Shapin

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hali ya nishani yako ya msingi kwenye ukurasa wa mradi wako! Hali ya nishani ya msingi inaonekana kama hii: Kiwango cha nishani ya msingi kwa mradi 12470 ni baseline-3 Huu ndiyo jinsi ya kuweka nishani ya msingi:
Unaweza kuonyesha hali ya nishani yako ya msingi kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12470/baseline)](https://www.bestpractices.dev/projects/12470)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/12470"><img src="https://www.bestpractices.dev/projects/12470/baseline"></a>


Hizi ni vigezo vya Kiwango cha Msingi 3. Vigezo hivi vinatoka toleo la msingi v2025.10.10 na maandishi ya vigezo yaliyosasishwa kutoka toleo v2026.02.19. Vigezo vipya katika toleo v2026.02.19 vimewekwa alama "mustakabali" na vitaanza kutekelezwa kuanzia 2026-06-01. Tafadhali toa majibu kwa vigezo vya "mustakabali" kabla ya tarehe hiyo.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    Pin floating tags in CI workflow files to immutable SHAs, making your pipelines reproducible and immune to tag mutation attacks.

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

 Udhibiti 21/21

  • Udhibiti


    Ya kutosha kwa nishani!

    Ruhusa zinapopeana kwa kazi katika mfumo wa CI/CD, msimbo wa chanzo au usanidi LAZIMA upee tu ruhusa za chini zaidi zinazohitajika kwa shughuli zinazohusiana. [OSPS-AC-04.02]
    Sanidi mifumo ya CI/CD ya mradi ili kupea ruhusa za chini zinazopatikana kwa watumiaji na huduma kwa chaguomsingi, ukipandisha ruhusa tu inapohitajika kwa kazi maalum. Katika baadhi ya mifumo ya udhibiti wa toleo, hii inaweza kufanyika katika kiwango cha shirika au hifadhi. Ikiwa sivyo, weka ruhusa katika kiwango cha juu cha mfumo.

    Every job in ci.yml and release.yml declares only the minimum permissions required for its specific activity:

    test: contents: read only
    codeql: contents: read + security-events: write (SARIF upload)
    gosec: contents: read + security-events: write (SARIF upload)
    grype: contents: read + security-events: write (SARIF upload)
    dco: contents: read only
    release: contents: write + id-token: write + attestations: write (no packages: write — that is scoped exclusively to the docker job)
    docker: contents: read + packages: write + id-token: write
    A top-level permissions: read-all default ensures any job without an explicit block cannot silently inherit broad permissions.


    Ya kutosha kwa nishani!

    (Kigezo cha baadaye) Mifuko ya CI/CD inayokubali pembejeo za mshirika anayeaminika LAZIMA isafishe na kuthibitisha pembejeo hiyo kabla ya kutumia katika mfuko. [OSPS-BR-01.04]
    Mifuko ya CI/CD inapaswa kusafisha (kunukuu, kutoroka au kutoka kwa maadili yanayotarajiwa) pembejeo zote za mshirika kwenye utekelezaji wa mtiririko wa kazi wa wazi. Ingawa washirika kwa ujumla wanaaminika, pembejeo za mwongozo kwa mtiririko wa kazi haiwezi kukaguliwa na inaweza kutumiwa vibaya na utekaji wa akaunti au tishio la ndani.

    None of the CI/CD pipelines accept manual workflow_dispatch inputs — all workflows are triggered exclusively by push (tags or main) and pull_request events. There are no ${{ inputs.* }} expressions used anywhere in the pipeline. Consequently there is no collaborator-supplied input that could be injected into shell commands or pipeline logic.


    Ya kutosha kwa nishani!

    Toleo rasmi linapobuniwa, mali zote ndani ya toleo hilo LAZIMA zihusianishwe wazi na kitambulisho cha toleo au kitambulisho kingine cha kipekee kwa mali hiyo. [OSPS-BR-02.02]
    Panga kitambulisho cha kipekee cha toleo kwa kila mali ya programu inayozalishwa na mradi, ukifuata kawaida ya uainishaji thabiti au mpango wa nambari. Mifano ni pamoja na SemVer, CalVer, au kitambulisho cha git commit.

