OpenSSF Best Practices (Passing)
This page tracks repository evidence for the OpenSSF Best Practices Passing level.
Project page:
Snapshot date for this checklist: 2026-04-12.
Implemented Repository Evidence
- project website and documentation: https://livon.tech/docs
- public source repository: https://github.com/live-input-vector-output-node/livon-ts
- contribution workflow and quality gates: Contributing
- support channels and issue/discussion process: Support and Feedback
- code-of-conduct policy: Code of Conduct
- vulnerability reporting process: Security and Vulnerability Reporting
- release notes policy and entries: Release Notes
- CI and tests: .github/workflows/ci.yml, Testing and Quality
- static analysis: GitHub CodeQL default setup (Code Scanning checks on pull requests)
- leaked credential scanning: .github/workflows/ci.yml
- dependency/security scanning: .github/workflows/ci.yml (OSV-Scanner and OpenSSF Scorecard jobs)
- build and release workflow: .github/workflows/ci.yml
Criteria Mapping Notes
The repository now provides canonical docs and generated root files for:
- CONTRIBUTING.md
- CODE_OF_CONDUCT.md
- SUPPORT.md
- GOVERNANCE.md
- SECURITY.md
- .github/SECURITY.md
- CHANGELOG.md
These files are generated from website/docs/core/*.md via:
- pnpm run gen:readmes
- pnpm run check:readmes
Mapping config: configs/docs/readme-sync.json
Generator implementation: tools/readmes/src/lib.ts
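The generate-then-check pattern above is what keeps the root policy files (SECURITY.md, CONTRIBUTING.md, ...) from silently diverging from the canonical docs that the badge evidence points at. The following is an added illustration of that pattern, not the project's tools/readmes/src/lib.ts: the mapping shape, the "generated file" banner and the in-memory repository tree are all assumptions constructed for the example, so the real configs/docs/readme-sync.json may look different.

```typescript
// Added example (not project code): generate root files from canonical docs
// and detect drift, the way a gen:readmes / check:readmes pair would.
// The mapping format below is an ASSUMPTION standing in for
// configs/docs/readme-sync.json.
type SyncMapping = { source: string; target: string };

// Constructed mapping: one canonical doc may feed several root targets.
const MAPPING: SyncMapping[] = [
  { source: "website/docs/core/contributing.md", target: "CONTRIBUTING.md" },
  { source: "website/docs/core/security.md", target: "SECURITY.md" },
  { source: "website/docs/core/security.md", target: ".github/SECURITY.md" },
];

// Assumed banner that marks a root file as generated so reviewers edit the source instead.
const BANNER =
  "<!-- GENERATED FILE: edit the source under website/docs/core/ instead -->\n\n";

/** Render the root-file content for one canonical doc (normalises trailing whitespace). */
function render(sourceContent: string): string {
  return BANNER + sourceContent.trimEnd() + "\n";
}

/** gen:readmes equivalent: compute every root file the mapping says should exist. */
function generate(files: Map<string, string>, mapping: SyncMapping[]): Map<string, string> {
  const out = new Map<string, string>();
  for (const entry of mapping) {
    const src = files.get(entry.source);
    if (src === undefined) {
      throw new Error("missing canonical source: " + entry.source);
    }
    out.set(entry.target, render(src));
  }
  return out;
}

/**
 * check:readmes equivalent: return the root targets that are missing or whose
 * content differs from what generate() would write. A non-empty result is what
 * a CI quality gate should fail on.
 */
function checkDrift(files: Map<string, string>, mapping: SyncMapping[]): string[] {
  const expected = generate(files, mapping);
  const drifted: string[] = [];
  expected.forEach((content, target) => {
    if (files.get(target) !== content) {
      drifted.push(target);
    }
  });
  return drifted;
}

// Constructed sample repository tree (path -> content).
const SAMPLE_REPO = new Map<string, string>([
  ["website/docs/core/contributing.md", "# Contributing\n\nOpen a pull request.\n"],
  ["website/docs/core/security.md", "# Security\n\nReport vulnerabilities privately.\n"],
  // In sync with its source:
  ["CONTRIBUTING.md", render("# Contributing\n\nOpen a pull request.\n")],
  // Stale hand-edited copy without the banner: drift.
  ["SECURITY.md", "# Security\n\nReport vulnerabilities privately.\n"],
  // .github/SECURITY.md is absent entirely: also drift.
]);

/** Run the check over the constructed tree; used by the demo below. */
function sampleDrift(): string[] {
  return checkDrift(SAMPLE_REPO, MAPPING);
}

const drift = sampleDrift();
if (drift.length > 0) {
  console.log("root files out of sync with website/docs/core: " + drift.join(", "));
} else {
  console.log("root files are in sync");
}
```

Running the block reports SECURITY.md and .github/SECURITY.md as drifted while CONTRIBUTING.md passes; wiring the non-empty result to a non-zero exit code is what turns this into the pull-request gate the badge evidence relies on.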
Remaining Badge-App Actions (Manual)
The Best Practices page still includes criteria that require manual status updates and/or rationale input in BadgeApp. Use this repository evidence when updating those entries:
- set criteria with clear repository evidence to Met,
- add direct URL references to docs/workflows/files for each criterion,
- add rationale comments for SUGGESTED criteria that are intentionally not applicable.
Typical examples that still need manual BadgeApp updates:
- maintainer/security knowledge attestation criteria,
- response-time historical criteria,
- cryptography-specific criteria that depend on deployment context,
- dynamic-analysis criteria where applicability varies by package/runtime.