-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.bestpractices.json
More file actions
171 lines (152 loc) · 13 KB
/
Copy path.bestpractices.json
File metadata and controls
171 lines (152 loc) · 13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
{
"$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
"_comment": "OpenSSF Best Practices autofill metadata for RandomCodeSpace/code-signal. Project page: https://www.bestpractices.dev/projects/13445.",
"project_id": 13445,
"name": "code-signal",
"description": "Built-in, offline code quality scanner that reports aggregate static-analysis signals for polyglot repositories without external analyzers or telemetry.",
"homepage_url": "https://github.com/RandomCodeSpace/code-signal",
"repo_url": "https://github.com/RandomCodeSpace/code-signal",
"license": "MIT",
"level": "passing",
"description_good_status": "Met",
"description_good_justification": "README.md describes code-signal as a standalone offline scanner, explains the problem it solves, and lists the built-in aggregate signals it reports.",
"interact_status": "Met",
"interact_justification": "README.md documents how to obtain, build, run, and configure the CLI. GitHub Issues and Pull Requests are used for feedback and changes.",
"contribution_status": "Met",
"contribution_justification": "CONTRIBUTING.md documents the branch strategy, PR process, required checks, and test policy.",
"contribution_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/CONTRIBUTING.md",
"contribution_requirements_status": "Met",
"contribution_requirements_justification": "CONTRIBUTING.md requires feature branches, pull requests, conventional commit subjects, Go tests, vet, scanner self-checks, and behavior tests for changes.",
"contribution_requirements_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/CONTRIBUTING.md",
"floss_license_status": "Met",
"floss_license_justification": "The project is released under the MIT License, an OSI-approved FLOSS license.",
"floss_license_osi_status": "Met",
"floss_license_osi_justification": "MIT is OSI-approved.",
"license_location_status": "Met",
"license_location_justification": "The full MIT License text is in the top-level LICENSE file.",
"license_location_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/LICENSE",
"documentation_basics_status": "Met",
"documentation_basics_justification": "README.md covers installation, build from source, quickstart commands, exit-code policy, configuration, supported languages, and privacy/security constraints.",
"documentation_interface_status": "Met",
"documentation_interface_justification": "README.md documents the external CLI interface: scan, diff, detect, doctor, JSON mode, timeout/config options, config schema, and report contract.",
"sites_https_status": "Met",
"sites_https_justification": "The project website, repository, Best Practices page, and GitHub release/download URLs use HTTPS.",
"discussion_status": "Met",
"discussion_justification": "GitHub Issues and Pull Requests provide searchable, URL-addressable public discussion.",
"english_status": "Met",
"english_justification": "README.md, CONTRIBUTING.md, SECURITY.md, CHANGELOG.md, workflows, code comments, and public project communication are in English.",
"maintained_status": "Met",
"maintained_justification": "The repository is actively maintained on main, with CI/security checks and SECURITY.md response targets.",
"repo_public_status": "Met",
"repo_public_justification": "Source is publicly readable on GitHub at https://github.com/RandomCodeSpace/code-signal.",
"repo_track_status": "Met",
"repo_track_justification": "Git records who changed what and when. Main is protected after bootstrap.",
"repo_interim_status": "Met",
"repo_interim_justification": "CONTRIBUTING.md requires feature branches and pull requests for review before merge to main.",
"repo_distributed_status": "Met",
"repo_distributed_justification": "The project uses Git, a distributed version control system.",
"version_unique_status": "Met",
"version_unique_justification": "Releases use immutable SemVer git tags such as v0.1.0 and GitHub Releases generated by release-go.yml.",
"version_semver_status": "Met",
"version_semver_justification": "The release workflow is tag-triggered on vX.Y.Z SemVer tags.",
"version_tags_status": "Met",
"version_tags_justification": "release-go.yml is triggered by pushed SemVer tags and publishes artifacts for that tag.",
"release_notes_status": "Met",
"release_notes_justification": "GitHub Releases are used for human-readable release notes. CHANGELOG.md records unreleased changes.",
"release_notes_url": "https://github.com/RandomCodeSpace/code-signal/releases",
"release_notes_vulns_status": "Met",
"release_notes_vulns_justification": "SECURITY.md requires confirmed security fixes to be documented through the security advisory and release process.",
"report_process_status": "Met",
"report_process_justification": "GitHub Issues are used for non-security bugs. SECURITY.md documents private vulnerability reporting.",
"report_process_url": "https://github.com/RandomCodeSpace/code-signal/issues",
"report_tracker_status": "Met",
"report_tracker_justification": "GitHub Issues tracks individual bug reports and enhancements.",
"report_responses_status": "Met",
"report_responses_justification": "SECURITY.md and CONTRIBUTING.md document response and triage expectations; there are no stale public reports at bootstrap.",
"enhancement_responses_status": "Met",
"enhancement_responses_justification": "Enhancements are tracked through GitHub Issues and Pull Requests; there are no stale enhancement requests at bootstrap.",
"report_archive_status": "Met",
"report_archive_justification": "GitHub Issues and Pull Requests remain publicly searchable and URL-addressable after closure.",
"report_archive_url": "https://github.com/RandomCodeSpace/code-signal/issues",
"vulnerability_report_process_status": "Met",
"vulnerability_report_process_justification": "SECURITY.md documents private vulnerability reporting through GitHub advisories or maintainer email.",
"vulnerability_report_process_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/SECURITY.md",
"vulnerability_report_private_status": "Met",
"vulnerability_report_private_justification": "SECURITY.md directs reporters to GitHub private vulnerability reporting and a private email fallback.",
"vulnerability_report_response_status": "Met",
"vulnerability_report_response_justification": "SECURITY.md targets acknowledgement within 72 hours and triage within 7 days.",
"build_status": "Met",
"build_justification": "The project builds from source with the standard Go toolchain: go build ./cmd/scanner. CI and release-go.yml run the same build path.",
"build_common_tools_status": "Met",
"build_common_tools_justification": "The build uses Go modules and the Go toolchain, common FLOSS tools for Go projects.",
"build_floss_tools_status": "Met",
"build_floss_tools_justification": "Go, GitHub Actions, Goreleaser, Syft, Cosign, and the security scanners used by CI are FLOSS or free OSS tooling.",
"test_status": "Met",
"test_justification": "The repository includes Go unit/integration tests and documents go test ./... in README.md and CONTRIBUTING.md.",
"test_invocation_status": "Met",
"test_invocation_justification": "The standard Go command go test ./... runs the test suite locally and in CI.",
"test_most_status": "Met",
"test_most_justification": "Tests cover CLI exit behavior, config parsing, language detection, aggregate reporting, duplicate detection, scoring, local git snapshots, offline guards, and performance guards.",
"test_continuous_integration_status": "Met",
"test_continuous_integration_justification": ".github/workflows/go-ci.yml runs tests on push and pull_request to main.",
"test_policy_status": "Met",
"test_policy_justification": "CONTRIBUTING.md requires tests for behavior changes and scanner rule changes.",
"tests_are_added_status": "Met",
"tests_are_added_justification": "Recent scanner behavior changes include corresponding Go tests for config rejection, exit codes, language detection, and built-in rule behavior.",
"tests_documented_added_status": "Met",
"tests_documented_added_justification": "CONTRIBUTING.md documents the test policy for new behavior.",
"warnings_status": "Met",
"warnings_justification": "go-ci.yml runs go vet, staticcheck, gosec, and govulncheck.",
"warnings_fixed_status": "Met",
"warnings_fixed_justification": "CI gates require vet, tests, staticcheck, gosec, and govulncheck to pass before merge.",
"warnings_strict_status": "Met",
"warnings_strict_justification": "CI treats vet/staticcheck/gosec/govulncheck failures as job failures.",
"know_secure_design_status": "Met",
