BadgeApp

Basics

General

What is the human-readable name of the project?
Note that other projects may use the same name.
What is a brief description of the project?
MkDocs plugin that keeps ](../path) links clickable in your IDE and on GitHub while rewriting them to forge blob/tree URLs in built HTML only.

Problem: Docs in docs/ often link to repo files via relative paths (../src/...). Those paths work in source viewers and editors, but break in a published MkDocs site. This plugin fixes published links without changing your markdown.
- Docs: https://filipchristiansen.github.io/mkdocs-source-links
- PyPI: https://pypi.org/project/mkdocs-source-links
What is the URL for the project (as a whole)?
https://filipchristiansen.github.io/mkdocs-source-links

What is the URL for the version control repository (it may be the same as the project URL)?
https://github.com/filipchristiansen/mkdocs-source-links

What license(s) is the project released under?
Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.

What programming language(s) are used to implement the project?
If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".

What is the Common Platform Enumeration (CPE) name for the project (if it has one)?
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

Other general comments about the project:

Controls 19/19 ●

Controls
Criterion [OSPS-AC-04.01]
Met

Unmet

N/A

?

When a CI/CD task is executed with no permissions specified, the CI/CD system MUST default the task's permissions to the lowest permissions granted in the pipeline. ^{[OSPS-AC-04.01]}
Configure the project's settings to assign the lowest available permissions to new pipelines by default, granting additional permissions only when necessary for specific tasks.
Justification: The repository’s default GitHub Actions workflow permission is set to read-only (default_workflow_permissions: read). Every workflow also declares explicit least-privilege permissions at workflow or job scope (e.g. contents: read for CI/docs; id-token: write only for PyPI OIDC and Pages deploy; contents: write only for release asset upload). Additional scopes are granted only where a specific job requires them.
URLs:
- GitHub Actions workflow permissions (repo default: Read): https://github.com/filipchristiansen/mkdocs-source-links/settings/actions
- CI workflow (workflow-level permissions: contents: read): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/ci.yml
- Publish workflow (least-privilege defaults; elevated only where needed): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/publish.yml
- SECURITY.md (CI/CD hardening): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md
Criterion [OSPS-BR-02.01]
Met

Unmet

N/A

?

When an official release is created, that release MUST be assigned a unique version identifier. ^{[OSPS-BR-02.01]}
Assign a unique version identifier to each release produced by the project, following a consistent naming convention or numbering scheme. Examples include SemVer, CalVer, or git commit id.
Justification: Each official release uses a unique SemVer identifier (e.g. 0.4.0) declared in pyproject.toml, published to PyPI, and tagged in git as v0.4.0. GitHub Releases and PyPI both map one version to one immutable release artifact set. [version_unique]
URLs:
- GitHub Releases: https://github.com/filipchristiansen/mkdocs-source-links/releases
- Version declaration (SemVer in pyproject.toml): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/pyproject.toml
- PyPI releases: https://pypi.org/project/mkdocs-source-links/#history
- Release tagging workflow (signed v* tags): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md#releases
Criterion [OSPS-BR-04.01]
Met

Unmet

N/A

?

When an official release is created, that release MUST contain a descriptive log of functional and security modifications. ^{[OSPS-BR-04.01]}
Ensure that all releases include a descriptive change log. It is recommended to ensure that the change log is human-readable and includes details beyond commit messages, such as descriptions of the security impact or relevance to different use cases. To ensure machine readability, place the content under a markdown header such as "## Changelog".
Justification: Every release has hand-written, human-readable notes in CHANGELOG.md (Keep a Changelog format), grouped by Added/Changed/Fixed/Security where relevant. GitHub Release bodies are sourced from the matching version section (not raw git logs). Security- and supply-chain-relevant changes (e.g. SLSA provenance, signed-tag verification) are called out explicitly. [release_notes]
URLs:
- CHANGELOG.md (Keep a Changelog format): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CHANGELOG.md
- Published changelog (docs site): https://filipchristiansen.github.io/mkdocs-source-links/changelog/
- Example GitHub Release mirroring changelog: https://github.com/filipchristiansen/mkdocs-source-links/releases/tag/v0.4.0
Criterion [OSPS-BR-05.01]
Met

Unmet

N/A

?

When a build and release pipeline ingests dependencies, it MUST use standardized tooling where available. ^{[OSPS-BR-05.01]}
Use a common tooling for your ecosystem, such as package managers or dependency management tools to ingest dependencies at build time. This may include using a dependency file, lock file, or manifest to specify the required dependencies, which are then pulled in by the build system.
Justification: Dependencies are managed with ecosystem-standard tooling: runtime deps in [project] and dev/docs groups in pyproject.toml, resolved and pinned in uv.lock. CI and publish pipelines install from the lockfile with uv sync --frozen, ensuring reproducible builds. Dependabot keeps the lockfile and GitHub Actions up to date.
URLs:
- Dependency manifest (pyproject.toml): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/pyproject.toml
- Lockfile (uv.lock): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/uv.lock
- CI ingest (uv sync --group dev --frozen): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/ci.yml
- Publish build (uv build): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/publish.yml
- Dependabot (uv + GitHub Actions): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/dependabot.yml
Criterion [OSPS-BR-06.01]
Met

Unmet

N/A

?

When an official release is created, that release MUST be signed or accounted for in a signed manifest including each asset's cryptographic hashes. ^{[OSPS-BR-06.01]}
Sign all released software assets at build time with a cryptographic signature or attestations, such as GPG or PGP signature, Sigstore signatures, SLSA provenance, or SLSA VSAs. Include the cryptographic hashes of each asset in a signed manifest or metadata file.
Justification: Official releases are attested with SLSA Level 3 provenance (mkdocs-source-links.intoto.jsonl) generated by the SLSA GitHub generator. Build artifacts (.whl, .tar.gz) include SHA-256 digests in the provenance subjects; a post-release job verifies provenance with slsa-verifier. Release tags must be maintainer-signed and GitHub-verified before PyPI upload. PyPI publishing uses OIDC trusted publishing (no long-lived tokens).
URLs:
- Publish workflow (SLSA provenance + SHA-256 hashes): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/publish.yml
- Example release with .intoto.jsonl provenance and distribution assets: https://github.com/filipchristiansen/mkdocs-source-links/releases/tag/v0.4.0
- Signed-tag verification before publish: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/scripts/verify-release-tag.sh
- Post-release slsa-verifier job: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/publish.yml
Criterion [OSPS-DO-06.01]
Met

Unmet

N/A

?

When the project has made a release, the project documentation MUST include a description of how the project selects, obtains, and tracks its dependencies. ^{[OSPS-DO-06.01]}
It is recommended to publish this information alongside the project's technical & design documentation on a publicly viewable resource such as the source code repository, project website, or other channel.
Justification: CONTRIBUTING.md documents how dependencies are selected (minimal runtime deps, permissive licenses), obtained (uv sync / uv sync --frozen from uv.lock), and tracked (runtime in [project], dev/docs in [dependency-groups], weekly Dependabot lockfile-only updates for uv and GitHub Actions).
URLs:
- Dependencies section (CONTRIBUTING.md): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md#dependencies
- Dependency manifest (pyproject.toml): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/pyproject.toml
- Lockfile (uv.lock): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/uv.lock
- Dependabot config: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/dependabot.yml
Criterion [OSPS-DO-07.01]
Met

Unmet

N/A

?

The project documentation MUST include instructions on how to build the software, including required libraries, frameworks, SDKs, and dependencies. ^{[OSPS-DO-07.01]}
It is recommended to publish this information alongside the project's contributor documentation, such as in CONTRIBUTING.md or other developer task documentation. This may also be documented using Makefile targets or other automation scripts.
Justification: CONTRIBUTING.md documents required tooling (uv, pre-commit, ShellCheck), setup (make install), and how to build/test locally (make ci, make lint, make test, make docs). The Makefile automates install, sync, lint, test, and strict docs build. Required Python version and dependencies are declared in pyproject.toml.
URLs:
- Build/dev instructions (CONTRIBUTING.md): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md#development-setup
- Makefile targets (install, lint, test, docs, ci): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/Makefile
- Python/runtime requirement (>=3.10): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/pyproject.toml
- Docs build in CI: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/docs.yml
Criterion [OSPS-GV-01.01]
Met

Unmet

N/A

?

