compose-lint

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hadhi ya nishani yako kwenye ukurasa wa mradi wako! Hadhi ya nishani inaonekana kama hii: Kiwango cha nishani kwa mradi 12472 ni silver Hapa ni jinsi ya kuiweka:
Unaweza kuonyesha hali ya nishani yako kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12472/badge)](https://www.bestpractices.dev/projects/12472)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/12472"><img src="https://www.bestpractices.dev/projects/12472/badge"></a>


Hizi ni vigezo vya kiwango cha Fedha. Unaweza pia kuangalia vigezo vya kiwango cha Kupita au Dhahabu.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi 17/17

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    compose-lint is a security-focused linter for Docker Compose files. It catches dangerous misconfigurations — exposed Docker sockets, privileged containers, missing capability restrictions, unpinned images, and more — before they reach production. Rules are grounded in the OWASP Docker Security Cheat Sheet and CIS Docker Benchmark, with every finding including specific, actionable fix guidance. Distributed on PyPI and Docker Hub; runs locally, in CI, or as a pre-commit hook.

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

    Single-maintainer project, intentionally narrow in scope: a security linter for Docker Compose files with PyYAML as the only runtime dependency. Supply-chain posture above typical: PyPI Trusted Publishing (OIDC, no long-lived tokens), Sigstore build attestations on every release, signed commits and tags (SSH), SHA-pinned GitHub Actions, hash-pinned CI lockfiles, and a merge-blocking ci-ok aggregate check. Continuous scanning via CodeQL, OpenSSF Scorecard, and ClusterFuzzLite. All changes flow through PRs with squash-merge and linear history on main. No cryptography is implemented; no binary artifacts are tracked.

  • Mahitaji ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufikie nishani ya kiwango cha kuhitimu. [achieve_passing]

  • Maudhui ya kimsingi ya tovuti ya mradi


    Ya kutosha kwa nishani!

    Habari juu ya jinsi ya kuchangia LAZIMA ijumuishe mahitaji ya michango inayokubalika (k.m., rejea kwa kiwango chochote kinachohitajika cha msimbo). (URL inahitajika) [contribution_requirements]

    https://github.com/tmatens/compose-lint?tab=contributing-ov-file#code-standards


  • Usimamizi wa mradi


    Ya kutosha kwa nishani!

    Mradi UNAPASWA kuwa na utaratibu wa kisheria ambapo wasanidi wote wa kiasi kisicho kidogo cha programu ya mradi wanathibitisha kwamba wameruhusiwa kisheria kufanya michango hii. Mbinu ya kawaida na rahisi ya kutekeleza hii ni kwa kutumia Cheti cha Msanidi cha Asili (DCO), ambapo watumiaji huongeza "signed-off-by" katika ahadi zao na mradi unaunganisha kwenye tovuti ya DCO. Hata hivyo, hii YAWEZA kutekelezwa kama Makubaliano ya Leseni ya Mchangiaji (CLA), au utaratibu mwingine wa kisheria. (URL inahitajika) [dco]
    DCO ni utaratibu unaopendekeza kwa sababu ni rahisi kutekeleza, kufuatilia katika msimbo wa chanzo, na git inasaidia moja kwa moja kipengele cha "signed-off" kwa kutumia "commit -s". Ili kuwa na ufanisi zaidi ni bora ikiwa nyaraka za mradi zinaeleza maana ya "signed-off" kwa mradi huo. CLA ni makubaliano ya kisheria yanayofafanua masharti ambayo kazi za kiakili zimetolewa leseni kwa shirika au mradi. Makubaliano ya mgawo wa mchangiaji (CAA) ni makubaliano ya kisheria yanayohamisha haki katika kazi ya kiakili kwa chama kingine; miradi haihitajiki kuwa na CAA, kwa kuwa kuwa na CAA huongeza hatari kwamba wachangiaji watarajiwa hawatachangia, hasa ikiwa mpokeaji ni shirika la faida. Apache Software Foundation CLAs (leseni ya mchangiaji wa mtu binafsi na CLA ya kampuni) ni mifano ya CLA, kwa miradi ambayo inaamua kwamba hatari za aina hizi za CLA kwa mradi ni chini ya manufaa yao.

    All non-bot commits must carry a Signed-off-by: trailer matching the commit author identity, certifying the Developer Certificate of Origin (https://developercertificate.org). A required CI job (Developer Certificate of Origin in .github/workflows/ci.yml) scans every commit in a PR and blocks merge if any non-bot commit lacks the trailer. Dependabot, Renovate, github-actions, and Mend bot commits are allow-listed. Policy documented in CONTRIBUTING.md: https://github.com/tmatens/compose-lint/blob/main/CONTRIBUTING.md#developer-certificate-of-origin [osps_le_01_01]


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika muundo wake wa utawala wa mradi (njia ya kufanya maamuzi, ikiwa ni pamoja na majukumu muhimu). (URL inahitajika) [governance]
    Kunahitaji kuwa na njia fulani iliyowekwa vyema ya kuandikwa ya kufanya maamuzi na kutatua migogoro. Katika miradi midogo, hii inaweza kuwa rahisi kama "mmiliki wa mradi na kiongozi hufanya maamuzi yote ya mwisho". Kuna miundo mbalimbali ya utawala, ikiwa ni pamoja na dictator wa wema na meritocracy rasmi; kwa maelezo zaidi, angalia Miundo ya utawala. Mbinu zote mbili za kati (k.m., mtunzaji mmoja) na zisizo za kati (k.m., watunzaji wa kikundi) zimetumika kwa mafanikio katika miradi. Habari za utawala hazihitajiki kuandika uwezekano wa kuunda uma wa mradi, kwa kuwa hiyo ni iwezekanavyo kila wakati kwa miradi ya FLOSS.

    URL: https://github.com/tmatens/compose-lint/blob/main/GOVERNANCE.md

    Justification: GOVERNANCE.md at the repo root documents the project's decision-making model end-to-end: a single maintainer role (with the bus factor honestly stated as 1), lazy-consensus decision rule with explicit reasonable-window guidance per change class, branch-protection rule that no change reaches main outside a PR (including the maintainer's), procedure for adding and removing maintainers, appeal procedure, and code-of-conduct enforcement chain. Cross-links to MAINTAINERS.md (canonical roster) and docs/CONTINUITY.md (access continuity).


    Ya kutosha kwa nishani!

    Mradi LAZIMA upitishe kanuni ya mwenendo na kuiweka mahali pa kawaida. (URL inahitajika) [code_of_conduct]
    Miradi inaweza kuweza kuboresha uadilifu wa jamii yao na kuweka matarajio kuhusu tabia inayokubalika kwa kupitisha kanuni ya mwenendo. Hii inaweza kusaidia kuepuka matatizo kabla hayajatokea na kufanya mradi kuwa mahali pa kukaribishwa zaidi ili kuhimiza michango. Hii inapaswa kuzingatia tu tabia ndani ya jamii/mahali pa kazi pa mradi. Mifano ya kanuni za mwenendo ni kanuni ya mwenendo ya kernel ya Linux, Kanuni ya Mwenendo ya Agano la Mchangiaji, Kanuni ya Mwenendo ya Debian, Kanuni ya Mwenendo ya Ubuntu, Kanuni ya Mwenendo ya Fedora, Kanuni ya Mwenendo ya GNOME, Kanuni ya Mwenendo ya Jamii ya KDE, Kanuni ya Mwenendo ya Jamii ya Python, Mwongozo wa Mwenendo wa Jamii ya Ruby, na Kanuni ya Mwenendo ya Rust.

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/CODE_OF_CONDUCT.md

    Justification: The project adopts the Contributor Covenant v2.1, posted at the standard .github/CODE_OF_CONDUCT.md location that GitHub recognizes for the "Community Standards" panel. CONTRIBUTING.md links to it from the §"Maintainers" section.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue kwa uwazi na kuandika hadharani majukumu muhimu katika mradi na wajibu wao, ikiwa ni pamoja na kazi zozote ambazo majukumu hayo lazima yafanywe. Lazima iwe wazi ni nani ana jukumu lipi, ingawa hii haiwezi kuandikwa kwa njia ile ile. (URL inahitajika) [roles_responsibilities]
    Nyaraka kwa utawala na majukumu na wajibu zinaweza kuwa mahali pamoja.

