…RAN-55) Adapt the codeiq RAN-46/RAN-52 recipe to vigil's PowerShell + WPF tree:
- Add CLAUDE.md (architecture, conventions, OpenSSF observability target)
- Add SECURITY.md (private disclosure, scope, hardening references)
- Add AGENTS.md (agent collaborator entry-point)
- Add .bestpractices.json (project_id 12648, level: passing, evidence map)
- Add .github/workflows/scorecard.yml (push to main + Mondays 06:00 UTC, SHA-pinned actions, SARIF + artifact)
- Add .github/workflows/security.yml — (B) OSS-CLI stack: Semgrep / OSV-Scanner / Trivy / Gitleaks / jscpd / Syft SBOM, language-adapted (PowerShell tokenization for jscpd, no Maven/npm bits)
- Add .github/dependabot.yml (github-actions only — vigil has no language lockfile)
- README.md: add OpenSSF Best Practices + Scorecard badges
- LICENSE: align copyright with project precedent (Amit Kumar)

Per board ruling: Scorecard is observational only (stretch >= 8.0/10); the OpenSSF Best Practices `passing` badge is the only hard gate. Final flip from `in_progress` to `passing` on bestpractices.dev is admin-UI work and stays board-owned.

Board action items (cannot land via workflow file):
- Enable signed-commit branch protection on main
- Enable secret scanning + push protection
- Enable Dependabot security updates
- Flip bestpractices.dev project 12648 from in_progress to passing

Closes RAN-55 (after the board-side toggles + bestpractices.dev flip).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
The pinned `google/osv-scanner-action@c5185470…` (v2.3.5) ships an `action.yml` that is composite-only and missing the top-level `runs:` section, so GitHub rejects it as a job step with:

    Top level 'runs:' section is required for google/osv-scanner-action/.../action.yml

Codeiq hit the same trap on its RAN-52 follow-up and switched to installing the official `osv-scanner` binary via `gh release download`. Mirroring that pattern here, adapted for vigil:
- env: OSV_SCANNER_VERSION=2.3.5, GH_TOKEN=github.token
- gh release download `osv-scanner_linux_amd64` from `google/osv-scanner` v2.3.5 (pattern match → mv to stable name)
- Smoke `./osv-scanner --version` so future regressions surface clearly instead of exit 127
- Recursive source scan (`--recursive --skip-git ./`); vigil has no language lockfile today, so the run exits with no findings. Coverage activates automatically once a `*.lock` lands in-tree.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace custom group structure (status / evidence / audit blocks) with bestpractices.dev's canonical flat per-criterion schema so the autofill robot pre-fills the criteria page on board flip.

All 67 passing-level criteria (43 MUST, 10 SHOULD, 14 SUGGESTED) carry _status, _justification, and (where required by upstream criteria.yml) _url. Status distribution: 62 Met, 4 N/A (release_notes / release_notes_vulns / version_semver / version_tags — vigil ships no formal release line), 1 Unmet (test_continuous_integration — Test-Vigil.ps1 not yet wired into GHA), 2 ? (dynamic_analysis, dynamic_analysis_enable_assertions).

Schema source: criteria/criteria.yml top-level '0:' block on coreinfrastructure/best-practices-badge.

Companion to RAN-57 (codeiq), RAN-58 (otelcontext), RAN-59 (snipIT).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
aksOps added a commit that referenced this pull request, Apr 26, 2026:
…a (RAN-55) (#3) Closes the last two `Unmet` blockers from the bestpractices.dev/projects/12648 audit (board comment on RAN-55):
- `release_notes` Unmet → Met. Add CHANGELOG.md (Keep a Changelog 1.1.0 format) with an [Unreleased] section that catalogues what landed in PR #1: OpenSSF scaffolding, OSV-Scanner CI fix, debounced-search-on-close fix, deep-review fixes, LICENSE attribution, Security adoption notes. Pre-1.0 the commit SHA on `main` is the version identifier; the [Unreleased] block rolls into a versioned heading when the first tag is cut.
- `documentation_basics` Unmet ("No appropriate folder found") → Met. Add docs/ folder with: docs/README.md (index), docs/architecture.md (5-phase startup, repo shape, runtime invariants, stack), docs/install.md (requirements, run + flags, tests, update path), docs/troubleshooting.md (preflight bitmap, CLM / AppLocker / EDR blockers, DPAPI store recovery), docs/security.md (threat model, hardened invariants, crypto, distribution integrity).
- Update .bestpractices.json:
  * documentation_basics_status: Met (now backed by docs/ folder; URL added pointing at the tree)
  * release_notes_status: N/A → Met (URL added pointing at CHANGELOG.md)
  * release_notes_vulns_status: N/A → Met (URL added pointing at CHANGELOG.md#security)

Co-authored-by: Paperclip <noreply@paperclip.ing>
Summary
Lands the codeiq RAN-46 / RAN-52 OpenSSF recipe on vigil, language-adapted for the PowerShell + WPF stack (no Maven, no npm, no language lockfile — vigil has no package manager). Bundles the RAN-60 canonical-schema rewrite of `.bestpractices.json` on top so the autofill robot pre-fills the criteria page on board flip — skipping the custom-group-structure intermediate state.

RAN-55 — scaffolding
- `CLAUDE.md`, `SECURITY.md`, `AGENTS.md`, `.bestpractices.json` (project_id `12648`, level `passing`)
- `.github/workflows/scorecard.yml` — OpenSSF Scorecard, push-to-main + Mondays 06:00 UTC, SHA-pinned actions, SARIF → Security tab
- `.github/workflows/security.yml` — (B) OSS-CLI stack: Semgrep / OSV-Scanner / Trivy / Gitleaks / jscpd (PowerShell tokenization) / Syft SBOM. PR + push + weekly cron, all actions SHA-pinned, harden-runner egress audit on every job
- `.github/dependabot.yml` — `github-actions` ecosystem only (no Maven / npm targets exist)
- `README.md` — OpenSSF Best Practices + Scorecard badges at the top
- `LICENSE` — copyright now `Amit Kumar` (matches codeiq precedent + RAN-55 AC)

RAN-60 — canonical-schema
- …`.bestpractices.json` (`status` / `evidence` / `audit` blocks) with bestpractices.dev's canonical flat per-criterion schema so the autofill robot pre-fills the criteria page on board flip
- …`<key>_status`, `<key>_justification`, and (where required by upstream `criteria.yml`) `<key>_url`
- …(`na_allowed` upstream), 5 `?` placeholders (version_semver / version_tags / test_continuous_integration / dynamic_analysis / dynamic_analysis_enable_assertions)
- …`criteria/criteria.yml` top-level `'0':` block on `coreinfrastructure/best-practices-badge`

Scorecard is observational per board ruling (stretch ≥ 8.0/10). The OpenSSF Best Practices `passing` badge is the only hard gate. Final flip from `in_progress` to `passing` on https://www.bestpractices.dev/en/projects/12648 stays board-owned admin-UI work.

Board action items (cannot land via workflow file)
These are repo Settings toggles and bestpractices.dev admin-UI work that I do not have access to from a workflow:
- …`main`, require PR before merging, require status checks (`Scorecard analysis` + `Security` workflow), require linear history
- …`actions` language (PowerShell isn't supported by CodeQL default setup; Semgrep covers the PowerShell tree)
- …`.bestpractices.json` — review/save each section, flip badge `in_progress → passing`, post `@TechLead approved` on RAN-60

Test plan
- `.bestpractices.json` validates as JSON; all 67 criteria carry `_status` + `_justification`; 7 carry `_url` per `met_url_required` upstream flags
- …(`Pinned-Dependencies` check)

🤖 Generated with Claude Code
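One way to check the test-plan invariants above, and the flat `<key>_status` / `<key>_justification` / `<key>_url` schema the RAN-60 commit describes, before the board flip. This is an added example, not vigil's code and not the upstream best-practices-badge project's validator: it parses a flat per-criterion `.bestpractices.json`, requires `_status` and `_justification` for every criterion, requires an http(s) `_url` where the criterion's `met_url_required` flag is set, allows `N/A` only where `na_allowed` is set, and flags keys that do not match any known criterion (a typo the autofill robot would silently skip). The five-entry criteria table uses the upstream field names but is a constructed illustration, not the upstream `criteria.yml`; the sample document and its `example.invalid` URL are constructed as well.

```python
"""Checks for a flat bestpractices.dev-style .bestpractices.json.

Added example; not vigil's code and not the upstream badge project's
validator. It applies the invariants the PR's test plan states: every
criterion carries <key>_status and <key>_justification, <key>_url is
present when the upstream criterion sets met_url_required, and N/A is
used only where na_allowed. The criteria table and the sample document
below are constructed for illustration.
"""
from __future__ import annotations

import json

VALID_STATUSES = {"Met", "Unmet", "N/A", "?"}
SUFFIXES = ("_status", "_justification", "_url")

# Constructed subset of the upstream criteria.yml flags. The field names
# (met_url_required, na_allowed) are the upstream ones; the entries are
# illustrative, not copied from the upstream file.
CRITERIA = {
    "description_good": {"met_url_required": False, "na_allowed": False},
    "repo_public": {"met_url_required": True, "na_allowed": False},
    "release_notes": {"met_url_required": True, "na_allowed": True},
    "version_semver": {"met_url_required": False, "na_allowed": True},
    "test_continuous_integration": {"met_url_required": False, "na_allowed": False},
}

# Constructed sample document with three deliberate defects; the URL is a
# placeholder (reserved .invalid TLD), not a real repository.
SAMPLE_JSON = """{
  "description_good_status": "Met",
  "description_good_justification": "README states what vigil is and who it is for.",
  "repo_public_status": "Met",
  "repo_public_justification": "Public GitHub repository.",
  "repo_public_url": "https://example.invalid/vigil",
  "release_notes_status": "Met",
  "release_notes_justification": "CHANGELOG.md, Keep a Changelog format.",
  "version_semver_status": "?",
  "version_semver_justification": "",
  "test_continuous_integration_status": "N/A",
  "test_continuous_integration_justification": "Test-Vigil.ps1 not yet wired into GHA."
}"""


def validate(doc: dict, criteria: dict = CRITERIA) -> list[str]:
    """Return human-readable problems; an empty list means the file passes."""
    problems: list[str] = []
    for key, flags in criteria.items():
        status = doc.get(f"{key}_status")
        justification = doc.get(f"{key}_justification")
        url = doc.get(f"{key}_url")
        if status is None:
            problems.append(f"{key}: missing {key}_status")
            continue
        if status not in VALID_STATUSES:
            problems.append(f"{key}: status {status!r} not in {sorted(VALID_STATUSES)}")
        if not isinstance(justification, str) or not justification.strip():
            problems.append(f"{key}: {key}_justification missing or empty")
        if status == "N/A" and not flags["na_allowed"]:
            problems.append(f"{key}: N/A not allowed for this criterion")
        if status == "Met" and flags["met_url_required"]:
            if not isinstance(url, str) or not url.startswith(("http://", "https://")):
                problems.append(f"{key}: Met requires {key}_url (http/https)")
    # Keys shaped like criteria but absent from the table are usually typos;
    # non-criterion keys such as project_id do not end in a suffix and pass.
    for name in doc:
        for suffix in SUFFIXES:
            if name.endswith(suffix) and name[: -len(suffix)] not in criteria:
                problems.append(f"{name}: not a known criterion key")
    return problems


def status_counts(doc: dict, criteria: dict = CRITERIA) -> dict[str, int]:
    """Status distribution per criterion, the figure the commit messages quote."""
    counts: dict[str, int] = {}
    for key in criteria:
        status = doc.get(f"{key}_status", "<missing>")
        counts[status] = counts.get(status, 0) + 1
    return counts


def validate_text(text: str, criteria: dict = CRITERIA) -> list[str]:
    """Parse JSON first so a syntax error is reported like any other problem."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    return validate(doc, criteria)


if __name__ == "__main__":
    for line in validate_text(SAMPLE_JSON):
        print(line)
    print(status_counts(json.loads(SAMPLE_JSON)))
```

Against the sample it reports three problems: `release_notes` is Met without a `_url`, `version_semver` has an empty justification, and `test_continuous_integration` is marked N/A where the flag forbids it. To run it on a real file, feed the file contents to `validate_text` and replace `CRITERIA` with the `met_url_required` / `na_allowed` flags parsed out of upstream `criteria/criteria.yml` (that parsing is not shown); `status_counts` then gives the Met / N/A / Unmet / ? distribution to compare with the numbers in the commit messages.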