You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Network Readiness
Engineering Quality
Overall
19.5 / 25
10 / 20
0 / 20
8 / 10
50 / 100
Drilldown
Presentation & Onboarding — 19.5 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple examples cover different configuration modes: npm/go/pypi basic setup, code-server integration, custom token description, and using the token output in other resources. Each example shows sensible defaults and clear use cases.
Coder-context framing
8
7.5
README explains the module installs JF CLI and authenticates package managers with Artifactory using the Artifactory terraform provider. Links to Coder docs guide. Names both Coder and JFrog/Artifactory. Slightly under-documented on where Coder fits in the overall flow (workspace context is implicit but not explicitly explained).
Visual preview
5
0
README references  but the actual image file is not included in the module files provided. Icon reference exists but icons don't count per rubric.
Credential Hygiene — 10 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
10
The artifactory_access_token variable is NOT marked sensitive = true in main.tf. The output access_token is marked sensitive. README examples show artifactory_access_token = var.artifactory_access_token which avoids inline secrets in examples, but the variable definition itself lacks the sensitive flag. This caps the score at half (8), plus partial credit (2) for output sensitivity and example hygiene.
Non-hardcoded auth path
4
0
Module requires an admin-level access token to be provided. No documentation of alternative auth paths like OAuth, IAM roles, or external auth helpers. The token must be supplied directly.
No documented way to skip JF CLI installation when it's already in the image. The script checks if command -v jf and skips installation if found, but this is not documented in the README as a supported pattern.
Egress transparency
4
0
No dedicated README section enumerating external endpoints. Endpoints are scattered across code (install-cli.jfrog.io, user's jfrog_url) but not documented in a network/air-gap section.
Engineering Quality — 8 / 10
Criterion
Max
Score
Notes
Input quality
6
6
Variables have clear descriptions, sensible defaults (e.g., check_license = true, jfrog_server_id = "0"), and validation rules (jfrog_url regex for http/https, username_field enum validation). Package_managers uses optional() with empty list defaults.
Test coverage
4
2
TypeScript tests in main.test.ts cover business logic (npmrc generation, pip config, docker registration, go proxy, conda, maven). Tests use a fake JFrog server. No .tftest.hcl files present. Tests are end-to-end focused but lack Terraform-native unit tests.
Overall — 50 / 100
Raw 37.5 / 75 → round(37.5 / 75 × 100) = 50
Track: Utility (configures package managers and CLI tools; not an agent or IDE)
Scored against SCORECARD.md on 2026-07-14 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 19.5 / 25
but the actual image file is not included in the module files provided. Icon reference exists but icons don't count per rubric.Credential Hygiene — 10 / 20
artifactory_access_tokenvariable is NOT markedsensitive = truein main.tf. The outputaccess_tokenis marked sensitive. README examples showartifactory_access_token = var.artifactory_access_tokenwhich avoids inline secrets in examples, but the variable definition itself lacks the sensitive flag. This caps the score at half (8), plus partial credit (2) for output sensitivity and example hygiene.Restricted-Network Readiness — 0 / 20
if command -v jfand skips installation if found, but this is not documented in the README as a supported pattern.Engineering Quality — 8 / 10
check_license = true,jfrog_server_id = "0"), and validation rules (jfrog_url regex for http/https, username_field enum validation). Package_managers uses optional() with empty list defaults.Overall — 50 / 100
Raw 37.5 / 75 → round(37.5 / 75 × 100) = 50
Track: Utility (configures package managers and CLI tools; not an agent or IDE)
Scored against SCORECARD.md on 2026-07-14 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions