{"id":13558182,"url":"https://github.com/coreinfrastructure/best-practices-badge","last_synced_at":"2025-05-14T13:07:44.945Z","repository":{"id":35267713,"uuid":"39528049","full_name":"coreinfrastructure/best-practices-badge","owner":"coreinfrastructure","description":"🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)","archived":false,"fork":false,"pushed_at":"2025-04-02T09:32:48.000Z","size":73536,"stargazers_count":1253,"open_issues_count":223,"forks_count":200,"subscribers_count":55,"default_branch":"main","last_synced_at":"2025-04-05T11:01:55.680Z","etag":null,"topics":["badge","best-practices","floss","foss","open-source","openssf","ossf","rails","security","supply-chain"],"latest_commit_sha":null,"homepage":"https://www.bestpractices.dev","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/coreinfrastructure.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"docs/governance.md","roadmap":"docs/roadmap.md","authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-07-22T20:14:25.000Z","updated_at":"2025-04-01T01:43:28.000Z","dependencies_parsed_at":"2024-07-30T04:10:00.705Z","dependency_job_id":"9f95965b-a933-4789-ba68-693ad5a5936d","html_url":"https://github.com/coreinfrastructure/best-practices-badge","commit_stats":{"total_commits":4239,"total_committers":47,"mean_commits":90.19148936170212,"dds":"0.22363765038924277","last_synced_commit":"a7ff9f4aec62e339220a466816410e60612e386c"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreinfrastructure%2Fbest-practices-badge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreinfrastructure%2Fbest-practices-badge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreinfrastructure%2Fbest-practices-badge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/coreinfrastructure%2Fbest-practices-badge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/coreinfrastructure","download_url":"https://codeload.github.com/coreinfrastructure/best-practices-badge/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248572777,"owners_count":21126698,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["badge","best-practices","floss","foss","open-source","openssf","ossf","rails","security","supply-chain"],"created_at":"2024-08-01T12:04:47.874Z","updated_at":"2025-04-12T13:26:36.545Z","avatar_url":"https://github.com/coreinfrastructure.png","language":"Ruby","funding_links":[],"categories":["Ruby","Happy Exploring 🤘","open-source"],"sub_categories":[],"readme":"# OpenSSF Best Practices Badge (formerly CII Best Practices Badge)\n\n\u003c!-- SPDX-License-Identifier: (MIT OR CC-BY-3.0+) --\u003e\n\n[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/1/badge)](https://bestpractices.coreinfrastructure.org/projects/1)\n[![CircleCI Build Status](https://circleci.com/gh/coreinfrastructure/best-practices-badge.svg?\u0026style=shield)](https://app.circleci.com/pipelines/github/coreinfrastructure/best-practices-badge)\n[![codecov](https://codecov.io/gh/coreinfrastructure/best-practices-badge/branch/master/graph/badge.svg)](https://codecov.io/gh/coreinfrastructure/best-practices-badge)\n[![License](https://img.shields.io/:license-mit-blue.svg)](https://badges.mit-license.org)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/coreinfrastructure/best-practices-badge/badge)](https://scorecard.dev/viewer/?uri=github.com/coreinfrastructure/best-practices-badge)\n\nThis project identifies best practices for\nFree/Libre and Open Source Software (FLOSS)\nand implements a badging system for those best practices.\nThe \"BadgeApp\" badging system is a simple web application\nthat lets projects self-certify that they meet the criteria\nand show a badge.\nThe real goal of this project is to encourage projects to\napply best practices, and to help users determine which FLOSS projects do so.\nWe believe that FLOSS projects that implement best practices are more likely\nto produce better software, including more secure software.\n\nSee the\n*[OpenSSF Best Practices badge website](https://bestpractices.coreinfrastructure.org/)* if you want to try to actually get a badge.\n\nThis is the development site for the criteria and badge application\nsoftware that runs the website.