"know_secure_design_justification": "SECURITY.md documents the local-only threat model, no-network/no-telemetry constraint, aggregate-only output contract, and vulnerability response process.",
"know_common_errors_status": "Met",
"know_common_errors_justification": "Security CI runs Semgrep OWASP/security-audit/golang rules, gosec, govulncheck, OSV-Scanner, Trivy, and Gitleaks.",
"crypto_published_status": "N/A",
"crypto_published_justification": "code-signal does not implement cryptographic protocols or algorithms for application security.",
"crypto_call_status": "N/A",
"crypto_call_justification": "The project does not implement custom cryptography.",
"crypto_floss_status": "N/A",
"crypto_floss_justification": "No project-specific cryptographic functionality is shipped.",
"crypto_keylength_status": "N/A",
"crypto_keylength_justification": "The project does not configure cryptographic key lengths.",
"crypto_working_status": "Met",
"crypto_working_justification": "The scanner does not depend on broken cryptographic algorithms for security. It avoids runtime network transport entirely.",
"crypto_weaknesses_status": "Met",
"crypto_weaknesses_justification": "No weak cryptographic protocol is used by the scanner runtime.",
"crypto_pfs_status": "N/A",
"crypto_pfs_justification": "code-signal is a local CLI and does not terminate network sessions.",
"crypto_password_storage_status": "N/A",
"crypto_password_storage_justification": "code-signal does not authenticate users or store passwords.",
"crypto_random_status": "N/A",
"crypto_random_justification": "The scanner does not generate cryptographic keys or nonces.",
"delivery_mitm_status": "Met",
"delivery_mitm_justification": "Source and release artifacts are distributed over HTTPS by GitHub. Release checksums are signed with Sigstore keyless signing in .goreleaser.yml.",
"delivery_unsigned_status": "Met",
"delivery_unsigned_justification": "Release checksums are signed by Cosign and release artifacts include SHA-256 checksums.",
"vulnerabilities_fixed_60_days_status": "Met",
"vulnerabilities_fixed_60_days_justification": "SECURITY.md requires confirmed high/critical vulnerabilities to be fixed before normal feature work; CI includes OSV, Trivy, Semgrep, gosec, govulncheck, and Gitleaks gates.",
"vulnerabilities_critical_fixed_status": "Met",
"vulnerabilities_critical_fixed_justification": "High/critical findings from CI security tools block merge and SECURITY.md prioritizes confirmed high/critical issues.",
"no_leaked_credentials_status": "Met",
"no_leaked_credentials_justification": "Gitleaks scans the full git history in security.yml, and .gitignore excludes common secret file patterns.",
"static_analysis_status": "Met",
"static_analysis_justification": "go-ci.yml runs staticcheck, gosec, and govulncheck. security.yml runs Semgrep security-audit, OWASP Top 10, and Go rules. sonarcloud.yml analyzes project key RandomCodeSpace_code-signal when SONAR_TOKEN is configured.",
"static_analysis_common_vulnerabilities_status": "Met",
"static_analysis_common_vulnerabilities_justification": "SonarCloud, Semgrep OWASP/security-audit/golang, gosec, govulncheck, OSV-Scanner, and Trivy cover common vulnerability classes for Go and repository configuration.",
"static_analysis_fixed_status": "Met",
"static_analysis_fixed_justification": "Static-analysis jobs fail CI and must be fixed before protected-branch merge.",
"static_analysis_often_status": "Met",
"static_analysis_often_justification": "Static analysis runs on push, pull_request, and weekly scheduled security scans; SonarCloud runs on push and pull_request when SONAR_TOKEN is configured.",
"dynamic_analysis_status": "Unmet",
"dynamic_analysis_justification": "No fuzzing or DAST pipeline is currently configured. The project is a local CLI with no public network service.",
"dynamic_analysis_unsafe_status": "N/A",
"dynamic_analysis_unsafe_justification": "The project is written in memory-safe Go and CGO is disabled for release builds.",
"dynamic_analysis_enable_assertions_status": "N/A",
"dynamic_analysis_enable_assertions_justification": "Go does not use assertion-enable runtime modes comparable to C/C++ or JVM assertion flags for this project.",
"dynamic_analysis_fixed_status": "Met",
"dynamic_analysis_fixed_justification": "Any future exploitable vulnerability found by dynamic analysis would be handled under SECURITY.md and branch-protection remediation gates."
}