    All release assets include the semantic version identifier in their filename (e.g. shapin-v1.2.0-linux-amd64, shapin-v1.2.0-darwin-arm64). The version is also embedded in the binary at build time via -X main.Version. Assets are grouped under the corresponding GitHub Release tag (e.g. v1.2.0), and a checksums.txt SHA-256 manifest ties all assets to the release.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue sera ya kudhibiti siri na ushahidi unaotumika na mradi. Sera inapaswa kujumuisha mwongozo wa kuhifadhi, kufikia, na kuzungusha siri na ushahidi. [OSPS-BR-07.02]
    Eleza jinsi siri na ushahidi vinavyodhibitiwa na kutumika ndani ya mradi. Hii inapaswa kujumuisha maelezo ya jinsi siri zinavyohifadhiwa (k.m., kwa kutumia zana ya usimamizi wa siri), jinsi ufikiaji unavyodhibitiwa, na jinsi siri zinavyozungushwa au kusasishwa. Hakikisha kwamba habari nyeti haziingizwi kwa msimbo katika msimbo wa chanzo au kuhifadhiwa katika mifumo ya udhibiti wa toleo.

    Documented in SECURITY.md. Shapin does not manage secrets — it accepts tokens as ephemeral runtime inputs only. The policy clarifies that the project repository contains no committed secrets, the CI/CD pipeline uses only the ephemeral GitHub-provisioned GITHUB_TOKEN with per-job minimum permissions, and users are responsible for secure handling of any tokens they pass to the tool.

    https://github.com/Kirskov/Shapin/blob/main/SECURITY.md


    Ya kutosha kwa nishani!

    Mradi ulipotoa toleo, nyaraka za mradi LAZIMA ziwe na maelekezo ya kuthibitisha uadilifu na uhalali wa mali za toleo. [OSPS-DO-03.01]
    Maelekezo katika mradi yanapaswa kuwa na habari kuhusu teknolojia iliyotumika, amri za kuendesha, na matokeo yanayotarajiwa. Inapowezekana, epuka kuhifadhi nyaraka hizi katika mahali pamoja na mfumo wa ujenzi na utoaji wa toleo ili kuepuka ukiukaji mmoja kuhatarisha programu na nyaraka za kuthibitisha uadilifu wa programu.

    README.md includes a "Verify release integrity" section under Installation documenting three independent verification methods with exact commands and expected output: (1) SHA-256 checksum verification via checksums.txt, (2) cosign bundle signature verification with the expected certificate identity and OIDC issuer, (3) SLSA provenance attestation via gh attestation verify. This is in the README, separate from the release workflow in .github/workflows/release.yml.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA ziwe na maelekezo ya kuthibitisha utambulisho unaotarajiwa wa mtu au mchakato unaothibitisha toleo la programu. [OSPS-DO-03.02]
    Utambulisho unaotarajiwa unaweza kuwa katika muundo wa vitambulisho vya funguo vilivyotumika kusaini, mtoa na utambulisho kutoka cheti cha sigstore, au aina nyingine zinazofanana. Inapowezekana, epuka kuhifadhi nyaraka hii mahali palipo sawa na mirija ya kujenga na kutoa ili kuepuka ukiukaji mmoja kuhatarisha programu na nyaraka za kuthibitisha uadilifu wa programu.

    The "Verify release integrity" section in README.md documents the expected signer identity for both binary and Docker image verification:

    Certificate identity: https://github.com/Kirskov/Shapin/.github/workflows/release.yml@refs/tags/vX.Y.Z
    OIDC issuer: https://token.actions.githubusercontent.com
    These identify the exact GitHub Actions workflow and tag that must have produced the signature, preventing acceptance of signatures from any other identity. This is stored in the README, separate from the release workflow.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA zijumuishe kauli ya maelezo kuhusu wigo na muda wa msaada kwa kila toleo. [OSPS-DO-04.01]
    Ili kuwasilisha wigo na muda wa msaada kwa rasilimali za programu zilizotolewa za mradi, mradi unapaswa kuwa na faili ya SUPPORT.md, sehemu ya "Msaada" katika SECURITY.md, au nyaraka nyingine zinazoweka wazi mzunguko wa maisha wa msaada, ikijumuisha muda unaotarajiwa wa msaada kwa kila toleo, aina za msaada zinazotolewa (k.m., marekebisho ya hitilafu, sasisho za usalama), na sera au taratibu yoyote husika ya kupata msaada.

    The README.md includes a Support section documenting that only the latest release receives security and bug fixes, no backports are made to older releases, and there is no LTS program. Links to GitHub Issues for bug reports and SECURITY.md for vulnerability disclosure are included.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA zitoe kauli ya maelezo ya wakati matoleo au matoleo hayatapokea tena sasisho za usalama. [OSPS-DO-05.01]
    Ili kuwasilisha wigo na muda wa msaada kwa marekebisho ya usalama, mradi unapaswa kuwa na SUPPORT.md au nyaraka nyingine zinazoweka wazi sera ya mradi ya sasisho za usalama.

    The Support section in README.md explicitly states: "A release stops receiving security updates as soon as a newer version is published." This makes the end-of-support trigger unambiguous — only the latest release is ever supported for security fixes.


    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA ziwe na sera kwamba washirikiano wa msimbo wanapimwa kabla ya kupewa ruhusa zilizopandishwa kwa rasilimali nyeti. [OSPS-GV-04.01]
    Chapisha sera inayoweza kutekelezwa katika nyaraka za mradi inayohitaji washirikiano wa msimbo kupimwa na kuidhinishwa kabla ya kupewa ruhusa zilizopandishwa kwa rasilimali nyeti, kama vile idhini ya kuunganisha au ufikiaji kwa siri. Inashauriwa kwamba upimaji ujumuishe kuanzisha mfululizo wa utambulisho unaoweza kuhalalishwa kama vile kuthibitisha ushirikiano wa mchangiaji na shirika linalojulikana na kuaminika.

    MAINTAINERS.md documents that this is a single-maintainer project and that no collaborator will receive escalated permissions (write access, merge approval, secrets access) without explicit review and approval by the maintainer, including a demonstrated contribution history and verified identity.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, rasilimali zote za programu zilizotolewa na zilizokusanywa LAZIMA zikabidhi pamoja na orodha ya bili ya programu. [OSPS-QA-02.02]
    Inashauriwa kuzalisha SBOM kiotomatiki wakati wa kujenga kwa kutumia zana ambayo imepimwa kwa usahihi. Hii huwezesha watumiaji kuingiza data hii kwa njia ya kiwango pamoja na miradi mingine katika mazingira yao.

    An SBOM in SPDX-JSON format (sbom.spdx.json) is auto-generated by Syft (anchore/sbom-action) at release time and published as a release asset alongside the binaries. It is included in checksums.txt and signed with cosign.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo linalojumuisha hifadhi nyingi za chanzo cha msimbo, miradi yote midogo LAZIMA ilazimishe mahitaji ya usalama ambayo ni kali au kali zaidi kuliko msimbo wa msingi. [OSPS-QA-04.02]
    Hifadhi yoyote ya ziada ya msimbo wa miradi midogo iliyozalishwa na mradi na kukusanywa katika toleo lazima ilazimishe mahitaji ya usalama kama inavyolingana na hali na nia ya msimbo husika. Kwa kuongeza kufuata mahitaji ya msingi wa OSPS yanayolingana, hii inaweza kujumuisha kuhitaji ukaguzi wa usalama, kuhakikisha kuwa haina udhaifu, na kuhakikisha kuwa haina masuala ya usalama yanayojulikana.

    Shapin is a single-repository project. There are no subprojects or additional source code repositories compiled into the release. This criterion does not apply.


    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA ziweke wazi lini na jinsi majaribio yanavyotekelezwa. [OSPS-QA-06.02]
    Ongeza sehemu kwenye nyaraka za kuchangia inayoweka wazi jinsi ya kutekeleza majaribio kienyeji na jinsi ya kutekeleza majaribio katika mirija ya CI/CD. Nyaraka zinapaswa kuweka wazi majaribio yanajaribu nini na jinsi ya kutafsiri matokeo.

    CONTRIBUTING.md now includes a "Running tests" section documenting how to run the full suite locally (go test ./...), per-package, with verbose output, and fuzz tests. It explains what each package tests, what a passing run looks like, and how CI runs the tests automatically on every push and PR via the test job in ci.yml.