    CONTRIBUTING.md "Maintainers" section lists the single project maintainer (@tmatens) with repository admin, release, and security-response responsibilities. See https://github.com/tmatens/compose-lint/blob/main/CONTRIBUTING.md#maintainers [osps_gv_01_02]


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kuendelea kwa usumbufu mdogo ikiwa mtu yeyote anakufa, anakuwa katika hali ya kudhoofika, au vinginevyo hawezi au hataki kuendelea kusaidia mradi. Hasa, mradi LAZIMA uweze kuunda na kufunga masuala, kukubali mabadiliko yaliyopendekezwa, na kutoa matoleo ya programu, ndani ya wiki moja ya uthibitishaji wa upotevu wa msaada kutoka kwa mtu yeyote mmoja. Hii INAWEZA kufanywa kwa kuhakikisha mtu mwingine ana funguo zozote zinazohitajika, nywila, na haki za kisheria ili kuendelea mradi. Watu binafsi wanaoendesha mradi wa FLOSS WANAWEZA kufanya hii kwa kuweka funguo katika sanduku la kufungia na wosia unaowezesha haki zozote zinazohitajika za kisheria (k.m., kwa majina ya DNS). (URL inahitajika) [access_continuity]

    URL: https://github.com/tmatens/compose-lint/blob/main/docs/CONTINUITY.md

    Justification: docs/CONTINUITY.md explicitly addresses the single-maintainer reality. The "short version" states that anyone can continue compose-lint by forking under the MIT license: hash-pinned requirements*.lock files, digest-pinned Docker base images, signed annotated tags, and the documented release process in docs/RELEASING.md are deliberately structured so a successor needs no private state from the original maintainer. The document then gives a per-asset access table (GitHub repo and Environments, PyPI Trusted Publisher binding, Docker Hub org composelint, repo secrets, signing keys) with recovery paths for each, plus a co-maintainer onboarding checklist and an honest "why bus factor is currently 1" section.


    Kwa shida ya kutosha kwa nishani.

    Mradi INAPASWA kuwa na "bus factor" ya 2 au zaidi. (URL inahitajika) [bus_factor]
    "Bus factor" (pia inajulikana kama "truck factor") ni idadi ya chini ya washiriki wa mradi ambao wanapaswa kutoweka ghafla kutoka kwenye mradi ("kupigwa na basi") kabla ya mradi kusimama kwa sababu ya ukosefu wa wafanyakazi wenye elimu au wenye uwezo. Zana ya truck-factor inaweza kukadiria hii kwa miradi kwenye GitHub. Kwa maelezo zaidi, angalia Kutathmini Bus Factor ya Hifadhi za Git na Cosentino et al.

    URL: https://github.com/tmatens/compose-lint/blob/main/docs/CONTINUITY.md

    Justification: Bus factor is 1. Acknowledged honestly in GOVERNANCE.md §Roles ("The bus factor is 1; we are honest about that."). Mitigated in docs/CONTINUITY.md, which documents reproducible-build provenance (hash-pinned lockfiles, digest-pinned base images, Sigstore attestations on every release), the fork path under the MIT license, and per-asset recovery procedures (GitHub repo and Environments, PyPI Trusted Publisher binding, Docker Hub org, signing keys) so the project can continue without the current maintainer's cooperation. The procedure to add a co-maintainer is defined in GOVERNANCE.md §"Adding a maintainer" and MAINTAINERS.md §"Adding or removing a maintainer".


  • Nyaraka


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na ramani ya barabara iliyoandikwa inayoeleza kile mradi unakusudia kufanya na kutofanya kwa angalau mwaka unaofuata. (URL inahitajika) [documentation_roadmap]
    Mradi huenda usitimiza ramani ya barabara, na hiyo ni sawa; kusudi la ramani ya barabara ni kusaidia watumiaji na wachangiaji watarajiwa kuelewa mwelekeo unaokusudiwa wa mradi. Haihitaji kuwa na maelezo mengi.

    URL: https://github.com/tmatens/compose-lint/blob/main/docs/ROADMAP.md

    Justification: docs/ROADMAP.md lays out milestones 1 (shipped v0.3) through 4 (v1.0 GA) with explicit deferred items (.deb/.rpm packages, see ADR-008) and gating prerequisites (e.g., the drift-check job that must land before the real-world examples library). Milestone 2.5 (Trust Surface + Install Polish) and Milestone 3 (Remediation: --fix UX) define the next twelve-plus months of intended work; the document also names what is explicitly out of scope and why, which is the harder half of a roadmap.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe nyaraka za muundo (pia inajulikana kama muundo wa kiwango cha juu) wa programu inayozalishwa na mradi. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). (URL inahitajika) [documentation_architecture]
    Muundo wa programu unaeleza miundo ya msingi ya programu, yaani, vipengele vikuu vya programu, uhusiano kati yao, na mali muhimu za vipengele na uhusiano hivi.

    Architecture is documented in CLAUDE.md (Parser, Rules, Findings, Formatters, Engine components and their data flow) and supplemented by Architecture Decision Records in docs/adr/. Actors: end users running the CLI, rule authors, CI systems consuming SARIF. Actions: compose file loading, rule evaluation, finding emission, formatter selection. See https://github.com/tmatens/compose-lint/blob/main/CLAUDE.md#architecture [osps_sa_01_01]


    Ya kutosha kwa nishani!

    Mradi LAZIMA uandike kile mtumiaji anaweza na asiweze kutarajia kwa suala la usalama kutoka kwa programu inayozalishwa na mradi ("mahitaji yake ya usalama"). (URL inahitajika) [documentation_security]
    Haya ni mahitaji ya usalama ambayo programu inakusudiwa kukidhi.

    URL:https://github.com/tmatens/compose-lint/blob/main/docs/SECURITY-EXPECTATIONS.md
    docs/SECURITY-EXPECTATIONS.md (137 lines) is the user-facing "what compose-lint will and will not do" document:

    Promises: no execution of YAML contents (SafeLoader only, no eval/exec/subprocess against parsed values); no network I/O (verifiable under --network none); no mutation of inputs (read-only).
    Non-promises: not a Compose schema validator; not a runtime/image scanner; not exhaustive (rules cover known patterns from OWASP/CIS/Docker docs).
    How to verify each claim (concrete commands).
    .github/SECURITY.md header now links to docs/ASSURANCE.md and docs/SECURITY-EXPECTATIONS.md. The trio of SECURITY.md (vuln-reporting policy) + ASSURANCE.md (formal assurance case) + SECURITY-EXPECTATIONS.md (user-facing promises) covers the criterion comprehensively.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe mwongozo wa "kuanza haraka" kwa watumiaji wapya kuwasaidia kufanya kitu haraka na programu. (URL inahitajika) [documentation_quick_start]
    Wazo ni kuonyesha watumiaji jinsi ya kuanza na kufanya programu ifanye chochote. Hii ni muhimu sana kwa watumiaji watarajiwa kuanza.

    URL: https://github.com/tmatens/compose-lint/blob/main/docs/SECURITY-EXPECTATIONS.md

    Justification: docs/SECURITY-EXPECTATIONS.md is the user-facing "what compose-lint will and will not do in security terms" document. It enumerates explicit promises (will not execute YAML contents — SafeLoader only, no eval/exec/subprocess against parsed values; will not connect to the network — verifiable under --network none; will not modify your Compose files — read-only) and explicit non-promises (not a Compose schema validator, not an image/runtime scanner, not exhaustive — rules cover known patterns from OWASP/CIS/Docker docs), with concrete commands to verify each claim. The trio of .github/SECURITY.md (vuln-reporting policy) + docs/ASSURANCE.md (formal assurance case) + docs/SECURITY-EXPECTATIONS.md (user-facing promises) is cross-linked from the SECURITY.md header.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ufanye jitihada ya kuweka nyaraka kulingana na toleo la sasa la matokeo ya mradi (ikiwa ni pamoja na programu inayozalishwa na mradi). Kasoro yoyote inayojulikana ya nyaraka inayofanya isilingane LAZIMA irekebishwe. Ikiwa nyaraka kwa ujumla ni za sasa, lakini kwa makosa inajumuisha baadhi ya maelezo ya zamani ambayo sio ya kweli tena, ichukue tu kama kasoro, kisha ifuatilie na urekebishe kama kawaida. [documentation_current]
    Nyaraka ZINAWEZA kujumuisha habari kuhusu tofauti au mabadiliko kati ya matoleo ya programu na/au kuunganisha kwa matoleo ya zamani ya nyaraka. Kusudi la kigezo hiki ni kwamba jitihada inafanywa ili kuweka nyaraka kulingana, siyo kwamba nyaraka lazima ziwe kamili.

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/workflows/ci.yml

    Justification: Documentation currency is enforced by CI rather than by convention. The version-consistency job in ci.yml asserts that pyproject.toml and src/compose_lint/init.py declare the same version. The changelog-gate job asserts that CHANGELOG.md has a section for the version being released. docs/RELEASING.md lists every documentation surface (README copy-paste pins, action SHA pins, marketplace pin, CHANGELOG) that must move with a release; recent merge history (commits 4473fd3, 447c416, 23da963) shows those pins bumped in lockstep with each release.


