Red Hat Developer Hub 1.8

Understand and visualize Red Hat Developer Hub project health using Scorecards

Setting up, configuring, and managing customizable Project Health Scorecards

Red Hat Customer Content Services

Abstract

When using Red Hat Developer Hub (RHDH), you can understand and visualize the health, security posture, and compliance of your software components so that you can centrally monitor Key Performance Indicators (KPIs) collected from third-party systems like GitHub and Jira without consulting multiple external tools.

1. Understanding and visualizing Red Hat Developer Hub project health using Scorecards

1. Understanding and visualizing Red Hat Developer Hub project health using Scorecards

1.1. Understand Scorecard plugins in Red Hat Developer Hub

Important

This section describes Developer Preview features in the Scorecard plugin. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to functionality in advance of possible inclusion in a Red Hat product offering. Customers can use these features to test functionality and provide feedback during the development process. Developer Preview features might not have any documentation, are subject to change or removal at any time, and have received limited testing. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about the support scope of Red Hat Developer Preview features, see Developer Preview Support Scope.

The Scorecard plugin offers comprehensive, customizable insights into the health, security posture, and compliance of your components, services, and APIs. It centralizes Key Performance Indicators (KPIs) within Red Hat Developer Hub (RHDH), so you do not have to consult multiple external systems.

The Scorecard plugin offers the following benefits:

Accelerated decision-making: Scorecards provide an at-a-glance view of component readiness. Engineering and platform teams can use this data to quickly identify risks and prioritize remediation efforts, enabling faster, more effective decisions.
Improved security and compliance: The plugin automatically surfaces compliance gaps against predefined standards (such as required security checks). This capability enforces best practices and helps maintain a stronger overall security posture.
Reduced context switching: Centralizing all KPIs in RHDH reduces the time developers spend hunting for data across different tools. Developers can then focus more on building and shipping features.
Standardization and consistency: Scorecards help drive organizational consistency by clearly defining and measuring what "good" looks like for every service. This process fosters a more uniform and reliable ecosystem.

1.1.1. Supported metric providers in Red Hat Developer Hub

The Scorecard plugin collects metrics from third-party data sources using metric providers.

The Scorecard node plugin provides the scorecardMetricsExtensionPoint extension point that is used to connect your backend plugin module that exports custom metrics via metric providers to the Scorecard backend plugin.

The following metric providers are available:

Provider	Metric ID	Title	Description	Type
GitHub	`github.open_prs`	GitHub open PRs	Count of open Pull Requests in GitHub	number
Jira	`jira.open_issues`	Jira open issues	The number of opened issues in Jira	number

1.2. Setting up Scorecards to monitor your Red Hat Developer Hub project health

1.2.1. Installing the Scorecard plugin in your Red Hat Developer Hub instance

You must manually install and enable the plugin in your Red Hat Developer Hub instance.

Prerequisites

You have installed your RHDH instance.
You have provisioned your custom dynamic plugins config map.

Procedure

Add the following configuration in your RHDH dynamic-plugin-config.yaml file:

plugins:
  - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scorecard:bs_1.42.5__1.0.0!red-hat-developer-hub-backstage-plugin-scorecard
    disabled: false
    pluginConfig:
      dynamicPlugins:
        frontend:
          red-hat-developer-hub.backstage-plugin-scorecard:
            entityTabs:
              - path: '/scorecard'
                title: Scorecard
                mountPoint: entity.page.scorecard
            mountPoints:
              - mountPoint: entity.page.scorecard/cards
                importName: EntityScorecardContent
                config:
                  layout:
                    gridColumn: 1 / -1
                  if:
                    allOf:
                      - isKind: component
  - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scorecard-backend:bs_1.42.5__1.0.0!red-hat-developer-hub-backstage-plugin-scorecard-backend
    disabled: false

1.2.2. Authenticating and managing Scorecard plugins to control who sees the metrics

As an administrator, you can secure the connection to your metric providers by managing user access to the Scorecards using the Role-Based Access Control (RBAC) permissions. For users to view the Scorecard metrics, you must grant users with read access to the Scorecard metrics. You can configure these permissions either by modifying your RBAC CSV file directly or by using the RBAC Web UI.

Prerequisite

You have enabled RBAC, have a policy administrator role in RHDH, and have added scorecard to plugins with permission.

