OpenSSF Best Practices badge

ID

openssf_scorecard/cii_best_practices

Severity

low

Category

Levels

Optional

true

Tags

security, security-awareness, security-training

Description

Does the project have an OpenSSF Best Practices badge?

The Open Source Security Foundation (OpenSSF) Best Practices badge is a way to show that software projects follow recommended best practices, many of them to prevent security issues related to the software supply-chain.

This check determines whether the project has earned an OpenSSF Best Practices badge, which indicates that the project uses a set of security-focused development best practices for open source software.

Rationale

The OpenSSF Best Practices badge has 3 tiers: passing, silver, and gold, with increasingly demanding security criteria. We give full credit to projects that meet the passing criteria, which is a significant achievement for many projects. Lower scores represent a project that is at least working to achieve a badge, with increasingly more points awarded as more criteria are met.

To earn the passing badge, the project MUST:

  • publish the process for reporting vulnerabilities on the project site

  • provide a working build system that can automatically rebuild the software from source code (where applicable)

  • have a general policy that tests will be added to an automated test suite when major new functionality is added

  • meet various cryptography criteria where applicable

  • have at least one primary developer who knows how to design secure software

  • have at least one primary developer who knows of common kinds of errors that lead to vulnerabilities in this kind of software (and at least one method to counter or mitigate each of them)

  • apply at least one static code analysis tool (beyond compiler warnings and "safe" language modes) to any proposed major production release.

Verification

The check uses the URL of the project's Git repository to query the OpenSSF Best Practices badge API.

The highest compliance level (PASS) is given to projects that meet the passing criteria, which is a significant achievement for many projects.

Lower levels (PARTIAL compliance) are given to a project that is at least working to achieve a badge, with increasingly more points awarded as more criteria are met.

FAIL compliance is given to projects that have not yet enrolled in the badge program.
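The PASS / PARTIAL / FAIL mapping described above, as an added example that is not the check's own implementation. It assumes the badge API's projects.json endpoint answers a repository-URL query with a list of project objects carrying a "badge_level" field ("in_progress", "passing", "silver" or "gold"); the sample responses are constructed.

```python
"""Evaluate the OpenSSF Best Practices badge check from a badge API response.

Added example, not the check's own code. Assumes the badge API returns a
JSON list of project objects with a "badge_level" field.
"""
import json
import urllib.parse
import urllib.request

# Assumed badge API endpoint; the "url" parameter filters by repository URL.
BADGE_API = "https://www.bestpractices.dev/projects.json"

# Tiers that meet at least the passing criteria, lowest first.
PASSING_TIERS = ("passing", "silver", "gold")


def fetch_projects(repo_url: str, timeout: float = 10.0) -> list:
    """Query the badge API for entries matching repo_url (network call)."""
    query = urllib.parse.urlencode({"url": repo_url})
    with urllib.request.urlopen(f"{BADGE_API}?{query}", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def tier_rank(level: str) -> int:
    """0 for in_progress/unknown, 1..3 for passing/silver/gold."""
    return PASSING_TIERS.index(level) + 1 if level in PASSING_TIERS else 0


def evaluate(projects: list) -> dict:
    """Map badge API entries to the check's PASS / PARTIAL / FAIL levels."""
    if not projects:
        # No entry at all: the repository is not enrolled in the program.
        return {"compliance": "FAIL", "badge_level": None}
    # A repository may have several entries; credit the best tier achieved.
    best = max((p.get("badge_level", "in_progress") for p in projects), key=tier_rank)
    if tier_rank(best) > 0:
        return {"compliance": "PASS", "badge_level": best}
    # Enrolled, but the passing criteria are not yet met.
    return {"compliance": "PARTIAL", "badge_level": best}


# Constructed sample responses (not real API output).
SAMPLE_GOLD = [{"id": 1, "badge_level": "gold"}]
SAMPLE_IN_PROGRESS = [{"id": 2, "badge_level": "in_progress"}]
SAMPLE_NOT_ENROLLED = []

if __name__ == "__main__":
    for sample in (SAMPLE_GOLD, SAMPLE_IN_PROGRESS, SAMPLE_NOT_ENROLLED):
        print(evaluate(sample))
```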

Remediation

  • Sign up for the OpenSSF Best Practices program (the easy part).

  • Make adjustments to the project so the criteria for the chosen level are fulfilled (the hard part).

Small Print

The Core Infrastructure Initiative (CII) was replaced by the Open Source Security Foundation (OpenSSF).

Please note that many criteria in the OpenSSF Best Practices badge program overlap with checkpoints in the OpenSSF Scorecard standard.