    Ya kutosha kwa nishani!

    Ukurasa wa mbele wa hifadhi ya mradi na/au tovuti LAZIMA utambulishe na kuunganisha kiungo kwa mafanikio yoyote, ikiwa ni pamoja na nishani hii ya mazoea bora, ndani ya masaa 48 ya kutambua hadharani kwamba ufanikio umepatikana. (URL inahitajika) [documentation_achievements]
    Ufanikio ni seti yoyote ya vigezo vya nje ambavyo mradi umefanya kazi mahususi kukidhi, ikiwa ni pamoja na nishani fulani. Habari hii haihitaji kuwa kwenye ukurasa wa mbele wa tovuti ya mradi. Mradi unaotumia GitHub unaweza kuweka mafanikio kwenye ukurasa wa mbele wa hifadhi kwa kuyaongeza kwenye faili ya README.

    URL: https://github.com/tmatens/compose-lint#compose-lint

    Justification: The README header carries badges that hyperlink to every active achievement: CI status, PyPI version, Docker Hub presence, supported Python versions, MIT license, OpenSSF Scorecard, OpenSSF Best Practices Baseline level 2, and the OpenSSF Best Practices badge for this project (12472). Each badge links to the source of truth (the corresponding GitHub Actions workflow, the PyPI page, the Scorecard viewer, or the bestpractices.dev project page).


  • Ufikiaji na kimataifa


    Ya kutosha kwa nishani!

    Mradi (tovuti zote za mradi na matokeo ya mradi) INAPASWA kufuata mazoea bora ya ufikiaji ili watu wenye ulemavu bado waweze kushiriki katika mradi na kutumia matokeo ya mradi ambapo ni busara kufanya hivyo. [accessibility_best_practices]
    Kwa programu za wavuti, angalia Miongozo ya Ufikiaji wa Maudhui ya Wavuti (WCAG 2.0) na hati yake inayosaidia Kuelewa WCAG 2.0; angalia pia habari za ufikiaji za W3C. Kwa programu za GUI, zingatia kutumia miongozo ya ufikiaji ya mazingira maalum (kama vile Gnome, KDE, XFCE, Android, iOS, Mac, na Windows). Baadhi ya programu za TUI (k.m., programu za `ncurses`) zinaweza kufanya mambo fulani ili kuzifanya kufikika zaidi (kama mpangilio wa `force-arrow-cursor` wa `alpine`). Programu nyingi za mstari wa amri zinafikika vizuri kama zilivyo. Kigezo hiki mara nyingi ni N/A, k.m., kwa maktaba za programu. Hapa kuna baadhi ya mifano ya hatua za kuchukua au masuala ya kuzingatia:
    • Toa mbadala za maandishi kwa maudhui yoyote yasiyo ya maandishi ili yaweze kubadilishwa kuwa aina nyingine watu wanahitaji, kama vile chapa kubwa, braille, hotuba, alama au lugha rahisi zaidi ( mwongozo wa WCAG 2.0 1.1)
    • Rangi haitumiwi kama njia pekee ya kuona ya kuwasilisha habari, kuashiria kitendo, kuchochea jibu, au kutofautisha kipengele cha kuona. ( mwongozo wa WCAG 2.0 1.4.1)
    • Uwasilishaji wa kuona wa maandishi na picha za maandishi una uwiano wa tofauti wa angalau 4.5:1, isipokuwa kwa maandishi makubwa, maandishi ya bahati mbaya, na nembo ( mwongozo wa WCAG 2.0 1.4.3)
    • Fanya kazi zote zipatikane kutoka kwenye kibodi (mwongozo wa WCAG 2.1)
    • Mradi wa GUI au wa wavuti INAPASWA kupima na angalau kipaza sauti kimoja cha skrini kwenye jukwaa la lengo (k.m., NVDA, Jaws, au WindowEyes kwenye Windows; VoiceOver kwenye Mac & iOS; Orca kwenye Linux/BSD; TalkBack kwenye Android). Programu za TUI ZINAWEZA kufanya kazi kupunguza uchanganyiko wa ziada ili kuzuia usomaji wa ziada na vipaza sauti vya skrini.

    Justification: compose-lint is a command-line tool with no GUI, no web frontend, and no user-facing visual interface. Output is plain ASCII text (text mode), JSON (machine-readable), or SARIF (consumable by GitHub Code Scanning, which carries its own accessibility testing). The CLI emits ANSI color only when stdout is detected as a TTY (auto-disables when piped or redirected), so screen-reader users never receive escape sequences. There is no accessibility surface to test against and no FLOSS accessibility-best-practices framework that applies.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kuwa kimataifa ili kuwezesha upatanifu wa lugha wa rahisi kwa utamaduni, eneo, au lugha ya hadhira lengo. Ikiwa kimataifa (i18n) haihusiki (k.m., programu haizalishi maandishi yanayokusudiwa kwa watumiaji wa mwisho na haipangi maandishi yanayosomeka na binadamu), chagua "haihusiki" (N/A). [internationalization]
    Upatanifu wa lugha "unarejelea upatanifu wa bidhaa, programu au maudhui ya hati ili kukidhi lugha, utamaduni na mahitaji mengine ya soko mahususi la lengo (eneo)." Kimataifa ni "muundo na maendeleo ya bidhaa, programu au maudhui ya hati ambayo huwezesha upatanifu wa lugha wa rahisi kwa hadhira lengo zinazotofautiana katika utamaduni, eneo, au lugha." (Ona "Upatanifu wa Lugha dhidi ya Kimataifa" ya W3C.) Programu inakidhi kigezo hiki kwa kuwa kimataifa tu. Hakuna upatanifu wa lugha kwa lugha nyingine mahususi unaohitajika, kwa kuwa mara tu programu imekuwa kimataifa inawezekana kwa wengine kufanya kazi kwenye upatanifu wa lugha.

    Justification: compose-lint targets developers reading technical findings whose authoritative grounding (OWASP Docker Security Cheat Sheet, CIS Docker Benchmark, Docker official documentation) is published exclusively in English. Localizing rule descriptions, fix guidance, and the references they cite would require translating the upstream sources, which is out of project scope. The tool emits no end-user-facing prose beyond rule findings.


  • Mengine


    Ya kutosha kwa nishani!

    Ikiwa tovuti za mradi (tovuti, hifadhi, na URL za kupakua) zinahifadhi nywila kwa ajili ya uthibitishaji wa watumiaji wa nje, nywila LAZIMA zihifadhiwe kama mificho iliyorudiwa na chumvi kwa-mtumiaji kwa kutumia kanuni ya upanuaji (iliyorudiarudia) wa funguo (k.m., Argon2id, Bcrypt, Scrypt, au PBKDF2). Ikiwa tovuti za mradi hazihifadhi nywila kwa kusudi hili, chagua "haihusiki" (N/A). [sites_password_security]
    Kumbuka kwamba matumizi ya GitHub yanakidhi kigezo hiki. Kigezo hiki kinatumika tu kwa nywila zinazotumika kwa ajili ya uthibitishaji wa watumiaji wa nje kwenye tovuti za mradi (pia inaitwa uthibitishaji wa ndani). Ikiwa tovuti za mradi lazima ziingie kwenye tovuti zingine (pia inaitwa uthibitishaji wa nje), zinaweza kuhitaji kuhifadhi ishara za uidhinishaji kwa kusudi hilo kwa njia tofauti (kwa kuwa kuhifadhi mficho hakuna maana). Hii inatumia kigezo cha crypto_password_storage kwa tovuti za mradi, sawa na sites_https.

    Justification: The project hosts no sites that store user passwords. Project presence is GitHub (https://github.com/tmatens/compose-lint), PyPI (https://pypi.org/project/compose-lint/), and Docker Hub (https://hub.docker.com/r/composelint/compose-lint) — every authentication surface is delegated to those parent platforms.


 Udhibiti wa Mabadiliko 1/1

  • Matoleo ya awali


    Ya kutosha kwa nishani!

    Mradi LAZIMA utunze matoleo ya zamani yaliyotumika mara nyingi ya bidhaa au kutoa njia ya usasishaji kwa matoleo mapya. Ikiwa njia ya usasishaji ni ngumu, mradi LAZIMA uandike jinsi ya kufanya usasishaji (k.m., violesura vilivyobadilika na hatua zilizoanishwa kwa undani ili kusaidia usasishaji). [maintenance_or_update]

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/SECURITY.md#supported-versions

    Justification: .github/SECURITY.md §"Supported Versions" states: "Only the latest minor release receives security fixes." Pre-1.0 SemVer rules are documented in docs/RELEASING.md (PATCH = bug fixes only; MINOR = additive changes plus new rules at non-CRITICAL severity; MAJOR = breaking changes). The upgrade path is pip install --upgrade compose-lint (PyPI) or pulling the new tag from composelint/compose-lint (Docker Hub). Every release ships a CHANGELOG entry calling out anything that changes findings (rule additions, severity adjustments, parser fixes), so users can plan upgrades against a stable contract.