\nFeedback is very welcome via the\n[GitHub site](https://github.com/coreinfrastructure/best-practices-badge)\nas issues or pull (merge) requests.\nThere is also a\n[mailing list](https://lists.coreinfrastructure.org/mailman/listinfo/cii-badges)\nfor general discussion.\nThis project was originally developed under the CII, but it\nis now part of the\n[Open Source Security Foundation (OpenSSF)](https://openssf.org/)\n[Best Practices Working Group (WG)](https://github.com/ossf/wg-best-practices-os-developers).\nThe original name of the project was the CII Best Practices badge, but\nit is now the OpenSSF Best Practices badge project.\n\nInteresting pages include:\n\n* Badging **[Criteria for the passing level](https://bestpractices.coreinfrastructure.org/criteria/0)**\n* **[Criteria for all badging levels](https://bestpractices.coreinfrastructure.org/criteria)**\n* Information on how to **[contribute](./CONTRIBUTING.md)**\n* Information on **[our own security, including how to report vulnerabilities in our badge application](./SECURITY.md)**\n* [Up-for-grabs](https://github.com/coreinfrastructure/best-practices-badge/labels/up-for-grabs)\n  lists smaller tasks that may take 1-3 days, and are ideal for people\n  new to the project (or FLOSS in general)\n* **[Background](./docs/background.md)** on Badging\n* **[ChangeLog](./CHANGELOG.md)**\n* **[Requirements](./docs/requirements.md)** - our overall requirements\n* **[Design](./docs/design.md)** - our basic design\n* Current **[implementation](./docs/implementation.md)**  - notes about the\n  BadgeApp implementation\n* **[security](./docs/assurance-case.md)**  - notes about BadgeApp security, specifically its assurance case\n* **[testing](./docs/testing.md)**  - notes about BadgeApp automated tests\n* **[api](./docs/api.md)** - Application Programming Interface (API), including data downloads\n* **[Installation](./docs/INSTALL.md)**  - Installation and quick start\n* **[Vetting](./docs/vetting.md)**  - More about our vetting approach\n* **[Roadmap](./docs/roadmap.md)**  - Roadmap (future plans)\n\n## Summary of Best Practices Criteria \"passing\" level\n\nThis is a summary of the passing criteria, with requirements in bold:\n\n* **Have a [stable website](docs/criteria.md#homepage_url)**, which says:\n  - **[what it does](docs/criteria.md#description_good)**\n  - **[how to get it](docs/criteria.md#interact)**\n  - **[how to give feedback](docs/criteria.md#interact)**\n  - **[how to contribute](docs/criteria.md#contribution)** and\n    [preferred styles](docs/criteria.md#contribution_requirements)\n* **[Explicitly specify](docs/criteria.md#license_location) a\n  [FLOSS](docs/criteria.md#floss_license) [license](docs/criteria.md#floss_license_osi)**\n* **[Support HTTPS on the project sites](docs/criteria.md#sites_https)**\n* **[Document how to install and run (securely)](docs/criteria.md#documentation_basics),\n  and [any API](docs/criteria.md#documentation_interface)**\n* **Have a** [distributed](docs/criteria.md#repo_distributed)\n  **[public version control system](docs/criteria.md#repo_public),\n including [changes between releases](docs/criteria.md#repo_interim)**:\n  - **[Give each release a unique version](docs/criteria.md#version_unique)**, using\n    [semantic versioning format](docs/criteria.md#version_semver)\n  - **Give a [summary of changes for each release](docs/criteria.md#release_notes),\n    [identifying any fixed vulnerabilities](docs/criteria.md#release_notes_vulns)**\n* **Allow [bug reports to be submitted](docs/criteria.md#report_process),\n  [archived](docs/criteria.md#report_archive)** and\n  [tracked](docs/criteria.md#report_tracker):\n  - **[Acknowledge](docs/criteria.md#report_responses)**/respond to bugs \u0026\n    [enhancement requests](docs/criteria.md#enhancement_responses), rather than\n    ignoring them\n  - **Have a [secure](docs/criteria.md#vulnerability_report_private),\n    [documented process](docs/criteria.md#vulnerability_report_process) for\n    reporting vulnerabilities**\n  - **[Respond within 14 days](docs/criteria.md#vulnerability_report_response),\n    and [fix vulnerabilities](docs/criteria.md#vulnerabilities_critical_fixed),\n    [within 60 days if they're