---
name: enterprise-readiness
description: "Assess and enhance software projects for enterprise-grade security, quality, and automation. This skill should be used when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, establishing quality gates, reviewing code or PRs, writing documentation (ADRs, changelogs, migration guides), or pursuing OpenSSF Best Practices Badge. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch."
---

# Enterprise Readiness Assessment

## When to Use

- Evaluating projects for production/enterprise readiness
- Implementing supply chain security (SLSA, signing, SBOMs)
- Hardening CI/CD pipelines
- Establishing quality gates
- Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)
- Reviewing code or PRs for quality
- Writing ADRs, changelogs, or migration guides
- Configuring Git hooks or CI pipelines

---

## MANDATORY Requirements

**CRITICAL: The following are NOT optional. Every project MUST have ALL of these. Do not skip any.**

### README Badges (MANDATORY)

Every project README.md MUST display these badges at the top, in this order:

```markdown
[![CI](https://github.com/ORG/REPO/actions/workflows/ci.yml/badge.svg)](https://github.com/ORG/REPO/actions/workflows/ci.yml)
[![codecov](https://codecov.io/gh/ORG/REPO/graph/badge.svg)](https://codecov.io/gh/ORG/REPO)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ORG/REPO/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ORG/REPO)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/PROJECT_ID/badge)](https://www.bestpractices.dev/projects/PROJECT_ID)
```

| Badge | URL Pattern | MANDATORY |
|-------|-------------|-----------|
| CI Status | `github.com/ORG/REPO/actions/workflows/ci.yml/badge.svg` | **YES** |
| Codecov | `codecov.io/gh/ORG/REPO/graph/badge.svg` | **YES** |
| OpenSSF Scorecard | `api.securityscorecards.dev/projects/github.com/ORG/REPO/badge` | **YES** |
| OpenSSF Best Practices | `www.bestpractices.dev/projects/PROJECT_ID/badge` | **YES** |

### CI/CD Workflows (MANDATORY)

Every GitHub project MUST have these workflows in `.github/workflows/`:

| Workflow | File | Purpose | MANDATORY |
|----------|------|---------|-----------|
| CI | `ci.yml` | Build, test, lint | **YES** |
| CodeQL | `codeql.yml` | Security scanning | **YES** |
| Scorecard | `scorecard.yml` | OpenSSF Scorecard | **YES** |
| Dependency Review | `dependency-review.yml` | PR CVE check | **YES** |

### CI Must Include (MANDATORY)

| Requirement | Implementation | MANDATORY |
|-------------|----------------|-----------|
| Coverage upload | `codecov/codecov-action` after tests | **YES** |
| Security audit | `composer audit` / `npm audit` / `govulncheck` | **YES** |
| SHA-pinned actions | All actions use full SHA with version comment | **YES** |

### OpenSSF Registration (MANDATORY)

1. **Register at bestpractices.dev**: https://www.bestpractices.dev/en/projects/new
2. **Note the Project ID** assigned after registration
3. **Add badge to README** with correct PROJECT_ID
4. **Run Scorecard workflow** to generate initial score

### Codecov Setup (MANDATORY)

1. **Enable Codecov** for the repository at codecov.io
2. **Collect coverage from ALL test suites** (not just unit tests):

| Test Suite | Coverage Command | Output File | MANDATORY |
|------------|------------------|-------------|-----------|
| Unit | `phpunit -c UnitTests.xml --coverage-clover` | `.Build/coverage/unit.xml` | **YES** |
| Integration | `phpunit -c IntegrationTests.xml --coverage-clover` | `.Build/coverage/integration.xml` | **YES** |
| E2E | `phpunit -c E2ETests.xml --coverage-clover` | `.Build/coverage/e2e.xml` | **YES** |
| Functional | `phpunit -c FunctionalTests.xml --coverage-clover` | `.Build/coverage/functional.xml` | **YES** |
| JavaScript | `npm run test:coverage` | `coverage/lcov.info` | **YES** (if JS exists) |

3. **Upload ALL coverage files** to Codecov (every output file from the table above, including `functional.xml`):

```yaml
- uses: codecov/codecov-action@SHA # vX.Y.Z
  with:
    token: ${{ secrets.CODECOV_TOKEN }} # MANDATORY - see below
    files: .Build/coverage/unit.xml,.Build/coverage/integration.xml,.Build/coverage/e2e.xml,.Build/coverage/functional.xml,coverage/lcov.info
    fail_ci_if_error: false
```

### CODECOV_TOKEN (MANDATORY)

**Never rely on tokenless uploads.** They fail for protected branches and are unreliable.
| Requirement | Implementation | Why |
|-------------|----------------|-----|
| Token in secrets | Add `CODECOV_TOKEN` to repo or org secrets | Authentication |
| Token in workflow | `token: ${{ secrets.CODECOV_TOKEN }}` | Required for protected branches |
| Org-level secret | Preferred for consistency across repos | Single point of management |

**Failure without token:**

```
Upload failed: {"message":"Token required because branch is protected"}
```

**Get token from:** https://app.codecov.io/gh/ORG/REPO/settings

**Add as org secret (recommended):**

```bash
# Organization-level (covers all repos)
gh secret set CODECOV_TOKEN --org netresearch --visibility all

# Or repository-level
gh secret set CODECOV_TOKEN --repo OWNER/REPO
```

### JavaScript Coverage (MANDATORY for projects with JS/TS)

When a project contains JavaScript or TypeScript files:

1. **vitest.config.js** MUST include lcov reporter for Codecov:

```javascript
import { defineConfig } from 'vitest/config';
export default defineConfig({
  test: {
    coverage: {
      provider: 'v8',
      reporter: ['text', 'json', 'html', 'lcov'], // lcov REQUIRED for Codecov
      reportsDirectory: 'coverage',
    },
  },
});
```

2. **CI workflow** MUST include JavaScript test job:

```yaml
- uses: actions/setup-node@SHA # vX.Y.Z
  with:
    node-version: '22'
- run: npm install
- run: npm run test:coverage
```

3. **Codecov upload** MUST include `coverage/lcov.info`

### Verification Checklist

Before marking enterprise-readiness complete, verify ALL:

- [ ] README has CI badge linking to workflow
- [ ] README has Codecov badge (not "unknown")
- [ ] README has OpenSSF Scorecard badge (correct URL with `api.securityscorecards.dev`)
- [ ] README has OpenSSF Best Practices badge (correct PROJECT_ID, not placeholder)
- [ ] `.github/workflows/ci.yml` exists and uploads coverage
- [ ] `.github/workflows/codeql.yml` exists
- [ ] `.github/workflows/scorecard.yml` exists
- [ ] Codecov shows actual coverage percentage
- [ ] Scorecard shows actual score

**If any badge shows "unknown", "invalid", or placeholder ID - FIX IT. Do not proceed.**

---

## Assessment Workflow

1. **Discovery**: Identify platform (GitHub/GitLab), languages, existing CI/CD
2. **Scoring**: Apply checklists from references based on stack
3. **Badge Assessment**: Check OpenSSF criteria status
4. **Gap Analysis**: List missing controls by severity
5. **Implementation**: Apply fixes using scripts and templates

## Dependency CVE Workflow

When assessing enterprise readiness, **always run dependency audit** as part of discovery:

```bash
# PHP/Composer
composer audit

# Node.js
npm audit

# Python
pip-audit

# Go
govulncheck ./...
```

### CVE Handling Best Practice

**Separate dependency updates from code changes:**

| PR Type | Content | Why |
|---------|---------|-----|
| Code changes | Business logic, bug fixes, features | Reviewable, testable in isolation |
| Dependency updates | `composer update`, version bumps | Clear diff, easy rollback if issues |

**Real-world example from t3x-cowriter review:**

- Found 4 CVEs during enterprise assessment
- CVE fixes required `composer update typo3/cms-core typo3/cms-backend`
- Kept separate from code fixes (JS bug, AGENTS.md updates) for clean PR history

### CVE Severity Response

| Severity | Response Time | Action |
|----------|---------------|--------|
| CRITICAL | Immediate | Hotfix PR, expedited review |
| HIGH | 24-48 hours | Priority PR, security review |
| MEDIUM | 1 week | Normal PR cycle |
| LOW | Next release | Batch with other updates |

### CI Integration

Add dependency audit to CI pipeline:

```yaml
# .github/workflows/ci.yml
- name: Security audit
  run: composer audit --format=plain
```

## Reference Files (Load Based on Stack)

| Reference | When to Load |
|-----------|--------------|
| `references/general.md` | Always (universal 60 pts) |
| `references/github.md` | GitHub-hosted projects (40 pts) |
| `references/go.md` | Go projects (20 pts) |
| `references/openssf-badge-silver.md` | Pursuing Silver badge |
| `references/openssf-badge-gold.md` | Pursuing Gold badge |

## Quality & Process References (Language-Agnostic)

| Reference | When to Load |
|-----------|--------------|
| `references/code-review.md` | Code review, PR quality checks |
| `references/documentation.md` | ADRs, API docs, migration guides, changelogs |
| `references/ci-patterns.md` | CI/CD pipelines, Git hooks, quality gates |

### Explicit Content Triggers

When reviewing PRs or code, load `references/code-review.md` for the comprehensive checklist covering test resource management, state mutation, defensive enum handling, documentation accuracy, and defensive code coverage.

When writing ADRs (Architecture Decision Records), load `references/documentation.md` for templates, file organization, and required sections (Context, Decision, Consequences, Alternatives).

When writing changelogs or release notes, load `references/documentation.md` for Keep a Changelog format and conventional commit mapping.

When writing API documentation or migration guides, load `references/documentation.md` for structure patterns and completeness checklists.

When configuring CI/CD pipelines, load `references/ci-patterns.md` for comprehensive pipeline structure, job ordering, and quality gates.

When setting up Git hooks (pre-commit/pre-push), load `references/ci-patterns.md` for the hook division strategy and Lefthook configuration.

When enforcing coverage thresholds, load `references/ci-patterns.md` for threshold tables and enforcement patterns.

When handling signed commits with rebase-only merge, load `references/ci-patterns.md` for the local fast-forward merge workflow.
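The badge URL patterns and the Verification Checklist in the MANDATORY Requirements section above can be checked mechanically before a readiness review is signed off. The script below is an added example, not one of this skill's `scripts/`; it assumes the README path is passed as its argument and that the Best Practices PROJECT_ID is numeric, so a literal `PROJECT_ID` or `ORG/REPO` is reported as a placeholder.

```shell
#!/bin/sh
# Added example (hypothetical; not one of the skill's scripts/): verify that a README
# carries the four MANDATORY badges, in the required order, with no template placeholders.
set -eu

# check_readme_badges README: print one finding per line; prints nothing when all checks pass
check_readme_badges() {
  readme="$1"
  # name|ERE for the badge image URL, listed in the mandatory order from the badge table
  printf '%s\n' \
    'CI|github\.com/[^/)]+/[^/)]+/actions/workflows/ci\.yml/badge\.svg' \
    'Codecov|codecov\.io/gh/[^/)]+/[^/)]+/graph/badge\.svg' \
    'OpenSSF Scorecard|api\.securityscorecards\.dev/projects/github\.com/[^/)]+/[^/)]+/badge' \
    'OpenSSF Best Practices|www\.bestpractices\.dev/projects/[0-9]+/badge' |
  {
    prev=0
    while IFS='|' read -r name pattern; do
      # line number of the first match, empty when the badge is absent
      line=$(grep -nE "$pattern" "$readme" | head -n 1 | cut -d: -f1)
      if [ -z "$line" ]; then
        echo "missing: $name badge (expected pattern $pattern)"
      elif [ "$line" -lt "$prev" ]; then
        echo "out of order: $name badge on line $line must follow the previous badge"
      fi
      if [ -n "$line" ]; then prev=$line; fi
    done
  }
  # ORG/REPO and PROJECT_ID are template placeholders that must be replaced with real values
  grep -nE 'ORG/REPO|PROJECT_ID' "$readme" | sed 's/^/placeholder left in badge: line /'
}

# badge_finding_count README: number of findings; 0 means the README passes the badge checks
badge_finding_count() { check_readme_badges "$1" | awk 'END { print NR }'; }
```

Run `check_readme_badges README.md` in a pre-push hook or the CI job and fail when `badge_finding_count` is non-zero.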
## Implementation Guides

| Guide | Purpose |
|-------|---------|
| `references/quick-start-guide.md` | Getting started |
| `references/dco-implementation.md` | DCO enforcement |
| `references/signed-releases.md` | Cosign/GPG signing |
| `references/reproducible-builds.md` | Deterministic builds |
| `references/security-hardening.md` | TLS, headers, validation |
| `references/solo-maintainer-guide.md` | N/A criteria justification |
| `references/branch-coverage.md` | Gold 80% branch coverage |

## Automation Scripts

| Script | Purpose |
|--------|---------|
| `scripts/verify-badge-criteria.sh` | Verify OpenSSF badge criteria |
| `scripts/check-coverage-threshold.sh` | Statement coverage check |
| `scripts/check-branch-coverage.sh` | Branch coverage (Gold) |
| `scripts/add-spdx-headers.sh` | Add SPDX headers (Gold) |
| `scripts/verify-signed-tags.sh` | Tag signature verification |
| `scripts/verify-review-requirements.sh` | PR review requirements |

## Document Templates

Templates in `assets/templates/`:

- `GOVERNANCE.md` - Project governance (Silver)
- `ARCHITECTURE.md` - Technical docs (Silver)
- `CODE_OF_CONDUCT.md` - Contributor Covenant v3.0
- `SECURITY_AUDIT.md` - Security audit (Gold)
- `BADGE_EXCEPTIONS.md` - N/A justifications

## CI Workflow Templates

GitHub Actions workflows in `assets/workflows/`:

| Workflow | Purpose |
|----------|---------|
| `scorecard.yml` | OpenSSF Scorecard security analysis |
| `codeql.yml` | Semantic code security scanning |
| `dependency-review.yml` | PR dependency CVE/license check |
| `slsa-provenance.yml` | SLSA Level 3 build attestation |
| `dco-check.yml` | Developer Certificate of Origin |

Copy workflows to `.github/workflows/` and pin action versions with SHA hashes.
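Once the workflows are copied and pinned, two of the Critical Rules further down this page (every action pinned to a full SHA with a version comment, and no `${{ github.event.* }}` interpolated in `run:` blocks) can be linted locally or in CI. The script below is an added example, not one of this skill's `scripts/`; it assumes the workflow directory is passed as its argument and treats the lines of a `run:` block scalar (`|` or `>`) as the scope of the injection check.

```shell
#!/bin/sh
# Added example (hypothetical; not one of the skill's scripts/): lint GitHub Actions
# workflows for two Critical Rules: every `uses:` pinned to a full 40-hex commit SHA
# with a version comment, and no ${{ github.event.* }} inside `run:` blocks.
set -eu

# lint_workflow FILE: print one "file:line: message" per violation
lint_workflow() {
  awk -v file="$1" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    function inject(s) { return s ~ /[$][{][{] *github[.]event[.]/ }
    {
      # lines indented deeper than the run: key belong to its block scalar
      if (inrun && ($0 ~ /^ *$/ || indent($0) > runcol)) {
        if (inject($0)) printf "%s:%d: github.event.* interpolated in run block: %s\n", file, NR, $0
        next
      }
      inrun = 0
      if ($0 ~ /(^|[ -])run: *[|>]/) { inrun = 1; runcol = index($0, "run:") - 1; next }
      if ($0 ~ /(^|[ -])run:/ && inject($0))
        printf "%s:%d: github.event.* interpolated in run block: %s\n", file, NR, $0
      if ($0 ~ /(^|[ -])uses: */) {
        ref = $0; sub(/.*uses: */, "", ref)
        if (ref ~ /^(\.\/|docker:\/\/)/) next   # local actions and images are not SHA-pinnable
        split(ref, p, "@"); split(p[2], q, " ")   # q[1] = ref after @, p[2] also holds the comment
        if (length(q[1]) != 40 || q[1] !~ /^[0-9a-f]+$/ || p[2] !~ /#[ ]*v?[0-9]/)
          printf "%s:%d: uses: not pinned to a full SHA with version comment: %s\n", file, NR, ref
      }
    }' "$1"
}

# lint_workflows DIR: lint every .yml/.yaml workflow in DIR
lint_workflows() {
  for f in "$1"/*.yml "$1"/*.yaml; do
    if [ -e "$f" ]; then lint_workflow "$f"; fi
  done
}

# violation_count DIR: number of violations; 0 means the workflows satisfy both rules
violation_count() { lint_workflows "$1" | awk 'END { print NR }'; }

# usage: lint-workflows.sh .github/workflows  (exits non-zero when anything is reported)
if [ "$#" -gt 0 ]; then
  lint_workflows "$1"
  [ "$(violation_count "$1")" -eq 0 ] || exit 1
fi
```

Values that are needed from `github.event.*` belong in `env:` and are then read as `"$VAR"` inside the script, which the lint accepts.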
## Scoring Interpretation

| Score | Grade | Status |
|-------|-------|--------|
| 90-100 | A | Enterprise Ready |
| 80-89 | B | Production Ready |
| 70-79 | C | Development Ready |
| 60-69 | D | Basic |
| <60 | F | Not Ready |

## Code Review Quick Checklist

Before approving PRs, verify (see `references/code-review.md` for details):

- [ ] **One resource per test** - No duplicate instances
- [ ] **State mutation complete** - Tracking fields updated after operations
- [ ] **Defensive enum handling** - `Valid()` method, `default` case, tested
- [ ] **Documentation accurate** - Claims match benchmarks, trade-offs noted
- [ ] **Platform code marked** - Limitations documented, alternatives provided
- [ ] **Defensive code tested** - Error paths and edge cases covered

## Critical Rules

- **NEVER** interpolate `${{ github.event.* }}` in `run:` blocks (script injection)
- **NEVER** guess action versions - always fetch from GitHub API
- **ALWAYS** use SHA pins for actions with version comments
- **ALWAYS** verify commit hashes against official tags

## Related Skills

| Skill | Purpose |
|-------|---------|
| `go-development` | Go code patterns, Makefile interface, testing |
| `github-project` | Repository setup, branch protection, auto-merge |
| `security-audit` | Deep security audits (OWASP, XXE, SQLi) |
| `git-workflow` | Git branching, commits, PR workflows |

## Resources

- [OpenSSF Scorecard](https://securityscorecards.dev/)
- [Best Practices Badge](https://www.bestpractices.dev/)
- [SLSA Framework](https://slsa.dev/)
- [S2C2F](https://github.com/ossf/s2c2f)

---

> **Contributing:** Improvements to this skill should be submitted to the source repository:
> https://github.com/netresearch/enterprise-readiness-skill