
docs: OpenSSF Best Practices passing-readiness + answer sheet#714

Merged: blove merged 1 commit into main from blove/ossf-best-practices on Jun 20, 2026

Conversation

blove (Contributor) commented Jun 20, 2026
Summary

Prep for the OpenSSF Best Practices badge (the last clean OSSF Scorecard CII-Best-Practices point).

  • Closes 2 passing-level gaps in CONTRIBUTING.md: a "How to contribute" process section (contribution + report_process) and a "Testing" policy (test_policy).
  • Adds an answer sheet (docs/superpowers/audits/2026-06-20-ossf-best-practices-answers.md) mapping every passing criterion → Met/N-A + evidence, plus submission steps.

The repo already satisfies the rest (MIT/FLOSS, public VCS, signed releases, SECURITY.md + private reporting, CodeQL, build + test suites, HTTPS, active maintenance). One owner judgment call remains (the crypto criteria — the libs only verify Ed25519 signatures); noted in the sheet.

Owner action (not automatable)

Register at bestpractices.dev under your GitHub account, fill the form from the answer sheet, add the badge to README. OSSF Scorecard reads it on the next scan.

🤖 Generated with Claude Code

…olicy + answer sheet)

Close the two passing-level gaps in CONTRIBUTING.md (contribution process +
testing policy) and add a fill-in-ready answer sheet mapping every passing
criterion to repo evidence, so the bestpractices.dev badge submission passes
first try. Adds the last clean OSSF Scorecard point (CII-Best-Practices).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@blove blove enabled auto-merge (squash) June 20, 2026 01:46
vercel Bot commented Jun 20, 2026
The latest updates on your projects.

Project: threadplane | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 20, 2026 1:48am

github-actions Bot (Contributor) left a comment

Automated approval: this PR received an intelligent (AI) code review. See the review comments on this PR.

github-actions Bot (Contributor) commented Jun 20, 2026

Claude finished @blove's task in 53s


PR Review

  • Read CLAUDE.md for repo guidelines
  • Review PR diff and changed files
  • Post findings

This is a documentation-only PR — no code changes, no risk of regressions. The additions are well-targeted to fill two specific OSSF Best Practices passing-level gaps.

CONTRIBUTING.md additions look correct and accurate:

  • "How to contribute" flow (issue → branch → PR) matches actual project practice
  • "Testing" policy correctly references npx nx test <project> which aligns with the Nx CI setup in ci.yml
  • The SECURITY.md cross-reference is accurate (file exists)

Answer sheet is thorough. A few things worth the owner's attention:

  1. crypto_random shows "Met/N/A¹" — the bestpractices.dev form requires a single selection per criterion. The footnote correctly flags this, but the owner must pick one before submitting. The cleanest answer is probably N/A with the justification "published libs only verify Ed25519 signatures; key generation is out of scope."

  2. release_notes_vulns marked N/A — OSSF's description for this criterion is "If there have been vulnerabilities fixed, are they documented in release notes?" N/A is technically defensible (no CVEs fixed yet), but some evaluators expect "Met" + a note that no CVEs have been issued. Low risk either way.

  3. vulnerabilities_fixed_60_days claim ("dependency-free") — the answer sheet asserts the published packages are dependency-free. Worth a quick npm ls --prod across publishable packages before submission to confirm this is still true, since it's a factual claim reviewers may check.

  4. Badge URL placeholder in step 4 (<ID>) — this is intentional and correct; the project ID is assigned after registration. Fine as-is.

Nothing blocks merge. The CONTRIBUTING.md additions are correct, and the answer sheet gives the owner a clear, honest path to submission with the one judgment call (crypto) explicitly flagged.

@blove blove merged commit d32a43f into main Jun 20, 2026
28 checks passed