Review Process
Every submitted package passes through an automated review pipeline. Packages requesting Certified status also enter a human review queue. Automated review completes in minutes; human review takes 2–5 business days.
Community Review Pipeline
Security Scan
The package is scanned for expression injection, SQL injection, unsafe content, and known vulnerable dependencies. A PASS is required to proceed. WARN does not block listing but is noted in the package trust badge.
Manifest Validation
All required fields are validated: packageId uniqueness, a valid SemVer version that has not previously been published, publisher slug matching your profile, platformVersion parseable, artifact list non-empty, and artifact checksums verified against the uploaded files.
Content Policy Check
README and description are checked for prohibited content (personal data, competitor disparagement, misleading claims, malware links). Fully automated NLP scan.
Listed as Community
The package receives the Community trust badge and is immediately discoverable in the marketplace. Install count and ratings begin accumulating.
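The Manifest Validation step above is the one a publisher can reproduce locally before submitting. The following is an added illustration, not BizFirstGO's own validator: the manifest layout, the SHA-256 checksum algorithm and the in-memory registry are assumptions, only the field names come from this page.

```python
import hashlib
import re

SEMVER = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
                    r"(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

# Constructed in-memory artifact files (path -> bytes), standing in for the uploaded bundle.
FILES = {"process/approval.json": b'{"nodes": ["Submit", "Approve"]}'}

# Constructed manifest; the layout is an assumption, only the field names come from the page.
MANIFEST = {
    "packageId": "acme.invoice-approval",
    "version": "1.2.0",
    "publisher": "acme-corp",
    "platformVersion": "3.4",
    "artifacts": [{"path": "process/approval.json",
                   "sha256": hashlib.sha256(FILES["process/approval.json"]).hexdigest()}],
}

# Constructed registry state: which publisher owns the packageId and which versions exist.
REGISTRY = {"acme.invoice-approval": {"publisher": "acme-corp", "versions": {"1.0.0", "1.1.0"}}}

def validate_manifest(manifest, files, registry, profile_slug):
    """Return a list of rejection reasons; an empty list means the manifest passes."""
    errors = []
    owner = registry.get(manifest.get("packageId", ""))
    # packageId uniqueness: an existing id may only be reused by the publisher that owns it
    if owner and owner["publisher"] != manifest.get("publisher"):
        errors.append("packageId already owned by another publisher")
    ver = manifest.get("version", "")
    if not SEMVER.match(ver):
        errors.append("version is not valid SemVer")
    elif owner and ver in owner["versions"]:
        errors.append("version already published")
    if manifest.get("publisher") != profile_slug:
        errors.append("publisher slug does not match profile")
    try:
        tuple(int(part) for part in str(manifest.get("platformVersion", "")).split("."))
    except ValueError:
        errors.append("platformVersion not parseable")
    artifacts = manifest.get("artifacts") or []
    if not artifacts:
        errors.append("artifact list is empty")
    for art in artifacts:  # a missing file counts as a checksum failure
        data = files.get(art.get("path"))
        if data is None or hashlib.sha256(data).hexdigest() != art.get("sha256"):
            errors.append(f"checksum mismatch for {art.get('path')}")
    return errors

if __name__ == "__main__":
    print(validate_manifest(MANIFEST, FILES, REGISTRY, "acme-corp"))  # []
```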
Certified Review Pipeline (Additional Steps)
Documentation Completeness
A reviewer checks that the README contains all required sections (What's Included, Prerequisites, Installation Notes, Configuration, Changelog, Support). The review tool highlights missing or thin sections.
Artifact Quality Review
A BizFirstGO reviewer inspects the artifacts for quality: sensible naming, no debug artifacts, ProcessDefinitions have meaningful node labels, forms have proper validation rules, rule sets are coherent.
Test Coverage Verification
A test coverage report must be attached to the Certified submission. Minimum 70% line coverage across all artifact types. Integration tests demonstrating end-to-end install and execution are strongly recommended.
Certified Badge Granted
On approval, the package trust level is promoted to Certified. Future versions require a lighter review: automated checks + spot review for major versions only.
Review Criteria
| Criterion | Community | Certified | Auto or Human |
|---|---|---|---|
| Security scan PASS | Required | Required | Automated |
| Valid manifest | Required | Required | Automated |
| Content policy | Required | Required | Automated (NLP) |
| README all sections present | Not checked | Required | Human |
| Test coverage ≥70% | Not checked | Required | Human (report review) |
| Artifact quality review | Not checked | Required | Human |
| Domain verification | Required | Required | Automated (DNS) |
| No personally identifiable data | Required | Required | Automated + Human |
Review Rejection and Resubmission
When a package is rejected, the publisher receives an email and in-app notification with the detailed rejection reason. The rejection reason is also available via the submission status API.
```jsonc
// Rejection during human review:
{
  "status": "Rejected",
  "reason": "InsufficientDocumentation",
  "details": "README is missing the 'Configuration' and 'Support' sections required for Certified status. The 'Installation Notes' section exists but provides insufficient detail (4 sentences — expected at least 2 paragraphs).",
  "reviewedBy": "BizFirstGO Review Team",
  "reviewedAt": "2026-05-27T14:30:00Z",
  "resubmitAfterFix": true,
  "fastTrackReview": true // Fixed Certified submissions get priority queue re-review
}
```
Review Timelines
| Review Type | Typical Time | SLA |
|---|---|---|
| Community automated review | 5–15 minutes | 1 hour |
| Certified initial human review | 2–3 business days | 5 business days |
| Certified re-review (after fix) | 1 business day | 2 business days |
| Certified major version spot review | 1 business day | 2 business days |