While active, the project documentation MUST include a list of project members with access to sensitive resources. ^{[OSPS-GV-01.01]}
Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project. This may be as simple as including names or account handles in a list of maintainers, or more complex depending on the project's governance.
Justification: MAINTAINERS.md lists project members with access to sensitive resources (repository admin, pypi GitHub Environment for OIDC PyPI publish, release signing key). Currently a single maintainer; the table names the GitHub handle and each sensitive access granted.
URLs:
- MAINTAINERS.md (sensitive-resource access list): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/MAINTAINERS.md#members-with-access-to-sensitive-resources
- SECURITY.md (security contacts): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md#security-contacts
- PyPI trusted publishing environment: https://github.com/filipchristiansen/mkdocs-source-links/settings/environments
Criterion [OSPS-GV-01.02]
Met

Unmet

N/A

?

While active, the project documentation MUST include descriptions of the roles and responsibilities for members of the project. ^{[OSPS-GV-01.02]}
Document project participants and their roles through such artifacts as members.md, governance.md, maintainers.md, or similar file within the source code repository of the project.
Justification: MAINTAINERS.md defines Maintainer, Contributor, and Security contact roles with responsibilities (PR merge authority, release cutting, issue triage, vulnerability response, Dependabot review). CONTRIBUTING.md and SECURITY.md cross-reference these roles for day-to-day and security workflows.
URLs:
- MAINTAINERS.md (roles and responsibilities): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/MAINTAINERS.md#roles-and-responsibilities
- CONTRIBUTING.md (contributor workflow): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md
- SECURITY.md (security contact duties): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md
Criterion [OSPS-GV-03.02]
Met

Unmet

N/A

?

While active, the project documentation MUST include a guide for code contributors that includes requirements for acceptable contributions. ^{[OSPS-GV-03.02]}
Extend the CONTRIBUTING.md or CONTRIBUTING/ contents in the project documentation to outline the requirements for acceptable contributions, including coding standards, testing requirements, and submission guidelines for code contributors. It is recommended that this guide is the source of truth for both contributors and approvers.
Justification: CONTRIBUTING.md is the source of truth for acceptable contributions: branch naming, conventional PR titles, 100% test coverage, make ci before PR, ruff/mypy/pylint/pydoclint via pre-commit, and static analysis in CI. The PR template reinforces the checklist. [contribution_requirements]
URLs:
- CONTRIBUTING.md (workflow, coding standards, testing): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md
- Coding standards section: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md#coding-standards
- Makefile / local CI parity: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/Makefile
- Pre-commit config (enforced hooks): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.pre-commit-config.yaml
- PR template (checklist): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/pull_request_template.md
- Published contributing docs: https://filipchristiansen.github.io/mkdocs-source-links/contributing/
Criterion [OSPS-LE-01.01]
Met

Unmet

N/A

?

While active, the version control system MUST require all code contributors to assert that they are legally authorized to make the associated contributions on every commit. ^{[OSPS-LE-01.01]}
Include a DCO in the project's repository, requiring code contributors to assert that they are legally authorized to commit the associated contributions on every commit. Use a status check to ensure the assertion is made. A CLA also satisfies this requirement. Some version control systems, such as GitHub, may include this in the platform terms of service.
Justification: Contributions are made via GitHub pull requests; GitHub’s Terms of Service grant the project a license to inbound contributions (satisfying legal-authorization requirements per OpenSSF guidance for GitHub-hosted projects). Additionally, main requires signed commits (required_signatures: enabled), and release tags must be signed and GitHub-verified before publish.
URLs:
- GitHub Terms of Service (inbound contribution license, §D): https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
- Branch protection (required signed commits on main): https://github.com/filipchristiansen/mkdocs-source-links/settings/branch_protection_rules
- CONTRIBUTING.md (signed commits/tags): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/CONTRIBUTING.md#signed-tags-and-commits
Criterion [OSPS-QA-03.01]
Met

Unmet

N/A

?

