Argentum

Miradi inayofuata mazoea bora hapa chini inaweza kujihakikisha kwa hiari na kuonyesha kuwa wamepata nishani ya mazoea bora ya Open Source Security Foundation (OpenSSF).

Hakuna seti ya mazoea yawezayo kuhakikisha kuwa programu haitakuwa na kasoro au udhaifu; hata mbinu rasmi zinaweza kushindwa ikiwa vipimo au dhana ni sahihi. Wala hakuna seti ya mazoea yawezayo kuhakikisha kuwa mradi utaendelea kuwa na jamii ya maendeleo yenye afya na inayofanya kazi vizuri. Hata hivyo, kufuata mazoea bora kunaweza kusaidia kuboresha matokeo ya miradi. Kwa mfano, baadhi ya mazoea huwezesha ukaguzi wa watu wengi kabla ya kutolewa, ambayo inaweza kusaidia kupata udhaifu wa kiufundi ambao vinginevyo ni vigumu kupata na kusaidia kujenga uaminifu na hamu ya mwingiliano wa kurudia kati ya wasanidi programu kutoka makampuni tofauti. Ili kupata nishani, vigezo vyote vya LAZIMA na LAZIMA WALA USIWAHI lazima vifuatwe, vigezo vyote vya INAPASWA lazima vifuatwe AU visivyo fufufutiliana na thibitisho, na vigezo vyote vya PENDEKEZA lazima vifuatwe AU visivyo fufufutiliana (tunataka vifikiwe angalau). Ikiwa unataka kuingiza maandishi ya thibitisho kama maoni ya jumla, badala ya kuwa maelezo ya busara kwamba hali ni inakubaliwa, anza kifungu cha maandishi na '//' ikifuatiwa na nafasi. Maoni ni karibu kupitia tovuti ya GitHub kama masuala au maombi ya kuvuta Kuna pia orodha ya barua pepe kwa majadiliano ya jumla.

Tunafuraha kutoa habari katika lugha nyingi, hata hivyo, ikiwa kuna mgongano au kutokuwa na usawa kati ya tafsiri, toleo la Kiingereza ni toleo lenye mamlaka.
Ikiwa huu ni mradi wako, tafadhali onyesha hali ya nishani yako ya msingi kwenye ukurasa wa mradi wako! Hali ya nishani ya msingi inaonekana kama hii: Kiwango cha nishani ya msingi kwa mradi 12957 ni baseline-3 Huu ndiyo jinsi ya kuweka nishani ya msingi:
Unaweza kuonyesha hali ya nishani yako ya msingi kwa kuweka hii katika faili yako ya markdown:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12957/baseline)](https://www.bestpractices.dev/projects/12957)
au kwa kuweka hii katika HTML yako:
<a href="https://www.bestpractices.dev/projects/12957"><img src="https://www.bestpractices.dev/projects/12957/baseline"></a>


Hizi ni vigezo vya Kiwango cha Msingi 3. Hizi ni vigezo vya toleo v2026.02.19.

Baseline Series: Kiwango cha Msingi 1 Kiwango cha Msingi 2 Kiwango cha Msingi 3

        

 Misingi

  • Jumla

    Kumbuka kwamba miradi mingine inaweza kutumia jina sawa.

    Argentum is a local-first AI workspace. It runs on your own machine so your data stays with you. You can chat with AI providers you choose, route conversations through Telegram, Discord, or other channels, keep memory across sessions, and use a full desktop app instead of juggling browser tabs.

    Tafadhali tumia muundo wa maneno ya leseni ya SPDX; mifano ni pamoja na "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", na "(BSD-2-Clause OR Ruby)". Usitumie alama za nukuu za moja au mbili.
    Ikiwa kuna lugha zaidi ya moja, ziorodhe kama thamani zilizotengwa kwa koma (nafasi ni za hiari) na ziorodhe kuanzia iliyotumiwa zaidi hadi iliyotumiwa kidogo. Ikiwa kuna orodha ndefu, tafadhali orodhesha angalau tatu za kawaida zaidi. Ikiwa hakuna lugha (k.m., huu ni mradi wa nyaraka tu au wa majaribio tu), tumia herufi moja "-". Tafadhali tumia herufi kubwa za kawaida kwa kila lugha, k.m., "JavaScript".
    Common Platform Enumeration (CPE) ni mpango wa kuweka majina yenye muundo kwa mifumo ya teknolojia ya habari, programu, na vifurushi. Inatumika katika mifumo na hifadhidata nyingi wakati wa kuripoti udhaifu.