Procedure

Use any of the following methods to set the required RBAC permissions:

To use the CSV file, in your CSV file, you can directly add the following code:

g, user:default/<YOUR_USERNAME>, role:default/scorecard-viewer
p, role:default/scorecard-viewer, scorecard.metric.read, read, allow
p, role:default/scorecard-viewer, catalog.entity.read, read, allow

See Permission policies reference.

To use the RBAC Web UI, complete the following steps:
1. In your Red Hat Developer Hub menu, go to Administration > RBAC.
2. Select or create the Role to which you want to grant access to the Scorecards.
3. To enable read access for the Scorecard plugin, in Add permission policies, select Scorecard from the plugins dropdown.
4. Expand Scorecard, select policy with the following details, and click Next:
  - Name: scorecard.metric.read
  - Permission: read

1.3. Installing and configuring Scorecards to view metrics in your Red Hat Developer Hub instance

You can install and configure the following Scorecards to display metrics and visual health status for software components in the RHDH catalog:

GitHub Scorecards
Jira Scorecards

1.3.1. Configuring GitHub Scorecards to view GitHub metrics in your Red Hat Developer Hub instance

To achieve enhanced visibility and control over your software components, you must configure the GitHub Scorecards plugin to integrate GitHub metrics directly into your RHDH catalog. This allows engineering teams to centralize development data, quickly identify risks, and accelerate decision-making related to component health and security.

To enable the GitHub metrics integration, you must create and configure a GitHub App to grant RHDH access to the GitHub API.

Prerequisites

You have installed your RHDH instance.
You have installed the Scorecard images.
You must have permissions in GitHub to create and manage a GitHub App.
You must have added a custom RHDH application configuration and have enough permissions to change it.

Procedure

To install and configure GitHub Scorecards in your RHDH instance, complete the following steps:

To allow RHDH to access the GitHub API, you must create and configure a GitHub App and add the necessary integration to your configuration file:
1. Create a GitHub App with the required permissions (Read-only for Contents to allow reading repositories).
2. In the General > Clients secrets section, click Generate a new client secret.
3. In the General > Private keys section, click Generate a private key.
4. In the Install App tab, choose an account to install your GitHub App on.
5. Enter the following values and click Save:
  - App ID
  - Client ID
  - Client Secret
  - Private key
6. To add your GitHub credentials to RHDH, add the following key/value pairs to your your RHDH secrets. You can use these secrets in the RHDH configuration files by using their respective environment variable names.
  GITHUB_INTEGRATION_APP_ID
  Enter the saved App ID.
  GITHUB_INTEGRATION_CLIENT_ID
  Enter the saved Client ID.
  GITHUB_INTEGRATION_CLIENT_SECRET
  Enter the saved Client Secret.
  GITHUB_INTEGRATION_HOST_DOMAIN
  Enter the GitHub host doman: github.com
  GITHUB_INTEGRATION_ORGANIZATION
  Enter your GitHub organization name, such as, <your_github_organization_name>
  GITHUB_INTEGRATION_PRIVATE_KEY_FILE
  Enter the saved Private key.

Configure the GitHub integration in your RHDH app-config.yaml file by adding the integrations.github section:

integrations:
  github:
    - host: ${GITHUB_INTEGRATION_HOST_DOMAIN}
      apps:
        - appId: ${GITHUB_INTEGRATION_APP_ID}
          clientId: ${GITHUB_INTEGRATION_CLIENT_ID}
          clientSecret: ${GITHUB_INTEGRATION_CLIENT_SECRET}
          privateKey: |
            ${GITHUB_INTEGRATION_PRIVATE_KEY_FILE}

Install the GitHub Scorecard plugin by adding the following code to your RHDH dynamic-plugins-config.yaml file:

plugins:
  - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scorecard-backend-module-github:bs_1.42.5__1.0.0!red-hat-developer-hub-backstage-plugin-scorecard-backend-module-github
    disabled: false

