Projects that follow the best practices below can voluntarily self-certify and show that they have achieved a Core Infrastructure Initiative (OpenSSF) badge.
<a href="https://www.bestpractices.dev/projects/7789"><img src="https://www.bestpractices.dev/projects/7789/badge"></a>
gittuf embeds key distribution, revocation, and other security controls such as access control policies in Git repositories. It provides an extensible security layer that can be leveraged to add other security features such as support for SLSA attestations and more!
https://github.com/gittuf/gittuf/blob/main/MAINTAINERS.txt
We have several contributors to the project, of whom most are paid by distinct entities. https://github.com/gittuf/gittuf/graphs/contributors
All source files have a copyright statement at the top.
All source files include SPDX license headers.
The repository is hosted on GitHub and uses git, which is a distributed version control system.
The "good first issue" tag is used in the issue tracker. https://github.com/gittuf/gittuf/issues?q=is%3Aissue+label%3A%22good+first+issue%22
All developers who can merge to the main branch of gittuf have 2FA enabled per the GitHub org overview page.
Developers use TOTP-based 2FA.
gittuf uses the NYU Secure Systems Lab guide as documented in the contributing guide. https://github.com/secure-systems-lab/lab-guidelines/blob/master/code-review.md
All changes must be reviewed by a non-author maintainer before they are merged.
gittuf binaries created using Go's tooling are deterministic. gittuf is currently distributed primarily as source and relies on Go's build determinism. https://words.filippo.io/reproducing-go-binaries-byte-by-byte/
The test suite is invoked using standard Go tooling: go test ./... (see the Makefile: https://github.com/gittuf/gittuf/blob/main/Makefile#L8)
GitHub Actions is used as a CI system for all new changes.
https://github.com/gittuf/gittuf/tree/main/.github/workflows
gittuf does not directly implement any network communication functions.
gittuf does not use TLS directly.
gittuf's website is hosted on GitHub. Releases are available on https://github.com/gittuf/gittuf/releases. Note: X-Content-Type-Options was not set to "nosniff".
gittuf performs input validation and rigorous error handling for all of its functions. Errors, when they occur, are exposed to users and also result in POSIX style exit codes.
No dynamic analysis tools are currently used.