Skip to content

OpenSSF gap analysis

This file records gaps that prevent a stronger OpenSSF Gold / foundation-grade claim. These items are intentionally not marked as passed without evidence.

Current target

  • Target: Professional OSS / Mature OSS.
  • OpenSSF target: maintain Passing/Silver evidence and improve Scorecard readiness.
  • Gold status: not claimed.

Gold / foundation-grade blockers

Gap Classification Why it matters Recommended action
Single active maintainer Partial Bus factor is 1. Gold/foundation-grade needs continuity beyond one person. Recruit and onboard at least one trusted co-maintainer.
No independent human PR review evidence Missing Recent sampled merged PRs had zero recorded reviews. Bot checks do not replace human review. Require one human approval once there is a second maintainer.
Branch protection classic API mismatch Passed GitHub ruleset main is active; the classic endpoint is not the source of truth. Keep the ruleset enabled and re-check after CI job name changes.
Private reporting setting Passed GitHub private reporting was enabled during this hardening pass. Re-check before each security policy update.
Secret scanning and push protection Passed Repository settings report both controls enabled. Keep enabled.
SLSA level not formally defined Partial Attestations exist, but formal SLSA claim requires scoped evidence. Define per-artifact SLSA target before claiming.
REUSE/SPDX lint not enforced Partial Root license exists, but file-level license metadata has not been fully assessed. Run REUSE audit in report-only mode, then decide enforcement.
Dependency license report Partial Security audit exists; license inventory should be explicit for legal maturity. Add license-report generation to release evidence if needed.

Non-blocking improvements

  • Add non-blocking OSV Scanner scheduled workflow.
  • Add non-blocking hadolint/Trivy/grype container checks with tuned allowlist.
  • Add issue response metrics generated from GitHub API.
  • Add contributor recognition only if community participation grows.
  • Add a maintainer rotation and release shadowing process after a co-maintainer joins.

Do not overclaim

Do not advertise Gold, foundation-grade, or CNCF-graduated-style status while the project intentionally remains solo-maintained. Treat those items as optional future growth work, not current blockers.