enterprise-readiness
npx machina-cli add skill netresearch/enterprise-readiness-skill/enterprise-readiness --openclawFiles (1)
SKILL.md
3.4 KB
Enterprise Readiness Assessment
When to Use
- Evaluating projects for production/enterprise readiness
- Implementing supply chain security (SLSA, signing, SBOMs)
- Hardening CI/CD pipelines
- Establishing quality gates
- Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)
- Pursuing OpenSSF OSPS Baseline levels (1/2/3)
- Reviewing code or PRs for quality
- Writing ADRs, changelogs, or migration guides
- Configuring Git hooks or CI pipelines
Quick Reference
Required badges: CI Status, Codecov, OpenSSF Scorecard, Best Practices, Baseline.
Required workflows: ci.yml, codeql.yml, scorecard.yml, dependency-review.yml.
See references/badges-and-workflows.md for URL patterns and Scorecard quick wins.
Assessment Workflow
- Discovery: Identify platform, languages, existing CI/CD
- Scoring: Apply checklists from references based on stack
- Badge Assessment: Check OpenSSF criteria status
- Gap Analysis: List missing controls by severity
- Implementation: Apply fixes using scripts and templates
- Verification: Re-score and compare
References
| Reference | When to Load |
|---|---|
references/badges-and-workflows.md | Badge URLs, workflow list, Scorecard quick wins |
references/general.md | Always (universal checks) |
references/github.md | GitHub-hosted projects |
references/go.md | Go projects |
references/mandatory-requirements.md | Badge/workflow/Codecov setup checklist |
references/scorecard-playbook.md | Raising Scorecard ~6.8 to ~9.0 |
references/cve-workflow.md | CVE triage and response |
references/code-review.md | PR quality checks |
references/documentation.md | ADRs, changelogs, migration guides |
references/ci-patterns.md | CI/CD pipelines, Git hooks |
references/openssf-badge-silver.md | Silver badge criteria |
references/openssf-badge-gold.md | Gold badge criteria |
references/openssf-badge-baseline.md | OSPS Baseline levels 1/2/3 |
references/badge-submission-api.md | Programmatic badge data submission gotchas |
references/slsa-provenance.md | SLSA Level 3 implementation |
references/signed-releases.md | Cosign/GPG signing |
references/solo-maintainer-guide.md | N/A criteria justification |
Scripts & Templates
| Directory | Contents |
|---|---|
scripts/ | Badge verification, coverage checks, SPDX headers, signed tag verification |
Critical Rules
- NEVER interpolate
${{ github.event.* }}inrun:blocks (script injection) - NEVER guess action versions -- always fetch from GitHub API
- ALWAYS use SHA pins for actions with version comments
- ALWAYS verify commit hashes against official tags
- ALWAYS include
https://URLs in badge justification text (platform rejects criteria without URLs) - NEVER URL-decode session cookies when submitting badge data (breaks authentication silently)
Related Skills
| Skill | Purpose |
|---|---|
go-development | Go code patterns, testing |
github-project | Repository setup, branch protection |
security-audit | Deep security audits (OWASP, XXE, SQLi) |
git-workflow | Git branching, commits, PR workflows |
Source
git clone https://github.com/netresearch/enterprise-readiness-skill/blob/main/skills/enterprise-readiness/SKILL.mdView on GitHub Overview
The Enterprise Readiness Assessment helps teams evaluate projects for production readiness, implement supply chain security (SLSA, signing, SBOMs), harden CI/CD pipelines, and establish quality gates. It also guides pursuing OpenSSF Best Practices Badges and OSPS baselines through structured discovery, scoring, gap analysis, and remediation.
How This Skill Works
Start with Discovery to identify platform, languages, and existing CI/CD. Then score against stack-specific OpenSSF criteria using referenced checklists, and perform a Badge Assessment. Finally, conduct Gap Analysis, implement fixes with scripts and templates, and re-score to verify improvements.
When to Use It
- Evaluating projects for production/enterprise readiness
- Implementing supply chain security (SLSA, signing, SBOMs)
- Hardening CI/CD pipelines and establishing quality gates
- Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold) and OSPS Baseline levels (1/2/3)
- Reviewing code or PRs for quality and writing ADRs, changelogs, or migration guides
Quick Start
- Step 1: Discovery — identify platform, languages, and existing CI/CD setup
- Step 2: Assessment — apply references-based checklists and confirm required badges/workflows
- Step 3: Implement & Verify — apply fixes via scripts/templates and re-score to verify improvements
Best Practices
- Track and enforce required badges: CI Status, Codecov, OpenSSF Scorecard, Best Practices, Baseline, and associated workflows (ci.yml, codeql.yml, scorecard.yml, dependency-review.yml)
- Adopt SLSA provenance, code signing, and SBOM generation for all releases
- Harden CI/CD with documented patterns, Git hooks, and secure pipeline configurations
- Conduct regular gap analyses and remediation using templated scripts and templates
- Aim for OpenSSF Best Practices Badge levels (Passing/Silver/Gold) and OSPS Baseline levels (1/2/3) with verifiable evidence
Example Use Cases
- A project implements SLSA provenance and cryptographic signing for releases to pursue Gold badge
- Teams run OpenSSF Scorecard assessments, identify gaps, and close controls across CI/CD and dependencies
- ADR-driven documentation, along with ADRs, changelogs, and migration guides, accompany major upgrades
- CI pipelines are hardened with ci.yml, codeql.yml, and dependency-review.yml plus Git hook checks
- SBOMs and signing are integrated into the release flow to meet enterprise governance standards
Frequently Asked Questions
Add this skill to your agents
