OpenSSF evidence
This file consolidates evidence for OpenSSF Best Practices and Scorecard-style repository maturity checks. It does not claim Gold readiness.
Project identity
Passing / Silver evidence map
| OpenSSF area |
Status |
Evidence |
| Basic project description |
Passed |
README.md, docs site, package metadata. |
| How to obtain/use |
Passed |
README.md, docs/installation.md, docs/tutorials/getting-started.md. |
| Feedback / contribution process |
Passed |
SUPPORT.md, issue templates, CONTRIBUTING.md. |
| License |
Passed |
LICENSE, package metadata. |
| Documentation and reference |
Passed |
MkDocs site, generated tools reference, MCP docs. |
| Versioned source repository |
Passed |
Public GitHub repo with release tags. |
| Release notes |
Passed |
CHANGELOG.md, release-please workflow, publish workflows. |
| Bug reporting |
Passed |
GitHub issue templates and support policy. |
| Private security reports |
Passed |
SECURITY.md exists and GitHub private reporting is enabled. |
| Automated build/test |
Passed |
ci.yml, package.json scripts, Taskfile.yml. |
| New functionality tests |
Passed |
PR template and testing policy require tests or documented justification. |
| Static analysis |
Passed |
Ruff, mypy, CodeQL, Bandit, workflow-security checks. |
| Fuzzing / dynamic analysis |
Passed / Partial |
Fuzz workflow exists; expand as parsers grow. |
| Governance and roles |
Passed / Partial |
Governance docs exist; single-maintainer model blocks Gold. |
| Roadmap |
Passed |
ROADMAP.md and docs roadmap. |
| Architecture |
Passed |
ARCHITECTURE.md, docs/development/architecture.md, ADRs. |
| Security requirements |
Passed |
docs/security/requirements.md, threat model, assurance case. |
| Coverage threshold |
Passed |
pyproject.toml coverage fail-under is 83. |
Scorecard evidence map
| Scorecard check |
Status |
Evidence / note |
| Branch-Protection |
Passed / accepted solo-maintainer exception |
Active GitHub ruleset protects main; required human approval is intentionally not enforced while solo-maintained. |
| Code-Review |
Partial |
PR template exists; recent sampled PRs had no recorded reviews. |
| Maintained |
Passed |
Recent pushes and active PR history. |
| Security-Policy |
Passed |
SECURITY.md. |
| License |
Passed |
MIT. |
| CI-Tests |
Passed |
ci.yml and supporting workflows. |
| Dependency-Update-Tool |
Passed |
Renovate is configured with vulnerability alerts and lockfile maintenance. |
| Pinned-Dependencies |
Passed / Partial |
Actions are pinned to SHAs; continue workflow-security checks. |
| Token-Permissions |
Passed / Partial |
Minimal default permissions; release jobs escalate intentionally. |
| Dangerous-Workflow |
Passed / Partial |
Workflow security checks and no pull_request_target evidence in audit. |
| SAST |
Passed |
CodeQL, Bandit, Ruff, mypy. |
| Fuzzing |
Passed |
Fuzz workflow and target exist. |
Evidence maintenance
Update this file when workflow names, release process, OpenSSF badge status, governance, GitHub settings, or published artifact classes change.