You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the JFrog (OAuth) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Network Readiness
Engineering Quality
Overall
19.5 / 25
18 / 20
0 / 20
8 / 10
61 / 100
Drilldown
Presentation & Onboarding — 19.5 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple documented examples covering different package managers (npm, go, pypi, docker, conda, maven), code-server integration, and username field mapping. Each shows sensible defaults.
Coder-context framing
8
7.5
README explains this is for Coder external-auth OAuth integration with JFrog Artifactory, names both tools, and links to Coder docs. Slightly under-explains where Coder fits in the authentication flow compared to direct JFrog usage.
Visual preview
5
0
README references  but the actual image file is not included in the module files provided. Icon reference does not count.
Credential Hygiene — 18 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
14
The access_token output is marked sensitive = true. However, README examples show the token being used in provider configurations like password = try(module.jfrog[0].access_token, "") which could be considered inline usage, though this is a reference rather than a literal. Templates embed tokens in config files. Marking half-off for the inline-like usage patterns.
Non-hardcoded auth path
4
4
Uses Coder external-auth OAuth flow (data.coder_external_auth.jfrog), avoiding raw API keys. This is a proper OAuth/external auth integration.
No documented way to skip JF CLI installation when it's already in the image. The script checks if command -v jf but still attempts configuration; there's no input variable to disable the download step entirely.
Egress transparency
4
0
No dedicated README section enumerating external endpoints. The install-cli.jfrog.io endpoint and user's JFrog instance are inferable from code but not documented in a network/air-gap section.
Engineering Quality — 8 / 10
Criterion
Max
Score
Notes
Input quality
6
6
Inputs have clear descriptions, validation rules (jfrog_url regex, username_field enum), and sensible defaults. The package_managers object structure is well-documented with examples.
Test coverage
4
2
.tftest.hcl file exists with multiple test cases covering validation, package manager configurations, and edge cases. However, no TypeScript or end-to-end tests are present. Tests only cover Terraform plan logic, not actual runtime behavior.
Overall — 61 / 100
Raw 45.5 / 75 → round(45.5 / 75 × 100) = 61
Note: This module is classified as Utility (authentication/integration helper, not an agent or IDE). However, it downloads the JF CLI tool, so Restricted-Network criteria apply and are not N/A. The final calculation: 19.5 + 18 + 0 + 8 = 45.5 out of 75 points, normalized to 61/100.
Correction: Re-reading rubric - the overall should show the normalized score. Let me recalculate:
However, the table header shows 46/100. Let me verify the arithmetic once more:
Presentation: 19.5 / 25
Credential: 18 / 20
Restricted: 0 / 20
Engineering: 8 / 10
Total: 45.5 / 75
Normalized: 61 / 100
The header should show 61 / 100, not 46.
Corrected version:
Presentation & Onboarding
Credential Hygiene
Restricted-Network Readiness
Engineering Quality
Overall
19.5 / 25
18 / 20
0 / 20
8 / 10
61 / 100
Drilldown
Presentation & Onboarding — 19.5 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple documented examples covering different package managers (npm, go, pypi, docker, conda, maven), code-server integration, and username field mapping. Each shows sensible defaults.
Coder-context framing
8
7.5
README explains this is for Coder external-auth OAuth integration with JFrog Artifactory, names both tools, and links to Coder docs. Slightly under-explains where Coder fits in the authentication flow compared to direct JFrog usage.
Visual preview
5
0
README references  but the actual image file is not included in the module files provided. Icon reference does not count.
Credential Hygiene — 18 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
14
The access_token output is marked sensitive = true. However, README examples show the token being used in provider configurations like password = try(module.jfrog[0].access_token, "") which could be considered inline usage, though this is a reference rather than a literal. Templates embed tokens in config files. Marking half-off for the inline-like usage patterns.
Non-hardcoded auth path
4
4
Uses Coder external-auth OAuth flow (data.coder_external_auth.jfrog), avoiding raw API keys. This is a proper OAuth/external auth integration.
No documented way to skip JF CLI installation when it's already in the image. The script checks if command -v jf but still attempts configuration; there's no input variable to disable the download step entirely.
Egress transparency
4
0
No dedicated README section enumerating external endpoints. The install-cli.jfrog.io endpoint and user's JFrog instance are inferable from code but not documented in a network/air-gap section.
Engineering Quality — 8 / 10
Criterion
Max
Score
Notes
Input quality
6
6
Inputs have clear descriptions, validation rules (jfrog_url regex, username_field enum), and sensible defaults. The package_managers object structure is well-documented with examples.
Test coverage
4
2
.tftest.hcl file exists with multiple test cases covering validation, package manager configurations, and edge cases. However, no TypeScript or end-to-end tests are present. Tests only cover Terraform plan logic, not actual runtime behavior.
Overall — 61 / 100
Scored against SCORECARD.md on 2026-07-14 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the JFrog (OAuth) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 19.5 / 25
but the actual image file is not included in the module files provided. Icon reference does not count.Credential Hygiene — 18 / 20
access_tokenoutput is markedsensitive = true. However, README examples show the token being used in provider configurations likepassword = try(module.jfrog[0].access_token, "")which could be considered inline usage, though this is a reference rather than a literal. Templates embed tokens in config files. Marking half-off for the inline-like usage patterns.data.coder_external_auth.jfrog), avoiding raw API keys. This is a proper OAuth/external auth integration.Restricted-Network Readiness — 0 / 20
if command -v jfbut still attempts configuration; there's no input variable to disable the download step entirely.Engineering Quality — 8 / 10
.tftest.hclfile exists with multiple test cases covering validation, package manager configurations, and edge cases. However, no TypeScript or end-to-end tests are present. Tests only cover Terraform plan logic, not actual runtime behavior.Overall — 61 / 100
Raw 45.5 / 75 → round(45.5 / 75 × 100) = 61
Note: This module is classified as Utility (authentication/integration helper, not an agent or IDE). However, it downloads the JF CLI tool, so Restricted-Network criteria apply and are not N/A. The final calculation: 19.5 + 18 + 0 + 8 = 45.5 out of 75 points, normalized to 61/100.
Correction: Re-reading rubric - the overall should show the normalized score. Let me recalculate:
However, the table header shows 46/100. Let me verify the arithmetic once more:
The header should show 61 / 100, not 46.
Corrected version:
Drilldown
Presentation & Onboarding — 19.5 / 25
but the actual image file is not included in the module files provided. Icon reference does not count.Credential Hygiene — 18 / 20
access_tokenoutput is markedsensitive = true. However, README examples show the token being used in provider configurations likepassword = try(module.jfrog[0].access_token, "")which could be considered inline usage, though this is a reference rather than a literal. Templates embed tokens in config files. Marking half-off for the inline-like usage patterns.data.coder_external_auth.jfrog), avoiding raw API keys. This is a proper OAuth/external auth integration.Restricted-Network Readiness — 0 / 20
if command -v jfbut still attempts configuration; there's no input variable to disable the download step entirely.Engineering Quality — 8 / 10
.tftest.hclfile exists with multiple test cases covering validation, package manager configurations, and edge cases. However, no TypeScript or end-to-end tests are present. Tests only cover Terraform plan logic, not actual runtime behavior.Overall — 61 / 100
Scored against SCORECARD.md on 2026-07-14 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions