Skip to content
Apothem
Security

OpenSSF Scorecard posture

Apothem's OpenSSF Scorecard target and the evidence surfaces used to keep the score improving.

Apothem targets the maximum OpenSSF Scorecard score while keeping the public facade honest about what Scorecard can and cannot infer from a new single-maintainer repository. This document enumerates each check, the evidence surface that backs it, and the control that keeps the posture current.

The live score is at the Scorecard viewer; the badge is in the README header.

Per-check evidence matrix

CheckEvidence surfaceNotes
Binary-Artifactsbinary-artifacts-sweep.mdZero executable binaries tracked in source; generated distribution archives stay in dist/.
Branch-Protectionbranch-protection-ruleset.mdmain is protected before public release promotion; force-pushes and deletions are blocked after the fresh release commit lands.
CI-Tests.github/workflows/ci.ymlPytest matrix, ruff, mypy, CodeQL, Trivy, docs build, and packaging smoke checks.
CII-Best-PracticesOpenSSF Best Practices registrationRequires maintainer-side registration at the OpenSSF Best Practices site; this cannot be completed by repository files alone.
Code-ReviewBranch protection + CODEOWNERSEnforced for future pull requests; Scorecard history remains limited until reviewed PRs exist.
ContributorsAUTHORSA new solo-maintainer project cannot manufacture multi-organization contribution history; this improves naturally as contributors join.
Dangerous-WorkflowWorkflow auditNo pull_request_target; Actions are SHA-pinned and scoped with explicit permissions.
Dependency-Update-Toolrenovate.jsonRenovate covers GitHub Actions, Python manifests, hash-locked release requirements, and npm surfaces while keeping grouped dependency PRs available.
Fuzzingtests/property/Hypothesis property tests exercise parser and frontmatter invariants; upstream Scorecard may not credit Hypothesis as a fuzzer integration.
LicenseLICENSEMIT license at repository root.
MaintainedGit historyCurrent release commit and active workflow cadence demonstrate maintenance; very new repositories may receive an age warning.
Packaging.github/workflows/Release, Pages, and npmjs.com workflows producing the sdist, wheel, SBOM, SLSA provenance, and Sigstore signatures.
Pinned-DependenciesWorkflow audit + hash-locked requirementsActions are SHA-pinned; release tooling installs use --require-hashes; workflow-only pip tools use exact pins.
SAST.github/workflows/codeql.ymlCodeQL security-extended queries across Python and Actions.
Security-PolicySECURITY.mdCoordinated-disclosure policy, supported-version matrix, and response timeline.
Signed-Releases.github/workflows/release.ymlSigstore keyless signatures, SLSA provenance, SBOM, checksums, and release artifacts.
Token-PermissionsWorkflow auditWorkflows default to read-only permissions; write scopes are job-local and tied to deployment/package operations.
Vulnerabilities.github/workflows/pip-audit.yml + .github/workflows/dependency-review.ymlWeekly vulnerability scan and CI scan with SARIF upload; the dependency-review gate blocks pull requests that introduce vulnerable or disallowed-license dependencies.

Score interpretation

Scorecard scores each check on a 0-10 scale and the overall score is a weighted mean. Controls that depend on repository history, third-party registration, or contributor diversity are tracked explicitly instead of overclaimed. Drift on any file-controlled check triggers immediate remediation.

Refresh cadence

  • Per-push: Scorecard workflow re-runs on every push to main.
  • Weekly: Mondays 02:30 UTC — catches changes in upstream-scoring methodology + new vulnerabilities disclosed against existing pinned deps.
  • Per-release: Before public promotion, the maintainer verifies the live Scorecard viewer surface and records any platform-state limits.

References

On this page