To link a component to the GitHub data source, edit the catalog-info.yaml file for your RHDH entity and add the required annotations as shown in the following code.
```
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: my-service
  annotations:
    # Required: GitHub project slug in format "owner/repository"
    github.com/project-slug: myorg/my-service
    # Required: Entity source location
    backstage.io/source-location: url:https://github.com/myorg/my-service
spec:
  type: service
  lifecycle: production
  owner: _<your_team_name>_
```
where:
annotations:github.com/project-slug
The GitHub repository format, for example, owner/repository.
annotations:backstage.io/source-location
The entity source location format, for example, url:https://github.com/owner/repository.
spec:owner
Your team name.
Note
You must add the team entity to the Catalog to ensure the provided permissions are applicable.
Statically ingest the catalog entity by adding the catalog.locations section in your RHDH app-config.yaml file that links to the catalog-info.yaml file:
```
catalog:
  locations:
    - type: url
      target: https://github.com/owner/repo/catalog-info.yaml
```
(Optional) To customize the thresholds for the GitHub Open Pull Requests (github.open_prs) metric, add the following section to your RHDH app-config.yaml file:
```
scorecard:
  plugins:
    github:
      open_prs:
        thresholds:
          rules:
            - key: success
              expression: '<10'
            - key: warning
              expression: '10-50'
            - key: error
              expression: '>50'
```
where:
scorecard:plugins:github:open_prs:thresholds
Lists the default threshold values for the GitHub open PRs metric.

Note

To read more information about how to customize the threshold values, see Thresholds in Scorecard plugins.

1.3.2. Configuring Jira Scorecards to view Jira metrics in your Red Hat Developer Hub instance

To bring critical project tracking and workflow data from Atlassian Jira directly into your RHDH instance, you must configure the Jira Scorecards plugin. This integration provides engineering teams with a centralized view of development status and reduces context switching, enabling faster assessment of component readiness and delivery velocity.

The following Jira versions are supported:

Jira Cloud: API version 3
Jira Data Center: API version 2

Prerequisites

You must have administrator privileges for Jira and RHDH.
You have installed your RHDH instance.
You have installed the Scorecard images.
You must have added a custom RHDH application configuration and have sufficient permissions to change it.

Procedure

To install and configure Jira Scorecards in your RHDH instance, complete the following steps:

Note

You must use the proxy setup to ensure configuration compatibility if the Roadie Jira Frontend Plugin is also in use.

Create a Jira configuration token using one of the following methods, depending on your Jira product:
- Jira Cloud: Create a personal token. You must then create a Base64-encoded string using the following plain text format: your-atlassian-email:your-jira-api-token.
```
echo -n 'your-atlassian-email:your-jira-api-token' | base64
```
- Jira datacenter: Create and use a Personal Access Token (PAT) in your Jira datacenter account. For more information, see the Atlassian documentation.
Add your Jira configuration (${JIRA_TOKEN}) to your RHDH secrets using the following key/value pairs:
JIRA_TOKEN
Enter your Jira token.
JIRA_BASE_URL
Enter your Jira base URL.
Install the Jira Scorecard plugin in your RHDH dynamic-plugins-config.yaml file using either a direct setup or a proxy setup.
- Use a direct setup:
  1. Add the following code to your RHDH dynamic-plugins-config.yaml file:
    plugins: - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scorecard-backend-module-jira:pr_1499__0.1.0!red-hat-developer-hub-backstage-plugin-scorecard-backend-module-jira disabled: false
  2. In your RHDH app-config.yaml file, add the following direct setup settings:
    jira: baseUrl: ${JIRA_BASE_URL} token: ${JIRA_TOKEN} product: _<jira_product>_
    where:
    baseUrl
    The base URL of your Jira instance, configured under ${JIRA_BASE_URL} in your RHDH secrets.
    token
    The Jira token (Base64 string for Cloud, PAT for Data Center), configured under ${JIRA_TOKEN} in your RHDH secrets.
    product
    Enter the supported product: cloud or datacenter.
- Use a proxy setup:
  1. In your RHDH dynamic-plugins-config.yaml file, add the following code:
    plugins: - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/red-hat-developer-hub-backstage-plugin-scorecard-backend-module-jira:pr_1499__0.1.0!red-hat-developer-hub-backstage-plugin-scorecard-backend-module-jira disabled: false
  2. In your RHDH app-config.yaml file, add the following proxy settings:
    proxy: endpoints: '/jira/api': target: ${JIRA_BASE_URL} headers: Accept: 'application/json' Content-Type: 'application/json' X-Atlassian-Token: 'no-check' Authorization: ${JIRA_TOKEN} # Must be configured in your environment jira: proxyPath: /jira/api product: cloud # Change to 'datacenter' if using Jira Datacenter
    where:
    target
    The base URL of your Jira instance, configured under ${JIRA_BASE_URL} in your RHDH secrets.
    Authorization
    The Jira token, configured under ${JIRA_TOKEN} in your RHDH secrets. Set the token value as one of the following values:
    For Cloud: Basic YourCreatedCloudToken
    For Data Center: Bearer YourJiraToken
Annotate the component entity in the catalog-info.yaml file.
1. Link the component to the Jira data source by adding the necessary annotations:
```
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: my-service
  annotations:
    jira/project-key: PROJECT
    jira/component: Component
    jira/label: UI
    jira/team: 9d3ea319-fb5b-4621-9dab-05fe502283e
    jira/custom-filter: 'reporter = "abc@xyz.com" AND resolution is not EMPTY'
spec:
  type: website
  lifecycle: experimental
  owner: guests
  system: examples
  providesApis: [example-grpc-api]
```
  where:
  jira/project-key
  Required: Enter the Jira project key.
  jira/component
  Optional: Enter the Jira component name.
  jira/label
  Optional: Enter the Jira label.
  jira/team
  Optional: Enter the Jira team ID (not the team title).
  jira/custom-filter
  Optional: Enter a custom Jira Query Language (JQL) filter.
Statically ingest the catalog entity by adding the catalog.locations section in your RHDH app-config.yaml file that links to the catalog-info.yaml file:
```
catalog:
  locations:
    - type: url
      target: https://github.com/owner/repo/catalog-info.yaml
```

