Skip to content

chore(security): land OSS-CLI stack + wire OpenSSF Best Practices project (RAN-52)#94

Closed
aksOps wants to merge 1 commit into
mainfrom
chore/ran-52-best-practices-passing
Closed

chore(security): land OSS-CLI stack + wire OpenSSF Best Practices project (RAN-52)#94
aksOps wants to merge 1 commit into
mainfrom
chore/ran-52-best-practices-passing

Conversation

@aksOps
Copy link
Copy Markdown
Contributor

@aksOps aksOps commented Apr 26, 2026

Summary

Closes most of RAN-52 — the leftover-criteria + observability pass on top of RAN-46. Two acceptance items remain board-owned and are flagged at the bottom.

  • .github/workflows/security.yml (new) — consolidated (B) OSS-CLI security stack: Semgrep (SAST), OSV-Scanner (deps; second-source CVE feed cross-checking the existing OWASP Dependency-Check from ci-java.yml), Trivy (filesystem CVEs + IaC misconfig), Gitleaks (secret scan, run via the upstream Docker image to avoid the org GITLEAKS_LICENSE requirement), jscpd (copy-paste detection), and anchore/sbom-action (SPDX SBOM). Triggers: push to main, PR, weekly cron (Mon 06:00 UTC, same window as scorecard.yml), workflow_dispatch. Every job hardens egress with step-security/harden-runner and uploads SARIF to GitHub code scanning where supported plus raw reports as workflow artifacts. All actions SHA-pinned (Scorecard Pinned-Dependencies).
  • .bestpractices.json — registration unblocked between RAN-46 and RAN-52, so project_id is now wired to 12650 and the registration-blocker note is cleared.
  • README.md — replace the placeholder "pending registration" Best Practices badge with the live bestpractices.dev/projects/12650/badge (verified live via HTTP 200).
  • CLAUDE.md — new "Supply-chain observability (OpenSSF)" section documenting the Best Practices project, the Scorecard baseline + target (≥ 8.0/10 stretch), known floor reductions (Webhooks N/A, Signed-Releases partial), and the OSS-CLI stack pointer. Satisfies AC Remove Thymeleaf UI — consolidate to React SPA #7.
  • shared/runbooks/engineering-standards.md — §1 paragraph rewritten so the OSV row is no longer "planned, RAN-42" (it has landed inside security.yml); §5 gets a row pointing at security.yml and the new CLAUDE.md section.

Subsumes the previously planned standalone RAN-42 osv-scanner.yml. The OSS-CLI stack is observability-only at the bootstrap window — promotion to gate-blocking happens once a clean baseline exists.

RAN-52 acceptance status

AC Status Where
1. bestpractices.dev page = passing ⚠️ board-owned needs admin-UI flip from in_progress; repo-side criteria all evidenced via .bestpractices.json
2. Close every unmet Best Practices criterion ⚠️ board-owned same — admin-UI walkthrough on bestpractices.dev/projects/12650
3. .github/workflows/scorecard.yml lands ✅ already shipped (PR #74); verified push+cron+dispatch + SARIF + SHA-pinning
4. .github/workflows/security.yml mirroring (B) OSS-CLI stack ✅ this PR
5. SECURITY.md + signed-commit branch protection on main SECURITY.md already in repo; ⚠️ branch-protection toggle is GitHub-settings — board needs to verify the rule is enforced
6. OpenSSF Best Practices badge at top of README.md ✅ this PR (placeholder → live)
7. .bestpractices.json at repo root ✅ this PR (project_id wired)
8. Scorecard baseline + target documented in CLAUDE.md ✅ this PR

Auth-blocked items for the board

  • bestpractices.dev admin UI flip — the project page (https://www.bestpractices.dev/en/projects/12650) needs the badge level walked from in_progress to passing once the maintainer reviews the answers there. Repo-side evidence is in place.
  • Signed-commit branch protection on main — engineering-standards §1 says the rule is enforced; needs a one-time gh api repos/RandomCodeSpace/codeiq/branches/main/protection confirmation that required_signatures.enabled = true. If anything is missing, please add it.