 Kuripoti 3/3

  • Mchakato wa kuripoti hitilafu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie kifuatiliaji cha masuala kwa ajili ya kufuatilia masuala ya mtu binafsi. [report_tracker]

    The project uses GitHub Issues as its public issue tracker for bug reports and feature requests. The tracker is linked from README.md, CONTRIBUTING.md, and the PyPI project page.


  • Mchakato wa kuripoti udhaifu


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe sifa kwa waripoti wa ripoti zote za udhaifu zilizotatuliwa katika miezi 12 iliyopita, isipokuwa kwa waripoti wanaoomba kutojulikana. Ikiwa hakuna udhaifu uliotatuliwa katika miezi 12 iliyopita, chagua "haihusiki" (N/A). (URL inahitajika) [vulnerability_report_credit]

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/SECURITY.md

    Justification: .github/SECURITY.md documents the process end-to-end. Reports are filed privately via GitHub Security Advisories at https://github.com/tmatens/compose-lint/security/advisories/new (public issues are explicitly disallowed for vulnerabilities). The maintainer commits to a 7-day acknowledgement SLA, then fix coordination and advisory publication with credit. Scope (in-scope: code execution / info disclosure via crafted Compose, supply-chain tampering, exploitable vulnerable dependencies; out-of-scope: rule false positives/negatives, vulnerable test fixtures) is defined explicitly. CONTRIBUTING.md §"Maintainers" reaffirms the 7-day security-ack SLA.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na mchakato ulioandikwa kwa ajili ya kujibu ripoti za udhaifu. (URL inahitajika) [vulnerability_response_process]
    Hii ina uhusiano mkubwa na vulnerability_report_process, ambayo inahitaji kuwa kuna njia iliyoandikwa ya kuripoti udhaifu. Pia inahusiana na vulnerability_report_response, ambayo inahitaji majibu kwa ripoti za udhaifu ndani ya kipindi fulani cha muda.

    SECURITY.md documents the CVD process: private reporting via GitHub Security Advisories, acknowledgement within 7 days, coordinated fix and advisory publication with credit. See https://github.com/tmatens/compose-lint/blob/main/SECURITY.md [osps_vm_01_01]


 Ubora 19/19

  • Viwango vya msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utambulishe miongozo mahususi ya mtindo wa kuandika msimbo kwa lugha kuu inazotumia, na uhitaji kwamba michango kwa ujumla ikidhi. (URL inahitajika) [coding_standards]
    Katika hali nyingi hii inafanywa kwa kurejelea baadhi ya miongozo ya mtindo iliyopo, huenda ikiorodhesha tofauti. Miongozo hii ya mtindo inaweza kujumuisha njia za kuboresha usomaji na njia za kupunguza uwezekano wa kasoro (ikiwa ni pamoja na udhaifu). Lugha nyingi za programu zina miongozo moja au zaidi ya mtindo inayotumika sana. Mifano ya miongozo ya mtindo ni pamoja na miongozo ya mtindo ya Google na Viwango vya Kuandika Msimbo wa SEI CERT.

    URL: https://github.com/tmatens/compose-lint/blob/main/pyproject.toml

    Justification: The primary language is Python 3.10+. pyproject.toml [tool.ruff.lint] selects the active rule families: PEP 8 (E, W), pyflakes (F), isort (I), pyupgrade (UP), bugbear (B), simplify (SIM), and flake8-type-checking (TCH). pyproject.toml [tool.mypy] sets strict = true. target-version = "py310". Formatting is ruff format (Black-compatible). CONTRIBUTING.md §"Code standards" enumerates the additional contributor-facing rules (Python 3.10+ stdlib only, type annotations on all public functions, plain Python types in rule code, latest stable for new dependencies).


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kiotomatiki mtindo wake wa kuandika msimbo uliochaguliwa ikiwa kuna angalau zana moja ya FLOSS inayoweza kufanya hivyo katika lugha zilizochaguliwa. [coding_standards_enforced]
    Hii INAWEZA kutekelezwa kwa kutumia zana za uchambuzi mkako na/au kwa kulazimisha msimbo kupitia vifaa vya kurekebisha msimbo. Katika hali nyingi usanidi wa zana umejumuishwa katika hifadhi ya mradi (kwa kuwa miradi tofauti inaweza kuchagua usanidi tofauti). Miradi INAWEZA kuruhusu vighairi vya mtindo (na kwa kawaida itaruhusu); ambapo vighairi vinatokea, LAZIMA viwe nadra na viandikwe katika msimbo katika maeneo yao, ili vighairi hivi viweze kukaguliwa na ili zana ziweze kuzishughulikia kiotomatiki baadaye. Mifano ya zana kama hizo ni pamoja na ESLint (JavaScript), Rubocop (Ruby), na devtools check (R).

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/workflows/ci.yml

    Justification: Every standard above is enforced by CI on every push and pull request to main:

    lint job: ruff check src/ tests/ and ruff format --check src/ tests/.
    type-check job: mypy src/ (strict).
    test matrix: pytest on Python 3.10, 3.11, 3.12, 3.13, 3.14.
    coverage job: pytest --cov=compose_lint --cov-fail-under=80. Locally, the pre-push hook in .githooks/ blocks unsigned commits before they reach origin. Required-status-checks on main block merges if any CI gate fails.


  • Mfumo wa ujenzi unaofanya kazi


    Ya kutosha kwa nishani!

    Mifumo ya kujenga kwa binari za asili LAZIMA iheshimu vigezo (vya mazingira) vya mkusanyaji na vya kiunganishi vilivyopitishwa kwao (k.m., CC, CFLAGS, CXX, CXXFLAGS, na LDFLAGS) na kuvipitisha kwenye viito vya mkusanyaji na vya kiunganishi. Mfumo wa kujenga UNAWEZA kuvipanua na bendera za ziada; LAZIMA USIBADILISHE thamani zilizotolewa na zake mwenyewe. Ikiwa hakuna binari za asili zinazozalishwa, chagua "haihusiki" (N/A). [build_standard_variables]
    Inapaswa kuwa rahisi kuwezesha vipengele maalum vya kujenga kama Address Sanitizer (ASAN), au kutii mazoea bora ya ugumu wa usambazaji (k.m., kwa kuwezesha kwa urahisi bendera za mkusanyaji kufanya hivyo).

    Justification: compose-lint is pure Python; no native binaries are built. The Hatchling build backend produces a py3-none-any wheel. There are no compiler or linker invocations to honor CC/CFLAGS/etc.


    Ya kutosha kwa nishani!

    Mfumo wa kujenga na usakinishaji UNAPASWA kuhifadhi taarifa za utatuzi ikiwa zimeombwa katika bendera husika (k.m., "install -s" haitumiwa). Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_preserve_debug]
    K.m., kuweka CFLAGS (C) au CXXFLAGS (C++) inapaswa kuunda taarifa husika za utatuzi ikiwa lugha hizo zinatumika, na hazipaswi kuondolewa wakati wa usakinishaji. Taarifa za utatuzi zinahitajika kwa msaada na uchambuzi, na pia ni muhimu kwa kupima uwepo wa vipengele vya ugumu katika binari zilizokusanywa.

    Justification: There is no compiler/linker step. Python source ships verbatim inside the wheel, so debugging information (source line numbers, identifiers) is inherently preserved.


    Ya kutosha kwa nishani!

    Mfumo wa kujenga kwa programu iliyozalishwa na mradi LAZIMA USIJENGA kwa njia ya kujirudia saraka ndogo ikiwa kuna utegemezi wa kukatana katika saraka ndogo. Ikiwa hakuna mfumo wa kujenga au usakinishaji (k.m., maktaba za kawaida za JavaScript), chagua "haihusiki" (N/A). [build_non_recursive]
    Taarifa ya utegemezi wa ndani ya mfumo wa kujenga wa mradi inahitaji kuwa sahihi, vinginevyo, mabadiliko ya mradi huenda yasijenge vizuri. Mijengo isiyo sahihi inaweza kusababisha kasoro (ikiwa ni pamoja na udhaifu). Kosa la kawaida katika mifumo mikubwa ya kujenga ni kutumia "ujenzi wa kujirudia" au "make ya kujirudia", yaani, mlingano wa saraka ndogo zinazojumuisha faili za chanzo, ambapo kila saraka ndogo inajengwa kwa uhuru. Isipokuwa kila saraka ndogo ni huru kabisa, hii ni kosa, kwa sababu taarifa ya utegemezi si sahihi.