When a commit is made to the primary branch, any automated status checks for commits MUST pass or be manually bypassed. ^{[OSPS-QA-03.01]}
Configure the project's version control system to require that all automated status checks pass or require manual acknowledgement before a commit can be merged into the primary branch. It is recommended that any optional status checks are NOT configured as a pass or fail requirement that approvers may be tempted to bypass.
Justification: main requires passing status checks before merge (lint, build, and all test matrix jobs across Python 3.10–3.13 plus Windows/macOS smoke jobs). Branch protection also requires at least one approving review, signed commits, linear history, and resolved conversations. Checks must pass or be explicitly bypassed by an admin. [test_continuous_integration]
URLs:
- Branch protection rules (required status checks): https://github.com/filipchristiansen/mkdocs-source-links/settings/branch_protection_rules
- CI workflow: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/ci.yml
- Docs workflow (required “build” check): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/docs.yml
- CI run history: https://github.com/filipchristiansen/mkdocs-source-links/actions/workflows/ci.yml
Criterion [OSPS-QA-06.01]
Met

Unmet

N/A

?

Prior to a commit being accepted, the project's CI/CD pipelines MUST run at least one automated test suite to ensure the changes meet expectations. ^{[OSPS-QA-06.01]}
Automated tests should be run prior to every merge into the primary branch. The test suite should be run in a CI/CD pipeline and the results should be visible to all contributors. The test suite should be run in a consistent environment and should be run in a way that allows contributors to run the tests locally. Examples of test suites include unit tests, integration tests, and end-to-end tests.
Justification: An automated pytest suite (unit + integration) runs in CI on every pull request and push to main, across Python 3.10–3.13 and OS smoke jobs. Contributors can run the same suite locally via make test or make ci with identical tooling (uv + lockfile). Results are visible on GitHub Actions. [test_continuous_integration]
URLs:
- CI workflow (pytest on every PR/push to main): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/ci.yml
- Local test target (make test / make ci): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/Makefile
- Test suite: https://github.com/filipchristiansen/mkdocs-source-links/tree/main/tests
- CI run history: https://github.com/filipchristiansen/mkdocs-source-links/actions/workflows/ci.yml
Criterion [OSPS-SA-01.01]
Met

Unmet

N/A

?

When the project has made a release, the project documentation MUST include design documentation demonstrating all actions and actors within the system. ^{[OSPS-SA-01.01]}
Include designs in the project documentation that explains the actions and actors. Actors include any subsystem or entity that can influence another segment in the system. Ensure this is updated for new features or breaking changes.
Justification: Published documentation describes the system’s actors (MkDocs build, plugin, local git repo/filesystem, git forges) and actions (detect ../ links, resolve branch/forge, rewrite to blob/tree URLs, preserve fragments). Configuration and limitations document resolution order, forge autodetection, and behavioral boundaries—sufficient design documentation for this build-time MkDocs plugin.
URLs:
- Usage (actors, inputs/outputs, link rewrite behavior): https://filipchristiansen.github.io/mkdocs-source-links/usage/
- Configuration (branch resolution, plugin options): https://filipchristiansen.github.io/mkdocs-source-links/configuration/
- Forges (external forge interfaces): https://filipchristiansen.github.io/mkdocs-source-links/forges/
- Limitations (edge cases and system boundaries): https://filipchristiansen.github.io/mkdocs-source-links/limitations/
Criterion [OSPS-SA-02.01]
Met

Unmet

N/A

?

When the project has made a release, the project documentation MUST include descriptions of all external software interfaces of the released software assets. ^{[OSPS-SA-02.01]}
Document all software interfaces (APIs) of the released software assets, explaining how users can interact with the software and what data is expected or produced. Ensure this is updated for new features or breaking changes.
Justification: External interfaces are documented: MkDocs plugin entry point (source-links), configuration schema and options, usage examples, and mkdocstrings API reference for public plugin methods. Users can see expected inputs (repo_url, plugin options, markdown link syntax) and outputs (rewritten forge URLs in built HTML). [documentation_interface]
URLs:
- API reference (plugin public interface): https://filipchristiansen.github.io/mkdocs-source-links/api/
- Configuration options: https://filipchristiansen.github.io/mkdocs-source-links/configuration/
- Usage / mkdocs.yml integration: https://filipchristiansen.github.io/mkdocs-source-links/usage/
- Entry point declaration: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/pyproject.toml
Criterion [OSPS-SA-03.01]
Met

Unmet

N/A

?

