Skip to content

docs: complete OpenSSF Best Practices Silver criteria #199

Description

@TFT444

Goal

Complete the OpenSSF Best Practices Silver assessment and provide clear evidence for every answer.

OpenShield already has the Passing badge. The Silver page currently shows 13% because many criteria are unanswered, although several requirements are already implemented.

Work needed

1. Add evidence for existing work

Use repository links to document existing CI, CodeQL, dependency scanning, SBOM generation, architecture, contribution standards, security reporting, tests, and the Code of Conduct.

2. Add missing project documentation

  • Governance and maintainer responsibilities
  • Access-continuity and bus-factor plan
  • Twelve-month roadmap
  • Security requirements, threat model, trust boundaries, and assurance case
  • Supported-version and upgrade policy
  • Release-signing and verification process

3. Close technical gaps

  • Measure and raise automated statement coverage toward the required 80%
  • Review allowlist-based input validation and security hardening
  • Confirm regression-test and strict-warning policies
  • Sign release artifacts and important version tags where applicable

4. Owner confirmation

Project owners must confirm maintainer access, continuity responsibilities, DCO/CLA approach, release-signing ownership, and any organization-level GitHub settings.

Completion

  • Every Silver criterion is marked Met, N/A, or Unmet with an honest justification
  • Required repository changes are reviewed and merged
  • Evidence URLs point to current public documentation
  • Owner-only actions are confirmed
  • The official assessment awards the Silver badge

No Gold status should be claimed until the official assessment confirms it.

Metadata

Metadata

Assignees

Labels

coreCore team ownership not for studentsenhancementNew feature or request

Type

Fields

No fields configured for Task.

Projects

Status
📋 Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions