/best-practices-badge

🏆Core Infrastructure Initiative Best Practices Badge

Primary LanguageRubyMIT LicenseMIT

Core Infrastructure Initiative Best Practices Badge

CII Best Practices CircleCI Build Status codecov License

This project identifies best practices for Free/Libre and Open Source Software (FLOSS) and implements a badging system for those best practices. The "BadgeApp" badging system is a simple web application that lets projects self-certify that they meet the criteria and show a badge. The real goal of this project is to encourage projects to apply best practices, and to help users determine which FLOSS projects do so. We believe that FLOSS projects that implement best practices are more likely to produce better software, including more secure software.

See the Core Infrastructure Initiative (CII) Best Practices badge website if you want to try to actually get a badge.

This is the development site for the criteria and badge application software that runs the website. Feedback is very welcome via the GitHub site as issues or pull (merge) requests. There is also a mailing list for general discussion. This project was originally developed under the CII, but it is now part of the Open Source Security Foundation (OpenSSF) Best Practices Working Group (WG).

Interesting pages include:

Summary of Best Practices Criteria "passing" level

This is a summary of the passing criteria, with requirements in bold:

Summary of Best Practices Criteria for higher levels

Getting a passing badge is a significant achievement; on average only about 10% of pursuing projects have a passing badge. That said, some projects would like to meet even stronger criteria, and many users would like projects to do so. We have established two higher levels beyond passing: silver and gold. The higher levels strengthen some of the passing criteria and add new criteria of their own.

Silver

Here is a summary of the silver criteria, with requirements in bold (for details, see the full list of silver criteria):

Gold

Here is a summary of the gold criteria, with requirements in bold (for details, see the full list of gold criteria):

License

All material here is released under the MIT license. All material that is not executable, including all text when not executed, is also released under the Creative Commons Attribution 3.0 International (CC BY 3.0) license or later. In SPDX terms, everything here is licensed under MIT; if it's not executable, including the text when extracted from code, it's "(MIT OR CC-BY-3.0+)".

Like almost all software today, this software depends on many other components with their own licenses. Not all components we depend on are MIT-licensed, but all required components are FLOSS. We prevent licensing issues using various processes (see CONTRIBUTING).