You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Environment Readiness
Engineering Quality
Overall
19.5 / 25
10 / 20
2.5 / 20
8 / 10
53 / 100
Drilldown
Presentation & Onboarding — 19.5 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
12
Multiple examples cover major modes: basic multi-package-manager setup, local repositories only, code-server integration, custom token description, and using the token output in other resources. Each has sensible defaults.
Coder-context framing
8
7.5
README states "Install the JF CLI and authenticate package managers with Artifactory using Artifactory terraform provider" and links to Coder docs guide. Shows Coder fits in the authentication flow. Does not explicitly name "Coder" in the opening sentence, only "JF CLI" and "Artifactory". Minor deduction for not stating "Coder workspace" upfront.
Visual preview
5
0
README references  but the actual image file is not provided in the module files. Icon reference exists but icons don't count per rubric.
Credential Hygiene — 10 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
8
artifactory_access_token variable lacks sensitive = true in main.tf. The output access_token is marked sensitive. README examples show artifactory_access_token = var.artifactory_access_token which avoids inline secrets in the example itself, but the variable definition in the module does not enforce sensitivity. Half credit.
Non-hardcoded auth path
4
2
README shows using var.artifactory_access_token which suggests external variable management, but does not document ServiceAccount, IAM, OAuth, or API key helper patterns. The module generates a scoped token from an admin token, which is a credential derivation pattern but not a non-hardcoded auth path in the sense of the rubric (OAuth, OIDC, etc.). Half credit for the scoped token pattern.
The script checks if command -v jf > /dev/null 2>&1 and skips installation if present, but this is not documented in the README. No documented way to disable download when the tool is pre-baked.
Egress transparency
3
1.5
No dedicated README section for network endpoints. The install script contacts install-cli.jfrog.io and the configured jfrog_url. These are inferable from code and examples but not enumerated in a dedicated section. Half credit.
Runs without sudo
2
1
The install script uses sudo sh for JF CLI installation and sudo chmod 755 /usr/local/bin/jf. The script will fail without sudo for the core JF CLI installation. The check for existing jf command provides a workaround if pre-installed, but this is not the documented no-sudo path. Half credit for the implicit workaround.
Engineering Quality — 8 / 10
Criterion
Max
Score
Notes
Input quality
6
6
Variables have clear descriptions. jfrog_url has validation for HTTP/HTTPS. username_field has validation for email/username. package_managers has detailed description with example. Sensible defaults throughout (e.g., check_license = true, jfrog_server_id = "0").
Test coverage
4
2
main.test.ts exists with multiple test cases covering npmrc generation, pip config, docker, go, conda, and maven. Tests use a fake JFrog server. However, tests appear to focus on template rendering and resource generation rather than end-to-end behavior. No .tftest.hcl file present. Half credit.
Overall — 53 / 100
Raw 40 / 75 → round(40 / 75 × 100) = 53
Utility track (normalized from 75-point denominator)
Scored against SCORECARD.md on 2026-07-15 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the JFrog (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 19.5 / 25
but the actual image file is not provided in the module files. Icon reference exists but icons don't count per rubric.Credential Hygiene — 10 / 20
artifactory_access_tokenvariable lackssensitive = truein main.tf. The outputaccess_tokenis marked sensitive. README examples showartifactory_access_token = var.artifactory_access_tokenwhich avoids inline secrets in the example itself, but the variable definition in the module does not enforce sensitivity. Half credit.var.artifactory_access_tokenwhich suggests external variable management, but does not document ServiceAccount, IAM, OAuth, or API key helper patterns. The module generates a scoped token from an admin token, which is a credential derivation pattern but not a non-hardcoded auth path in the sense of the rubric (OAuth, OIDC, etc.). Half credit for the scoped token pattern.Restricted-Environment Readiness — 2.5 / 20
if command -v jf > /dev/null 2>&1and skips installation if present, but this is not documented in the README. No documented way to disable download when the tool is pre-baked.install-cli.jfrog.ioand the configuredjfrog_url. These are inferable from code and examples but not enumerated in a dedicated section. Half credit.sudo shfor JF CLI installation andsudo chmod 755 /usr/local/bin/jf. The script will fail without sudo for the core JF CLI installation. The check for existingjfcommand provides a workaround if pre-installed, but this is not the documented no-sudo path. Half credit for the implicit workaround.Engineering Quality — 8 / 10
jfrog_urlhas validation for HTTP/HTTPS.username_fieldhas validation for email/username.package_managershas detailed description with example. Sensible defaults throughout (e.g.,check_license = true,jfrog_server_id = "0").main.test.tsexists with multiple test cases covering npmrc generation, pip config, docker, go, conda, and maven. Tests use a fake JFrog server. However, tests appear to focus on template rendering and resource generation rather than end-to-end behavior. No.tftest.hclfile present. Half credit.Overall — 53 / 100
Raw 40 / 75 → round(40 / 75 × 100) = 53
Utility track (normalized from 75-point denominator)
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions