OpenSSF Silver Evidence
This page maps the OpenSSF Best Practices Silver criteria to evidence in this repository. Update it before completing or resubmitting the Silver form so that every claim made on the badge form can be traced to a file, workflow, or policy listed here.
Status
Silver has been achieved for OpenSSF Best Practices project 13377. OSPS Baseline Level 1 is a separate criteria series (the OpenSSF Open Source Project Security Baseline), not part of the Best Practices badge, and should be handled in a separate hardening pass.
Evidence map
| Criterion area | Proposed status | Evidence |
|---|---|---|
| Achieve Passing | Met | OpenSSF project 13377 has achieved the Silver badge, which includes Passing as a prerequisite |
| Contribution requirements | Met | CONTRIBUTING.md, PR template, coding standards |
| DCO / contribution authorization | Met | CONTRIBUTING.md Developer Certificate of Origin section |
| Governance | Met | GOVERNANCE.md |
| Code of conduct | Met | CODE_OF_CONDUCT.md |
| Roles and responsibilities | Met | GOVERNANCE.md, MAINTAINERS.md |
| Continuity | Met | GOVERNANCE.md succession and release authority sections |
| Bus factor | Unmet with justification | Single-maintainer status is documented in GOVERNANCE.md and docs/security/scorecard-exceptions.md |
| Roadmap | Met | docs/development/roadmap-2026.md |
| Architecture | Met | docs/development/architecture.md, ADRs |
| Security requirements | Met | docs/security/requirements.md |
| Quick start | Met | README.md, docs/installation.md, agent install docs |
| Documentation currency | Met | Docs build, generated tool references, and release checklist |
| Achievements linked | Met | README badges and docs/openssf-best-practices.md |
| Accessibility | Met / partial | docs/accessibility.md documents the current policy and limitations |
| Internationalization | Met / partial | docs/internationalization.md documents English-first policy and localization readiness |
| Password storage for project sites | N/A | Project does not operate custom project-site authentication or password storage |
| Previous-version maintenance | Met | docs/maintenance-policy.md, release notes, changelog |
| Issue tracker | Met | GitHub Issues and issue templates |
| Vulnerability credit | Met | SECURITY.md |
| Vulnerability response process | Met | SECURITY.md response targets and disclosure process |
| Coding standards | Met | docs/development/coding-standards.md |
| Style enforcement | Met | Ruff, mypy, TypeScript, metadata checks, CI |
| Build variables and build hardening | N/A / Met where applicable | Python/TypeScript project; native compiler variables mostly N/A, Docker and workflow hardening documented |
| Installation system | Met | docs/installation.md, docs/development/installation-policy.md |
| External dependencies | Met | docs/development/dependency-management.md, lockfiles, dependency audit |
| Automated integration testing | Met | GitHub Actions CI on pull requests and main |
| Regression testing | Met | docs/development/testing-policy.md |
| Coverage 80% | Met | Python coverage is configured with tool.coverage.report.fail_under = 83 in pyproject.toml, and the testing policy documents the 80% Silver target. |
| Mandatory new functionality tests | Met | docs/development/testing-policy.md, CONTRIBUTING.md |
| Strict warnings | Met | Ruff, mypy, TypeScript, CodeQL, security jobs, workflow checks |
| Secure design implementation | Met | docs/security/requirements.md, docs/security/assurance-case.md |
| Crypto requirements | N/A where custom crypto is absent; Met for release verification | docs/security/release-signing.md, docs/security/release-integrity.md |
| Signed releases | Met | Sigstore/GitHub attestations, npm provenance, cosign-signed container images, checksums, SBOMs |
| Input validation | Met | docs/security/input-validation.md |
| Hardening | Met / partial | Workflow hardening, pinned Actions, digest-pinned containers, minimal permissions, Scorecard exceptions |
| Assurance case | Met | docs/security/assurance-case.md |
| SAST common vulnerabilities | Met | CodeQL, Bandit, Ruff, mypy, Gitleaks, dependency audit, workflow-security checks |
| Dynamic unsafe-language analysis | N/A | Project is primarily Python/TypeScript and does not ship C/C++ memory-unsafe code |
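The Hardening row above claims pinned Actions and minimal token permissions. The following is an added example, not the project's own tooling, of a small self-check a maintainer can run over the workflow files before citing them as evidence: it flags any `uses:` reference that is not pinned to a full 40-hex commit SHA (or, for `docker://` actions, to an image digest) and any workflow with no top-level `permissions:` block. The two workflow texts are constructed for illustration, and the 40-hex values in the hardened one are placeholders, not real commits. It scans with regular expressions rather than a YAML parser so it runs with the standard library only.

```python
"""Check GitHub Actions workflow text for SHA-pinned actions and explicit permissions.

Added example; not part of the project. Uses a regex scan, not a YAML parser,
so it has no third-party dependency. Placeholder SHAs below are not real commits.
"""
import re
from dataclasses import dataclass

# A full commit SHA is the only immutable ref for a GitHub-hosted action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" whether or not it starts a list item; stops before comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a column-0 "permissions:" counts as the workflow-level default.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


@dataclass
class Finding:
    line: int       # 0 for a file-level finding
    message: str


def check_workflow(text: str) -> list[Finding]:
    """Return hardening findings for one workflow file's text (empty list = clean)."""
    findings: list[Finding] = []
    if not TOP_PERMISSIONS_RE.search(text):
        findings.append(Finding(0, "no top-level permissions: block; jobs inherit the default GITHUB_TOKEN scope"))
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local composite action in this repo; nothing external to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(n, f"container action not digest-pinned: {ref}"))
            continue
        if "@" not in ref:
            findings.append(Finding(n, f"action reference has no ref at all: {ref}"))
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(Finding(n, f"action pinned to a mutable tag/branch, not a commit SHA: {ref}"))
    return findings


# Constructed sample: the weak form (tag pins, no permissions block).
WEAK = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - run: pytest
"""

# Constructed sample: the hardened form. SHAs are placeholders, not real commits;
# the trailing "# vX" comment is the convention that lets update bots track the tag.
HARDENED = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: actions/setup-python@fedcba9876543210fedcba9876543210fedcba98  # v5 (placeholder SHA)
      - run: pytest
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(check_workflow(text))} finding(s)")
        for f in check_workflow(text):
            print(f"  line {f.line}: {f.message}")
```

A SHA pin only fixes the action's own repository at that commit; a composite or reusable action can itself reference further actions by tag, so the check should be run (or the same rule applied) on any composite action the project authors, and digest-pinned container images still need a scheduled rebuild to pick up base-image fixes.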
Submission guidance
Use the Silver edit URL:
https://www.bestpractices.dev/en/projects/13377/silver/edit
Silver claims have been submitted and accepted for project 13377. Keep this evidence page current before any Silver resubmission or Gold preparation pass.