You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the JFrog Xray module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Environment Readiness
Engineering Quality
Overall
13 / 25
18 / 20
N/A
10 / 10
75 / 100
Drilldown
Presentation & Onboarding — 13 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
README provides two documented examples: standard local repository usage and remote repository usage with use_cache_repo = true. Each example includes sensible defaults and clear context for when to use each mode.
Coder-context framing
8
1
The README mentions Coder only in "Use the outputs to display security information as workspace metadata" and shows a coder_metadata resource. It does not explain what the module adds on top of Coder, does not name JFrog Xray in relation to Coder's workflow, and does not show where Coder fits in the security scanning flow. Minimal Coder context.
Visual preview
5
0
No image, GIF, or video in the README. Only an icon reference in frontmatter.
Credential Hygiene — 18 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
16
The xray_token variable is marked sensitive = true in main.tf. README examples use var.artifactory_access_token rather than inline literal secrets.
Non-hardcoded auth path
4
2
README mentions generating tokens in "JFrog Platform under User Management > Access Tokens" but does not document OAuth, ServiceAccount, IAM roles, or other non-token auth paths. The module only supports access token authentication. Partial guidance on token generation earns half.
Restricted-Environment Readiness — N/A
Criterion
Max
Score
Notes
Mirrorable artifact source
10
N/A
This module downloads nothing. It only queries the JFrog Xray API using the xray Terraform provider. The xray_url variable specifies the API endpoint to query, not a download source.
Bring-your-own binary
5
N/A
No installation or binary download occurs.
Egress transparency
3
N/A
No downloads or installs; the module only makes API calls to the user-provided xray_url.
Runs without sudo
2
N/A
No scripts are executed by this module.
Engineering Quality — 10 / 10
Criterion
Max
Score
Notes
Input quality
6
6
All inputs have clear descriptions. xray_url has validation for URL format. image has validation for minimum path segments. Defaults are sensible (use_cache_repo = false, empty string overrides). Descriptions explain when and why to use each variable.
Test coverage
4
4
Comprehensive TypeScript test suite in main.test.ts covers business logic: required variable validation, local repository scanning, empty results handling, cache repository behavior, and custom overrides. Mock servers simulate different Xray API responses. Tests verify output values match expected vulnerability counts.
Overall — 75 / 100
Raw 41 / 55 → round(41 / 55 × 100) = 75
Scored against SCORECARD.md on 2026-07-15 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the JFrog Xray module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 13 / 25
use_cache_repo = true. Each example includes sensible defaults and clear context for when to use each mode.coder_metadataresource. It does not explain what the module adds on top of Coder, does not name JFrog Xray in relation to Coder's workflow, and does not show where Coder fits in the security scanning flow. Minimal Coder context.Credential Hygiene — 18 / 20
xray_tokenvariable is markedsensitive = truein main.tf. README examples usevar.artifactory_access_tokenrather than inline literal secrets.Restricted-Environment Readiness — N/A
xrayTerraform provider. Thexray_urlvariable specifies the API endpoint to query, not a download source.xray_url.Engineering Quality — 10 / 10
xray_urlhas validation for URL format.imagehas validation for minimum path segments. Defaults are sensible (use_cache_repo = false, empty string overrides). Descriptions explain when and why to use each variable.Overall — 75 / 100
Raw 41 / 55 → round(41 / 55 × 100) = 75
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions