Shapin

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 12470 is baseline-3 Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12470/baseline)](https://www.bestpractices.dev/projects/12470)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/12470"><img src="https://www.bestpractices.dev/projects/12470/baseline"></a>


These are the Baseline Level 2 criteria. These criteria are from baseline version v2025.10.10 with updated criteria text from version v2026.02.19. Criteria that are new in version v2026.02.19 are labeled "future" and will begin to be enforced starting 2026-06-01. Please provide answers to the "future" criteria before that date.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    Pin floating tags in CI workflow files to immutable SHAs, making your pipelines reproducible and immune to tag mutation attacks.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

 Controls 19/19

  • Controls


    Enough for a badge!

    When a CI/CD task is executed with no permissions specified, the CI/CD system MUST default the task's permissions to the lowest permissions granted in the pipeline. [OSPS-AC-04.01]
    Configure the project's settings to assign the lowest available permissions to new pipelines by default, granting additional permissions only when necessary for specific tasks.

    The CI/CD pipeline sets permissions: read-all at the top level of both ci.yml and release.yml, establishing a read-only default for all jobs. Individual jobs then explicitly declare only the minimum permissions they require (e.g. security-events: write for SARIF upload, contents: write for release creation, id-token: write for cosign signing). Any job without an explicit permissions block inherits the restrictive read-all default.


    Enough for a badge!

    When an official release is created, that release MUST be assigned a unique version identifier. [OSPS-BR-02.01]
    Assign a unique version identifier to each release produced by the project, following a consistent naming convention or numbering scheme. Examples include SemVer, CalVer, or git commit id.

    All releases are tagged with a unique semantic version identifier (e.g. v1.2.0) via Git tags. The release workflow is triggered exclusively on push: tags: "v*", ensuring every GitHub Release is tied to a unique, immutable version tag. The version is also embedded into the binary at build time via -X main.Version=${GITHUB_REF_NAME} ldflags.


    Enough for a badge!

    When an official release is created, that release MUST contain a descriptive log of functional and security modifications. [OSPS-BR-04.01]
    Ensure that all releases include a descriptive change log. It is recommended to ensure that the change log is human-readable and includes details beyond commit messages, such as descriptions of the security impact or relevance to different use cases. To ensure machine readability, place the content under a markdown header such as "## Changelog".

    Every release automatically generates a changelog via orhun/git-cliff-action using conventional commits, grouped by type (Features, Bug Fixes, Refactoring, CI, etc.) and published as the GitHub Release body. The changelog includes a full diff link to the previous version. This is configured in cliff.toml and executed as part of the release workflow on every tag push.


    Enough for a badge!

    When a build and release pipeline ingests dependencies, it MUST use standardized tooling where available. [OSPS-BR-05.01]
    Use a common tooling for your ecosystem, such as package managers or dependency management tools to ingest dependencies at build time. This may include using a dependency file, lock file, or manifest to specify the required dependencies, which are then pulled in by the build system.

    The build pipeline uses standard Go tooling (go build, go mod) to resolve and ingest dependencies declared in go.mod and go.sum. The Docker image is built via docker/build-push-action. All dependency versions are pinned — Go module checksums are verified by the Go toolchain via go.sum, and GitHub Actions dependencies are pinned to immutable commit SHAs. Dependabot is configured to keep both Go module and Actions dependencies up to date.


    Enough for a badge!

    When an official release is created, that release MUST be signed or accounted for in a signed manifest including each asset's cryptographic hashes. [OSPS-BR-06.01]
    Sign all released software assets at build time with a cryptographic signature or attestations, such as GPG or PGP signature, Sigstore signatures, SLSA provenance, or SLSA VSAs. Include the cryptographic hashes of each asset in a signed manifest or metadata file.

    Every release asset is signed using two complementary mechanisms:

    cosign sign-blob — each binary is signed with a Sigstore bundle (.bundle file) uploaded alongside the release assets, providing keyless signing via the Sigstore transparency log.
    actions/attest-build-provenance — SLSA provenance attestations are generated for all build artifacts, cryptographically linking each binary to its source commit and build environment.
    checksums.txt — a SHA-256 manifest of all release assets is included in every release, allowing users to verify integrity independently. The Docker image is additionally signed with cosign sign against its digest.


    Enough for a badge!

    When the project has made a release, the project documentation MUST include a description of how the project selects, obtains, and tracks its dependencies. [OSPS-DO-06.01]
    It is recommended to publish this information alongside the project's technical & design documentation on a publicly viewable resource such as the source code repository, project website, or other channel.

    Documented in the Dependencies section of README.md. Dependencies are selected for minimal footprint, declared and pinned in go.mod/go.sum, verified by the Go checksum database on every build, and tracked weekly by Dependabot with automated PRs for updates.


    Enough for a badge!

    (Future criterion) The project documentation MUST include instructions on how to build the software, including required libraries, frameworks, SDKs, and dependencies. [OSPS-DO-07.01]
    It is recommended to publish this information alongside the project's contributor documentation, such as in CONTRIBUTING.md or other developer task documentation. This may also be documented using Makefile targets or other automation scripts.

    The README.md includes a Build from source section documenting the only prerequisite (Go 1.24+) and the exact build command. The go.mod file specifies the minimum Go version. No additional libraries, frameworks, or SDKs beyond the standard Go toolchain are required.


    Enough for a badge!

    While active, the project documentation MUST include a list of project members with access to sensitive resources. [OSPS-GV-01.01]
    Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project. This may be as simple as including names or account handles in a list of maintainers, or more complex depending on the project's governance.

    The list of project members with access to sensitive resources is publicly visible on the GitHub repository at https://github.com/Kirskov/Shapin/graphs/contributors and via the repository's collaborators page. As a single-maintainer project, only the repository owner (Kirskov) has access to sensitive resources such as secrets, release publishing, and package registry credentials.


    Enough for a badge!

    While active, the project documentation MUST include descriptions of the roles and responsibilities for members of the project. [OSPS-GV-01.02]
    Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project.

    MAINTAINERS.md at the repository root lists all project members with their roles and responsibilities. It defines the Maintainer role (merge access, release publishing, sensitive resource access) and Contributor role (no privileged access), and identifies the current maintainer.


    Enough for a badge!

    While active, the project documentation MUST include a guide for code contributors that includes requirements for acceptable contributions. [OSPS-GV-03.02]
    Extend the CONTRIBUTING.md or CONTRIBUTING/ contents in the project documentation to outline the requirements for acceptable contributions, including coding standards, testing requirements, and submission guidelines for code contributors. It is recommended that this guide is the source of truth for both contributors and approvers.

    CONTRIBUTING.md documents requirements for acceptable contributions including: coding standards (gofmt, go vet, no new dependencies without discussion), testing requirements (all new code must have tests, bug fixes need regression tests, full suite must pass), security requirements (no hardcoded credentials, HTTPS-only HTTP calls), and PR submission guidelines (single concern per PR, all CI checks must pass before review).


    Enough for a badge!

    While active, the version control system MUST require all code contributors to assert that they are legally authorized to make the associated contributions on every commit. [OSPS-LE-01.01]
    Include a DCO in the project's repository, requiring code contributors to assert that they are legally authorized to commit the associated contributions on every commit. Use a status check to ensure the assertion is made. A CLA also satisfies this requirement. Some version control systems, such as GitHub, may include this in the platform terms of service.

    The DCO file is included in the repository root containing the Developer Certificate of Origin v1.1. The .github/workflows/dco.yml workflow runs on every PR and fails if any commit is missing a Signed-off-by trailer. Instructions for contributors are documented in CONTRIBUTING.md.


    Enough for a badge!

    When a commit is made to the primary branch, any automated status checks for commits MUST pass or be manually bypassed. [OSPS-QA-03.01]
    Configure the project's version control system to require that all automated status checks pass or require manual acknowledgement before a commit can be merged into the primary branch. It is recommended that any optional status checks are NOT configured as a pass or fail requirement that approvers may be tempted to bypass.

    Branch protection on main requires all CI status checks (test, codeql, gosec, grype, dco) to pass before a PR can be merged. Manual bypass is restricted by the "Do not allow bypassing the above settings" option, which applies to administrators as well.


    Enough for a badge!

    Prior to a commit being accepted, the project's CI/CD pipelines MUST run at least one automated test suite to ensure the changes meet expectations. [OSPS-QA-06.01]
    Automated tests should be run prior to every merge into the primary branch. The test suite should be run in a CI/CD pipeline and the results should be visible to all contributors. The test suite should be run in a consistent environment and should be run in a way that allows contributors to run the tests locally. Examples of test suites include unit tests, integration tests, and end-to-end tests.

