Assess and enhance software projects for enterprise-grade security, quality, and automation. Use when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, or establishing quality gates. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch.
Install from the marketplace:

```
/plugin marketplace add netresearch/claude-code-marketplace
/plugin install netresearch-skills-bundle@netresearch-claude-code-marketplace
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
Skill files (partial listing):

- LICENSE
- README.md
- assets/templates/ARCHITECTURE.md
- assets/templates/BADGE_EXCEPTIONS.md
- assets/templates/CODE_OF_CONDUCT.md
- assets/templates/GOVERNANCE.md
- assets/templates/ROADMAP.md
- assets/templates/SECURITY_AUDIT.md
- assets/workflows/codeql.yml
- assets/workflows/dco-check.yml
- assets/workflows/dependency-review.yml
- assets/workflows/scorecard.yml
- assets/workflows/slsa-provenance.yml
- composer.json
- references/2fa-enforcement.md
- references/badge-display.md
- references/branch-coverage.md
- references/dco-implementation.md
- references/dynamic-analysis.md
- references/general.md

| Reference | When to Load |
|---|---|
| references/general.md | Always (universal 60 pts) |
| references/github.md | GitHub-hosted projects (40 pts) |
| references/go.md | Go projects (20 pts) |
| references/openssf-badge-silver.md | Pursuing Silver badge |
| references/openssf-badge-gold.md | Pursuing Gold badge |
| Guide | Purpose |
|---|---|
| references/quick-start-guide.md | Getting started |
| references/dco-implementation.md | DCO enforcement |
| references/signed-releases.md | Cosign/GPG signing |
| references/reproducible-builds.md | Deterministic builds |
| references/security-hardening.md | TLS, headers, validation |
| references/solo-maintainer-guide.md | N/A criteria justification |
| references/branch-coverage.md | Gold 80% branch coverage |
| Script | Purpose |
|---|---|
| scripts/verify-badge-criteria.sh | Verify OpenSSF badge criteria |
| scripts/check-coverage-threshold.sh | Statement coverage check |
| scripts/check-branch-coverage.sh | Branch coverage (Gold) |
| scripts/add-spdx-headers.sh | Add SPDX headers (Gold) |
| scripts/verify-signed-tags.sh | Tag signature verification |
| scripts/verify-review-requirements.sh | PR review requirements |
Templates in assets/templates/:

- GOVERNANCE.md - Project governance (Silver)
- ARCHITECTURE.md - Technical docs (Silver)
- CODE_OF_CONDUCT.md - Contributor Covenant
- SECURITY_AUDIT.md - Security audit (Gold)
- BADGE_EXCEPTIONS.md - N/A justifications

GitHub Actions workflows in assets/workflows/:
| Workflow | Purpose |
|---|---|
| scorecard.yml | OpenSSF Scorecard security analysis |
| codeql.yml | Semantic code security scanning |
| dependency-review.yml | PR dependency CVE/license check |
| slsa-provenance.yml | SLSA Level 3 build attestation |
| dco-check.yml | Developer Certificate of Origin |
Copy the workflows to `.github/workflows/` and pin every `uses:` reference to a full-length commit SHA rather than a tag or branch, since tags can be moved to point at different code.
| Score | Grade | Status |
|---|---|---|
| 90-100 | A | Enterprise Ready |
| 80-89 | B | Production Ready |
| 70-79 | C | Development Ready |
| 60-69 | D | Basic |
| <60 | F | Not Ready |
`${{ github.event.* }}` in `run:` blocks (script injection): attacker-controlled event data such as a pull request title or branch name is interpolated into the shell script before it executes. Pass such values through `env:` and reference the environment variable in the script instead.

| Skill | Purpose |
|---|---|
| go-development | Go code patterns, Makefile interface, testing |
| github-project | Repository setup, branch protection, auto-merge |
| security-audit | Deep security audits (OWASP, XXE, SQLi) |
| git-workflow | Git branching, commits, PR workflows |
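The two workflow checks this page asks for, pinning `uses:` references to a full commit SHA and keeping `${{ github.event.* }}` out of `run:` blocks, as an added shell example. It is not one of the skill's own scripts; the function names are the example's, the sample workflow is constructed for the demo, and its forty-zero SHA is a placeholder rather than a real commit.

```shell
#!/usr/bin/env bash
# Added example (not one of the skill's scripts): lint GitHub Actions workflow
# files for two anti-patterns this page calls out:
#   1. `uses:` references pinned to a tag or branch instead of a 40-hex commit SHA
#   2. `${{ github.event.* }}` expanded inside a `run:` block (script injection)
# Function names are the example's own; the sample workflow below is constructed
# for the demo and its SHA is a placeholder, not a real commit.

# Print "unpinned: <line-no>:<line>" for every uses: reference whose ref is not a
# full-length commit SHA. Local actions (./path) and docker:// images are skipped.
find_unpinned_actions() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" | while IFS= read -r line; do
    ref=$(printf '%s\n' "$line" \
      | sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
      | tr -d "\"'")
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    sha=${ref##*@}   # text after the last '@'; equals $ref when no ref is given
    if ! printf '%s\n' "$sha" | grep -qE '^[0-9a-f]{40}$'; then
      printf 'unpinned: %s\n' "$line"
    fi
  done
}

# Print "injection: <line-no>: <line>" for github.event.* expressions that sit on a
# run: line or inside the indented block scalar that follows it. A line indented
# no deeper than the run: key closes the block; blank lines keep it open.
find_run_injection() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *-? *run:/ {
      in_run = 1; run_indent = indent($0)
      if ($0 ~ INJ) print "injection: " NR ": " $0
      next
    }
    in_run {
      if ($0 ~ /^ *$/) next
      if (indent($0) <= run_indent) in_run = 0
      else if ($0 ~ INJ) print "injection: " NR ": " $0
    }
  ' INJ='[$][{][{] *github[.]event[.]' "$1"
}

# Lint one workflow file: print findings, return 1 if there were any.
lint_workflow() {
  findings=$(find_unpinned_actions "$1"; find_run_injection "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Lint several files (e.g. .github/workflows/*.yml); return 1 if any file failed.
lint_workflows() {
  rc=0
  for wf in "$@"; do
    printf '== %s\n' "$wf"
    lint_workflow "$wf" || rc=1
  done
  return "$rc"
}

# Constructed sample: one unpinned tag, one placeholder SHA, one local action,
# one branch ref, one injectable run: block and its hardened env: counterpart.
sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: ./.github/actions/local-thing
      - name: Vulnerable greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Hardened greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
      - uses: ossf/scorecard-action@main
EOF
  printf '%s\n' "$f"
}

# Demo: lint the constructed sample when run with no arguments.
if [ "$#" -eq 0 ]; then
  lint_workflow "$(sample_workflow)" || true
fi
```

On the sample this reports the `@v4` and `@main` references and the `echo` line inside the first `run:` block, and stays silent on the placeholder SHA, the local action and the `env:`-based step. To use it on a repository, source the file and call `lint_workflows .github/workflows/*.yml`; the non-zero return value makes it usable as a CI gate.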
Contributing: Improvements to this skill should be submitted to the source repository: https://github.com/netresearch/enterprise-readiness-skill