Goal
Complete the OpenSSF Best Practices Silver assessment and provide clear evidence for every answer.
OpenShield already has the Passing badge. The Silver page currently shows 13% because many criteria are unanswered, although several requirements are already implemented.
Work needed
1. Add evidence for existing work
Use repository links to document existing CI, CodeQL, dependency scanning, SBOM generation, architecture, contribution standards, security reporting, tests, and the Code of Conduct.
2. Add missing project documentation
- Governance and maintainer responsibilities
- Access-continuity and bus-factor plan
- Twelve-month roadmap
- Security requirements, threat model, trust boundaries, and assurance case
- Supported-version and upgrade policy
- Release-signing and verification process
3. Close technical gaps
- Measure and raise automated statement coverage toward the required 80%
- Review allowlist-based input validation and security hardening
- Confirm regression-test and strict-warning policies
- Sign release artifacts and important version tags where applicable
4. Owner confirmation
Project owners must confirm maintainer access, continuity responsibilities, DCO/CLA approach, release-signing ownership, and any organization-level GitHub settings.
Completion
No Gold status should be claimed until the official assessment confirms it.
Goal
Complete the OpenSSF Best Practices Silver assessment and provide clear evidence for every answer.
OpenShield already has the Passing badge. The Silver page currently shows 13% because many criteria are unanswered, although several requirements are already implemented.
Work needed
1. Add evidence for existing work
Use repository links to document existing CI, CodeQL, dependency scanning, SBOM generation, architecture, contribution standards, security reporting, tests, and the Code of Conduct.
2. Add missing project documentation
3. Close technical gaps
4. Owner confirmation
Project owners must confirm maintainer access, continuity responsibilities, DCO/CLA approach, release-signing ownership, and any organization-level GitHub settings.
Completion
No Gold status should be claimed until the official assessment confirms it.