Learn how Connect validates the code quality and security of your Connect applications before they are previewed or published.
connect.yaml file is also validated. These checks help ensure that Connect applications meet the required standards for running in a production environment.commercetools connect validate CLI command.Check validation status
You can check the validation status of a preview build or published Connector using the Connect API or Merchant Center. The Merchant Center provides a complete report of the validation results, while the Connect API provides a summary of the validation status.
Connect API
Merchant Center
- Query the Get ConnectorStaged endpoint.
- Check the
previewableReportorpublishingReportfields of the ConnectorStaged.- The
isPreviewablefield indicates if the ConnectorStaged has passed validation for the preview build. - If the
statusfield isPublished, the ConnectorStaged has passed validation for publishing.
- The
Pipeline steps
The validation pipeline runs each time a Connector is previewed or published. It executes the following steps and reports their status.
Fetch Connector repository
The pipeline fetches your Connector's Git repository at the configured tag into the Connect build environment.
Connect requires a clean, verifiable copy of your source code. If this step fails, common causes include missing repository access due to permissions, an incorrect repository URL, or a tag that no longer exists. Resolving repository access allows the remaining pipeline steps to run.
Verify Connector
connect.yaml file exists, conforms to the Connector specification schema, and that every application declared in connect.yaml has a corresponding source folder. It also verifies that each Connect application has the proper configuration and source structure for the build process.connect.yaml, saving debugging time downstream.Build Connector applications
If this step fails, the pipeline skips the security scans. You must fix earlier steps first.
Software composition analysis (SCA)
The SCA step scans your Connector's open-source dependencies and development dependencies. Any critical finding fails the SCA. To pass, you must update the flagged package to a fixed version or remove the dependency.
Static application security testing (SAST)
node_modules folders are excluded from this analysis.This step catches security weaknesses in your written code without executing it. The step fails on critical issues, which must be remediated in your source code before the Connector can be published or deployed.