slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Adopt OpenSSF best practices as described on the website: https://bestpractices.coreinfrastructure.org/en

Basics:
- #892
- #893
- #617

Change Control:
- #894

Reporting:
- #541

Quality:
- #895
- #896
- ...
From [OpenSSF best practices](https://bestpractices.coreinfrastructure.org/en/criteria/0#0.crypto_published): *The software produced by the project MUST use, by default, only cryptographic protocols and algorithms that are publicly published and reviewed by experts (if cryptographic protocols...
Add simple code coverage metrics. From OpenSSF best practices: *It is SUGGESTED that the test suite cover most (or ideally all) the code branches, input fields, and functionality. [[test_most](https://bestpractices.coreinfrastructure.org/en/criteria/0#0.test_most)]*
- yamllint is not currently run in strict mode
- shellcheck should explicitly set a minimum severity
- eslint should set max-warnings to 0
*The project MUST have a general policy (formal or not) that as major new functionality is added to the software produced by the project, tests of that functionality should be...
Add a CHANGELOG file so that changes across versions are easier to parse.
We could have a simple website with docs that are easier to navigate, perhaps using [GitHub Pages](https://pages.github.com/).