    Argentum runs entirely locally - no cloud subscriptions, no data leaves the machine.
    Suitable for self-hosting on desktop, server, or via Docker.

    Built with TypeScript-first approach, with Rust-based desktop client for Windows/macOS/Linux.
    Supports 8+ messaging channels to unify communication in one interface.

    Ideal for developers and power users who want an AI assistant under their own control.

 Udhibiti 21/21

  • Udhibiti


    Ya kutosha kwa nishani!

    Ruhusa zinapopeana kwa kazi katika mfumo wa CI/CD, msimbo wa chanzo au usanidi LAZIMA upee tu ruhusa za chini zaidi zinazohitajika kwa shughuli zinazohusiana. [OSPS-AC-04.02]
    Sanidi mifumo ya CI/CD ya mradi ili kupea ruhusa za chini zinazopatikana kwa watumiaji na huduma kwa chaguomsingi, ukipandisha ruhusa tu inapohitajika kwa kazi maalum. Katika baadhi ya mifumo ya udhibiti wa toleo, hii inaweza kufanyika katika kiwango cha shirika au hifadhi. Ikiwa sivyo, weka ruhusa katika kiwango cha juu cha mfumo.
    • ci.yml: contents: read (minimal)
    • codeql.yml: contents: read + security-events: write (only at job level)
    • scorecard.yml: contents: read + security-events: write (only at job level)
    • trivy.yml: contents: read
    • semgrep.yml: contents: read
    • release.yml: contents: read + id-token: write (only for Sigstore OIDC)
    • npm-version-check.yml: contents: read

    Top-level permissions are minimal; elevated only when necessary.


    Ya kutosha kwa nishani!

    Mifuko ya CI/CD inayokubali pembejeo za mshirika anayeaminika LAZIMA isafishe na kuthibitisha pembejeo hiyo kabla ya kutumia katika mfuko. [OSPS-BR-01.04]
    Mifuko ya CI/CD inapaswa kusafisha (kunukuu, kutoroka au kutoka kwa maadili yanayotarajiwa) pembejeo zote za mshirika kwenye utekelezaji wa mtiririko wa kazi wa wazi. Ingawa washirika kwa ujumla wanaaminika, pembejeo za mwongozo kwa mtiririko wa kazi haiwezi kukaguliwa na inaweza kutumiwa vibaya na utekaji wa akaunti au tishio la ndani.
    • security-changelog.yml: version input validated via semantic version check in generate-security-changelog.js
    • release.yml: version derived from git tag (git ref), not user-controlled
    • All user inputs are typed (string) and used via GitHub Actions environment (automatic escaping)
    • No direct shell injection possible: inputs used via ${{ }} template syntax with proper quoting
    • Version validation in script ensures only valid SemVer patterns used

    Ya kutosha kwa nishani!

    Toleo rasmi linapobuniwa, mali zote ndani ya toleo hilo LAZIMA zihusianishwe wazi na kitambulisho cha toleo au kitambulisho kingine cha kipekee kwa mali hiyo. [OSPS-BR-02.02]
    Panga kitambulisho cha kipekee cha toleo kwa kila mali ya programu inayozalishwa na mradi, ukifuata kawaida ya uainishaji thabiti au mpango wa nambari. Mifano ni pamoja na SemVer, CalVer, au kitambulisho cha git commit.
    • Release assets named with SemVer pattern: argentum-v0.0.7-linux-x64, argentum-cli-v0.0.7-win-x64.exe, etc.
    • Sigstore cosign bundles created alongside each binary (e.g., argentum-v0.0.7-linux-x64.cosign-bundle) - bundles contain cryptographic signature tied to GitHub OIDC issuer + repository + SHA256 hash
    • SHA256SUMS.txt maps each asset filename to its cryptographic hash
    • Release ID (tag name) associated with all assets via GitHub Releases UI
    • Tauri desktop installers include version in filename: Argentum_0.0.7_x64-setup.exe, etc.

    Ya kutosha kwa nishani!

    Mradi LAZIMA ufafanue sera ya kudhibiti siri na ushahidi unaotumika na mradi. Sera inapaswa kujumuisha mwongozo wa kuhifadhi, kufikia, na kuzungusha siri na ushahidi. [OSPS-BR-07.02]
    Eleza jinsi siri na ushahidi vinavyodhibitiwa na kutumika ndani ya mradi. Hii inapaswa kujumuisha maelezo ya jinsi siri zinavyohifadhiwa (k.m., kwa kutumia zana ya usimamizi wa siri), jinsi ufikiaji unavyodhibitiwa, na jinsi siri zinavyozungushwa au kusasishwa. Hakikisha kwamba habari nyeti haziingizwi kwa msimbo katika msimbo wa chanzo au kuhifadhiwa katika mifumo ya udhibiti wa toleo.

    SECURITY.md "Security Features" section documents:

    • AES-256-GCM encryption for credentials at rest
    • Credential manager with short-lived key rotation
    • No secrets hard-coded in source code
    • argenta.yaml (config with encrypted secrets) gitignored
    • GitHub Secrets used for CI/CD pipelines
    • Access controlled via GitHub repository permissions

    Secrets stored encrypted in config/argenta.yaml, never in version control.


    Ya kutosha kwa nishani!

    Mradi ulipotoa toleo, nyaraka za mradi LAZIMA ziwe na maelekezo ya kuthibitisha uadilifu na uhalali wa mali za toleo. [OSPS-DO-03.01]
    Maelekezo katika mradi yanapaswa kuwa na habari kuhusu teknolojia iliyotumika, amri za kuendesha, na matokeo yanayotarajiwa. Inapowezekana, epuka kuhifadhi nyaraka hizi katika mahali pamoja na mfumo wa ujenzi na utoaji wa toleo ili kuepuka ukiukaji mmoja kuhatarisha programu na nyaraka za kuthibitisha uadilifu wa programu.

    docs/releases/v0.0.7.md includes dedicated "Verify Release Integrity" section with:

    • Technology used: SHA256 checksums + Sigstore cosign (cryptographic verification)
    • Commands to run: sha256sum --check + cosign verify-blob
    • Expected output: "<filename>: OK" for SHA256; signature verification result for cosign
    • Documentation is separate from build/release pipeline (in docs/releases/, not in .github/workflows/)
    • Both integrity (SHA256) and authenticity (Sigstore) verification methods explained

    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA ziwe na maelekezo ya kuthibitisha utambulisho unaotarajiwa wa mtu au mchakato unaothibitisha toleo la programu. [OSPS-DO-03.02]
    Utambulisho unaotarajiwa unaweza kuwa katika muundo wa vitambulisho vya funguo vilivyotumika kusaini, mtoa na utambulisho kutoka cheti cha sigstore, au aina nyingine zinazofanana. Inapowezekana, epuka kuhifadhi nyaraka hii mahali palipo sawa na mirija ya kujenga na kutoa ili kuepuka ukiukaji mmoja kuhatarisha programu na nyaraka za kuthibitisha uadilifu wa programu.

    cosign verify-blob command includes:
    --certificate-identity-regexp "https://github.com/AG064/argentum"
    --certificate-oidc-issuer https://token.actions.githubusercontent.com

    This verifies:

    • The binary was signed by GitHub Actions workflow in AG064/argentum repository
    • The OIDC issuer is token.actions.githubusercontent.com (GitHub's Sigstore issuer)
    • The certificate identity matches our repository URL

    Documentation is in docs/releases/ (separate from .github/workflows/).


