| 1 | +# Plugin Quality Guide |
| 2 | + |
| 3 | +If you received a scanner report on your repo, here's how to use the [codex-plugin-scanner](https://github.com/hashgraph-online/codex-plugin-scanner) to check your progress and fix issues. |
| 4 | + |
| 5 | +## Quick Start |
| 6 | + |
| 7 | +```bash |
| 8 | +# Install |
| 9 | +pip install codex-plugin-scanner |
| 10 | + |
| 11 | +# Run against your plugin |
| 12 | +codex-plugin-scanner lint . |
| 13 | + |
| 14 | +# Verbose output with explanations |
| 15 | +codex-plugin-scanner lint . --format text |
| 16 | +``` |
| 17 | + |
| 18 | +## GitHub Actions CI |
| 19 | + |
| 20 | +Add a quality gate to your CI so every PR is checked automatically: |
| 21 | + |
| 22 | +```yaml |
| 23 | +- name: Codex plugin quality gate |
| 24 | + uses: hashgraph-online/hol-codex-plugin-scanner-action@v1 |
| 25 | + with: |
| 26 | + plugin_dir: "." |
| 27 | + fail_on_severity: high |
| 28 | +``` |
| 29 | +
|
| 30 | +## Scoring |
| 31 | +
|
| 32 | +The scanner scores plugins 0-100 across these categories: |
| 33 | +
|
| 34 | +| Category | Max Points | What it checks | |
| 35 | +|----------|-----------|----------------| |
| 36 | +| Manifest Validation | 25 | Required fields, schema compliance | |
| 37 | +| Security | 16 | Hardcoded secrets, secure defaults | |
| 38 | +| Best Practices | 15 | SECURITY.md, LICENSE, Dependabot | |
| 39 | +| Code Quality | 10 | Lockfiles, .codexignore | |
| 40 | +
|
| 41 | +## Common Fixes |
| 42 | +
|
| 43 | +### Missing SECURITY.md |
| 44 | +
|
| 45 | +Create `SECURITY.md` in your repo root with a vulnerability disclosure policy: |
| 46 | + |
| 47 | +```markdown |
| 48 | +# Security |
| 49 | +
|
| 50 | +To report a security vulnerability, please open an issue with the `[security]` label. |
| 51 | +``` |
| 52 | + |
| 53 | +### Unpinned GitHub Actions |
| 54 | + |
| 55 | +Replace floating tags with pinned commit SHAs: |
| 56 | + |
| 57 | +```yaml |
| 58 | +# Before |
| 59 | +- uses: actions/checkout@v4 |
| 60 | + |
| 61 | +# After |
| 62 | +- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 63 | +``` |
| 64 | +
|
| 65 | +### Missing LICENSE |
| 66 | +
|
| 67 | +Add a LICENSE file. MIT or Apache-2.0 are standard choices for plugin repos. |
| 68 | +
|
| 69 | +### Missing dependency lockfile |
| 70 | +
|
| 71 | +If you have `package.json`, add `package-lock.json`. If you have `requirements.txt`, add `requirements-lock.txt` or use `pip freeze > requirements-lock.txt`. |
| 72 | + |
| 73 | +## Required Manifest Fields |
| 74 | + |
| 75 | +The minimum `.codex-plugin/plugin.json` must include: |
| 76 | + |
| 77 | +- `name` - Plugin display name |
| 78 | +- `version` - Semantic version |
| 79 | +- `description` - Short description |
| 80 | +- `author` - Author info with at least `name` |
| 81 | +- `skills` - Path to skills directory |
| 82 | + |
| 83 | +## Getting Listed |
| 84 | + |
| 85 | +If your plugin scores 60+ and has no critical or high findings, it's eligible for [awesome-codex-plugins](https://github.com/hashgraph-online/awesome-codex-plugins). Submit a PR following the [CONTRIBUTING.md](CONTRIBUTING.md) guide. |
| 86 | + |
| 87 | +## More Info |
| 88 | + |
| 89 | +- Scanner repo: [hashgraph-online/codex-plugin-scanner](https://github.com/hashgraph-online/codex-plugin-scanner) |
| 90 | +- Full schema docs: [schemas/](https://github.com/hashgraph-online/codex-plugin-scanner/tree/main/schemas) |
| 91 | +- HOL Plugin Registry: [hol.org/registry/plugins](https://hol.org/registry/plugins) |
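Review bot: the SECURITY.md template under "Missing SECURITY.md" tells reporters to "open an issue with the `[security]` label", which publishes the vulnerability details before a fix exists; a disclosure policy should point to a private channel (GitHub's private vulnerability reporting or a security contact address) and reserve public issues for non-sensitive bugs. Two smaller points in the same file: the "GitHub Actions CI" snippet uses `hol-codex-plugin-scanner-action@v1`, a floating tag, while "Unpinned GitHub Actions" a few sections later tells readers to replace floating tags with pinned commit SHAs, so the guide's own example should be pinned the same way (SHA plus a `# v1.x.y` comment); and the "Scoring" table's maxima add up to 66 (25 + 16 + 15 + 10), not the 0-100 range the paragraph above it states, so either a category is missing from the table or the range should be corrected.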