Labels: enhancement (New feature or request), security (Security-related changes or concerns)
Meta-tracking issue for all OSSF Silver badge remediation work. Links to all Silver-specific issues and references the Passing badge tracker (#159) as a prerequisite. Follows the same tracking pattern as #159.
Important: The Passing badge (#159) must be achieved before the Silver badge. This tracker coordinates the additional Silver-specific work.
Silver Badge Progress
Prerequisite: Passing Badge
- meta: OSSF passing badge remediation tracking #159 — meta: OSSF Passing badge remediation tracking (MUST complete first)
Phase 1 — Governance & Documentation (Easy)
- docs(governance): create GOVERNANCE.md #160 — docs(governance): create GOVERNANCE.md
- docs(governance): add roles and responsibilities to GOVERNANCE.md #161 — docs(governance): add roles and responsibilities
- docs(badges): register OSSF Best Practices and add badges to README #162 — docs(badges): register OSSF Best Practices badge
- docs(versioning): create versioning policy document #163 — docs(versioning): create versioning policy
- docs(security): add vulnerability reporter credit section to SECURITY.md #164 — docs(security): vulnerability reporter credit
- docs(security): add vulnerability response timeline to SECURITY.md #165 — docs(security): vulnerability response timeline
Phase 2 — Build & Tooling Quick Wins (Easy–Medium)
- docs(build): document Terraform lock file exclusion rationale #166 — docs(build): Terraform lock file rationale
- chore(python): add pip lock files for reproducible builds #167 — chore(python): pip lock files
- ci(rust): add CI environment variables to preserve debug info in release builds #168 — ci(rust): CI env vars for debug info
- ci(lint): add per-crate Rust clippy lints and CI integration #169 — ci(lint): Rust clippy workspace lints
- ci(lint): add Python ruff linter to MegaLinter configuration #170 — ci(lint): Python ruff linter
- chore(rust): standardize strip = true across all Rust crates #177 — chore(rust): standardize strip = true
Phase 3 — Security Hardening (Medium–Hard)
- ci(security): establish security review gate with CODEOWNERS #171 — ci(security): security review gate
- ci(release): implement Sigstore keyless signing for release tags #172 — ci(release): Sigstore tag signing
- ci(release): add container image signing with Cosign #173 — ci(release): container image signing
- ci(provenance): standardize SLSA L3 provenance across workflows #174 — ci(provenance): SLSA L3 standardization
Phase 4 — Test Infrastructure (Hard)
- ci(coverage): enforce 80% coverage thresholds across all language stacks #175 — ci(coverage): 80% coverage enforcement
- docs(testing): add regression test tracking policy #176 — docs(testing): regression test tracking policy
Already Covered by Passing Badge Issues (No Change)
- chore(dependabot): expand to npm, cargo, pip, terraform, docker, nuget ecosystems #142 — chore(dependabot): expand ecosystems (dependency_monitoring)
- docs(test-policy): create formal test policy document #145 — docs(test-policy): create formal test policy (test_policy_mandated)
- ci(dynamic-analysis): add address sanitizer nightly build (soft warning) #151, test(dynamic-analysis): add cargo-fuzz targets for Rust services #154 — ci/test(dynamic-analysis) (dynamic_analysis)
Estimated Timeline
| Phase | Effort | Silver Criteria Covered |
|---|---|---|
| Phase 1 — Docs | 3–5 days | 6 MUST criteria |
| Phase 2 — Tooling | 4–6 days | 3 MUST + 1 SHOULD |
| Phase 3 — Security | 7–10 days | 1 SHOULD + 2 SUGGESTED |
| Phase 4 — Testing | Weeks–months | 2 MUST criteria |
| Total | ~17–21+ days | 17 Silver criteria |
References
- Passing tracker: meta: OSSF passing badge remediation tracking #159
- Research: .copilot-tracking/research/2026-02-07-ossf-silver-gaps-detail-research.md
Relationships
- Blocked by meta: OSSF passing badge remediation tracking #159 (Passing badge must complete first)
- Parent of #160 (docs(governance): create GOVERNANCE.md) through #177 (chore(rust): standardize strip = true across all Rust crates)