    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA zijumuishe sera kwamba mabadiliko yote makubwa kwa programu inayozalishwa na mradi yanapaswa kuongeza au kusasisha majaribio ya utendaji katika seti ya majaribio ya kiatomati. [OSPS-QA-06.03]
    Ongeza sehemu kwenye nyaraka za kuchangia inayoweka wazi sera ya kuongeza au kusasisha majaribio. Sera inapaswa kuweka wazi ni nini kinachojumuisha mabadiliko makubwa na majaribio yapi yanapaswa kuongezwa au kusasishwa.

    CONTRIBUTING.md defines an explicit testing policy that specifies what constitutes a major change (new provider, new CLI flag, regex/parsing changes, bug fixes, scanner logic changes) and requires tests for each. Bug fixes must include a regression test. PRs that reduce coverage without justification are rejected. The full suite must pass before submission.


    Ya kutosha kwa nishani!

    Wakati kuruhusu kumefanywa kwa tawi kuu, mfumo wa udhibiti wa toleo la mradi LAZIMA uhitaji angalau idhini moja ya binadamu asiye mwandishi ya mabadiliko kabla ya kuunganisha. [OSPS-QA-07.01]
    Sanidi mfumo wa udhibiti wa toleo la mradi kuhitaji angalau idhini moja ya binadamu asiye mwandishi ya mabadiliko kabla ya kuunganisha katika toleo au tawi kuu. Hii inaweza kupatikana kwa kuhitaji ombi la kuvuta kupimwa na kuidhinishwa na angalau mshirikiano mmoja mwingine kabla ya kunaweza kuunganishwa.

    This is a single-maintainer project with one contributor. Requiring a non-author approval is not feasible as there are no other collaborators with merge access. All changes are reviewed by the sole maintainer before merging.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, mradi LAZIMA ufanye ufuatiliaji wa tisho na uchambuzi wa uso wa shambulio ili kuelewa na kulinda dhidi ya mashambulizi kwenye njia za msimbo muhimu, majukumu, na mwingiliano ndani ya mfumo. [OSPS-SA-03.02]
    Ufuatiliaji wa tisho ni shughuli ambapo mradi unaangalia msimbo, michakato na miundombinu inayohusiana, viunganishi, vipengele muhimu na "kufikiria kama kibogoyo" na kufanya mapendekezo ya jinsi mfumo unaweza kuvunjwa au kuhatarisha. Kila tisho iliyotambuliwa imeorodheshwa ili mradi uweze kufikiria jinsi ya kuepuka au kufunga pengo/udhaifu wowote unaoweza kutokea kwa kujihadhari. Hakikisha hii imesasishwa kwa vipengele vipya au mabadiliko ya kuvunja.

    SECURITY.md contains a threat model covering six identified threats across all critical attack surfaces: compromised upstream APIs (T1), directory traversal on file I/O (T2), token leakage via output channels (T3), regex DoS on content parsing (T4), malicious config file injection (T5), and supply chain compromise of Shapin itself (T6). Each threat includes impact rating, likelihood, specific mitigations applied in the code, and residual risk. The assessment also defines trust boundaries between the tool, the local filesystem, external APIs, and user-supplied credentials. It is updated with new features and breaking changes.


    Ya kutosha kwa nishani!

    Wakati uko hai, udhaifu wowote katika vipengele vya programu visivyoathiri mradi LAZIMA viwe vimeainishwa katika hati ya VEX, ikiendeleza ripoti ya udhaifu na maelezo ya kutokutumiwa vibaya. [OSPS-VM-04.02]
    Weka mfumo wa mlisho wa VEX unaowasiliana hali ya utumiaji vibaya wa udhaifu unaojulikana, ikiwa ni pamoja na maelezo ya tathmini au marekebisho yoyote yaliyowekwa kusimamisha msimbo ulio na udhaifu usiotekelezwa.

    A vex.json OpenVEX document is maintained in the repository and published as a release asset. It starts with an empty statements array — entries are added when Grype identifies vulnerabilities in the SBOM that are not exploitable in this project's context, with justification and impact statements per the OpenVEX spec.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera inayofafanua kiwango cha marekebisho ya matokeo ya SCA yanayohusiana na udhaifu na leseni. [OSPS-VM-05.01]
    Andika sera katika mradi inayofafanua kiwango cha marekebisho ya matokeo ya SCA yanayohusiana na udhaifu na leseni. Jumuisha mchakato wa kutambua, kutanguliza, na kurekebisha matokeo haya.

