PR Metrics

Projects that follow the best practices below can voluntarily self-certify and show that they have achieved an Open Source Security Foundation (OpenSSF) best practices badge.

No set of practices can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor can any set of practices guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests. There is also a mailing list for general discussion.

We are happy to provide information in multiple languages; however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 11987 is baseline-3. Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/11987/baseline)](https://www.bestpractices.dev/projects/11987)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/11987"><img src="https://www.bestpractices.dev/projects/11987/baseline"></a>


These are the Baseline Level 1 criteria. These criteria come from baseline release v2025.10.10, with criteria text updated from release v2026.02.19. New criteria in release v2026.02.19 are marked "future" and will take effect from 2026-06-01. Please provide answers for the "future" criteria before that date.


 Basics

  • General

    Note that other projects may use the same name.

    A GitHub Action & Azure Pipelines task for augmenting pull request titles to let reviewers quickly determine PR size and test coverage.

    Please use the SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not use single or double quotation marks.
    If there is more than one language, list them as comma-separated values (spaces are optional) and list them from most used to least used. If there is a long list, please list at least the three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use the conventional capitalisation for each language, e.g., "JavaScript".
    Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

 Controls 24/25

  • Controls


    When a user attempts to read or modify sensitive resources in the project's authoritative repository, the system MUST require the user to complete a multi-factor authentication process. [OSPS-AC-01.01]
    Implement multi-factor authentication for the project's version control system, requiring collaborators to provide a second form of authentication when accessing sensitive data or modifying repository settings. Passkeys are acceptable for this control.

    GitHub has required two-factor authentication for all contributors since March 2023. The Microsoft GitHub organisation enforces additional authentication policies. See GitHub's 2FA requirement announcement: https://github.blog/news-insights/product-news/raising-the-bar-for-software-security-github-2fa-begins-march-13/.



    When a new collaborator is added, the version control system MUST require manual permission assignment, or restrict the collaborator permissions to the lowest available privileges by default. [OSPS-AC-02.01]
    Most public version control systems are configured in this manner. Ensure the project's version control system always assigns the lowest available permissions to collaborators by default when they are added, granting additional permissions only when necessary.

    GitHub assigns read-only access by default to new collaborators on public repositories. The Microsoft GitHub organisation enforces least-privilege policies for collaborator access. Additional permissions require manual assignment by repository administrators.



    When a direct commit is attempted on the project's primary branch, an enforcement mechanism MUST prevent the change from being applied. [OSPS-AC-03.01]
    If the VCS is centralised, set branch protection on the primary branch in the project's VCS. Otherwise, use a decentralised approach such as the Linux kernel's, where changes are first proposed in another repository, and merging changes into the primary repository requires a specific separate action.

    The repository has multiple rulesets protecting the main branch (default-ruleset, microsoft-production-ruleset), which prevent direct commits and require pull request reviews. See repository rulesets: https://github.com/microsoft/PR-Metrics/rules.



    When an attempt is made to delete the project's primary branch, the version control system MUST treat this as a sensitive activity and require explicit confirmation of intent. [OSPS-AC-03.02]
    Set branch protection on the primary branch in the project's version control system to prevent deletion.

    The GitHub rulesets protecting the main branch prevent branch deletion. GitHub treats branch deletion of protected branches as a sensitive activity requiring explicit administrator override. See repository rulesets: https://github.com/microsoft/PR-Metrics/rules.



    When a CI/CD pipeline accepts an input parameter, that parameter MUST be sanitised and validated prior to use in the pipeline. [OSPS-BR-01.01]
    CI/CD pipelines should sanitise (quote, escape, or exit on unexpected values) all metadata inputs associated with untrusted sources. This includes data such as branch names, commit messages, tags, pull request names, and author information.

    The project's CI/CD workflows (build.yml, release-initiate.yml, release-publish.yml) do not define any user-controllable input parameters via workflow_dispatch inputs. All workflow triggers use event-based activation with no externally supplied parameters.



    (Future criterion) When a CI/CD pipeline runs on untrusted code snapshots, it MUST prevent access to privileged CI/CD credentials and assets. [OSPS-BR-01.03]
    CI/CD pipelines should isolate untrusted code snapshots from privileged credentials and assets. In particular, projects should take care to ensure that workflows which build or execute code before it has been reviewed by a collaborator do not have access to CI/CD credentials.


    When the project lists a URI as an official project channel, that URI MUST be exclusively delivered using encrypted channels. [OSPS-BR-03.01]
    Configure the project's websites and version control systems to use encrypted channels such as SSH or HTTPS for data transmission. Ensure all tools and domains referenced in the project documentation are only accessible via encrypted channels.

    All URIs referenced in project documentation, README, and configuration files use HTTPS exclusively. The project's GitHub repository URL is https://github.com/microsoft/PR-Metrics. All external links (e.g., aka.ms redirects, Microsoft documentation) use HTTPS.



    When the project lists a URI as an official distribution channel, that URI MUST be exclusively delivered using encrypted channels. [OSPS-BR-03.02]
    Configure the project's release system to only pull data from websites, API responses, and other services which use encrypted channels such as SSH or HTTPS for data transmission.

    The release pipeline fetches all dependencies and tools via HTTPS (npm registry, GitHub API, GitHub Actions). Release artefacts are published via GitHub Releases and the Visual Studio Marketplace, both of which use HTTPS exclusively. Artefacts include build provenance attestations (https://github.com/microsoft/PR-Metrics/blob/main/docs/verification.md) and Sigstore cosign signatures.



    The project MUST prevent unintentional storage of unencrypted sensitive data, such as secrets and certificates, in the version control system. [OSPS-BR-07.01]
    Configure .gitignore or equivalent to exclude files that may contain sensitive information. Use pre-commit hooks and automated scanning tools to detect and prevent the inclusion of sensitive data in contributions.

    The .gitignore file excludes environment files (.env, .env.local, .env.*.local). The CI/CD pipeline includes gitleaks (https://github.com/microsoft/PR-Metrics/blob/main/.github/linters/gitleaks.toml) secret scanning via Super-Linter. No credentials or secrets are tracked in the repository. Access tokens are managed exclusively through GitHub Secrets.
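    As an added illustration of the two layers this control asks for (an ignore pattern that keeps environment files out of commits, and a pre-commit hook that scans staged content before it is committed), here is a minimal .gitignore fragment and a .pre-commit-config.yaml entry for the gitleaks hook. This is example configuration written for this page, not the project's own .gitignore or gitleaks.toml; the hook id "gitleaks" is the one the gitleaks repository publishes for pre-commit, and the rev value is a placeholder that must be pinned to a released tag.

```yaml
# --- .gitignore (fragment) -------------------------------------------
# Environment files commonly hold API tokens and connection strings.
# Ignoring them prevents an accidental `git add .` from staging them.
#   .env
#   .env.local
#   .env.*.local

# --- .pre-commit-config.yaml ------------------------------------------
# Runs gitleaks against staged changes on every commit. A detected secret
# fails the hook, so the commit never reaches the repository history
# (where removing it later would require a history rewrite).
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z        # PLACEHOLDER: pin to a specific gitleaks release tag
    hooks:
      - id: gitleaks   # hook id published by the gitleaks repository
```

    Install the hook once per clone with `pre-commit install`; the same gitleaks scan should also run in CI (as the project does via Super-Linter) so that contributors who skip the local hook are still caught before merge.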



    When the project has made a release, the project documentation MUST include user guides for all basic functionality. [OSPS-DO-01.01]
    Create user guides or documentation for all basic functionality of the project, explaining how to install, configure, and use the project's features. If there are any known dangerous or destructive actions, include highly visible warnings.

    The README.md (https://github.com/microsoft/PR-Metrics/blob/main/README.md) provides comprehensive documentation covering installation, configuration inputs, usage examples for both GitHub Actions and Azure DevOps Pipelines, and detailed descriptions of all parameters. Additional documentation is available in the docs/ folder (https://github.com/microsoft/PR-Metrics/tree/main/docs), including troubleshooting and platform-specific guides.



    When the project has made a release, the project documentation MUST include a guide for reporting defects. [OSPS-DO-02.01]
    It is recommended that projects use their VCS's default issue tracker. If an external source is used, ensure that the project documentation and contributing guide clearly and visibly explain how to use the reporting system. It is recommended that the project documentation also sets expectations for how defects will be triaged and resolved.

    The project uses GitHub Issues with structured templates for bug reports (https://github.com/microsoft/PR-Metrics/blob/main/.github/ISSUE_TEMPLATE/bug_report.md) and feature requests (https://github.com/microsoft/PR-Metrics/blob/main/.github/ISSUE_TEMPLATE/feature-request.md). The CONTRIBUTING.md (https://github.com/microsoft/PR-Metrics/blob/main/.github/CONTRIBUTING.md) directs contributors to use GitHub Issues for reporting defects and communicating with the team.



    While active, the project MUST have one or more mechanisms for public discussions about proposed changes and usage obstacles. [OSPS-GV-02.01]
    Establish one or more mechanisms for public discussions within the project, such as mailing lists, instant messaging, or issue trackers, to facilitate open communication and feedback.

    The project provides multiple public discussion channels: GitHub Issues (https://github.com/microsoft/PR-Metrics/issues) for bug reports and feature requests, GitHub Pull Requests (https://github.com/microsoft/PR-Metrics/pulls) for proposed changes, and GitHub Discussions (https://github.com/microsoft/PR-Metrics/discussions) for general community conversation. All channels are publicly accessible.



    While active, the project documentation MUST include an explanation of the contribution process. [OSPS-GV-03.01]
    Create a CONTRIBUTING.md file or a CONTRIBUTING/ directory to outline the contribution process, including the steps for submitting changes and engaging with the project maintainers.

    The CONTRIBUTING.md (https://github.com/microsoft/PR-Metrics/blob/main/.github/CONTRIBUTING.md) file documents the contribution process, including the Contributor License Agreement (CLA) requirement, coding style guidelines, instructions for updating and adding extensions, and how to communicate with the team. A pull request template (https://github.com/microsoft/PR-Metrics/blob/main/.github/pull_request_template.md) is also provided.



    While active, the license for the source code MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.01]
    Add a LICENSE file to the project's repository with a license that is approved by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, the Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). A public domain release meets this control if there are no other restrictions such as patents.

    The project is licensed under the MIT License (https://github.com/microsoft/PR-Metrics/blob/main/LICENSE), which is approved by the Open Source Initiative (https://opensource.org/licenses/MIT).



    While active, the license for the released software assets MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.02]
    If a different license is included with the released software assets, ensure it is a license approved by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, the Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). Note that the license for the released software assets may differ from that of the source code.

    Released software artefacts are distributed under the same MIT License as the source code. The licence is OSI-approved.



    While active, the license for the source code MUST be maintained in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory. [OSPS-LE-03.01]
    Include the project's source code license in the project's LICENSE file, COPYING file, or LICENSE/ directory to provide visibility and clarity regarding the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes a license file.

    The LICENSE file (https://github.com/microsoft/PR-Metrics/blob/main/LICENSE) is present in the repository root, containing the full MIT License text with the Microsoft Corporation copyright notice.



    While the project is active, the license for the released software assets MUST be included in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets. [OSPS-LE-03.02]
    Include the license for the project's released software assets in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets, to provide visibility and clarity regarding the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes a license file.

    The release pipeline processes a LICENSE.txt for inclusion with release artefacts (via Update-Licenses.ps1). GitHub Releases automatically include the source code (with the LICENSE file) as downloadable archives alongside the VSIX artefact.



    While the project is active, the project's source code repository MUST be publicly readable at a static URL. [OSPS-QA-01.01]
    Use a common VCS such as GitHub, GitLab, or Bitbucket. Ensure the repository is publicly readable. Avoid duplicating or mirroring repositories unless highly visible documentation clearly identifies the primary source. Avoid frequent changes to the repository that would affect the repository URL. Ensure the repository is public.

    The source code is publicly available at https://github.com/microsoft/PR-Metrics, a stable URL on GitHub.



    The version control system MUST contain a publicly readable record of all changes made, who made the changes, and when the changes were made. [OSPS-QA-01.02]
    Use a common VCS such as GitHub, GitLab, or Bitbucket to maintain a publicly readable commit history. Avoid squashing or rewriting commits in a way that would obscure the author of any commits.

    The full Git commit history is publicly readable at https://github.com/microsoft/PR-Metrics, including author, date, and commit message for every change. Pull request history with review discussions is also publicly accessible.



    When the package management system supports it, the source code repository MUST contain a dependency list that accounts for the direct language dependencies. [OSPS-QA-02.01]
    This may take the form of a package manager file or a language dependency file that enumerates all direct dependencies, such as package.json, Gemfile, or go.mod.

    The package.json (https://github.com/microsoft/PR-Metrics/blob/main/package.json) and package-lock.json (https://github.com/microsoft/PR-Metrics/blob/main/package-lock.json) files enumerate all direct and transitive npm dependencies for the project.



    While the project is active, the project documentation MUST contain a list of any codebases that are considered subprojects. [OSPS-QA-04.01]
    Document any additional subproject codebases produced by the project and collected in the release. This documentation should include the status and intent of the corresponding codebase.

    The project does not have any subprojects. It is a single codebase that produces artefacts for both GitHub Actions and Azure DevOps Pipelines via shared source code with platform-specific abstraction layers.



    While the project is active, the version control system MUST NOT contain generated executable artefacts. [OSPS-QA-05.01]
    Remove generated executable artefacts from the project's version control system. In any scenario where a generated executable artefact appears critical to a process such as testing, it is recommended that the artefact instead be generated at build time, or stored separately and fetched during a specific, well-documented pipeline step.

    The repository does not contain generated executable binaries (e.g., .exe, .dll, .so, .jar). The dist/ folder contains text-based JavaScript files (index.mjs, exec-child.js) and metadata (lib.json, resources.resjson) required by the GitHub Actions runtime, which mandates committing compiled action code. These files are human-readable and reviewable. Build artefacts such as the VSIX package are generated at build time and published via CI/CD, not stored in version control.



    While the project is active, the version control system MUST NOT contain unreviewable binary artefacts. [OSPS-QA-05.02]
    Do not add any unreviewable binary artefacts to the project's version control system. This includes application binaries, library files, and similar artefacts. It does not include assets such as graphical images, sound or music files, and similar content which is commonly stored in binary format.

    The only binary files in the repository are PNG images used for documentation illustrations and UI icons (in docs/images/ and src/images/). These are graphical assets, which are explicitly excluded from this control. No executable binaries, library files, or similar unreviewable artefacts are present.



    While the project is active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
    Create a security.md (or similarly named) file that contains the security contacts for the project.

    The SECURITY.md (https://github.com/microsoft/PR-Metrics/blob/main/SECURITY.md) file provides security vulnerability reporting instructions, directing reporters to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report or via email at secure@microsoft.com. The file includes guidance on PGP encryption, expected response times, and the information to include in a report.



    (Deprecated criterion) When a CI/CD pipeline uses a branch name in its functionality, that name value MUST be sanitised and validated prior to use in the pipeline. [OSPS-BR-01.02]

    Where CI/CD workflows reference branch names in shell commands, values are passed through environment variables rather than direct expression interpolation. For example, in build.yml (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/build.yml), github.head_ref is assigned to env.HEAD_REF and accessed via $Env:HEAD_REF in PowerShell, preventing script injection. Branch names used in action with: parameters (e.g., actions/checkout ref) are not subject to shell injection.
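    The following GitHub Actions fragment is an added example, written for this page and not taken from the project's build.yml, showing the practice that OSPS-BR-01.01 and OSPS-BR-01.02 require and that the justification above describes: an untrusted branch name is handed to scripts through an environment variable rather than through direct expression interpolation, is checked against an allowlist so the job exits on unexpected values, and is passed to an action input where no shell is involved. The workflow name, step names and the allowlist pattern are assumptions for the example.

```yaml
# Hypothetical workflow (example only; not the project's build.yml).
# github.head_ref is attacker-influenced on pull_request events from forks,
# so it is treated as untrusted data throughout.
name: ci-input-handling-example
on:
  pull_request:

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # WEAK (kept only as a comparison, hence commented out): the ${{ }}
      # expression is substituted into the script text before the shell
      # starts, so the branch name becomes part of the command itself.
      # - run: echo "Building ${{ github.head_ref }}"

      # CORRECTED: the expression is evaluated into an environment variable,
      # and the shell reads $HEAD_REF as data, never as command text.
      - name: Report head ref (bash)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Building $HEAD_REF"

      # Same pattern in PowerShell, matching the $Env:HEAD_REF usage the
      # justification cites.
      - name: Report head ref (PowerShell)
        shell: pwsh
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: Write-Output "Building $Env:HEAD_REF"

      # VALIDATE (the "exit on unexpected values" option): refuse any name
      # outside a conservative allowlist before it reaches further tooling.
      # The allowed set (letters, digits, '/', '.', '_', '-') is an assumption
      # for this example; align it with the project's branch naming rules.
      - name: Validate head ref
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          case "$HEAD_REF" in
            ""|*[!A-Za-z0-9/._-]*)
              echo "::error::unexpected characters in branch name"
              exit 1 ;;
          esac

      # Action inputs are consumed by the action, not by a shell, so this
      # use is not subject to shell injection (as the justification notes).
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
```

    The ordering matters in practice: run the validation step before any step that uses the value, so that a name the allowlist rejects never reaches a script or tool. The same indirection applies to the other metadata OSPS-BR-01.01 lists (commit messages, tags, pull request titles, author fields), each of which should be assigned to an env entry rather than interpolated into run: text.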



This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Muiris Woulfe and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Muiris Woulfe.
Entry created on 2026-02-19 17:32:37 UTC, last updated on 2026-02-27 19:06:06 UTC. Last lost passing badge on 2026-02-23 14:15:17 UTC. Last achieved passing badge on 2026-02-23 14:43:51 UTC.