# Quality gates inventory

What CI enforces today, what is queued for enrolment, and a self-audit against the OpenSSF Best Practices criteria. The public version of this score arrives once the repo flips public and the enrolment is complete.
## Currently enforced (CI-blocking)

| Gate | What it checks | Workflow | Badge in README |
|---|---|---|---|
| Lint + typecheck | `npm run lint && tsc --noEmit` for TypeScript modules; `go vet ./...` for Go modules | `.github/workflows/ci.yml` | ✅ CI |
| Unit tests | `npm test` / `go test ./...` across every module that has tests | `.github/workflows/ci.yml` | ✅ CI |
| Dashboard build | `next build` for the Next.js app | `.github/workflows/ci.yml` | ✅ CI |
| CodeQL SAST | GitHub-native static analysis (JS/TS + Go) | `.github/workflows/codeql.yml` | ✅ CodeQL |
| Container vuln scan | Trivy against every published image | `.github/workflows/image-scan.yml` | ✅ Trivy |
| OSSF Scorecard | Supply-chain security posture (15 checks) | `.github/workflows/scorecard.yml` | ✅ OpenSSF Scorecard |
| Secret scan | gitleaks against every commit | `.github/workflows/secret-scan.yml` | (no badge — fails CI on hit) |
| Forensic tamper | Verifies the project's own audit-chain primitives | `.github/workflows/forensic-tamper-check.yml` | (no badge — internal) |
| ZTP-prem SoD audit | Separation-of-duties policy compliance | `.github/workflows/ztp-prem-sod-audit.yml` | (no badge — internal) |
| ZTP-prem Tier-B obfuscation | Confirms Tier B binaries are garble-built | `.github/workflows/ztp-prem-tier-b-obfuscation.yml` | (no badge — internal) |
| Quarterly stack audit | Flags sliding tags and system-package drift that Dependabot can't see | `.github/workflows/quarterly-stack-audit.yml` | (no badge — quarterly) |
| Docs link audit | `scripts/docs-link-audit.py` reports 0 broken internal links | run before tagging | (no badge — release-prep gate) |
| Module conformance | Every module in `modules.yaml` has a README following the Doc-4 template (6 required sections + Last-verified footer) | `.github/workflows/module-conformance.yml` | (no badge — PR-blocking gate) |
| DCO sign-off | Every commit on every PR carries a `Signed-off-by:` trailer matching the author | `.github/workflows/dco-check.yml` | (no badge — PR-blocking gate) |
| Tag signature | Every `v*` tag is annotated AND signed (GPG or SSH) | `.github/workflows/tag-signature-verify.yml` | (no badge — release-blocking gate) |
## Release-attached artefacts

| Artefact | Per release | Workflow |
|---|---|---|
| Multi-arch container images | Yes — `ghcr.io/nollagluiz/web-agent-*:vX.Y.Z` | `.github/workflows/release.yml` |
| Cosign keyless OIDC signatures | Yes — every image | `.github/workflows/release.yml` |
| SPDX SBOM | Yes — generated by Syft, attached as release asset + GHCR attestation | `.github/workflows/release.yml` |
| release-feed manifest | Yes — published to the `release-feed` branch | `.github/workflows/release.yml` |
| Tier-policy receipt | Yes — SHA-256 of `platform/ztp-prem/tier-policy.yaml` | `.github/workflows/release.yml` |
## Queued for enrolment (not yet visible)

### OpenSSF Best Practices Badge

OpenSSF (Open Source Security Foundation) Best Practices Badge — a self-attestation programme that scores projects against ~70 criteria across security, quality, and project-health dimensions. Three tiers: Passing → Silver → Gold.

- Status: not yet enrolled. The self-audit below shows we likely pass the Passing tier on enrolment day. Silver tier needs ~3 additional artefacts (notably a documented release-signing procedure and a documented bug-triage policy — both already exist after G3 and just need linking from the registration form).
- Enrolment URL: https://www.bestpractices.dev/en/projects/new (replace `/en/` with `/pt/` or `/es/` for the translated form)
- Badge URL on registration: `https://www.bestpractices.dev/projects/<id>/badge`
- Action item: enrol after the repo flips public; add the badge to README; revisit Silver criteria in 6 months.
### Go Report Card

goreportcard.com runs a battery of `gofmt` / `go vet` / `golint` / `ineffassign` / `misspell` checks and grades the module from A+ to F.

- Status: blocked on Go-module path heterogeneity. Some modules import as `github.com/nollagluiz/web-agent-cluster/...` (legacy), others as `github.com/nollagluiz/AI_forSE/...` (current). Go Report Card cannot resolve the legacy paths.
- Action item: standardise all module import paths to `github.com/nollagluiz/AI_forSE/...` (separate wave; tracked here as G4-followup). After standardisation, add per-module badges to the relevant module READMEs (not `README.md` — too many to fit there).
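An added example supporting the G4-followup action item (written for this page, not project code): a scanner that lists which Go files still import the legacy `web-agent-cluster` path, and a rewriter that moves those imports to the `AI_forSE` path. The sample Go file and its alias names are constructed; the `vendor/` exclusion is an assumption.

```python
import re
from pathlib import Path

LEGACY = "github.com/nollagluiz/web-agent-cluster"  # path Go Report Card can't resolve
CURRENT = "github.com/nollagluiz/AI_forSE"          # target path after standardisation
QUOTED = re.compile(r'"([^"]+)"')

def go_imports(src: str) -> list[str]:
    """Import paths of one Go file: handles `import "x"` and `import ( ... )` blocks."""
    paths, in_block = [], False
    for line in src.splitlines():
        s = line.strip()
        if in_block:
            if s == ")":
                in_block = False
            elif not s.startswith("//") and (m := QUOTED.search(s)):
                paths.append(m.group(1))  # plain, aliased, dot or blank imports
        elif s.startswith("import ("):
            in_block = True
        elif s.startswith("import ") and (m := QUOTED.search(s)):
            paths.append(m.group(1))
    return paths

def legacy_imports(src: str) -> list[str]:
    """Subset of imports that still use the legacy module path (exact or as a prefix)."""
    return [p for p in go_imports(src) if p == LEGACY or p.startswith(LEGACY + "/")]

def rewrite_imports(src: str) -> str:
    """Rewrite quoted paths that start with LEGACY (and only those) to CURRENT."""
    pattern = re.compile(r'"' + re.escape(LEGACY) + r'(/[^"]*)?"')
    return pattern.sub(lambda m: f'"{CURRENT}{m.group(1) or ""}"', src)

def audit_tree(root: Path) -> dict[str, list[str]]:
    """Map each Go file under root (vendor/ excluded) to its legacy imports."""
    files = (p for p in root.rglob("*.go") if "vendor" not in p.relative_to(root).parts)
    found = {str(p.relative_to(root)): legacy_imports(p.read_text(encoding="utf-8")) for p in files}
    return {name: paths for name, paths in found.items() if paths}

# Constructed sample file mixing legacy and current paths (not from the repo).
SAMPLE_GO = '''package engine
import (
	"context"
	// "github.com/nollagluiz/web-agent-cluster/old" (commented out; must be ignored)
	ztp "github.com/nollagluiz/web-agent-cluster/platform/ztp-prem"
	"github.com/nollagluiz/AI_forSE/engine/catalog"
)
import legacyroot "github.com/nollagluiz/web-agent-cluster"
'''
```

`audit_tree(Path("."))` returning an empty dict is the condition under which the Go Report Card blocker is cleared for the scanned tree; the `go.mod` `module` line still has to be changed by hand.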
### SLSA Build Provenance Level 3

slsa.dev — supply-chain integrity framework. We already produce Level 2-equivalent artefacts (Cosign-signed multi-arch images + SBOM + release-feed). Level 3 needs:

- Hermetic builds in isolated workers (GitHub Actions does this for us — already there)
- Provenance attestations linking source commit to binary digest (we generate them but don't currently label them as SLSA provenance)
- Action item: add an explicit SLSA L3 attestation step using `slsa-framework/slsa-github-generator` in `release.yml`. Adds a `Build provenance` badge once visible.
### FOSSA / Snyk-style licence scanning
We rely on Dependabot + Trivy + CodeQL for vuln scanning. We do not currently have an automated licence-compliance scanner catching incompatibilities (GPL pulled into a noncommercial distribution, for example).
- Status: planned for Wave G5 (Supply-chain audit) of the GitHub-professionalisation roadmap.
- Candidate tools: FOSSA CLI (free for open source), scancode-toolkit, OWASP Dependency-Check.
### VPN/SDWAN multi-tunnel multi-vendor matrix
The engine catalog shipped a single-vendor IPSec MVP (Cisco FTD, per ADR 0010 inspection-profile alignment). The full matrix across IPSec / WireGuard / GRE × Cisco / FortiOS / PAN-OS / Check Point / Juniper / Sophos / Forcepoint / WatchGuard / Huawei is deferred pending real DUT hardware.
- Status: blocked. We don't have FortiOS / PAN-OS / Check Point / Juniper appliances available for interop verification. Licensing on those vendors is per-customer; bench setup needs a customer pilot in flight to justify procurement.
- Unblock path: first NGFW-vendor channel agreement (per the Investor Deck Team-Ask milestone: "channel agreement with first NGFW vendor"). Once a vendor partner lab is available, this unblocks within ~6-8 weeks.
- Tier-3 inventory entry: "VPN/SDWAN multi-tunnel orchestration complete". Tracked in the master pending inventory.
## Self-audit: OpenSSF Best Practices Passing-tier checklist

This is what we'd answer if we enrolled today. The criterion numbers match the official form sections.

### Basics

- Project description — repo description + README first paragraph + `SUPPORT.md` all explain what the project does
- Discoverable interface — README is the obvious starting point; entry-points list covers every docs surface
- OSI-approved licence — PolyForm Noncommercial 1.0.0 is source-available and OSD-non-compliant by design. We will need to flag this as a deliberate licence choice on the form. Appendix A adds field-of-use restrictions.
- Licence location — `LICENSE` + `NOTICE` at repo root
- Project documentation — extensive `docs/` tree
### Change control

- Public version-control system — GitHub
- Interim version-controlled storage — same
- Unique version identifier — Semantic Versioning per `governance/RELEASE_CADENCE.md`
- Release notes — `CHANGELOG.md` + per-major-release notes in `docs/RELEASE-NOTES-vX.Y.Z.md`
### Reporting

- Bug-reporting process — `.github/ISSUE_TEMPLATE/bug_report.yml`
- Bug-tracking system — GitHub Issues
- Vulnerability-reporting process — `SECURITY.md` + private GitHub Security Advisories
### Quality

- Working build system — `.github/workflows/ci.yml`
- Automated test suite — runs in CI, multiple modules
- Test policy — `docs/governance/RELEASE_CADENCE.md` release-prep checklist requires green CI
- New functionality testing — PR template requires unit tests; CODEOWNERS enforces review on Tier B paths
- Coding standards — Conventional Commits enforced; eslint + prettier + golangci-lint configured per module
### Security
- Cryptographic practices — TLS 1.3 forced (ADR 0001); cross-language canonical signing (ADR 0027); Cosign keyless OIDC release signing (ADR 0005)
- Secured delivery — Cosign + SBOM (ADR 0005)
- Public vulnerability disclosure — SECURITY.md + GitHub Security Advisories
- No unpatched vulnerabilities — Trivy + CodeQL gate CI
- 2FA on maintainer account — confirmed
- No hard-coded credentials — gitleaks scan + secret-scan workflow
### Analysis
- Static analysis — CodeQL (SAST)
- Dynamic analysis — N/A for a library / testbench (would apply to a hosted SaaS)
- Dependency vulnerability scan — Trivy + Dependabot
Estimated tier on enrolment day: Passing, with a clear path to Silver within ~6 months (Silver needs documented release signing — already exists — and a documented bug-triage policy — exists in `.github/ISSUE_TEMPLATE/config.yml` + this doc tree).
## How to add a quality gate

- Decide it belongs in CI — does this gate block bad code from landing on `main`? If yes, add a workflow under `.github/workflows/`. If it's an external service (e.g. a coverage report), document it here instead.
- Make the gate visible — add a badge to `README.md` if the service publishes one, and add a row to the table at the top of this document.
- Document the fail mode — when the gate fires, what does the contributor see? Update the relevant section of `CONTRIBUTING.md` or this document.
- Don't accumulate green badges that don't do anything — every badge claims a promise. Either enforce it or remove it.
## Related
- Release cadence — release-prep checklist
- Deprecation policy — removing a gate
- Backporting policy — gate state on supported lines
- RFC process — propose a new gate via RFC
- ADR 0005 — supply-chain ADR
- README.md badges — the live badge set
Last verified against shipping code: v3.7.0 (2026-05-12).