    Justification: Hatchling traverses a single source tree (src/compose_lint/) to produce the wheel. There is no recursive Make, no sub-builds, and therefore no cross-dependency hazard.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweze kurudia mchakato wa kuzalisha taarifa kutoka faili za chanzo na kupata matokeo sawa ya biti-kwa-biti. Ikiwa hakuna ujenzi unaofanyika (k.m., lugha za uandishi ambapo msimbo wa chanzo unatumika moja kwa moja badala ya kukusanywa), chagua "haihusiki" (N/A). [build_repeatable]
    Watumiaji wa GCC na clang wanaweza kupata chaguo la -frandom-seed kuwa na manufaa; katika hali fulani, hii inaweza kutatuliwa kwa kulazimisha aina fulani ya mpangilio. Mapendekezo zaidi yanaweza kupatikana kwenye tovuti ya ujenzi unaorudiwa.

    URL: https://github.com/tmatens/compose-lint/blob/main/docs/RELEASING.md

    Justification:

    Hatchling produces deterministic wheels (declared input file lists, sorted output).
    PyPI publishes happen via Trusted Publishing (OIDC) with Sigstore build attestations attached to every release — anyone can independently verify provenance.
    Every CI install uses pip install --require-hashes -r requirements.lock (or requirements-dev.lock / requirements-build.lock); the lockfiles are regenerated reproducibly using the documented uv pip compile --generate-hashes invocations in AGENTS.md §"Regenerating lockfiles".
    Every GitHub Actions uses: reference is SHA-pinned with the tag in a trailing comment (Renovate manages the bumps).
    Docker base image is digest-pinned to the OCI manifest-list digest.


  • Mfumo wa usakinishaji


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia ya kusakinisha na kuondoa kwa urahisi programu iliyozalishwa na mradi kwa kutumia mkataba unaotumika sana. [installation_common]
    Mifano ni pamoja na kutumia meneja wa kifurushi (kwa mfumo au kiwango cha lugha), "make install/uninstall" (inasaidia DESTDIR), chombo katika muundo wa kawaida, au picha ya mashine pepe katika muundo wa kawaida. Mchakato wa usakinishaji na uondoaji (k.m., kifurushi chake) UNAWEZA kutekelezwa na mtu wa tatu mradi tu ni FLOSS.

    URL: https://github.com/tmatens/compose-lint#installation

    Justification: README.md §"Installation" documents multiple install paths, all using widely-recognized conventions:

    pip install compose-lint (uninstall: pip uninstall compose-lint).
    docker run --rm -v "$(pwd):/src" composelint/compose-lint (the published image is multi-arch, distroless, nonroot).
    pre-commit hook (.pre-commit-hooks.yaml exposes the compose-lint ID for repos: use).
    GitHub Action (uses: tmatens/compose-lint@v0.7.0).


    Ya kutosha kwa nishani!

    Mfumo wa usakinishaji kwa watumiaji wa mwisho LAZIMA uheshimu mkataba wa kawaida kwa kuchagua eneo ambapo vitu vilivyojengwa vinaandikwa kwa wakati wa usakinishaji. Kwa mfano, ikiwa inasakinisha faili kwenye mfumo wa POSIX lazima iheshimu kigezo cha mazingira cha DESTDIR. Ikiwa hakuna mfumo wa usakinishaji au hakuna mkataba wa kawaida, chagua "haihusiki" (N/A). [installation_standard_variables]

    URL: https://github.com/tmatens/compose-lint/blob/main/pyproject.toml

    Justification: pip honors PEP 517 / PEP 668 conventions for install location (system, virtual environment, --user, pipx). The [project.scripts] entry in pyproject.toml — compose-lint = "compose_lint.cli:main" — installs the launcher to the standard bin/ of whatever environment pip is operating against. There is no custom prefix logic, no out-of-tree install hooks, no override of the standard build/install backend.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe njia kwa wasanidi programu wanaoweza kusakinisha haraka matokeo yote ya mradi na mazingira ya msaada yanayohitajika kufanya mabadiliko, ikiwa ni pamoja na majaribio na mazingira ya majaribio. Hii LAZIMA ifanywe kwa kutumia mkataba unaotumika sana. [installation_development_quick]
    Hii INAWEZA kutekelezwa kwa kutumia chombo kilichozalishwa na/au hati za usakinishaji. Utegemezi wa nje kwa kawaida utasakinishwa kwa kuita mfumo na/au meneja wa kifurushi cha lugha, kwa external_dependencies.

    CONTRIBUTING.md "Development setup" documents the full build procedure (Python ≥3.10, virtualenv, editable install with dev extras). pyproject.toml declares build-system requirements. See https://github.com/tmatens/compose-lint/blob/main/CONTRIBUTING.md#development-setup [osps_do_07_01]


  • Vipengee vilivyotunzwa nje


    Ya kutosha kwa nishani!

    Mradi LAZIMA uorodheshe utegemezi wa nje kwa njia inayoweza kuchakatwa na kompyuta. (URL inahitajika) [external_dependencies]
    Kwa kawaida hii inafanywa kwa kutumia mkataba wa meneja wa kifurushi na/au mfumo wa ujenzi. Kumbuka kwamba hii inasaidia kutekeleza installation_development_quick.

    Dependencies are ingested via pip with hash-pinned lockfiles (requirements.lock, requirements-dev.lock, requirements-build.lock) generated by uv pip compile. CI installs use pip install --require-hashes. GitHub Actions are SHA-pinned. See https://github.com/tmatens/compose-lint/blob/main/CLAUDE.md#dependency-pinning [osps_br_05_01]


    Ya kutosha kwa nishani!

    Miradi LAZIMA ifuatilie au kwa muda mrefu iangalie utegemezi wao wa nje (ikiwa ni pamoja na nakala za urahisi) kugundua udhaifu unaojulikana, na kurekebisha udhaifu unaoweza kutumiwa vibaya au kuthibitisha kuwa hauwezi kutumiwa vibaya. [dependency_monitoring]
    Hii inaweza kufanywa kwa kutumia zana ya kichambua chanzo / zana ya kuangalia utegemezi / zana ya uchambuzi wa muundo wa programu kama OWASP's Dependency-Check, Sonatype's Nexus Auditor, Synopsys' Black Duck Software Composition Analysis, na Bundler-audit (kwa Ruby). Baadhi ya waendesha kifurushi wanajumuisha taratibu za kufanya hii. Ni kubaliwa ikiwa udhaifu wa vipengele hauwezi kutumiwa vibaya, lakini uchambuzi huu ni mgumu na wakati mwingine ni rahisi kusasisha au kurekebisha sehemu.

    URL: https://github.com/tmatens/compose-lint/tree/main/.github/workflows

    Justification: Multiple layers of dependency monitoring run continuously:

    Renovate (.github/renovate.json) opens dep-bump PRs weekly across runtime deps, dev tooling, GitHub Actions SHA pins, and Docker base image digests.
    pip-audit runs in the security job of ci.yml on every push and PR (reports all severities; gating reserved for critical).
    Bandit runs in the same job for Python source-level vulnerability patterns.
    CodeQL (.github/workflows/codeql.yml) runs on every push/PR and weekly on schedule.
    OpenSSF Scorecard (.github/workflows/scorecard.yml) runs weekly and publishes SARIF.
    Docker Scout (.github/workflows/scout-scan.yml) scans the published image; .vex/ ships OpenVEX statements for downstream consumers.
    ClusterFuzzLite (.clusterfuzzlite/, fuzz/fuzz_compose.py) fuzzes the parser on every PR.


    Ya kutosha kwa nishani!

    Mradi LAZIMA au:
    1. fanya iwe rahisi kutambua na kusasisha vipengele vinavyotumiwa tena vilivyotunzwa nje; au
    2. tumia vipengele vya kawaida vinavyotolewa na mfumo au lugha ya programu.
    Kisha, ikiwa udhaifu unapatikana katika kipengele kilichotumiwa tena, itakuwa rahisi kusasisha kipengele hicho. [updateable_reused_components]
    Njia ya kawaida ya kutimiza kigezo hiki ni kutumia mifumo ya usimamizi wa kifurushi ya mfumo na lugha ya programu. Programu nyingi za FLOSS zinasambazwa na "maktaba za urahisi" ambazo ni nakala za ndani za maktaba za kawaida (labda zilizoachana). Kwa yenyewe, hiyo ni sawa. Hata hivyo, ikiwa programu *lazima* itumie nakala hizi za ndani (zilizoachanishwa), basi kusasisha maktaba za "kawaida" kama sasisho la usalama litaacha nakala hizi za ziada bado zenye udhaifu. Hii ni suala hasa kwa mifumo ya wingu; ikiwa mtoa huduma ya wingu anasasisha maktaba zao za "kawaida" lakini programu haitazitumia, basi masasisho hayasaidii kweli. Angalia, k.m., "Chromium: Kwa nini bado haiko katika Fedora kama kifurushi sahihi" na Tom Callaway.

