Skip to content

OpenSSF Evidence

This file maps repository artifacts to OpenSSF Best Practices and Baseline-style evidence. It is evidence support, not a self-certification result.

Project metadata

Field Evidence
Project name ZapTrace
Repository https://github.com/oaslananka/zaptrace
License LICENSE, MIT
Languages Python, Rust, Dockerfile
Status Pre-1.0, human-review-required EDA kernel

Passing readiness evidence

Criterion family Status Evidence
Project description Passed README.md explains what ZapTrace is and is not.
Obtain software Passed README quickstart and source install instructions.
Provide feedback Passed GitHub issue templates and support policy.
Contribute Passed CONTRIBUTING.md, PR template, issue templates.
Contribution requirements Passed Coding standards, test policy, DCO-style assertion, CI requirements.
FLOSS license Passed MIT license in top-level LICENSE.
Basic documentation Passed README, docs site, getting started, CLI/SDK/MCP docs.
Interface documentation Partial CLI/SDK/MCP docs exist; API/reference docs should continue to be generated or kept synchronized.
HTTPS project sites Passed GitHub and docs URLs use HTTPS.
Discussion Passed GitHub issues and pull requests are URL-addressable and searchable.
Maintained Passed Recent releases, CI, and active dependency maintenance.

Silver readiness evidence

Criterion family Status Evidence / gap
Passing prerequisite Partial Requires BadgeApp completion.
DCO/legal contribution mechanism Passed DCO-style assertion documented in CONTRIBUTING.md.
Governance Passed GOVERNANCE.md.
Code of conduct Passed CODE_OF_CONDUCT.md.
Roles/responsibilities Passed GOVERNANCE.md, MAINTAINERS.md.
Access continuity Partial Documented, but real continuity requires another trusted maintainer.
Roadmap Passed ROADMAP.md, docs/ROADMAP.md.
Architecture Passed docs/ARCHITECTURE.md, docs/explanation/architecture.md.
Security requirements Passed SECURITY.md, docs/security/threat-model.md, docs/security/assurance-case.md.
Quick start Passed README and docs/tutorials/getting-started.md.
Current docs Partial MkDocs strict build helps; ongoing maintenance required.
Achievements Partial Badge should be added to README only after actual BadgeApp recognition.
Password storage for project site Not applicable GitHub-hosted repository; no project-operated password store identified.

Gold feasibility evidence

Criterion Status Evidence / gap
Bus factor >= 2 Missing Solo maintainer.
Two unassociated significant contributors Missing Not demonstrated.
Non-author human review Missing Review required is not enabled because the project is solo-maintainer.
Per-file copyright/license statements Partial Top-level MIT license exists; per-file SPDX headers are not complete.
Cryptographic 2FA Needs human confirmation GitHub supports passkeys/TOTP; exact maintainer method is account-level.

Baseline evidence highlights

Baseline area Status Evidence / gap
MFA for repository changes Passed GitHub requires 2FA; maintainers should use passkeys/TOTP.
Lowest collaborator privileges Needs human confirmation Repository settings must be verified when adding collaborators.
Branch protection Passed Main branch protection requires checks, disallows force push/delete, and requires linear history.
CI permissions Passed Workflows use explicit minimum permissions.
Untrusted metadata/code in CI Partial No pull_request_target workflow observed; workflow inputs should continue to be validated.
Secret prevention Passed Secret scanning/push protection should be kept enabled; gitleaks workflow added.
Release identifiers Passed SemVer-style tags and package version checks.
Release logs Passed CHANGELOG.md and GitHub Releases.
Dependency tracking Passed pyproject.toml, uv.lock, Cargo.lock, Dockerfile, Renovate, Dependabot.
Signed/attested release assets Passed Release workflow uses GitHub artifact attestations.
Build instructions Passed README, CONTRIBUTING, release process docs.
Member list and roles Passed MAINTAINERS.md, GOVERNANCE.md.
Vulnerability disclosure Passed SECURITY.md; private vulnerability reporting must be enabled in settings.