Community Certification
Community is the baseline certification, granted automatically to every package that passes the submission review. It involves no human review of code quality, documentation, or test coverage; it is the floor, not the ceiling, of package trust.
How Community Certification Is Granted
When a publisher submits a package, the MarketHub system runs an automated review pipeline. If the package passes all automated checks and is subsequently approved by an admin (for content policy compliance), Community certification is granted automatically at the moment of approval.
Community certification happens in the background — the publisher does not need to request it or take any additional steps. It is simply the result of a successful submission.
Automated Check Requirements
| Check | Pass Condition | Fail Result |
|---|---|---|
| Security scan | No Critical or High severity findings in declared dependencies | Package blocked from submission until resolved |
| Manifest completeness | Name, version, description, category, publisher all present | Submission rejected with field errors listed |
| At least one artifact | Package contains at least one valid artifact | Submission rejected — empty packages not permitted |
| Content policy scan | No forbidden patterns detected in name, description, or tags | Package flagged for manual review or auto-rejected depending on pattern severity |
What Community Certification Means (and Doesn't)
What it means
The package passed the automated security checks, and its manifest is complete. The security scan reported no Critical or High severity findings in its declared dependencies at the time of submission.
What it doesn't mean
No human has reviewed the code quality, documentation completeness, or test coverage. The publisher has not been vetted beyond account verification.
Enterprise organizations with strict governance requirements should not deploy Community-only packages without their own internal review. Restrict evaluation to Certified and Official packages using the trust level filter in search.