InstallHub
Certification
Certified status is earned through a multi-step review that goes beyond automated scanning. It signals to installers that the package has been human-reviewed, is well-documented, and meets BizFirstGO quality standards.
Phase 3 — PENDING This feature is planned but not yet implemented.
Why Pursue Certification?
- Certified packages appear first in marketplace search results and featured lists
- Installers can deploy Certified packages in production without the explicit
acknowledgeCommunityPackageconfirmation flag - Certified packages are eligible for marketplace featuring and promotion campaigns
- The Certified badge significantly increases install conversion rates
- Future versions of Certified packages undergo lighter review (no repeat full review for minor/patch versions)
Certification Requirements
| Requirement | Threshold | Verified By |
|---|---|---|
| Security scan result | PASS (zero findings) | Automated |
| Test coverage | ≥70% line coverage | Human (coverage report review) |
| README completeness | All 7 required sections present and substantive | Human |
| Publisher domain verification | Verified | Automated (DNS/file) |
| Artifact quality | Reviewer approval | Human |
| License field | Valid SPDX identifier | Automated |
| No deprecated dependencies | Zero deprecated package dependencies | Automated |
Submitting for Certification
Include requestCertification: true in your submission and attach the test coverage report:
POST /api/marketplace/submit
Authorization: Bearer {publisherToken}
Content-Type: multipart/form-data
Fields:
package — the .installhub.zip file
description — marketplace description
category — package category
tags — comma-separated tags
changelog — release notes
requestCertification — "true"
coverageReport — (file) lcov.info or coverage.xml
// Response:
{
"submissionId": "sub-a1b2c3d4",
"status": "Queued",
"trustLevelTarget": "Certified",
"estimatedMinutes": 5,
"humanReviewEstimatedDays": 3
}Test Coverage Report Formats
| Format | File | Generated By |
|---|---|---|
| LCOV | lcov.info | Most JS/TS test runners, Jest, Istanbul |
| Cobertura XML | coverage.xml | .NET (Coverlet), Python (pytest-cov) |
| JaCoCo XML | jacoco.xml | Java (Maven Surefire, Gradle) |
| OpenCover XML | opencover.xml | .NET (OpenCover, Coverlet OpenCover format) |
Certification Lifecycle
| Version Type | Review Required | Timeline |
|---|---|---|
| Initial Certified submission | Full review (all criteria) | 2–5 business days |
| Patch version (x.y.Z) | Automated only — inherits Certified status | 5–15 minutes |
| Minor version (x.Y.0) | Automated + artifact diff review | 1 business day |
| Major version (X.0.0) | Full review (all criteria re-checked) | 2–3 business days |
Certification Suspension
A Certified package can have its trust level suspended if:
- A security vulnerability is discovered in a listed version
- The package's average rating drops below 3.0 stars with 10+ reviews
- The publisher's domain verification lapses
- The publisher is found to have violated marketplace terms
During suspension, the package remains installable by tenants who already have it installed but no longer appears in new marketplace search results. The publisher is notified with specific remediation instructions.
Certification API — Check Status
GET /api/marketplace/packages/{packageId}/certification
{
"packageId": "mkt-pkg-a1b2c3",
"trustLevel": "Certified",
"certifiedAt": "2026-03-15T00:00:00Z",
"certifiedBy": "BizFirstGO Review Team",
"nextReview": "2026-09-15T00:00:00Z",
"coverageReport": {
"lineCoverage": 82.4,
"branchCoverage": 71.2,
"reportedAt": "2026-03-14T00:00:00Z"
}
}