When the project has made a release, the project MUST perform a security assessment to understand the most likely and impactful potential security problems that could occur within the software. ^{[OSPS-SA-03.01]}
Performing a security assessment informs both project members as well as downstream consumers that the project understands what problems could arise within the software. Understanding what threats could be realized helps the project manage and address risk. This information is useful to downstream consumers to demonstrate the security acumen and practices of the project. Ensure this is updated for new features or breaking changes.
Justification: SECURITY.md includes a security assessment of the build-time MkDocs plugin: scope and trust boundaries (authors, MkDocs, plugin, forges), likely threats (path handling, URL generation, supply chain, malicious contributions) with mitigations, and documented residual risks. Updated alongside existing CI/CD hardening and disclosure policy.
URLs:
- SECURITY.md (security assessment / threat model): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md#security-assessment
- Limitations (residual functional risks): https://filipchristiansen.github.io/mkdocs-source-links/limitations/
- CI static analysis (bandit via ruff): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/.github/workflows/ci.yml
Criterion [OSPS-VM-01.01]
Met

Unmet

N/A

?

While active, the project documentation MUST include a policy for coordinated vulnerability disclosure (CVD), with a clear timeframe for response. ^{[OSPS-VM-01.01]}
Create a SECURITY.md file at the root of the directory, outlining the project's policy for coordinated vulnerability disclosure. Include a method for reporting vulnerabilities. Set expectations for how the project will respond and address reported issues.
Justification: SECURITY.md is the coordinated vulnerability disclosure policy: private reporting channel, supported versions (latest release only), and a clear response timeframe (initial response within 14 days). Public issues are explicitly disallowed for security reports. [vulnerability_report_process]
URLs:
- SECURITY.md: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md
- GitHub security policy UI: https://github.com/filipchristiansen/mkdocs-source-links/security/policy
Criterion [OSPS-VM-03.01]
Met

Unmet

N/A

?

While active, the project documentation MUST provide a means for private vulnerability reporting directly to the security contacts within the project. ^{[OSPS-VM-03.01]}
Provide a means for security researchers to report vulnerabilities privately to the project. This may be a dedicated email address, a web form, VCS specialized tools, email addresses for security contacts, or other methods.
Justification: Reporters are directed to GitHub Private Vulnerability Reporting (web form), not public issues. This provides a private channel directly to repository security contacts. [vulnerability_report_private]
URLs:
- SECURITY.md: https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md
- GitHub private vulnerability reporting form: https://github.com/filipchristiansen/mkdocs-source-links/security/advisories/new
Criterion [OSPS-VM-04.01]
Met

Unmet

N/A

?

While active, the project documentation MUST publicly publish data about discovered vulnerabilities. ^{[OSPS-VM-04.01]}
Provide information about known vulnerabilities in a predictable public channel, such as a CVE entry, blog post, or other medium. To the degree possible, this information should include affected version(s), how a consumer can determine if they are vulnerable, and instructions for mitigation or remediation.
Justification: No security vulnerabilities have been discovered or published to date (zero published GitHub Security Advisories). This control applies when vulnerabilities exist. When a vulnerability is confirmed, it will be published via GitHub Security Advisories with affected versions, impact, and remediation guidance, per SECURITY.md.
URLs:
- GitHub Security Advisories (publication channel): https://github.com/filipchristiansen/mkdocs-source-links/security/advisories
- SECURITY.md (disclosure and fix process): https://github.com/filipchristiansen/mkdocs-source-links/blob/main/SECURITY.md

This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Filip Christiansen and the OpenSSF Best Practices badge contributors.

MkDocs Source Links

Basics

General

Controls 19/19 ●

Controls