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA zijumuishe kauli ya maelezo kuhusu wigo na muda wa msaada kwa kila toleo. [OSPS-DO-04.01]
    Ili kuwasilisha wigo na muda wa msaada kwa rasilimali za programu zilizotolewa za mradi, mradi unapaswa kuwa na faili ya SUPPORT.md, sehemu ya "Msaada" katika SECURITY.md, au nyaraka nyingine zinazoweka wazi mzunguko wa maisha wa msaada, ikijumuisha muda unaotarajiwa wa msaada kwa kila toleo, aina za msaada zinazotolewa (k.m., marekebisho ya hitilafu, sasisho za usalama), na sera au taratibu yoyote husika ya kupata msaada.

    SUPPORT.md (or SECURITY.md "Support" section) documents:

    • Supported versions (latest stable release)
    • Support duration (security fixes only for latest major version)
    • Types of support provided (bug fixes, security updates)
    • How to get support (GitHub Issues, Security Advisories)

    Example: Only latest v0.0.x receives security updates, older versions unsupported.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, nyaraka za mradi LAZIMA zitoe kauli ya maelezo ya wakati matoleo au matoleo hayatapokea tena sasisho za usalama. [OSPS-DO-05.01]
    Ili kuwasilisha wigo na muda wa msaada kwa marekebisho ya usalama, mradi unapaswa kuwa na SUPPORT.md au nyaraka nyingine zinazoweka wazi sera ya mradi ya sasisho za usalama.

    SUPPORT.md "Unsupported Versions" section clearly states:

    • Versions older than the latest no longer receive security updates
    • They "likely contain unpatched security vulnerabilities"
    • Users are "strongly encouraged to upgrade"

    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA ziwe na sera kwamba washirikiano wa msimbo wanapimwa kabla ya kupewa ruhusa zilizopandishwa kwa rasilimali nyeti. [OSPS-GV-04.01]
    Chapisha sera inayoweza kutekelezwa katika nyaraka za mradi inayohitaji washirikiano wa msimbo kupimwa na kuidhinishwa kabla ya kupewa ruhusa zilizopandishwa kwa rasilimali nyeti, kama vile idhini ya kuunganisha au ufikiaji kwa siri. Inashauriwa kwamba upimaji ujumuishe kuanzisha mfululizo wa utambulisho unaoweza kuhalalishwa kama vile kuthibitisha ushirikiano wa mchangiaji na shirika linalojulikana na kuaminika.

    CONTRIBUTING.md "Pull Request Checklist" section:

    • PR requires review before merge
    • Branch protection enabled on development (require PR + 1 approval)
    • "Changes that break the build" won't get merged

    MEMBERS.md Access Inventory shows sensitive resource access only to AG064.

    Code review is enforced via GitHub branch protection settings.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, rasilimali zote za programu zilizotolewa na zilizokusanywa LAZIMA zikabidhi pamoja na orodha ya bili ya programu. [OSPS-QA-02.02]
    Inashauriwa kuzalisha SBOM kiotomatiki wakati wa kujenga kwa kutumia zana ambayo imepimwa kwa usahihi. Hii huwezesha watumiaji kuingiza data hii kwa njia ya kiwango pamoja na miradi mingine katika mazingira yao.

    Release workflow includes SBOM generation using anchore/sbom-action. Outputs CycloneDX JSON format for each portable binary. SBOM files uploaded as release assets alongside binaries. Auto-generated at build time from build artifacts.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo linalojumuisha hifadhi nyingi za chanzo cha msimbo, miradi yote midogo LAZIMA ilazimishe mahitaji ya usalama ambayo ni kali au kali zaidi kuliko msimbo wa msingi. [OSPS-QA-04.02]
    Hifadhi yoyote ya ziada ya msimbo wa miradi midogo iliyozalishwa na mradi na kukusanywa katika toleo lazima ilazimishe mahitaji ya usalama kama inavyolingana na hali na nia ya msimbo husika. Kwa kuongeza kufuata mahitaji ya msingi wa OSPS yanayolingana, hii inaweza kujumuisha kuhitaji ukaguzi wa usalama, kuhakikisha kuwa haina udhaifu, na kuhakikisha kuwa haina masuala ya usalama yanayojulikana.