(Optional) Configure Jira Open Issues metric thresholds by adding the following to your RHDH app-config.yaml file:

scorecard:
  plugins:
    jira:
      open_issues:
        thresholds:
          rules:
            - key: success
              expression: '<10'
            - key: warning
              expression: '10-50'
            - key: error
              expression: '>50'

where:

scorecard:plugins:jira:open_issues:thresholds: Lists the default threshold values for the Jira Open Issues metric.

(Optional) Define global or custom mandatory filters that entities can override by adding the following code to your RHDH app-config.yaml file:
```
scorecard:
  plugins:
    jira:
      open_issues:
        options:
          mandatoryFilter: Type = Task AND Resolution = Unresolved
          customFilter: priority in ("Critical", "Blocker")
```
where:
mandatoryFilter
Optional: Replaces the default filter (type = Bug and resolution = Unresolved).
customFilter
Optional: Specifies a global custom filter. The entity annotation jira/custom-filter overrides this value.

For more information about how to customize the threshold values, see Thresholds in Scorecard plugins.

1.4. Managing metric thresholds in your Scorecard plugin

The Scorecard plugin uses thresholds to translate raw metric values into visual health indicators (Success, Warning, or Error). Configuring these thresholds is the primary way platform engineers and developers define what constitutes a healthy component.

1.4.1. How Thresholds work

A threshold defines a condition or an expression that determines which visual category a metric value belongs to.

Evaluation Order: Threshold rules are evaluated in the order they are defined. The first matching rule is applied to the metric value.
Allowed Categories: Only three keys are supported: success, warning, and error.
Best Practice: Always order rules from the most restrictive to the least restrictive to ensure logical assignment.

1.4.2. Supported Threshold expressions in Red Hat Developer Hub

Threshold expressions are highly flexible and support standard mathematical and logical operators based on the data type of the metric.

Metric Type	Operator	Example Expression	Job Performed
Number	`>`, `>=`, `<`, `⇐`, `==`, `!=`	`>40`	Assigns category if the value is greater than 40.
Number	`-` (Range)	`80-100`	Assigns category if the value is between 80 and 100 (inclusive).
Boolean	`==`, `!=`	`==true`	Assigns category if the value is exactly true.

1.4.3. Threshold rules to metrics for your Scorecard plugin

Thresholds are merged based on a strict priority order, allowing you to set defaults while granting specific entities the ability to override rules.

