Skip to content

OpenSSF Baseline L2 Self-Assessment

Baseline version: 2026-02-19Target maturity: Level 2 (includes all Level 1 controls) Scope: OSS portion of the repository under LICENSE. The Enterprise portion under ee-LICENSE is out of scope. Assessment date: 2026-04-20 Assessor: @jobinlawrance (sole maintainer; see MAINTAINERS.md)

This document is the evidence log that maps each Level 1 and Level 2 control to the artifact, PR, or setting that satisfies it. It is updated whenever a control state changes. The baseline version is pinned in the filename so future baseline revisions are captured in new files, not in place.

Summary

CategoryControlsSatisfied
Access Control5✅ 5
Build & Release8✅ 8
Documentation3✅ 3
Governance4✅ 4
Legal3✅ 3
Quality5✅ 5
Security Assessment3✅ 3
Vulnerability Management3✅ 3

Verification commands

Every signed release artifact can be verified with cosign. After a tag release, run:

bash
# Verify signed Go binary checksums
cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp '^https://github.com/ravencloak-org/Raven/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  checksums.txt

# Verify a signed Docker image
cosign verify ghcr.io/ravencloak-org/go-api:<VERSION> \
  --certificate-identity-regexp '^https://github.com/ravencloak-org/Raven/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

# Verify signed frontend bundle
cosign verify-blob \
  --certificate frontend-<VERSION>.tgz.pem \
  --signature frontend-<VERSION>.tgz.sig \
  --certificate-identity-regexp '^https://github.com/ravencloak-org/Raven/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  frontend-<VERSION>.tgz

Access Control

ControlRequirementEvidence
OSPS-AC-01.01MFA required for sensitive actionsEnforced at the org level on 2026-04-24. Verified via gh api orgs/ravencloak-org --jq .two_factor_requirement_enabledtrue. Every current and future org member must have 2FA on their GitHub account.
OSPS-AC-02.01New collaborators default to least privilegeGitHub default; org default permission set to read per gh api orgs/ravencloak-org output.
OSPS-AC-03.01Block direct commits to primary branchBranch protection on main: required_pull_request_reviews.required_approving_review_count = 1, require_code_owner_reviews = true. Verified via gh api repos/ravencloak-org/Raven/branches/main/protection.
OSPS-AC-03.02Prevent primary branch deletionBranch protection: allow_deletions = false, allow_force_pushes = false, required_linear_history = true.
OSPS-AC-04.01CI/CD least-privilege defaultPR #340: top-level permissions: {} + explicit per-job grants across all 11 workflows.

Build & Release

ControlRequirementEvidence
OSPS-BR-01.01Sanitize untrusted CI metadataAudit in PR #340: all $&#123;&#123; github.event.* }} references are in if: guards, none in run: blocks.
OSPS-BR-01.03Prevent privileged creds on untrusted codeAudit in PR #340: no pull_request_target usage anywhere.
OSPS-BR-02.01Unique version identifier per releasePR #341: release pipeline accepts only SemVer tags (v[0-9]+.[0-9]+.[0-9]+(-rc[0-9]+)?); preflight job rejects non-SemVer tags.
OSPS-BR-03.01Encrypted channels for dev/releaseGitHub HTTPS + GHCR HTTPS; documented in docs/architecture.md §"Security-Relevant Notes".
OSPS-BR-04.01Release changelogPR #341: cliff.toml + changelog job generates release notes from conventional commits via git-cliff.
OSPS-BR-05.01Standardized dep toolinggo mod, npm (with bun.lock), pip (via pyproject.toml) — documented in docs/dependency-policy.md.
OSPS-BR-06.01Signed release / manifestPR #341: .goreleaser.yaml signs checksums.txt via cosign keyless; release.yml signs Docker images and frontend bundle via cosign keyless. Signatures (.sig) and certificates (.pem) attached to every GitHub Release.
OSPS-BR-07.01No unencrypted secrets in VCSPR #337: gitleaks CI check + .gitleaks.toml allowlist. Blocks PRs on detection. GitHub native secret scanning + push protection also enabled at repo level.

Documentation

ControlRequirementEvidence
OSPS-DO-01.01User guides for basic functionalityREADME.md + docs/quickstart.md + DEVELOPMENT.md + docs/wiki/.
OSPS-DO-06.01Dependency selection/tracking docsPR #339: docs/dependency-policy.md.
OSPS-DO-07.01Build instructionsDEVELOPMENT.md + docker compose up path in README.md.

Governance

ControlRequirementEvidence
OSPS-GV-01.01List of members with sensitive accessPR #335: MAINTAINERS.md.
OSPS-GV-01.02Roles and responsibilitiesMAINTAINERS.md — "Responsibilities" and "Becoming a maintainer" sections.
OSPS-GV-03.01Contribution processCONTRIBUTING.md.
OSPS-GV-03.02Contribution requirementsPR #338: CONTRIBUTING extension covering coding standards, testing requirements, sign-off, PR workflow.
ControlRequirementEvidence
OSPS-LE-01.01Contributor legal assertionPR #338: DCO workflow blocks PRs without Signed-off-by:.
OSPS-LE-02.01OSI-approved source licenseLICENSE is Apache License 2.0 (OSI-approved). Phase 0 verification complete.
OSPS-LE-02.02OSI-approved released-asset licenseReleased artifacts (Go binaries, Docker images, frontend bundle) ship under the same LICENSE; archive configuration in .goreleaser.yaml includes LICENSE in every tarball. EE content explicitly excluded from release pipeline (see README.md § Licensing).

Quality

ControlRequirementEvidence
OSPS-QA-01.02Public commit recordGitHub native; commit history preserved (squash-merge preserves PR metadata while keeping main linear).
OSPS-QA-02.01Direct dependency listgo.mod, frontend/package.json, ai-worker/pyproject.toml + requirements*.txt.
OSPS-QA-04.01Codebase list for multi-repo projectsN/A — monorepo.
OSPS-QA-05.01No generated executables in VCSgitleaks + no build artifacts committed; verified via history inspection.
OSPS-QA-05.02No unreviewable binary artifactsSame as above; repository contains only source plus vendored lockfiles.

Security Assessment

ControlRequirementEvidence
OSPS-SA-01.01Design descriptions of actors and actionsPR #339: docs/architecture.md with actor table, component table, trust boundaries, mermaid diagram, core data flows.
OSPS-SA-02SASTPR #336: CodeQL workflow for Go, Python, JS/TS. Runs on PR + push + weekly.
OSPS-SA-03Dependency scanningExisting .github/workflows/security.yml (Trivy + govulncheck) plus Dependabot for gomod, pip, npm, docker, github-actions.

Vulnerability Management

ControlRequirementEvidence
OSPS-VM-01.01CVD policyPR #335: SECURITY.md — 72h acknowledgement, 7-day triage, 90-day coordinated disclosure window.
OSPS-VM-02.01Security contactsSECURITY.md lists GitHub Security Advisories as primary channel and an email fallback.
OSPS-VM-04.01Publish discovered vulnerabilitiesSECURITY.md documents the GitHub Security Advisories (GHSA) workflow and CVE request process. GitHub private vulnerability reporting is enabled at the repo level.

Phase 2 — Repository Settings (GitHub UI / API)

Applied via gh api:

  • ✅ Branch protection on main: 1 approving review, code-owner review, dismiss-stale, linear history, conversation resolution, no force push, no deletion.
  • ✅ Repo-level GitHub secret scanning + push protection.
  • ✅ Repo-level Dependabot alerts + automated security updates.
  • ✅ Private vulnerability reporting (advisories).
  • ✅ Org-wide defaults for new repos: Dependabot alerts + updates, dependency graph, secret scanning + push protection.

Known gaps / deferred items

  1. Secret scanning non-provider patterns and validity checks — GitHub Advanced Security features that require a paid plan or Enterprise; not enabled. Not required for L2.
  2. SLSA L3 provenance attestation — out of scope for L2. Container builds carry SLSA Build Level 3 attestations as of #352 and the release pipeline publishes them via actions/attest-build-provenance; a formal L3 generator workflow is a future L3 milestone.

Changelog

  • 2026-04-19 — Spec authored (PR #330)
  • 2026-04-19 — Docs + CI hardening PRs opened in parallel (#335, #336, #337, #338, #339, #340)
  • 2026-04-20 — Release pipeline PR opened (#341)
  • 2026-04-20 — Phase 2 repo settings applied via gh api
  • 2026-04-20 — Self-assessment (this doc) authored
  • 2026-04-20 — First signed release cut: v0.1.0
  • 2026-04-22 — SLSA Build Level 3 container attestations (#352)
  • 2026-04-23 — SAST tool stack wired (Semgrep, hadolint, actionlint, no-unsanitized) — PRs #357, #358
  • 2026-04-23 — 17-finding baseline SAST triage complete — PRs #360 through #363; remaining Code Scanning alerts dismissed with per-finding reasons on 2026-04-23
  • 2026-04-23 — v0.3.0 released
  • 2026-04-24 — CodeQL Gate pattern landed (#369); required checks now [Gate, DCO Sign-off, Gitleaks, CodeQL / Gate]
  • 2026-04-24 — Org-level MFA enforcement enabled; closes the last Known gap item. Baseline L2 status: complete.