    SUBPROJECTS.md documents the policy that would apply if subprojects exist:

    • "Currently, Argentum is a single monorepo with no subprojects"
    • If subprojects are added in future, each must:
      • Enforce security requirements at least as strict as main codebase
      • Have CI pipeline with SAST (CodeQL or equivalent)
      • Have dependency scanning (Trivy, osv-scanner)
      • Have Security policy (SECURITY.md, SUPPORT.md)
      • Have SBOM generation for release artifacts
      • Have signed releases (Sigstore cosign)

    This future-proofs the project for when subprojects may be created.


    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA ziweke wazi lini na jinsi majaribio yanavyotekelezwa. [OSPS-QA-06.02]
    Ongeza sehemu kwenye nyaraka za kuchangia inayoweka wazi jinsi ya kutekeleza majaribio kienyeji na jinsi ya kutekeleza majaribio katika mirija ya CI/CD. Nyaraka zinapaswa kuweka wazi majaribio yanajaribu nini na jinsi ya kutafsiri matokeo.

    CONTRIBUTING.md includes "Testing" section (added at line 96):

    • How to run tests locally: npm test, npm run test:unit, npm run test:integration, etc.
    • What the tests cover: table listing test suites and their purposes
    • How to interpret results: explaining pass/fail output
    • CI/CD pipeline: explains when tests run automatically

    Ya kutosha kwa nishani!

    Inapokuwa hai, nyaraka za mradi LAZIMA zijumuishe sera kwamba mabadiliko yote makubwa kwa programu inayozalishwa na mradi yanapaswa kuongeza au kusasisha majaribio ya utendaji katika seti ya majaribio ya kiatomati. [OSPS-QA-06.03]
    Ongeza sehemu kwenye nyaraka za kuchangia inayoweka wazi sera ya kuongeza au kusasisha majaribio. Sera inapaswa kuweka wazi ni nini kinachojumuisha mabadiliko makubwa na majaribio yapi yanapaswa kuongezwa au kusasishwa.

    CONTRIBUTING.md "Test Policy for Major Changes" section exists:

    • Defines what constitutes a major change (new features, API changes, bug fixes, security changes)
    • Specifies what tests to add: unit tests for new functionality, regression tests for bug fixes
    • States PR policy: new features require tests, regression tests required for bug fixes
    • Acknowledges current thin coverage but commits to testing for major changes

    Ya kutosha kwa nishani!

    Wakati kuruhusu kumefanywa kwa tawi kuu, mfumo wa udhibiti wa toleo la mradi LAZIMA uhitaji angalau idhini moja ya binadamu asiye mwandishi ya mabadiliko kabla ya kuunganisha. [OSPS-QA-07.01]
    Sanidi mfumo wa udhibiti wa toleo la mradi kuhitaji angalau idhini moja ya binadamu asiye mwandishi ya mabadiliko kabla ya kuunganisha katika toleo au tawi kuu. Hii inaweza kupatikana kwa kuhitaji ombi la kuvuta kupimwa na kuidhinishwa na angalau mshirikiano mmoja mwingine kabla ya kunaweza kuunganishwa.

    Single-maintainer project: Argentum is maintained by one person (me, AG064) with no additional collaborators.

    Branch protection is enabled (direct pushes to development/main blocked).
    PR workflow exists and is used for all changes.
    Self-review is performed via PR process.

    However, requiring non-author human approval is impossible without a second collaborator.
    This is a project structure constraint, not a security policy failure.
    If the project grows to include additional maintainers, this requirement will be enforced.


    Ya kutosha kwa nishani!

    Mradi unapotoa toleo, mradi LAZIMA ufanye ufuatiliaji wa tisho na uchambuzi wa uso wa shambulio ili kuelewa na kulinda dhidi ya mashambulizi kwenye njia za msimbo muhimu, majukumu, na mwingiliano ndani ya mfumo. [OSPS-SA-03.02]
    Ufuatiliaji wa tisho ni shughuli ambapo mradi unaangalia msimbo, michakato na miundombinu inayohusiana, viunganishi, vipengele muhimu na "kufikiria kama kibogoyo" na kufanya mapendekezo ya jinsi mfumo unaweza kuvunjwa au kuhatarisha. Kila tisho iliyotambuliwa imeorodheshwa ili mradi uweze kufikiria jinsi ya kuepuka au kufunga pengo/udhaifu wowote unaoweza kutokea kwa kujihadhari. Hakikisha hii imesasishwa kwa vipengele vipya au mabadiliko ya kuvunja.