Priority	Configuration Method	Location	Job Performed
1 (Highest)	Entity Annotations	`catalog-info.yaml`	Override specific rules for an individual component.
2 (Medium)	App Configuration	`app-config.yaml`	Set global rules that override provider defaults.
3 (Lowest)	Provider Defaults	Backend Plugin Code	Baseline rules defined by the metric source developer.

1.4.4. Set global standards for metric thresholds

To override the default thresholds set by a metric provider, you must update your RHDH app-config.yaml file under the configuration path of the specific metric.

The custom configuration completely replaces the provider’s defaults. If you omit a threshold category (such as success), that category is not assigned.

The following configuration defines a success threshold as 10 or fewer issues, which applies to all components using the jira.open_issues metric unless explicitly overridden by an entity annotation.

scorecard:
  plugins:
    jira:
      open_issues:
        thresholds:
          rules:
            - key: success
              expression: '<10'    # fewer than 10 open issues is Success
            - key: warning
              expression: '10-50'    # Between 10 and 50 is a Warning
            - key: error
              expression: '>50'      # More than 50 open issues is an Error

1.4.5. Override rules to configure entity-specific thresholds

You can override individual threshold rules for a specific component by using annotations in its catalog-info.yaml file. These annotations are merged with the existing global rules defined in your RHDH app-config.yaml file.

Annotation Format Reference

The annotation key follows a strict structure: scorecard.io/{providerId}.thresholds.rules.{thresholdKey}: '{expression}'

Element	Description	Example Annotation	Example Value
`{providerId}`	Unique identifier of the metric	`scorecard.io/jira.open_issues…`	`jira.open_issues`
`{thresholdKey}`	The overridden category	`…rules.warning`	`success`, `warning`, or `error`
`{expression}`	The new condition for the rule	`…: '>15'`	`>15`

Example: Entity Annotation Override

The following example describes the entity overriding; that is, only the warning and error rules for the jira.open_issues metric. The success defaults rule to the value defined in the global RHDH app-config.yaml file.

# catalog-info.yaml
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: critical-production-service
  annotations:
    # Overrides the global 'warning' rule (e.g., changing '11-50' to '10-15')
    scorecard.io/jira.open_issues.thresholds.rules.warning: '10-15'
    # Overrides the global 'error' rule (e.g., changing '>50' to '>15')
    scorecard.io/jira.open_issues.thresholds.rules.error: '>15'
    # The 'success' rule (<10) remains defined by the global app-config
spec:
  type: service

1.4.6. Best practices for threshold rules

Threshold rule evaluation is order-dependent. You must follow logical ordering to avoid unintended category assignments, as the system stops evaluation once a value matches the first rule.

1.4.6.1. Follow logical ordering

Rules must be sequenced logically. Order rules from the most strict (smallest range) to the least strict (largest range) or ensure all ranges are mutually exclusive.

1.4.6.1.1. Problematic rule order example

If rules are ordered incorrectly, a less restrictive rule can prevent stricter rules from being evaluated:

warning: <50: Any value less than 50 triggers the warning rule and stops evaluation.
success: <10: This rule is not evaluated because all values less than 10 have already matched the preceding warning rule.

1.4.6.1.2. Correct ordering example

Order the rules from the most restrictive value range to the least restrictive to ensure a logical flow.

# Correct Example: Order from most restrictive (Success) to least restrictive (Error)
rules:
  - key: success
    expression: '<10'     # Only values below 10
  - key: warning
    expression: '10-50'   # Only values between 10 and 50
  - key: error
    expression: '>50'     # All remaining values above 50

1.5. Viewing Scorecard metrics in Red Hat Developer Hub

As a developer, you can view the GitHub and Jira metrics using Scorecards in your RHDH instance to quickly gain at-a-glance visibility into the health and readiness of your software components. By accessing the Scorecard tab in your RHDH instance, you eliminate context switching and can immediately verify security, compliance, and development metrics (like GitHub and Jira data).

Prerequisites

You have installed your RHDH instance.
You have either the GitHub or Jira Scorecard (or both) configured in your RHDH instance.
You must have permissions to read the Scorecard metrics.

Procedure

In your RHDH navigation menu, go to Catalog.
Select the software component (catalog entity) that has Scorecard metrics configured.
On the component Service page, go to the Scorecard tab.
To view the desired metrics, select the corresponding tile.

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.