From craft-workspace-webconsulting-skills
Evaluates projects for enterprise production readiness, implements supply chain security (SLSA provenance, cosign signing, SBOMs), hardens CI/CD pipelines with quality gates, and pursues OpenSSF Best Practices badges.
npx claudepluginhub dirnbauer/webconsulting-skills

This skill uses the workspace's default tool permissions.
- Production/enterprise readiness evaluations
Reference files: references/2fa-enforcement.md, references/badge-display.md, references/badge-submission-api.md, references/badges-and-workflows.md, references/branch-coverage.md, references/ci-docker-worktree.md, references/ci-patterns.md, references/code-review.md, references/cve-workflow.md, references/dco-implementation.md, references/documentation.md, references/dynamic-analysis.md, references/general.md, references/github.md, references/go.md, references/harden-runner-guide.md, references/mandatory-requirements.md, references/openssf-badge-baseline.md, references/openssf-badge-gold.md, references/openssf-badge-silver.md

Audits dependency configs for supply chain risks like unpinned versions, missing lockfiles, and postinstall scripts in package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, and pom.xml. Hardens with pinning, SBOM, and signing best practices.
Provides software supply chain security guidance on SBOM generation, SLSA framework, dependency scanning, SCA tools, and protections against attacks like dependency confusion and typosquatting.
Implements SCA with Snyk to scan open-source dependencies for vulnerabilities in CI/CD pipelines. Generates fix PRs, checks licenses, monitors apps, integrates with GitHub, GitLab, Jenkins.
Coverage required: CI, CodeQL, OpenSSF Scorecard, dependency review, security (composer audit + SBOM). Each may be a dedicated .github/workflows/<name>.yml OR a job that calls the netresearch reusable workflow. Badges: CI, Codecov, Scorecard, Best Practices, Baseline. See references/badges-and-workflows.md.
Pipeline hardening rules:

- permissions: contents: read at workflow-level; grant write only per-job
- `# v4.2.0)`. Org-internal reusable workflows use @main
- step-security/harden-runner as first step in every job; prefer egress-policy: block with allowed-endpoints
- dependabot.yml with all ecosystems (composer, npm, github-actions, docker); set up auto-merge workflow for dependency PRs using pull_request_target
- codecov-action; configure codecov.yml with patch coverage threshold
- push: trigger to branches: [main] when pull_request: is also present
- actions/attest-build-provenance with id-token: write and attestations: write permissions; verify with gh attestation verify
- SECURITY.md with vulnerability disclosure process and response SLA (Critical: 7 days, High: 30 days)
- ${{ github.event.* }} or ${{ inputs.* }} in run: blocks (script injection)
- https:// URLs in badge justifications

| Reference | Use |
|---|---|
references/general.md | Always |
references/scorecard-playbook.md | Scorecard optimization |
references/badges-and-workflows.md | Badge URLs, workflows |
references/mandatory-requirements.md | Checklist |
references/ci-patterns.md | CI/CD, hooks |
references/code-review.md | PR quality |
references/documentation.md | ADRs, changelogs |
references/slsa-provenance.md | SLSA Level 3 |
references/signed-releases.md | Cosign/GPG |
references/openssf-badge-silver.md | Silver |
references/openssf-badge-gold.md | Gold |
references/openssf-badge-baseline.md | OSPS Baseline |
references/harden-runner-guide.md | Harden-Runner |
references/solo-maintainer-guide.md | N/A criteria |
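As an added illustration (not from the skill or the netresearch references), one workflow that applies the hardening rules listed above in a single file; the action SHAs, the allowed endpoints, the artifact path and the `<org>` in the verify command are placeholders, not values from this page:

```yaml
# Added example (not from the skill's own references): a build workflow
# applying the hardening rules above. Action SHAs, allowed endpoints and the
# artifact path are placeholders; pin each action to its real commit SHA.
name: CI

on:
  pull_request:
  push:
    branches: [main]   # limit push: to main when pull_request: is also present

# Workflow-level default is read-only; jobs opt in to the writes they need.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # needed by attest-build-provenance
      attestations: write    # needed by attest-build-provenance
    steps:
      # Harden-Runner first in every job; block all egress except the
      # listed endpoints (placeholder list: keep only what the build needs).
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z placeholder SHA
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443

      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z placeholder SHA

      # Event data is passed through env, never interpolated into run:
      # (unsafe form: run: echo "${{ github.event.pull_request.title }}").
      - name: Log PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"

      - name: Build release artifact
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz --exclude=.git --exclude=dist .

      # SLSA provenance for the artifact; consumers check it with
      #   gh attestation verify dist/app.tar.gz --owner <org>
      - uses: actions/attest-build-provenance@0000000000000000000000000000000000000000 # vX.Y.Z placeholder SHA
        with:
          subject-path: dist/app.tar.gz
```

With egress-policy: block, any step that reaches a host outside allowed-endpoints fails rather than silently connecting, so start from the audit policy, read the Harden-Runner report, then switch to block.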
Related skills: go-development, github-project, security-audit, git-workflow.
This skill is based on the excellent work by Netresearch DTT GmbH.
Original repository: https://github.com/netresearch/enterprise-readiness-skill
Copyright (c) Netresearch DTT GmbH — Methodology and best practices (MIT / CC-BY-SA-4.0)
Special thanks to Netresearch DTT GmbH for their generous open-source contributions to the TYPO3 community, which helped shape this skill collection. Adapted by webconsulting.at for this skill collection.