    SECURITY.md "Security Risks & Threat Model" section includes:

    • Threat model covering 11 categories (60+ entries) of critical code paths, functions, and interactions
    • Each threat has Likelihood/Impact/Mitigation assessment
    • "Threat Model Maintenance" section added: MUST be updated for new features/breaking changes
    • "Threat Model Review Required" note at top of section
    • docs/releases/TEMPLATE.md includes checkbox: "Verify SECURITY.md threat model reflects new features/attack paths"
    • Current threat model covers v0.0.7 release
    • Next review scheduled before v0.0.8 release

    Ya kutosha kwa nishani!

    Wakati uko hai, udhaifu wowote katika vipengele vya programu visivyoathiri mradi LAZIMA viwe vimeainishwa katika hati ya VEX, ikiendeleza ripoti ya udhaifu na maelezo ya kutokutumiwa vibaya. [OSPS-VM-04.02]
    Weka mfumo wa mlisho wa VEX unaowasiliana hali ya utumiaji vibaya wa udhaifu unaojulikana, ikiwa ni pamoja na maelezo ya tathmini au marekebisho yoyote yaliyowekwa kusimamisha msimbo ulio na udhaifu usiotekelezwa.

    SECURITY_DEPENDENCY_NOTES.md serves as VEX (Vulnerability Exploitability eXchange) document:

    • Documents known vulnerabilities in software components (npm bundled modules)
    • Provides non-exploitability details: "The project's direct dependency is correctly overridden"
    • Specifies mitigations in place: package.json overrides ensure patched versions are used
    • Status for each vulnerability: "No additional action required - project override ensures correct version"

    Each entry shows:

    • CVE identifier
    • Location (bundled npm modules, not direct project dependency)
    • Project override in place (package.json overrides.picomatch, etc.)
    • Why not exploitable via project code
    • Mitigation: npm package.json overrides resolve to patched versions

    VEX document updated when new vulnerabilities are discovered or mitigations change.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera inayofafanua kiwango cha marekebisho ya matokeo ya SCA yanayohusiana na udhaifu na leseni. [OSPS-VM-05.01]
    Andika sera katika mradi inayofafanua kiwango cha marekebisho ya matokeo ya SCA yanayohusiana na udhaifu na leseni. Jumuisha mchakato wa kutambua, kutanguliza, na kurekebisha matokeo haya.

    SECURITY_DEPENDENCY_NOTES.md now includes "SCA Remediation Policy" section with:

    • Severity threshold table (Critical: 24h, High: 7 days, Medium: 30 days, Low: best effort)
    • License policy (allowed/prohibited licenses)
    • Process: Identify -> Prioritize -> Remediate -> Document -> Verify
    • Exceptions for bundled npm modules, RUSTSEC, false positives

    Trivy runs in CI on every push (from .github/workflows/trivy.yml).
    Process documented for handling SCA findings.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera ya kushughulikia ukiukaji wa SCA kabla ya toleo lolote. [OSPS-VM-05.02]
    Andika sera katika mradi wa kushughulikia matokeo ya Uchambuzi wa Muundo wa Programu yanayotumika kabla ya toleo lolote, na ongeza ukaguzi wa hali unaothibitisha kufuata sera hiyo kabla ya toleo.

    release.yml now includes Trivy SCA scan step:

    • Runs after build, before release artifacts are uploaded
    • Scans release artifacts for Critical/High vulnerabilities
    • Uploads results to GitHub Security tab (SARIF format)
    • Blocks release if Critical/High vulnerabilities found (exit-code: 1)
    • Policy documented in SECURITY_DEPENDENCY_NOTES.md "SCA Remediation Policy" section

    Release workflow now:

    1. Build binaries
    2. Run Trivy scan (CRITICAL/HIGH)
    3. If vulnerabilities found -> fail and block release
    4. Only proceed if scan passes

    Ya kutosha kwa nishani!

