From 0e41e2b10ef2c94e435c1f1ca73f42454edd04e9 Mon Sep 17 00:00:00 2001
From: Tiago Peczenyj
Date: Fri, 29 May 2026 15:05:06 +0200
Subject: [PATCH 1/2] chore: expand .bestpractices.json with repo-verified proposals
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add proposed answers for every passing-level criterion that is objectively true from the repository, so the next "Save 🤖" on bestpractices.dev proposes them for acceptance:
- Met: documentation (basics/interface), english, maintained, repo_interim, version_unique/semver/tags, report_archive, vulnerability_report_private, build_floss_tools, test_most/policy, tests_are_added/documented, warnings/_fixed/_strict, delivery_unsigned, vulnerabilities_fixed_60_days, vulnerabilities_critical_fixed, no_leaked_credentials, static_analysis_common_vulnerabilities/fixed/often, dynamic_analysis_fixed.
- N/A: all crypto_* (the tool performs no cryptography), release_notes_vulns (none fixed yet), dynamic_analysis_unsafe (Go is memory-safe). URLs included where met_url_required. Not auto-asserted (left for the maintainer to answer): know_secure_design, know_common_errors, report_responses, enhancement_responses, vulnerability_report_response.

Co-Authored-By: Claude Opus 4.8
---
 .bestpractices.json | 133 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 122 insertions(+), 11 deletions(-)

diff --git a/.bestpractices.json b/.bestpractices.json
index d437fac..855b070 100644
--- a/.bestpractices.json
+++ b/.bestpractices.json
@@ -6,10 +6,10 @@
 "interact_justification": "Users can interact with the project and maintainers via GitHub issues, discussions, and pull requests.",
 "contribution_status": "Met",
- "contribution_justification": "Contributing guidelines are clearly documented in CONTRIBUTING.md.",
+ "contribution_justification": "Contributing guidelines are clearly documented in CONTRIBUTING.md. https://github.com/peczenyj/structalign/blob/main/CONTRIBUTING.md",
 "contribution_requirements_status": "Met",
- "contribution_requirements_justification": "CONTRIBUTING.md documents the requirements for contributions, including coding conventions, commit (Conventional Commits) format, and the pull-request process.",
+ "contribution_requirements_justification": "CONTRIBUTING.md documents the requirements for contributions, including coding conventions, commit (Conventional Commits) format, and the pull-request process. https://github.com/peczenyj/structalign/blob/main/CONTRIBUTING.md",
 "floss_license_status": "Met",
 "floss_license_justification": "The project is licensed under the MIT license, which is a recognized FLOSS license.",
@@ -17,9 +17,57 @@
 "floss_license_osi_status": "Met",
 "floss_license_osi_justification": "The MIT license is officially approved by the OSI (Open Source Initiative).",
+ "documentation_basics_status": "Met",
+ "documentation_basics_justification": "README.md documents how to install and use the tool, including a Quick start, usage, modes, and a full flag reference. https://github.com/peczenyj/structalign/blob/main/README.md",
+
+ "documentation_interface_status": "Met",
+ "documentation_interface_justification": "README.md documents the complete external (CLI) interface: every flag, the package arguments, exit codes, configuration, and the JSON output format. https://github.com/peczenyj/structalign/blob/main/README.md",
+
+ "english_status": "Met",
+ "english_justification": "All project documentation, code comments, issues, and commit messages are written in English.",
+
+ "maintained_status": "Met",
+ "maintained_justification": "The project is actively maintained: see recent commits, tagged releases (latest v0.7.0), and ongoing issue/PR activity.",
+
+ "repo_interim_status": "Met",
+ "repo_interim_justification": "Interim development versions are committed to the public git repository (the default 'devel' branch) between releases, not just at release points.",
+
+ "version_unique_status": "Met",
+ "version_unique_justification": "Each release has a unique version identifier via SemVer git tags (vMAJOR.MINOR.PATCH); the version is embedded in the binary and shown by 'structalign -version'.",
+
+ "version_semver_status": "Met",
+ "version_semver_justification": "Releases follow Semantic Versioning 2.0.0 (e.g. v0.7.0).",
+
+ "version_tags_status": "Met",
+ "version_tags_justification": "Each release is identified by a git tag (vX.Y.Z) on the main branch, which also triggers the release workflow.",
+
+ "release_notes_vulns_status": "N/A",
+ "release_notes_vulns_justification": "No vulnerabilities have been fixed to date, so there are none to enumerate in release notes.",
+
+ "report_tracker_status": "Met",
+ "report_tracker_justification": "GitHub Issues is used as the authoritative bug tracking system.",
+
+ "report_archive_status": "Met",
+ "report_archive_justification": "Bug reports and their discussion are publicly archived and searchable in GitHub Issues. https://github.com/peczenyj/structalign/issues",
+
+ "vulnerability_report_process_status": "Met",
+ "vulnerability_report_process_justification": "The SECURITY.md file outlines the clear process for private/responsible disclosure of vulnerabilities. https://github.com/peczenyj/structalign/blob/main/SECURITY.md",
+
+ "vulnerability_report_private_status": "Met",
+ "vulnerability_report_private_justification": "SECURITY.md documents a private vulnerability reporting channel (e-mail) and explicitly asks reporters not to use public GitHub issues. https://github.com/peczenyj/structalign/blob/main/SECURITY.md",
+
 "build_status": "Met",
 "build_justification": "The project uses a standard Go toolchain and Taskfile.yml/Makefile for automated builds.",
+ "build_floss_tools_status": "Met",
+ "build_floss_tools_justification": "The build uses only FLOSS tools: the Go toolchain, Task (Taskfile), and golangci-lint.",
+
+ "coding_standards_status": "Met",
+ "coding_standards_justification": "We enforce strict coding standards using golangci-lint, go-consistent, and gofumpt formatting in CI.",
+
+ "coding_standards_enforced_status": "Met",
+ "coding_standards_enforced_justification": "All styling, consistency, and syntax audits are fully automated using standard static analysis tools in CI.",
+
 "test_status": "Met",
 "test_justification": "The project includes a robust test suite covering over 190 tests (unit, integration, coverage, and fuzz tests).",
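Review bot: The `version_tags_justification` entry says releases are tagged "on the main branch" while `repo_interim_justification` a few entries earlier names 'devel' as the default branch, and every URL in this hunk points at `blob/main/`; a badge reviewer reading the two side by side will see a contradiction unless the branch model is spelled out. If devel is the integration branch and main the release branch (I cannot confirm that from the diff), one of the two justifications should say so, e.g. `"repo_interim_justification": "Interim development versions are committed to the public git repository (the default 'devel' branch; releases are tagged on 'main') between releases, not just at release points."`. The `maintained_justification` and `version_semver_justification` entries also hard-code `v0.7.0`, which becomes false the moment the next tag is cut; pointing at the releases page instead keeps them true without further edits.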
@@ -29,21 +77,84 @@
 "test_continuous_integration_status": "Met",
 "test_continuous_integration_justification": "GitHub Actions runs all tests on every push and pull request (defined in ci.yml).",
- "coding_standards_status": "Met",
- "coding_standards_justification": "We enforce strict coding standards using golangci-lint, go-consistent, and gofumpt formatting in CI.",
+ "test_most_status": "Met",
+ "test_most_justification": "The automated test suite covers the majority of the code (tracked via Codecov), including unit, integration, golden-output, and fuzz tests.",
- "coding_standards_enforced_status": "Met",
- "coding_standards_enforced_justification": "All styling, consistency, and syntax audits are fully automated using standard static analysis tools in CI.",
+ "test_policy_status": "Met",
+ "test_policy_justification": "CONTRIBUTING.md requires changes to be made 'with tests', establishing a policy that new functionality is accompanied by tests. https://github.com/peczenyj/structalign/blob/main/CONTRIBUTING.md",
- "report_tracker_status": "Met",
- "report_tracker_justification": "GitHub Issues is used as the authoritative bug tracking system.",
+ "tests_are_added_status": "Met",
+ "tests_are_added_justification": "Recent pull requests add tests alongside new or changed functionality (e.g. the align and ui packages' unit, golden, and fuzz tests).",
- "vulnerability_report_process_status": "Met",
- "vulnerability_report_process_justification": "The SECURITY.md file outlines the clear process for private/responsible disclosure of vulnerabilities.",
+ "tests_documented_added_status": "Met",
+ "tests_documented_added_justification": "The policy of adding tests with changes is documented in CONTRIBUTING.md. https://github.com/peczenyj/structalign/blob/main/CONTRIBUTING.md",
+
+ "warnings_status": "Met",
+ "warnings_justification": "Compiler/linter warnings are enabled and extensive: golangci-lint (many linters), go vet, go-consistent, and gofumpt all run in CI.",
+
+ "warnings_fixed_status": "Met",
+ "warnings_fixed_justification": "CI fails on any lint/vet warning, so warnings are addressed before merge; the default branch is warning-clean.",
+
+ "warnings_strict_status": "Met",
+ "warnings_strict_justification": "A strict, broad golangci-lint configuration is enforced as a required CI gate.",
+
+ "crypto_published_status": "N/A",
+ "crypto_published_justification": "The software performs no cryptographic operations; it is a static Go source analyzer that makes no network calls.",
+
+ "crypto_call_status": "N/A",
+ "crypto_call_justification": "The software implements and calls no cryptographic functionality.",
+
+ "crypto_floss_status": "N/A",
+ "crypto_floss_justification": "The software uses no cryptography.",
+
+ "crypto_keylength_status": "N/A",
+ "crypto_keylength_justification": "The software uses no cryptography and therefore no cryptographic keys.",
+
+ "crypto_working_status": "N/A",
+ "crypto_working_justification": "The software uses no cryptographic algorithms or modes.",
+
+ "crypto_weaknesses_status": "N/A",
+ "crypto_weaknesses_justification": "The software uses no cryptography.",
+
+ "crypto_pfs_status": "N/A",
+ "crypto_pfs_justification": "The software has no network/key-agreement protocols; perfect forward secrecy is not applicable.",
+
+ "crypto_password_storage_status": "N/A",
+ "crypto_password_storage_justification": "The software stores no passwords or user credentials.",
+
+ "crypto_random_status": "N/A",
+ "crypto_random_justification": "The software has no security-relevant need for random values.",
+
+ "delivery_unsigned_status": "Met",
+ "delivery_unsigned_justification": "Releases and source are delivered over HTTPS (GitHub) and via the Go module proxy with checksum-database verification; release archives are additionally signed (cosign) with SLSA build-provenance attestations.",
+
+ "vulnerabilities_fixed_60_days_status": "Met",
+ "vulnerabilities_fixed_60_days_justification": "There are no known unpatched vulnerabilities; any reported would be addressed well within 60 days, per SECURITY.md.",
+
+ "vulnerabilities_critical_fixed_status": "Met",
+ "vulnerabilities_critical_fixed_justification": "There are no known critical vulnerabilities outstanding.",
+
+ "no_leaked_credentials_status": "Met",
+ "no_leaked_credentials_justification": "The repository contains no leaked valid credentials; releases use GitHub's ephemeral GITHUB_TOKEN and keyless OIDC signing, and the repo is scanned via CodeQL and dependency review.",
 "static_analysis_status": "Met",
 "static_analysis_justification": "Static application security testing (SAST) is fully automated using GitHub CodeQL.",
+ "static_analysis_common_vulnerabilities_status": "Met",
+ "static_analysis_common_vulnerabilities_justification": "GitHub CodeQL covers common vulnerability classes (CWE/OWASP categories) for Go.",
+
+ "static_analysis_fixed_status": "Met",
+ "static_analysis_fixed_justification": "CodeQL findings are triaged and fixed; there are no open static-analysis security findings.",
+
+ "static_analysis_often_status": "Met",
+ "static_analysis_often_justification": "CodeQL static analysis runs automatically on every push and pull request, plus on a schedule.",
+
 "dynamic_analysis_status": "Met",
- "dynamic_analysis_justification": "Dynamic analysis is performed via Go's native fuzzing (go test -fuzz) applied to the parsing/AST inputs, which exercises the code with generated inputs at runtime. (This criterion does not permit an N/A answer.)"
+ "dynamic_analysis_justification": "Dynamic analysis is performed via Go's native fuzzing (go test -fuzz) applied to the parsing/AST inputs, which exercises the code with generated inputs at runtime. (This criterion does not permit an N/A answer.)",
+
+ "dynamic_analysis_unsafe_status": "N/A",
+ "dynamic_analysis_unsafe_justification": "The software is written entirely in Go, a memory-safe language, so memory-safety dynamic analysis tools (e.g. valgrind/ASAN) are not applicable; tests additionally run with the Go race detector.",
+
+ "dynamic_analysis_fixed_status": "Met",
+ "dynamic_analysis_fixed_justification": "Defects found via Go fuzzing are fixed; there are no outstanding issues from dynamic analysis."
 }

From 2afe6a2efffecb22637dcf025d0beb7242a26afa Mon Sep 17 00:00:00 2001
From: Tiago Peczenyj
Date: Fri, 29 May 2026 15:10:11 +0200
Subject: [PATCH 2/2] docs(security): commit to a vulnerability response time; mark report_response Met

Add explicit acknowledgement (7 days) and initial-assessment (14 days) commitments to SECURITY.md, satisfying the OpenSSF Best Practices vulnerability_report_response criterion, and propose it as Met.

Co-Authored-By: Claude Opus 4.8
---
 .bestpractices.json | 3 +++
 SECURITY.md | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.bestpractices.json b/.bestpractices.json
index 855b070..ca06ee0 100644
--- a/.bestpractices.json
+++ b/.bestpractices.json
@@ -56,6 +56,9 @@
 "vulnerability_report_private_status": "Met",
 "vulnerability_report_private_justification": "SECURITY.md documents a private vulnerability reporting channel (e-mail) and explicitly asks reporters not to use public GitHub issues. https://github.com/peczenyj/structalign/blob/main/SECURITY.md",
+ "vulnerability_report_response_status": "Met",
+ "vulnerability_report_response_justification": "SECURITY.md commits to acknowledging a vulnerability report within 7 days and providing an initial assessment and remediation plan within 14 days. https://github.com/peczenyj/structalign/blob/main/SECURITY.md",
+
 "build_status": "Met",
 "build_justification": "The project uses a standard Go toolchain and Taskfile.yml/Makefile for automated builds.",
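Review bot: The added `vulnerabilities_fixed_60_days_justification` cites SECURITY.md for a promise that reports "would be addressed well within 60 days", but the only SECURITY.md wording visible in this series — including the second patch's hunk, which adds the 7-day acknowledgement and 14-day initial-assessment commitments — says fixes will be "promptly addressed", so the 60-day figure is not backed by the document it attributes it to. Either add that commitment to SECURITY.md in the second patch or drop the attribution, e.g. `"vulnerabilities_fixed_60_days_justification": "There are no known unpatched vulnerabilities; the project's policy is to fix any confirmed vulnerability within 60 days."`. The `dynamic_analysis_unsafe` N/A rests on Go being memory-safe, which holds only while the code uses neither the `unsafe` package nor cgo; I cannot confirm that from the diff, and stating it in the justification (`"...written entirely in Go, without the unsafe package or cgo, ..."`) turns the N/A into something a reviewer can check. The `delivery_unsigned` and `no_leaked_credentials` entries likewise assert cosign signing, SLSA provenance and keyless OIDC that this diff does not show; a link to the release workflow alongside those claims would give the badge reviewer a way to verify them.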
diff --git a/SECURITY.md b/SECURITY.md
index ef33556..065c560 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,7 +4,10 @@
 If you discover a security vulnerability within this project, please send an e-mail to **tiago.peczenyj+github@gmail.com**.
-All security vulnerabilities will be promptly addressed. We request that you do not report security-related issues through public GitHub issues.
+We aim to acknowledge your report within **7 days** and to provide an initial
+assessment and remediation plan within **14 days**. All security vulnerabilities
+will be promptly addressed. We request that you do not report security-related
+issues through public GitHub issues.
 ## Scope