reports their status.

Fetch Connector repository

The pipeline fetches your Connector's Git repository at the configured tag into the Connect build environment.

Connect requires a clean, verifiable copy of your source code. If this step fails, common causes include missing repository access due to permissions, an incorrect repository URL, or a tag that no longer exists. Resolving repository access allows the remaining pipeline steps to run.

Verify Connector

This step validates that the fetched repository is a well-formed Connector. It checks that the connect.yaml file exists, conforms to the Connector specification schema, and that every application declared in connect.yaml has a corresponding source folder. It also verifies that each Connect application has the proper configuration and source structure for the build process.
Verifying the Connector catches misconfiguration errors early, before executing expensive build runs. Failures point to concrete fixes in your repository layout or connect.yaml, saving debugging time downstream.

Build Connector applications

The pipeline builds each application declared in your Connector into a container image. Applications are built in parallel. This step also resolves shared common modules.

If this step fails, the pipeline skips the security scans. You must fix earlier steps first.

Software composition analysis (SCA)

The SCA step scans your Connector's open-source dependencies and development dependencies. Any critical finding fails the SCA. To pass, you must update the flagged package to a fixed version or remove the dependency.

Static application security testing (SAST)

The SAST step analyzes the source code of your applications and shared libraries against a Connect-specific quality gate. It detects bugs, code-level security vulnerabilities like injection flaws or unsafe API usage, and code smells. Test files and node_modules folders are excluded from this analysis.

This step catches security weaknesses in your written code without executing it. The step fails on critical issues, which must be remediated in your source code before the Connector can be published or deployed.