public](docs/criteria.md#vulnerabilities_fixed_60_days)**\n* **[Have a build that works](docs/criteria.md#build)**, using\n  [standard](docs/criteria.md#build_common_tools)\n  [open-source](docs/criteria.md#build_floss_tools) tools\n  - **Enable (and [fix](docs/criteria.md#warnings_fixed))\n    [compiler warnings and lint-like checks](docs/criteria.md#warnings)**\n  - **[Run other static analysis tools](docs/criteria.md#static_analysis) and\n    [fix exploitable problems](docs/criteria.md#static_analysis_fixed)**\n* **[Have an automated test suite](docs/criteria.md#test)** that\n  [covers most of the code/functionality](docs/criteria.md#test_most), and\n  [officially](docs/criteria.md#tests_documented_added)\n  **[require new tests for new code](docs/criteria.md#test_policy)**\n* [Automate running the tests on all changes](docs/criteria.md#test_continuous_integration),\n  and apply dynamic checks:\n  - [Run memory/behaviour analysis tools](docs/criteria.md#dynamic_analysis)\n    ([sanitizers/Valgrind](docs/criteria.md#dynamic_analysis_unsafe) etc.)\n  - [Run a fuzzer or web-scanner over the code](docs/criteria.md#dynamic_analysis)\n* **[Have a developer who understands secure software](docs/criteria.md#know_secure_design)\n  and [common vulnerability errors](docs/criteria.md#know_common_errors)**\n* If cryptography is used:\n  - **[Use public protocols/algorithm](docs/criteria.md#crypto_published)**\n  - **[Don't re-implement standard functionality](docs/criteria.md#crypto_call)**\n  - **[Use open-source cryptography](docs/criteria.md#crypto_floss)**\n  - **[Use key lengths that will stay secure](docs/criteria.md#crypto_keylength)**\n  - **[Don't use known-broken](docs/criteria.md#crypto_working)** or\n    [known-weak](docs/criteria.md#crypto_weaknesses) algorithms\n  - [Use algorithms with forward secrecy](docs/criteria.md#crypto_pfs)\n  - **[Store any passwords with iterated, salted, hashes using a key-stretching algorithm](docs/criteria.md#crypto_password_storage)**\n  - **[Use cryptographic random number sources](docs/criteria.md#crypto_random)**\n\n## Summary of Best Practices Criteria for higher levels\n\nGetting a passing badge is a significant achievement;\non average only about 10% of pursuing projects have a passing badge.\nThat said, some projects would like to meet even stronger criteria,\nand many users would like projects to do so.\nWe have established two higher levels beyond passing: silver and gold.\nThe higher levels strengthen some of the passing criteria and add new\ncriteria of their own.\n\n### Silver\n\nHere is a summary of the silver criteria, with requirements in bold\n(for details, see the [full list of silver criteria](docs/other.md)):\n\n* **[Use a DCO or similar](docs/other.md#dco)**\n* **[Define/document project governance](docs/other.md#governance)**\n* **[Another will have the necessary access rights if someone dies](docs/other.md#access_continuity)**\n* *[\"Bus factor\" of 2 or more](docs/other.md#bus_factor)*\n* **[Document security requirements](docs/other.md#documentation_security)**\n* **[Have an assurance case explaining why security requirements are met](docs/other.md#assurance_case)**\n* **[Have a quick start guide](docs/other.md#documentation_quick_start)**\n* *[Follow accessibility best practices](docs/other.md#accessibility_best_practices)*\n* **[Pick \u0026 follow coding standards](docs/other.md#coding_standards)**\n* **[Monitor external dependencies to detect/fix known vulnerabilities](docs/other.md#dependency_monitoring)**\n* **[Tests have 80%+ statement coverage](docs/other.md#test_statement_coverage80)**\n* **[Project releases for widespread use are cryptographically signed](docs/other.md#signed_releases)**\n* **[Check all inputs from potentially untrusted sources for validity (using an allowlist)](docs/other.md#input_validation)**\n* *[Use hardening mechanisms](docs/other.md#hardening)*\n\n### Gold\n\nHere is a summary of the gold criteria, with requirements in bold\n(for details, see the [full list of gold criteria](docs/other.md)):\n\n* **[At least 2 unassociated significant contributors](docs/other.md#contributors_unassociated)**\n* **[Per-file copyright and license](docs/other.md#copyright_per_file)**\n* **[Use 