    Direct Python dependencies are declared in pyproject.toml (dependencies and the [project.optional-dependencies] table). Fully-resolved hash-pinned lockfiles (requirements.lock, requirements-dev.lock, requirements-build.lock) are committed for reproducible CI installs. See https://github.com/tmatens/compose-lint/blob/main/pyproject.toml [osps_qa_02_01]


    Ya kutosha kwa nishani!

    Mradi UNAPASWA kuepuka kutumia vitendakazi na API zilizokubaliwa kuwa hazitumiki tena au zilizopitwa na wakati ambapo mbadala wa FLOSS zinapatikana katika seti ya teknolojia inayotumia ("kifurushi cha teknolojia" yake) na kwa wengi wa watumiaji ambao mradi unasaidia (ili watumiaji wawe na ufikiaji wa haraka wa mbadala). [interfaces_current]

    URL: https://github.com/tmatens/compose-lint/blob/main/pyproject.toml

    Justification:

    pyproject.toml sets target-version = "py310"; ruff's UP (pyupgrade) rules auto-flag deprecated stdlib idioms (e.g., typing.List → list).
    The CI test matrix runs Python 3.10 through 3.14, so any deprecation surfacing at the latest interpreter fails CI.
    The parser uses yaml.SafeLoader (the safe, current API), never the deprecated yaml.load(..., Loader=...) shape.
    mypy strict catches use of deprecated typing aliases that have moved.


  • Seti ya majaribio otomatiki


    Ya kutosha kwa nishani!

    Seti ya majaribio ya kiotomatiki LAZIMA itumike kwenye kila ukaguzi wa kuingia kwenye hifadhi iliyoshirikiwa kwa angalau tawi moja. Seti hii ya majaribio LAZIMA itoe ripoti ya mafanikio au kushindwa kwa majaribio. [automated_integration_testing]
    Mahitaji haya yanaweza kuonekana kama sehemu ndogo ya test_continuous_integration, lakini yanazingatia majaribio tu, bila kuhitaji uunganisho wa kuendelea.

    CI runs the full pytest suite across Python 3.10–3.14 on every PR via .github/workflows/ci.yml; the aggregate ci-ok check is required by the main branch ruleset, blocking merge unless tests pass. [osps_qa_06_01]


    Ya kutosha kwa nishani!

    Mradi LAZIMA uongeze majaribio ya kurudi nyuma kwa seti ya majaribio ya kiotomatiki kwa angalau 50% ya hitilafu zilizorekebisha ndani ya miezi sita iliyopita. [regression_tests_added50]

    URL: https://github.com/tmatens/compose-lint/blob/main/CONTRIBUTING.md

    Justification: CONTRIBUTING.md §"PR expectations" mandates: "Update tests. New rules need positive and negative tests. Bug fixes need a regression test." Reviewer-enforced; the maintainer rejects bug-fix PRs that don't include the regression test in the same commit. The pull-request template surfaces this expectation at PR-creation time. Bug-fix commits in git log consistently land with their regression test in the same commit, comfortably exceeding the 50% threshold.


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na seti ya majaribio ya kiotomatiki ya FLOSS inayotoa angalau 80% ya usakinishaji wa taarifa ikiwa kuna angalau zana moja ya FLOSS inayoweza kupima kigezo hiki katika lugha iliyochaguliwa. [test_statement_coverage80]
    Zana nyingi za FLOSS zinapatikana kupima usakinishaji wa majaribio, ikiwa ni pamoja na gcov/lcov, Blanket.js, Istanbul, JCov, na covr (R). Kumbuka kwamba kutimiza kigezo hiki sio uhakika kwamba seti ya majaribio ni ya kina, badala yake, kushindwa kutimiza kigezo hiki ni kiashiria kizito cha seti ya majaribio mbaya.

    URL: https://github.com/tmatens/compose-lint/blob/main/.github/workflows/ci.yml

    Justification: Statement coverage is measured in CI on every push and PR and gated at ≥80%:

    pyproject.toml adds pytest-cov==7.1.0 to the [dev] extras and configures [tool.coverage.run] (source = compose_lint, statement coverage, parallel = true) plus [tool.coverage.report] (fail_under = 80, show_missing, sensible excludes for TYPE_CHECKING / NotImplementedError / # pragma: no cover).
    The coverage job in .github/workflows/ci.yml runs pytest --cov=compose_lint --cov-report=term-missing --cov-fail-under=80 on Python 3.13. The threshold is duplicated at the workflow level so a config drift cannot silently lower it. The job is in the ci-ok rollup so branch protection enforces it.
    A subprocess-coverage shim (coverage_subprocess.pth + COVERAGE_PROCESS_START) ensures coverage measures the python -m compose_lint subprocesses spawned by test_cli.py and test_integration.py. Measured statement coverage on Linux CI is approximately 93%.
    CONTRIBUTING.md §"Local quality checks" documents the local coverage command for contributors.


  • Upimaji wa utendaji mpya


    Ya kutosha kwa nishani!

    Mradi LAZIMA uwe na sera rasmi iliyoandikwa kwamba kadri utendakazi mkubwa mpya unaongezwa, majaribio ya utendakazi mpya LAZIMA yaongezwe kwenye seti ya majaribio ya kiotomatiki. [test_policy_mandated]

    URL: https://github.com/tmatens/compose-lint/blob/main/CONTRIBUTING.md

    Justification: CONTRIBUTING.md §"Adding a new rule" lists the test obligation as step 5 of the new-rule checklist: "Add test file tests/test_CL{NNNN}.py with both positive (triggers) and negative (clean) cases. Negative cases must include at least one hardened-but-unusual configuration the rule must not flag." §"PR expectations" generalizes the rule: tests required for new functionality, regression tests required for bug fixes. The PR template links back to CONTRIBUTING.md so contributors see the policy at PR-creation time.


    Ya kutosha kwa nishani!

    Mradi LAZIMA ujumuishe, katika maelekezo yake yaliyoandikwa kwa mapendekezo ya mabadiliko, sera kwamba majaribio yataongezwa kwa utendakazi mkubwa mpya. [tests_documented_added]
    Hata hivyo, hata sheria isiyo rasmi inakubaliwa mradi majaribio yaongezwe kimakosa.

    Documented in CONTRIBUTING.md §"Adding a new rule" (test file is step 5 of the checklist) and §"PR expectations" ("Update tests. New rules need positive and negative tests. Bug fixes need a regression test."). The PR template links back to CONTRIBUTING.md.


  • Bendera za maonyo


    Ya kutosha kwa nishani!

    Miradi LAZIMA iwe na ukali wa juu zaidi na maonyo katika programu iliyozalishwa na mradi, iwezekanavyo vitendo. [warnings_strict]
    Baadhi ya maonyo hayawezi kuwashwa kwa ufanisi kwenye miradi fulani. Kinachohitajika ni ushahidi kwamba mradi unajitahidi kuwasha bendera za onyo ambapo inaweza, ili makosa yagundulika mapema.

    mypy runs with strict = true (the maximum setting: enables all optional strict flags). ruff selects broad rule families including B (bugbear correctness checks) and UP (pyupgrade modernization) in addition to the defaults. Formatting drift is also an error (ruff format --check).


 Usalama 13/13

  • Maarifa ya maendeleo yenye usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA utekeleze kanuni za muundo salama (kutoka "know_secure_design"), pale inapohusika. Ikiwa mradi hauzalishi programu, chagua "haihusiki" (N/A). [implement_secure_design]
    Kwa mfano, matokeo ya mradi yanapaswa kuwa na mipangilio salama ya kuzuia makosa (maamuzi ya ufikiaji yanapaswa kukataa kwa chaguo-msingi, na usakinishaji wa mradi unapaswa kuwa salama kwa chaguo-msingi). Pia yanapaswa kuwa na kikuu cha kati kikamilifu (kila ufikiaji ambao unaweza kuwekwa kikomo lazima ufanyiwe ukaguzi wa mamlaka na usiweze kuvukwa). Kumbuka kwamba katika hali fulani kanuni zitagombana, na katika hali hiyo chaguo lazima lifanywe (k.m., taratibu nyingi zinaweza kufanya mambo kuwa magumu zaidi, kukiuka "uchumi wa utaratibu" / iweke rahisi).