Test plan

  • CI green on chore/ran-52-best-practices-passing (existing ci-java.yml + the new security.yml)
  • security.yml weekly cron fires Mondays 06:00 UTC
  • All security.yml jobs upload either SARIF (Semgrep / OSV / Trivy) or artifacts (Gitleaks / jscpd / SBOM)
  • README OpenSSF Best Practices badge renders (bestpractices.dev/projects/12650/badge → HTTP 200, verified)
  • No regression on ci-java.yml, scorecard.yml, beta-java.yml, release-java.ymlactionlint clean on all five workflows

🤖 Generated with Claude Code

@aksOps @claude @Paperclip-Paperclip
chore(security): land OSS-CLI stack + wire OpenSSF Best Practices pro…
50e28f4 
…ject (RAN-52)

- Add `.github/workflows/security.yml`: Semgrep, OSV-Scanner, Trivy fs,
  Gitleaks (Docker image, no license dep), jscpd, anchore/sbom-action.
  All actions SHA-pinned; SARIF → code scanning where supported, raw
  reports → workflow artifacts. Triggers: push/PR/weekly cron/dispatch.
  Subsumes the previously planned `osv-scanner.yml` (RAN-42).
- Wire `.bestpractices.json` to project_id 12650 (registration unblocked
  between RAN-46 and RAN-52).
- Replace the placeholder OpenSSF Best Practices README badge with the
  live `bestpractices.dev/projects/12650/badge`.
- Document Scorecard baseline + target and the OSS-CLI stack in
  `CLAUDE.md` (new "Supply-chain observability (OpenSSF)" section).
- Update `engineering-standards.md` §1 to reflect that OSV-Scanner has
  landed inside `security.yml`, and add a §5 row pointing at it.

Auth-blocked items deferred to the board (called out in the PR body):
final flip of the bestpractices.dev page from `in_progress` → `passing`
and verification that signed-commit branch protection is enforced on
`main`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Paperclip <noreply@paperclip.ing>
@aksOps
Copy link
Copy Markdown
Contributor Author

aksOps commented Apr 26, 2026

Closing as superseded.

While this PR was in flight, #91 (chore(security): revert to OSS-CLI stack (RAN-46 path B board ruling)) and #92 (docs(badge): wire OpenSSF Best Practices project_id 12650 (RAN-46 AC #8)) landed on `main` and shipped the bulk of RAN-52 AC #4#7:

  • `.github/workflows/security.yml` — six-job OSS-CLI stack with `Block merge` gating per the board's RAN-46 path-B ruling
  • `.bestpractices.json` — `project_id: 12650` wired with registration evidence
  • README — live Best Practices badge + Security workflow badge
  • `shared/runbooks/engineering-standards.md` — full `§1 Quality gates` rewrite around the OSS-CLI stack + explicit "do not re-introduce Sonar / CodeQL / OWASP Dependency-Check" guard

This PR's design conflicts with that ruling on three points:

  1. Observability-only (`continue-on-error: true`) vs the board's gate-blocking stance.
  2. Different tool mechanics (Gitleaks via Docker image; Semgrep via `p/default`; OSV-Scanner over the full tree) vs the path-B implementations on main.
  3. CLAUDE.md / engineering-standards prose still referencing CodeQL + OWASP DC + SonarCloud as live tools.

The only piece without overlap is the CLAUDE.md `Supply-chain observability (OpenSSF)` section (RAN-52 AC #7 — main's CLAUDE.md has zero OpenSSF mentions). I'll re-open that piece as a much smaller PR rebased on the post-#91 / #92 main, with prose aligned to the path-B ruling.

No code from this PR is being merged.

@aksOps aksOps closed this Apr 26, 2026
@aksOps aksOps mentioned this pull request Apr 26, 2026
Merged
2 tasks
@aksOps aksOps deleted the chore/ran-52-best-practices-passing branch April 26, 2026 05:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aksOps