    SECURITY.md defines a SCA remediation policy with severity-based thresholds: Critical must be fixed before the next release, High within the next release cycle, Medium within 90 days or documented as not affected in vex.json. The process covers how Grype findings flow from CI SARIF upload to remediation or VEX justification. License policy requires OSI-approved licenses compatible with MIT.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera ya kushughulikia ukiukaji wa SCA kabla ya toleo lolote. [OSPS-VM-05.02]
    Andika sera katika mradi wa kushughulikia matokeo ya Uchambuzi wa Muundo wa Programu yanayotumika kabla ya toleo lolote, na ongeza ukaguzi wa hali unaothibitisha kufuata sera hiyo kabla ya toleo.

    A sca-gate job runs Grype against the SBOM before every release, failing on Critical or High findings with fail-build: true and severity-cutoff: high. Both the release and docker jobs depend on sca-gate via needs:, so no release can proceed if the gate fails. Non-applicable findings are suppressed via vex.json. The policy and process are documented in SECURITY.md.


    Ya kutosha kwa nishani!

    Wakati uko hai, mabadiliko yote kwenye msingi wa msimbo wa mradi LAZIMA yaangaliwe kiatomati dhidi ya sera iliyoandikwa ya utegemezi mbaya na udhaifu unaojulikana katika utegemezi, kisha yazuiliwe katika hali ya ukiukaji, isipokuwa inapotangazwa na kuzuiliwa kama isiyotumiwa vibaya. [OSPS-VM-05.03]
    Unda ukaguzi wa hali katika mfumo wa kudhibiti toleo la mradi unaoendesha zana ya Uchambuzi wa Muundo wa Programu kwenye mabadiliko yote ya msingi wa msimbo. Hitaji kwamba ukaguzi wa hali upite kabla mabadiliko kusanywa.

    The grype job in ci.yml runs on every push to main and every PR. It scans the SBOM with Grype, uploads results as SARIF to GitHub Code Scanning, then runs a second gate step with fail-build: true and severity-cutoff: high. The vex.json is passed to suppress documented non-exploitable findings. Once added as a required status check in branch protection, this blocks any merge with unaddressed Critical or High vulnerabilities.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera inayofafanua kiwango cha marekebisho ya matokeo ya SAST. [OSPS-VM-06.01]
    Andika sera katika mradi inayofafanua kiwango cha marekebisho ya matokeo ya Upimaji wa Usalama wa Programu Tuli (SAST). Jumuisha mchakato wa kutambua, kutanguliza, na kurekebisha matokeo haya.

    SECURITY.md defines the SAST remediation policy: Critical/High findings block merges, Medium findings must be resolved within 30 days, false positives are dismissed in GitHub Code Scanning with a documented reason (never silently ignored), and unresolved findings are tracked as GitHub issues. VEX is not used for SAST — it applies only to SCA findings in dependencies.


    Ya kutosha kwa nishani!

    Wakati uko hai, mabadiliko yote kwenye msingi wa msimbo wa mradi LAZIMA yaangaliwe kiatomati dhidi ya sera iliyoandikwa ya udhaifu wa usalama na kuzuiliwa katika hali ya ukiukaji isipokuwa inapotangazwa na kuzuiliwa kama isiyotumiwa vibaya. [OSPS-VM-06.02]
    Unda ukaguzi wa hali katika mfumo wa kudhibiti toleo la mradi unaoendesha zana ya Upimaji wa Usalama wa Programu Tuli (SAST) kwenye mabadiliko yote ya msingi wa msimbo. Hitaji kwamba ukaguzi wa hali upite kabla mabadiliko kusanywa.

    The codeql and gosec jobs in ci.yml run automatically on every push to main and every pull request. Both upload SARIF to GitHub Code Scanning. Once codeql and gosec are added as required status checks in branch protection (Settings → Branches → required status checks), no PR can be merged if either fails. The gosec gate uses fail-build behaviour via the SARIF upload step, and CodeQL fails the job on any finding above the configured threshold.



Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua Antoine GRICOURT na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: Antoine GRICOURT.
Ingizo liliundwa siku 2026-04-12 08:01:17 UTC, iliyosasishwa mara ya mwisho siku 2026-04-18 15:04:37 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-04-18 14:13:41 UTC.