# OpenSSF Best Practices Evidence
This page maps the repository evidence used for the OpenSSF Best Practices checklist. Keep it current whenever project governance, security, release, testing, or reporting workflows change.
## Current target

The project has achieved the Silver badge and maintains a Silver evidence map. Silver evidence is tracked in `openssf-silver-evidence.md`. Baseline Level 1 belongs to the separate OSPS series and is intentionally handled in a separate pass.
## Evidence map

| Area | Status | Evidence |
|---|---|---|
| Project name and description | Met | README.md, pyproject.toml, server.json |
| Public source repository | Met | Canonical repository: https://github.com/oaslananka/kicad-mcp |
| FLOSS license | Met | LICENSE, package metadata in pyproject.toml |
| Basic project website | Met | Documentation site: https://oaslananka.github.io/kicad-mcp/ |
| Contribution process | Met | CONTRIBUTING.md, pull request template, issue templates |
| Code of conduct | Met | CODE_OF_CONDUCT.md |
| Support / reporting channels | Met | SUPPORT.md, GitHub Issues, GitHub Discussions, private GitHub Security Advisories |
| Vulnerability reporting | Met | SECURITY.md, GitHub private vulnerability report URL |
| Governance and maintainer continuity | Met | GOVERNANCE.md, MAINTAINERS.md |
| Documentation | Met | docs/index.md, docs/tools-reference.generated.md, workflow docs |
| Automated tests | Met | tests/, package.json, .github/workflows/ci.yml |
| Static analysis | Met | Ruff, mypy, CodeQL, Bandit, workflow-security checks in package.json and GitHub workflows |
| Fuzzing | Met | Atheris fuzz target in fuzz/fuzz_sexpr.py and scheduled fuzz workflow in .github/workflows/fuzz.yml |
| Dependency and container scanning | Met | scripts/audit_dependencies.py, Trivy workflow steps, Gitleaks workflow |
| Release process | Met | docs/release-process.md, release-please workflow, publish workflows |
| Release integrity | Met | docs/security/release-integrity.md, SBOM/checksum/attestation release steps |
| Branch protection policy as code | Met | .github/rulesets/main.json, docs/branch-protection.md, Scorecard exceptions in docs/security/scorecard-exceptions.md |
| Branch protection active in GitHub | Met | Repository ruleset `main` is active on `refs/heads/main`; verify with `gh api /repos/oaslananka/kicad-mcp/rulesets` |
| OpenSSF Silver evidence | Met | docs/openssf-silver-evidence.md, Silver badge for project 13377 |
| HTTPS project URLs | Met | GitHub repository, documentation site, package URLs, and badges use HTTPS |
| English documentation and reports | Met | Repository documentation, issue templates, security policy, and support documents are written in English |
## Form-filling guidance

Use stable public URLs when completing the OpenSSF Best Practices form. Prefer repository URLs that point to `main` for living policy documents and release-tag URLs for release-specific evidence.

Recommended evidence URLs:

- https://github.com/oaslananka/kicad-mcp/blob/main/README.md
- https://github.com/oaslananka/kicad-mcp/blob/main/LICENSE
- https://github.com/oaslananka/kicad-mcp/blob/main/CONTRIBUTING.md
- https://github.com/oaslananka/kicad-mcp/blob/main/CODE_OF_CONDUCT.md
- https://github.com/oaslananka/kicad-mcp/blob/main/SECURITY.md
- https://github.com/oaslananka/kicad-mcp/blob/main/SUPPORT.md
- https://github.com/oaslananka/kicad-mcp/blob/main/GOVERNANCE.md
- https://github.com/oaslananka/kicad-mcp/blob/main/MAINTAINERS.md
- https://github.com/oaslananka/kicad-mcp/blob/main/docs/release-process.md
- https://github.com/oaslananka/kicad-mcp/blob/main/docs/security/release-security.md
- https://github.com/oaslananka/kicad-mcp/blob/main/docs/workflow-security.md
- https://github.com/oaslananka/kicad-mcp/actions/workflows/ci.yml
- https://github.com/oaslananka/kicad-mcp/actions/workflows/codeql.yml
- https://github.com/oaslananka/kicad-mcp/actions/workflows/fuzz.yml
- https://github.com/oaslananka/kicad-mcp/actions/workflows/gitleaks.yml
- https://github.com/oaslananka/kicad-mcp/actions/workflows/scorecard.yml
## Maintenance checklist

Before a release or OpenSSF resubmission:

- Run `corepack pnpm run check:ci` or the documented full CI equivalent.
- Confirm `gh api /repos/oaslananka/kicad-mcp/rulesets` shows an active `main` ruleset.
- Confirm private vulnerability reporting is enabled in repository settings.
- Confirm issue templates and discussion links render in GitHub.
- Confirm release artifacts include checksums, SBOMs, and attestations when the workflow supports them.
- Update this evidence page when policies, workflow names, package names, or release gates change.
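The ruleset confirmation above is easy to get wrong by eye: a ruleset can be named `main` yet be in `evaluate` mode, or target the default branch through the `~DEFAULT_BRANCH` alias rather than the literal ref. The following is an added example, not part of the kicad-mcp project, that evaluates the JSON returned by `gh api /repos/oaslananka/kicad-mcp/rulesets` and by the per-ruleset endpoint `/rulesets/<id>`; the sample responses embedded below are constructed to mirror that shape, not captured from the repository.

```python
"""Decide whether an active GitHub ruleset protects refs/heads/main."""
import json

PROTECTED_REF = "refs/heads/main"
# GitHub's aliases that may appear in ref_name.include instead of a literal ref.
DEFAULT_ALIASES = {"~DEFAULT_BRANCH", "~ALL"}


def ruleset_covers_main(detail: dict, default_branch: str = "main") -> bool:
    """True only if this ruleset is enforced (not evaluate/disabled),
    targets branches, and its ref_name condition includes main."""
    if detail.get("enforcement") != "active":
        return False
    if detail.get("target", "branch") != "branch":
        return False
    cond = detail.get("conditions", {}).get("ref_name", {})
    include = set(cond.get("include", []))
    exclude = set(cond.get("exclude", []))
    if PROTECTED_REF in exclude:          # an explicit exclude wins over any include
        return False
    if PROTECTED_REF in include:
        return True
    return bool(include & DEFAULT_ALIASES) and default_branch == "main"


def active_main_rulesets(rulesets: list[dict], details: dict[int, dict]) -> list[str]:
    """Names of rulesets that actively protect main. An empty list means the
    'active main ruleset' checklist item is NOT satisfied."""
    return [r["name"] for r in rulesets if ruleset_covers_main(details[r["id"]])]


# Constructed sample in the shape of the list and per-id responses (not real repo data).
SAMPLE_LIST = json.loads("""[
  {"id": 1, "name": "main",    "target": "branch", "enforcement": "active"},
  {"id": 2, "name": "staging", "target": "branch", "enforcement": "evaluate"}
]""")
SAMPLE_DETAILS = {
    1: {"id": 1, "name": "main", "target": "branch", "enforcement": "active",
        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
        "rules": [{"type": "pull_request"}, {"type": "non_fast_forward"}]},
    2: {"id": 2, "name": "staging", "target": "branch", "enforcement": "evaluate",
        "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}}},
}

if __name__ == "__main__":
    # For a live check (assumes an authenticated gh CLI), feed the output of
    #   gh api /repos/oaslananka/kicad-mcp/rulesets
    #   gh api /repos/oaslananka/kicad-mcp/rulesets/<id>
    # into the two arguments instead of the constructed sample.
    print(active_main_rulesets(SAMPLE_LIST, SAMPLE_DETAILS))  # ['main']
```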