2FA](docs/other.md#require_2FA)**\n* **[At least 50% of all modifications are reviewed by another](docs/other.md#two_person_review)**\n* **[Have a reproducible build](docs/other.md#reproducible_build)**\n* **[Use continuous integration](docs/other.md#test_continuous_integration)**\n* **[Statement coverage 90%+](docs/other.md#test_statement_coverage90)**\n* **[Branch coverage 80%+](docs/other.md#test_branch_coverage80)**\n* **[Support secure protocols \u0026 disable insecure protocols by default](docs/other.md#crypto_used_network)**\n* **[Use TLS version 1.2 or higher](docs/other.md#crypto_tls12)**\n* **[Have a hardened project website, repo, and download site](docs/other.md#hardened_site)**\n* **[Have a security review (internal or external)](docs/other.md#security_review)**\n\n## Directory \"doc\" is now \"docs\"\n\nIf you've used this system in the past, you may have referred to our `doc`\nsubdirectory for documentation. We have renamed that to a `docs` subdirectory.\n\n## Main site\n\nWe have recently moved to the new main site\n\u003chttps://www.bestpractices.dev\u003e.\nFor many years the main site was at\n\u003chttps://bestpractices.coreinfrastructure.org\u003e.\nHowever, the Core Infrastructure Initiative (CII) has ended, and we have\nbecome part of the Open Source Security Foundation (OpenSSF).\nTherefore, it made sense to change the domain name so it's no longer tied\nto the CII. The domain name is much shorter, too.\nWe use the \"www\" subdomain because there are technical challenges using\na top-level domain with our CDN; it's more efficient to use the subdomain.\n\n## License\n\nAll material in this repository is released under the [MIT license](./LICENSE).\nAll material in this repository that is not executable,\nincluding all text when not executed,\nis also released under the\n[Creative Commons Attribution 3.0 International (CC BY 3.0) license](https://creativecommons.org/licenses/by/3.0/) or later.\nIn SPDX terms, everything here is licensed under MIT;\nif it's not executable, including the text when extracted from code, it's\n\"(MIT OR CC-BY-3.0+)\".\n\nLike almost all software today, this software depends on many\nother components with their own licenses.\nNot all components we depend on are MIT-licensed, but all\n*required* components are FLOSS. We prevent licensing issues\nusing various processes (see [CONTRIBUTING](./CONTRIBUTING.md)).\n\nThe data *managed* by this software is under different highly-permissive\n[open data](https://opendefinition.org/od/2.1/en/) licenses,\ndepending on when the data was last updated:\n\n* Data updated on or after 2024-08-23T12:00:00Z is released under the\n  [Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0)](https://cdla.dev/permissive-2-0/).\n  This means that a Data Recipient\n  may share the Data, with or without modifications, so long as the\n  Data Recipient makes available the text of this agreement with\n  the shared Data.\n  This agreement does *not* impose any restriction or obligations\n  with respect to the use, modification, or sharing of Results.\n* Otherwise, data updated on or after 2017-02-20T12:00:00Z is released under the\n  [Creative Commons Attribution 3.0 International (CC BY 3.0) license or later (CC-BY-3.0+)](https://creativecommons.org/licenses/by/3.0/).\n* Otherwise, data is released under the\n  [Creative Commons Attribution 3.0 International (CC BY 3.0) license (CC-BY-3.0)](https://creativecommons.org/licenses/by/3.0/).\n\nThe *complete* collection of data *managed* by this application is thus\nlicensed with the SPDX license expression \"(CC-BY-3.0 AND CDLA-Permissive-2.0)\".\nOnly a few old entries are under the CC-BY-3.0, so if you omitted those\noldest data values, the dataset is released under the expression\n\"(CC-BY-3.0+ AND CDLA-Permissive-2.0)\".\n\nSubmitters of data retain copyright (if any), and\nthe project license is unaffected.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreinfrastructure%2Fbest-practices-badge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoreinfrastructure%2Fbest-practices-badge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreinfrastructure%2Fbest-practices-badge/lists"}