Issue
OpenSSF Scorecard identified no effort to earn an OpenSSF Best Practices badge, scoring 0/10.
Risk Level
Low - The badge itself doesn't directly improve security, but achieving it ensures adherence to industry best practices.
Current State
- No OpenSSF Best Practices badge application
- Project may already meet many criteria but lacks formal recognition
- Missing community signal of security commitment
Recommendation
Apply for and earn the OpenSSF Best Practices badge (formerly CII Best Practices).
What is the Badge?
The OpenSSF Best Practices badge demonstrates that the project follows security and quality best practices:
- Passing level: Basic open-source best practices
- Silver level: More rigorous requirements
- Gold level: Exemplary practices
Badge Criteria Categories:
- Basics - Documentation, licensing, version control
- Change Control - Public version control, unique version numbers
- Reporting - Bug reporting process, vulnerability disclosure
- Quality - Testing, code review, static analysis
- Security - Vulnerability response, secure development practices
- Analysis - SAST tools, dynamic analysis
Why Apply?
- Visibility: Shows commitment to security and quality
- Improvement: Identifies gaps in current practices
- Trust: Helps users/contributors assess project maturity
- Alignment: Many criteria likely already met by tar-diff
Steps to Implement
- Review badge criteria at https://bestpractices.coreinfrastructure.org/
- Create a project application
- Complete self-assessment questionnaire
- Address any gaps identified during assessment
- Submit for badge approval
- Add badge to README.md once earned
Likely Status
Based on OpenSSF Scorecard results, tar-diff likely already meets many criteria:
- ✅ Has public version control (GitHub)
- ✅ Has a license (Apache 2.0)
- ✅ Has CI/CD with tests
- ✅ Uses SAST tools (CodeQL)
- ✅ Has vulnerability scanning (govulncheck)
- ✅ Has security policy (SECURITY.md)
- ✅ Has automated releases
Missing areas to address:
Timeline
- Initial application: ~1-2 hours
- Addressing gaps: Varies (some already tracked in other issues)
- Badge approval: Typically fast once criteria met
References
Related
Part of OpenSSF Scorecard evaluation THEEDGE-4717 (overall score: 6.8/10)
Issue
OpenSSF Scorecard identified no effort to earn an OpenSSF Best Practices badge, scoring 0/10.
Risk Level
Low - The badge itself doesn't directly improve security, but achieving it ensures adherence to industry best practices.
Current State
Recommendation
Apply for and earn the OpenSSF Best Practices badge (formerly CII Best Practices).
What is the Badge?
The OpenSSF Best Practices badge demonstrates that the project follows security and quality best practices:
Badge Criteria Categories:
Why Apply?
Steps to Implement
Likely Status
Based on OpenSSF Scorecard results, tar-diff likely already meets many criteria:
Missing areas to address:
Timeline
References
Related
Part of OpenSSF Scorecard evaluation THEEDGE-4717 (overall score: 6.8/10)