    Wakati uko hai, mabadiliko yote kwenye msingi wa msimbo wa mradi LAZIMA yaangaliwe kiatomati dhidi ya sera iliyoandikwa ya utegemezi mbaya na udhaifu unaojulikana katika utegemezi, kisha yazuiliwe katika hali ya ukiukaji, isipokuwa inapotangazwa na kuzuiliwa kama isiyotumiwa vibaya. [OSPS-VM-05.03]
    Unda ukaguzi wa hali katika mfumo wa kudhibiti toleo la mradi unaoendesha zana ya Uchambuzi wa Muundo wa Programu kwenye mabadiliko yote ya msingi wa msimbo. Hitaji kwamba ukaguzi wa hali upite kabla mabadiliko kusanywa.

    .github/workflows/dependency-scan.yml created:

    • Runs on: push to development/main AND pull requests
    • Runs npm audit --audit-level=high
    • Runs Trivy scan on entire codebase (fs mode)
    • Uploads results to GitHub Security tab (SARIF)
    • Blocks merge if Critical/High vulnerabilities found (exit 1)
    • Exceptions can be declared via .trivyignore or osv-scanner.toml

    Policy documented in SECURITY_DEPENDENCY_NOTES.md SCA Remediation Policy section:

    • Critical: 24h remediation
    • High: 7 days
    • Exceptions: documented in .trivyignore or per-CVE suppression

    Branch protection ensures this check must pass before merge.


    Ya kutosha kwa nishani!

    Wakati uko hai, nyaraka za mradi LAZIMA zijumuishe sera inayofafanua kiwango cha marekebisho ya matokeo ya SAST. [OSPS-VM-06.01]
    Andika sera katika mradi inayofafanua kiwango cha marekebisho ya matokeo ya Upimaji wa Usalama wa Programu Tuli (SAST). Jumuisha mchakato wa kutambua, kutanguliza, na kurekebisha matokeo haya.

    SECURITY.md "SAST Remediation Policy" section includes:

    • Severity threshold table (Critical: 24h, High: 7 days, Medium: 30 days, Low: best effort)
    • Process: Identify (CodeQL) -> Prioritize -> Remediate -> Suppress -> Verify
    • Suppression guidelines requiring inline comments explaining why
    • Example suppression comment provided

    CodeQL runs on every push from .github/workflows/codeql.yml


    Ya kutosha kwa nishani!

    Wakati uko hai, mabadiliko yote kwenye msingi wa msimbo wa mradi LAZIMA yaangaliwe kiatomati dhidi ya sera iliyoandikwa ya udhaifu wa usalama na kuzuiliwa katika hali ya ukiukaji isipokuwa inapotangazwa na kuzuiliwa kama isiyotumiwa vibaya. [OSPS-VM-06.02]
    Unda ukaguzi wa hali katika mfumo wa kudhibiti toleo la mradi unaoendesha zana ya Upimaji wa Usalama wa Programu Tuli (SAST) kwenye mabadiliko yote ya msingi wa msimbo. Hitaji kwamba ukaguzi wa hali upite kabla mabadiliko kusanywa.

    Branch ruleset for development includes:

    • CodeQL Analysis as required status check
    • Code scanning rule: CodeQL, Scorecard, Trivy all set to high_or_higher
    • Pull request rule: 1 approval required
    • Branch protection enforced via GitHub's ruleset API (new format)


Data hii inapatikana chini ya Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). Hii inamaanisha kuwa Mpokeaji wa Data anaweza kushiriki Data, na au bila marekebisho, mradi Mpokeaji wa Data anapatanisha maandishi ya mkataba huu na Data iliyoshirikiwa. Tafadhali tambua AG064 na wachangiaji wa nishani ya Mazoea Bora ya OpenSSF.

Ingizo la nishani ya mradi linamilikiwa na: AG064.
Ingizo liliundwa siku 2026-05-24 05:44:50 UTC, iliyosasishwa mara ya mwisho siku 2026-05-26 00:21:59 UTC. Ilipata mara ya mwisho nishani ya kupita siku 2026-05-25 14:37:43 UTC.