    The ci.yml workflow runs go test ./... on every push to main and every pull request targeting main. The test suite covers unit and integration tests across all providers and the scanner package. Results are publicly visible in the GitHub Actions tab. Contributors can run the same suite locally with go test ./... — no special environment or secrets required, as all tests use fake HTTP servers via net/http/httptest.


    Enough for a badge!

    When the project has made a release, the project documentation MUST include design documentation demonstrating all actions and actors within the system. [OSPS-SA-01.01]
    Include designs in the project documentation that explains the actions and actors. Actors include any subsystem or entity that can influence another segment in the system. Ensure this is updated for new features or breaking changes.

    ARCHITECTURE.md documents all actors (User, CLI, Scanner, Providers, Docker Resolver, external APIs), their responsibilities, and the complete data flow from invocation to file rewriting. It includes the provider interface contract, the concurrency model, and a table of all external API interactions. It is linked from the README and will be updated for new providers or breaking changes.


    Enough for a badge!

    When the project has made a release, the project documentation MUST include descriptions of all external software interfaces of the released software assets. [OSPS-SA-02.01]
    Document all software interfaces (APIs) of the released software assets, explaining how users can interact with the software and what data is expected or produced. Ensure this is updated for new features or breaking changes.

    All external software interfaces are documented in ARCHITECTURE.md under "External software interfaces": the CLI (all flags, inputs, outputs, exit codes), the .shapin.json config file schema, the JSON output schema, and the SARIF 2.1.0 output format. The README cross-references these with full usage examples. This documentation is updated alongside any new flags or breaking changes.


    Enough for a badge!

    When the project has made a release, the project MUST perform a security assessment to understand the most likely and impactful potential security problems that could occur within the software. [OSPS-SA-03.01]
    Performing a security assessment informs both project members as well as downstream consumers that the project understands what problems could arise within the software. Understanding what threats could be realized helps the project manage and address risk. This information is useful to downstream consumers to demonstrate the security acumen and practices of the project. Ensure this is updated for new features or breaking changes.

    SECURITY.md includes a full security assessment covering scope, trust boundaries, and six identified threats (compromised upstream API, directory traversal, token leakage, regex DoS, malicious config file, supply chain compromise of Shapin itself) with impact ratings, mitigations, and residual risk for each. Out-of-scope items are also documented.


    Enough for a badge!

    While active, the project documentation MUST include a policy for coordinated vulnerability disclosure (CVD), with a clear timeframe for response. [OSPS-VM-01.01]
    Create a SECURITY.md file at the root of the directory, outlining the project's policy for coordinated vulnerability disclosure. Include a method for reporting vulnerabilities. Set expectations for how the project will respond and address reported issues.

    SECURITY.md at the repository root defines the coordinated vulnerability disclosure policy: reporters must use private email (not public issues), must include description, reproduction steps, and impact. The project commits to a 7-day response SLA, a fix as soon as possible upon confirmation, and credit in release notes. GitHub also surfaces this file automatically via the "Report a vulnerability" button on the Security tab.


    Enough for a badge!

    While active, the project documentation MUST provide a means for private vulnerability reporting directly to the security contacts within the project. [OSPS-VM-03.01]
    Provide a means for security researchers to report vulnerabilities privately to the project. This may be a dedicated email address, a web form, VCS specialized tools, email addresses for security contacts, or other methods.

    SECURITY.md provides two private reporting channels: GitHub's native private vulnerability reporting (via the Security tab → "Report a vulnerability") and a dedicated private email address. Both are documented at the repository root where GitHub surfaces them automatically to security researchers.


    Enough for a badge!

    While active, the project documentation MUST publicly publish data about discovered vulnerabilities. [OSPS-VM-04.01]
    Provide information about known vulnerabilities in a predictable public channel, such as a CVE entry, blog post, or other medium. To the degree possible, this information should include affected version(s), how a consumer can determine if they are vulnerable, and instructions for mitigation or remediation.

    Vulnerability disclosures are published as GitHub Security Advisories at the repository's Security Advisories page, including affected versions, vulnerability description, and upgrade instructions. Fix releases reference the advisory in the changelog. This is documented in SECURITY.md.



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Antoine GRICOURT and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Antoine GRICOURT.
Entry created on 2026-04-12 08:01:17 UTC, last updated on 2026-04-12 09:20:06 UTC.