    Secure design principles applied throughout:

    Least privilege: single runtime dep (PyYAML); CI workflows declare permissions: {} deny-all and per-job least-privilege scopes; published Docker image is distroless, runs as nonroot uid 65532, drops all capabilities by documented invocation.
    Input validation: LineLoader(yaml.SafeLoader) — never yaml.load() — rejects malformed/unsafe YAML and Python-object tags. Engine validates that services: exists and is a mapping (ADR-013). Rules receive plain Python primitives; parser-specific types never leak into rule code.
    Fail-secure: usage errors and parse failures exit 2 (distinct from "findings present" exit 1). Default --fail-on=HIGH errs on the side of breaking the build.
    Defense in depth: mypy strict + ruff B (bugbear) + Bandit + CodeQL + ClusterFuzzLite fuzzing + pip-audit + Scorecard, layered.
    Secure defaults: pre-commit hook fails closed; GitHub Action runs without arguments and lints repository defaults; Docker image entrypoint is the linter (no shell).
    Supply-chain security: Trusted Publishing (no long-lived PyPI tokens), Sigstore attestations, hash-pinned lockfiles, SHA-pinned actions, signed git tags, OIDC for Docker Hub.
    References: README §"Security posture", SECURITY.md §"Supply Chain", docs/adr/003-yaml-parsing.md, docs/adr/006-exit-codes.md, docs/adr/009-runtime-base-image.md.


  • Tumia mazoea mazuri ya msingi ya usimbuaji

    Kumbuka kwamba programu fulani haihitaji kutumia taratibu za usimbuaji. Ikiwa mradi wako unazalisha programu ambayo (1) inajumuisha, inaamilisha, au inafanya usimbuaji kuwa hai, na (2) inaweza kutolewa kutoka Marekani (US) kwenda nje ya Marekani au kwa raia asiye wa Marekani, inaweza kuwa ni lazima kisheria kuchukua hatua chache za ziada. Kawaida hii inahusisha tu kutuma barua pepe. Kwa maelezo zaidi, tazama sehemu ya usimbuaji ya Kuelewa Teknolojia ya Chanzo Wazi & Udhibiti wa Usafirishaji wa Marekani.

    Ya kutosha kwa nishani!

    Mifumo ya usalama ya chaguo-msingi ndani ya programu inayozalishwa na mradi LAZIMA ISITEGEMEE algoriti za kriptologia au hali zenye udhaifu mkubwa unaojulikana (k.m., algoriti ya hash ya kriptologia ya SHA-1 au hali ya CBC katika SSH). [crypto_weaknesses]
    Wasiwasi kuhusu hali ya CBC katika SSH unajadiliwa katika CERT: SSH CBC vulnerability.

    N/A — compose-lint is a static Docker Compose linter. The software produced implements no cryptographic protocols, algorithms, password storage, or key/nonce generation. Sole runtime dependency is PyYAML.


    Ya kutosha kwa nishani!

    Mradi INAPASWA kusaidia algoriti nyingi za kriptologia, ili watumiaji waweze kubadilisha haraka ikiwa moja imevunjwa. Algoriti za kawaida za funguo za simetria ni pamoja na AES, Twofish, na Serpent. Mbadala wa algoriti za hash za kriptologia za kawaida ni pamoja na SHA-2 (ikiwa ni pamoja na SHA-224, SHA-256, SHA-384 NA SHA-512) na SHA-3. [crypto_algorithm_agility]

    compose-lint implements no cryptographic algorithms in its product code. PyYAML, the sole runtime dependency, performs no crypto. Mark N/A.


    Ya kutosha kwa nishani!

    Mradi LAZIMA usaidie kuhifadhi vitambulisho vya uthibitishaji (kama vile nywila na ishara za nguvu) na funguo za kibinafsi za kriptologia katika mafaili ambayo yametengwa na habari nyingine (kama vile mafaili ya usanidi, hifadhidata, na kumbukumbu), na kuruhusu watumiaji kusasisha na kubadilisha bila ukusanyaji upya wa msimbo. Ikiwa mradi haufanyi usindikaji wa vitambulisho vya uthibitishaji na funguo za kibinafsi za kriptologia, chagua "haihusiki" (N/A). [crypto_credential_agility]

    compose-lint implements no cryptographic algorithms in its product code. PyYAML, the sole runtime dependency, performs no crypto. Mark N/A.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA kusaidia itifaki salama kwa mawasiliano yake yote ya mtandao, kama vile SSHv2 au zaidi, TLS1.2 au zaidi (HTTPS), IPsec, SFTP, na SNMPv3. Itifaki zisizo salama kama vile FTP, HTTP, telnet, SSLv3 au mapema zaidi, na SSHv1 ZINAPASWA kuzimwa kwa chaguo-msingi, na kuzimwa tu ikiwa mtumiaji anaisanidi mahususi. Ikiwa programu iliyozalishwa na mradi haiesaidii mawasiliano ya mtandao, chagua "haihusiki" (N/A). [crypto_used_network]

    compose-lint performs no network communication at runtime. The CLI reads files from disk and writes findings to stdout/stderr. Mark N/A.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi INAPASWA, ikiwa inasaidia au inatumia TLS, kusaidia angalau toleo la TLS 1.2. Kumbuka kuwa kilichotangulia TLS kiliitwa SSL. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_tls12]

    No TLS use. Mark N/A.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti cha TLS kwa chaguo-msingi inapotumia TLS, ikiwa ni pamoja na rasilimali ndogo. Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_certificate_verification]
    Kumbuka kuwa uthibitishaji usio sahihi wa cheti cha TLS ni kosa la kawaida. Kwa maelezo zaidi, angalia "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" na Martin Georgiev et al. na "Do you trust this application?" na Michael Catanzaro.

    No TLS use. Mark N/A.


    Ya kutosha kwa nishani!

    Programu iliyozalishwa na mradi LAZIMA, ikiwa inasaidia TLS, ifanye uthibitishaji wa cheti kabla ya kutuma vichwa vya HTTP na habari ya kibinafsi (kama vile vidakuzi salama). Ikiwa programu haitumii TLS, chagua "haihusiki" (N/A). [crypto_verification_private]

    No TLS use. Mark N/A.


  • Kutolewa kwa usalama


    Ya kutosha kwa nishani!

    Mradi LAZIMA uweke saini kwa kriptologia matoleo ya matokeo ya mradi yanayokusudiwa kwa matumizi ya kila mahali, na LAZIMA kuwe na mchakato ulioandikwa unaoweleza watumiaji jinsi wanaweza kupata funguo za umma za saini na kuthibitisha saini. Funguo ya kibinafsi kwa saini hizi LAZIMA ISIWE kwenye tovuti zinazosambaza moja kwa moja programu kwa umma. Ikiwa matoleo hayakusudiwa kwa matumizi ya kila mahali, chagua "haihusiki" (N/A). [signed_releases]
    Matokeo ya mradi ni pamoja na msimbo wa chanzo na matokeo yoyote yaliyozalishwa pale inapohusika (k.m., mifumo inayotekelezeka, vifurushi, na vyombo). Matokeo yaliyozalishwa YANAWEZA kuwekwa saini tofauti na msimbo wa chanzo. Hizi ZINAWEZA kutekelezwa kama lebo za git zilizowekwa saini (kwa kutumia saini za kidijitali za kriptologia). Miradi YAWEZA kutoa matokeo yaliyozalishwa tofauti na zana kama vile git, lakini katika hali hizo, matokeo tofauti LAZIMA yawekwe saini tofauti.

    PyPI releases include Sigstore build attestations generated via Trusted Publishing (OIDC) — each wheel and sdist is accompanied by a signed attestation. Git tags are SSH-signed. Verify via PyPI's attestation viewer or python -m sigstore verify. See https://github.com/tmatens/compose-lint/blob/main/SECURITY.md [osps_br_06_01]


    Ya kutosha kwa nishani!

    INAPENDEKEZWA kuwa katika mfumo wa udhibiti wa toleo, kila lebo muhimu ya toleo (lebo ambayo ni sehemu ya toleo kuu, toleo dogo, au kurekebishwa udhaifu uliotangazwa hadharani) iwekwe saini kwa kriptologia na iweze kuthibitishwa kama ilivyoelezwa katika signed_releases. [version_tags_signed]

    Every release tag is git tag -s SSH-signed annotated. publish.yml verify-tag job now performs three checks (the previously-noted "follow-up" is closed):

    Annotated tag (git cat-file -t returns tag, not commit).
    Reachable from origin/main.
    SSH signature verifies against .github/allowed_signers (added in PR #202; key namespace-scoped to git so it cannot be reused for arbitrary SSH signing if leaked). Pre-flight handles missing/empty allowed_signers with an explicit error pointing at the rotation procedure in GOVERNANCE.md.
    End-to-end provenance chain is now: SSH-verified annotated tag → reachable-from-main → CI build → Sigstore attestation → PyPI / Docker Hub.


  • Masuala mengine ya usalama


    Ya kutosha kwa nishani!

    Matokeo ya mradi LAZIMA yafanye ukaguzi wa pembejeo zote kutoka vyanzo visivyoaminika ili kuhakikisha ni halali (*orodha zinazokubalika*), na kukataa pembejeo zisizo halali, ikiwa kuna vizuizi vyovyote kwenye data kabisa. [input_validation]
    Kumbuka kuwa kulinganisha ingizo dhidi ya orodha ya "miundo mibaya" (aka *orodha za kukataza*) kwa kawaida haitoshi, kwa sababu washambuliaji mara nyingi wanaweza kuepuka orodha ya kukataza. Hasa, nambari zinabadilishwa kuwa miundo ya ndani na kisha kuangaliwa ikiwa ziko kati ya chini na juu zao (ikiwa ni pamoja), na vifungu vya maandishi vinaangaliwa ili kuhakikisha kuwa ni ruwaza halali za maandishi (k.m., UTF-8 halali, urefu, sintaksia, n.k.). Baadhi ya data inaweza kuhitaji kuwa "chochote kabisa" (k.m., kipakia faili), lakini hizi kwa kawaida zingekuwa nadra.

    Parser: LineLoader(yaml.SafeLoader) rejects unsafe YAML constructs (Python-object tags, arbitrary class instantiation). Documented in ADR-003.
    Engine: validates that services: exists and is a mapping; emits a usage error (exit 2) otherwise. ADR-013 covers the missing-services-key handling.
    Rules: receive only plain Python primitives; rule code does not reach back to parser internals.
    Allowlist nature: rules check for known-bad patterns, not arbitrary input shapes; the allowlist for what counts as "valid Compose" is delegated to authoritative Compose schema (the linter is intentionally lenient on schema compliance to focus on security findings — see feedback_scope_security_not_style memory).
    Fuzzing: fuzz/fuzz_compose.py runs continuously via ClusterFuzzLite (.clusterfuzzlite/) on every PR, attacking the parser surface with adversarial input.


    Ya kutosha kwa nishani!

    Taratibu za kuimarisha ZINAPASWA kutumiwa katika programu iliyozalishwa na mradi ili kasoro za programu ziwe na uwezekano mdogo wa kusababisha udhaifu wa usalama. [hardening]
    Taratibu za kuimarisha zinaweza kujumuisha vichwa vya HTTP kama Sera ya Usalama wa Maudhui (CSP), bendera za mkusanyaji ili kupunguza mashambulizi (kama vile -fstack-protector), au bendera za mkusanyaji ili kuondoa tabia isiyofafanuliwa. Kwa madhumuni yetu upendeleo mdogo hauhesabiwi kuwa utaratibu wa kuimarisha (upendeleo mdogo ni muhimu, lakini tofauti).

    Memory-safe language: pure Python. Type system enforcement: mypy --strict in CI. Lint-level hardening: ruff B (bugbear correctness rules), UP (pyupgrade), SIM (simplify), TCH (type-checking) — all run on every PR. Runtime container hardening: published Docker image is distroless, multi-arch, nonroot (uid 65532); README documents the fully-hardened invocation (--read-only --cap-drop ALL --security-opt no-new-privileges:true --network none --user 65532:65532 --pids-limit 256). CI workflow hardening: every workflow declares permissions: {} deny-all at top; jobs request only the scopes they need; every uses: is SHA-pinned with a trailing tag comment. Supply-chain hardening: PyPI Trusted Publishing (no long-lived tokens), hash-pinned lockfiles, signed annotated tags, Sigstore attestations, cosign-signed Docker images.


    Ya kutosha kwa nishani!

    Mradi LAZIMA utoe kesi ya uhakika inayosababisha kwa nini mahitaji yake ya usalama yanakidhi. Kesi ya uhakika LAZIMA ijumuishe: maelezo ya muundo wa tishio, utambulisho wazi wa mipaka ya kuaminiwa, hoja kwamba kanuni za muundo salama zimetumika, na hoja kwamba udhaifu wa kawaida wa utekelezaji wa usalama umekabiliana nao. (URL inahitajika) [assurance_case]
    Kesi ya uhakika ni "mwili wa ushahidi ulioandikwa unaotoa hoja inayoshawishi na halali kwamba seti maalum ya madai muhimu kuhusu mali za mfumo ziko na sababu za kutosha kwa programu maalum katika mazingira maalum" ("Uhakika wa Programu Kwa kutumia Miundo ya Kesi ya Uhakika Iliyopangwa", Thomas Rhodes et al, NIST Interagency Report 7608). Mipaka ya kuaminiwa ni mipaka ambapo data au utekelezaji hubadilisha kiwango chake cha kuaminiwa, k.m., mipaka ya seva katika programu ya kawaida ya wavuti. Ni ya kawaida kuorodhesha kanuni za muundo salama (kama vile Saltzer na Schroeer) na udhaifu wa kawaida wa utekelezaji wa usalama (kama vile OWASP top 10 au CWE/SANS top 25), na kuonyesha jinsi kila moja unavyokabiliana. Kesi ya uhakika ya BadgeApp inaweza kuwa mfano wenye manufaa. Hii inahusiana na documentation_security, documentation_architecture, na implement_secure_design.

    Threat surface assessed and documented across the project: SECURITY.md defines scope and out-of-scope; the architecture is deliberately minimal (PyYAML only runtime dependency, read-only file processing, no network, no eval); adversarial inputs (malformed YAML, billion-laughs-style attacks, crafted anchor/merge chains) are exercised by ClusterFuzzLite continuous fuzzing. Supply-chain surface hardened via Trusted Publishing, Sigstore attestations, signed commits/tags, SHA-pinned actions, hash-pinned lockfiles. See https://github.com/tmatens/compose-lint/blob/main/SECURITY.md [osps_sa_03_01]


 Uchanganuzi 2/2

  • Uchambuzi tuli wa msimbo


    Ya kutosha kwa nishani!

    Mradi LAZIMA utumie angalau zana moja ya uchanganuzi tuli yenye sheria au mbinu za kutafuta udhaifu wa kawaida katika lugha au mazingira yaliyochanganuliwa, ikiwa kuna angalau zana moja ya FLOSS inayoweza kutekeleza kigezo hiki katika lugha iliyochaguliwa. [static_analysis_common_vulnerabilities]
    Zana za uchambuzi tuli ambazo zimeundwa hasa kutafuta udhaifu wa kawaida zina uwezekano mkubwa wa kuzipata. Hata hivyo, kutumia zana zozote za tuli kwa kawaida itasaidia kupata baadhi ya matatizo, kwa hivyo tunashauri lakini hatunahitaji hii kwa kiwango cha nishani ya 'kupita'.

    Bandit and CodeQL both implement vulnerability-pattern rules. Bandit scans for the Python-specific common-weakness patterns (B-series: shell injection, insecure deserialization, weak crypto calls, hardcoded secrets, etc.). CodeQL's default query suite covers OWASP/CWE categories (injection, path traversal, SSRF, XSS).


  • Uchambuzi wa msimbo wa nguvu za ziada


    Ya kutosha kwa nishani!

    Ikiwa programu iliyozalishwa na mradi inajumuisha programu iliyoandikwa kwa kutumia lugha isiyosalama ya kumbukumbu (k.m., C au C++), basi angalau zana moja ya nguvu (k.m., fuzzer au kitafutaji cha programu ya wavuti) LAZIMA itumike kwa kawaida kwa pamoja na utaratibu wa kugundua matatizo ya usalama wa kumbukumbu kama vile uandikaji zaidi wa kipengele. Ikiwa mradi hauzalishi programu iliyoandikwa katika lugha isiyosalama ya kumbukumbu, chagua "haihusiki" (N/A). [dynamic_analysis_unsafe]
    Mifano ya taratibu za kugundua matatizo ya usalama wa kumbukumbu ni pamoja na Address Sanitizer (ASAN) (inapatikana katika GCC na LLVM), Memory Sanitizer, na valgrind. Zana nyingine zinazoweza kutumika ni pamoja na thread sanitizer na undefined behavior sanitizer. Madai ya kila mahali pia yaweza kufanya kazi.

    compose-lint is written in pure Python (a memory-safe language) with PyYAML as the sole runtime dependency. No C/C++/unsafe-Rust code is produced or shipped.



Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua Todd Matens na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: Todd Matens.
Ingizo liliundwa siku 2026-04-12 08:08:52 UTC, iliyosasishwa mara ya mwisho siku 2026-05-03 00:49:57 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-04-19 05:15:06 UTC.