Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add section for OpenSSF Best Practices Badge criteria #93

Open
david-a-wheeler opened this issue Sep 6, 2024 · 1 comment
Open

Add section for OpenSSF Best Practices Badge criteria #93

david-a-wheeler opened this issue Sep 6, 2024 · 1 comment

Comments

@david-a-wheeler
Copy link
Contributor

david-a-wheeler commented Sep 6, 2024

The OpenSSF Best Practices Badge project has a set of criteria. It'd be really helpful if SECURITY-INSIGHTS could report which criteria they believe the project meets, and why.

I propose adding a new header, e.g.:

openssf-bp-badge:

From there:

  1. Keys inside this header would match the criteria ID in the OpenSSF badge, e.g., crypto_published would match that criterion. That criterion is "The software produced by the project MUST use, by default, only cryptographic protocols and algorithms that are publicly published and reviewed by experts (if cryptographic protocols and algorithms are used)." In the best practices badge, some criteria are "SHOULD" at lower tiers (like "passing") and become "MUST" at higher tiers (like "silver" or "gold"), but since the goal is to simply capture their values, I don't think we need to capture the claimed tier inside SECURITY-INSIGHTS. You can see the full set of criteria for all tiers in English, and from that quickly derive all current criteria names.
  2. Inside each of those keys would be two values, 'status' and 'justification'. The 'status' would be a string with one of the following values: "Met", "Unmet", "?", or "N/A". The optional 'justification' string would be a textual justification in markdown format.

I did a mapping between the OpenSSF Best Practices badge and SECURITY-INSIGHTS. Currently very little of the best practices badge is captured by SECURITY-INSIGHTS. This one change would switch from very little coverage to full coverage.

@eddie-knight - this was the idea I proposed earlier. This would make it much easier to round-trip data between the best practices badge & SECURITY-INSIGHTS, helping both.

@david-a-wheeler
Copy link
Contributor Author

@SecurityCRob - I mentioned this earlier, I think this would be an easy way to help integrate these two projects.

david-a-wheeler added a commit to david-a-wheeler/security-insights-spec that referenced this issue Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant