docs: add OpenSSF Best Practices badge guide and scorecard badge

[mohit-nagaraj]

Summary

• Adds OPENSSF_BADGE_GUIDE.md with step-by-step self-certification guide
• Pre-filled answers based on current project state (license, governance, security, testing, analysis)
• Adds OpenSSF Scorecard badge to org profile README
• Adds commented-out Best Practices badge placeholder (uncomment after registration at bestpractices.dev)

Related Issue

Closes #2

Action Required

A maintainer needs to register at https://www.bestpractices.dev/ and complete the questionnaire using this guide.

Test plan

• Guide is accurate against current project state
• Scorecard badge URL resolves

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's commitment to open-source security and transparency by introducing documentation and visual indicators for OpenSSF compliance. It provides a clear, step-by-step process for project maintainers to achieve the OpenSSF Best Practices badge, alongside immediately displaying the project's OpenSSF Scorecard status. This initiative aims to streamline security self-assessment and publicly showcase adherence to best practices.

Highlights

• OpenSSF Best Practices Guide: Added a detailed guide (OPENSSF_BADGE_GUIDE.md) for self-certifying the OpenSSF Best Practices badge, including pre-filled answers for various questionnaire sections.
• OpenSSF Scorecard Badge: Integrated the OpenSSF Scorecard badge into the organization's profile README to display the project's security posture.
• Best Practices Badge Placeholder: Included a commented-out placeholder for the OpenSSF Best Practices badge in the README, to be uncommented once the project is registered and certified.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a guide for OpenSSF Best Practices self-certification and adds OpenSSF badges to the organization's profile, which is a great initiative. My review includes two suggestions to improve clarity and correctness: one to clarify the scope of the certification guide to the KubeOrch/core project, and another to update the OpenSSF Scorecard badge to point to the core repository for a more accurate representation of the project's practices.

[gemini-code-assist]

The current phrasing "for KubeOrch" is a bit ambiguous, as the OpenSSF Best Practices badge is awarded on a per-project/repository basis. To improve clarity, it would be better to specify that this guide is for the KubeOrch/core project, which is also the repository URL used in Step 1.

Suggested change

	This guide walks through obtaining the OpenSSF Best Practices "passing" badge for KubeOrch.
	This guide walks through obtaining the OpenSSF Best Practices "passing" badge for the `KubeOrch/core` project.

[gemini-code-assist]

The OpenSSF Scorecard badge currently points to the .github repository. This repository typically contains metadata and configuration for the organization and may not be representative of the security and quality practices of the main project. It would be more informative to point the scorecard to the main project repository, which appears to be KubeOrch/core based on the OPENSSF_BADGE_GUIDE.md.

Suggested change

	[](https://scorecard.dev/viewer/?uri=github.com/KubeOrch/.github)
	[](https://scorecard.dev/viewer/?uri=github.com/KubeOrch/core)