You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Environment Readiness
Engineering Quality
Overall
19.5 / 25
10 / 20
2.5 / 20
10 / 10
56 / 100
Drilldown
Presentation & Onboarding — 19.5 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple examples cover major modes: basic multi-package-manager setup, local-only repos, code-server integration, custom token description, and using the token output in other resources. Each has sensible defaults.
Coder-context framing
8
7.5
README names both Coder and JFrog/Artifactory, explains the module configures package managers with Artifactory using the terraform provider. The flow is clear but could be slightly more explicit about where Coder fits (workspace provisioning context).
Visual preview
5
0
README references  but the actual image file is not included in the module files provided. Icon reference exists but icons don't count per rubric.
Credential Hygiene — 10 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
8
The artifactory_access_token input variable is NOT marked sensitive = true in main.tf. The output access_token is marked sensitive. README examples show artifactory_access_token = var.artifactory_access_token which avoids inline literals, but the missing input sensitivity caps this at half.
Non-hardcoded auth path
4
2
Module uses the Artifactory terraform provider to generate scoped tokens from an admin token, which is better than raw keys everywhere, but still requires an admin-level access token as input. No OAuth, IAM, or external auth integration documented. Partial credit for token scoping.
No documented way to skip CLI installation when it's pre-baked. The script checks if command -v jf and skips installation if present, but this is not documented in the README. Undocumented behavior scores 0.
Egress transparency
3
1.5
No dedicated README section for network requirements or air-gapped environments. Endpoints are scattered across examples (jfrog_url, install-cli.jfrog.io visible in run.sh). Inferable but not enumerated in a dedicated section earns at most half per rubric; actual enumeration is missing so half of half.
Runs without sudo
2
1
The install script uses sudo sh and sudo chmod for JFrog CLI installation (core functionality). The script does not degrade gracefully; it requires sudo for the primary install path. Scores 0 per rubric (root required for core functionality). However, if CLI is already installed, the rest runs without sudo. This is an optional-feature scenario earning half. Actually, re-reading: the CLI install is the first major action and uses sudo unconditionally when installing. The rest of the script (config files) doesn't need sudo. Since the install is core to the module's purpose, this scores 0. Wait - the rubric says "sudo needed only for optional features with a working fallback earns half". If the CLI is already present, the module works without sudo. The check if command -v jf provides a working path. This earns half: 1 point.
Engineering Quality — 10 / 10
Criterion
Max
Score
Notes
Input quality
6
6
All inputs have clear descriptions. Sensible defaults for optional inputs (check_license, refreshable, expires_in, username_field, configure_code_server, jfrog_server_id). Validation on jfrog_url (HTTPS/HTTP regex) and username_field (email/username enum). package_managers uses optional() with empty list defaults. Excellent.
Test coverage
4
4
Comprehensive TypeScript tests in main.test.ts cover multiple package managers (npm with scopes, pypi with extra-indexes, docker, go, conda, maven), token generation, and configuration rendering. Tests use a fake JFrog server to avoid external dependencies. Clear testing story.
Overall — 56 / 100
Raw 42 / 75 → round(42 / 75 × 100) = 56
Track: Utility (configures package managers and artifact authentication, not an agent or IDE)
Utility modules are scored on Universal criteria only (75 pts), then normalized.
Raw score: 19.5 + 10 + 2.5 + 10 = 42 / 75
Normalized: round(42 / 75 × 100) = round(56) = 56
Grade: Adequate
Scored against SCORECARD.md on 2026-07-15 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 19.5 / 25
but the actual image file is not included in the module files provided. Icon reference exists but icons don't count per rubric.Credential Hygiene — 10 / 20
artifactory_access_tokeninput variable is NOT markedsensitive = truein main.tf. The outputaccess_tokenis marked sensitive. README examples showartifactory_access_token = var.artifactory_access_tokenwhich avoids inline literals, but the missing input sensitivity caps this at half.Restricted-Environment Readiness — 2.5 / 20
if command -v jfand skips installation if present, but this is not documented in the README. Undocumented behavior scores 0.sudo shandsudo chmodfor JFrog CLI installation (core functionality). The script does not degrade gracefully; it requires sudo for the primary install path. Scores 0 per rubric (root required for core functionality). However, if CLI is already installed, the rest runs without sudo. This is an optional-feature scenario earning half. Actually, re-reading: the CLI install is the first major action and uses sudo unconditionally when installing. The rest of the script (config files) doesn't need sudo. Since the install is core to the module's purpose, this scores 0. Wait - the rubric says "sudo needed only for optional features with a working fallback earns half". If the CLI is already present, the module works without sudo. The checkif command -v jfprovides a working path. This earns half: 1 point.Engineering Quality — 10 / 10
Overall — 56 / 100
Raw 42 / 75 → round(42 / 75 × 100) = 56
Track: Utility (configures package managers and artifact authentication, not an agent or IDE)
Utility modules are scored on Universal criteria only (75 pts), then normalized.
Raw score: 19.5 + 10 + 2.5 + 10 = 42 / 75
Normalized: round(42 / 75 × 100) = round(56) = 56
Grade: Adequate
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions