Claude-skill-registry enterprise-readiness

Assess and enhance software projects for enterprise-grade security, quality, and automation. This skill should be used when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, establishing quality gates, reviewing code or PRs, writing documentation (ADRs, changelogs, migration guides), or pursuing OpenSSF Best Practices Badge. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/enterprise-readiness" ~/.claude/skills/majiayu000-claude-skill-registry-enterprise-readiness && rm -rf "$T"

manifest: skills/data/enterprise-readiness/SKILL.md

source content

Enterprise Readiness Assessment

When to Use

Evaluating projects for production/enterprise readiness
Implementing supply chain security (SLSA, signing, SBOMs)
Hardening CI/CD pipelines
Establishing quality gates
Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)
Reviewing code or PRs for quality
Writing ADRs, changelogs, or migration guides
Configuring Git hooks or CI pipelines

MANDATORY Requirements

CRITICAL: The following are NOT optional. Every project MUST have ALL of these. Do not skip any.

README Badges (MANDATORY)

Every project README.md MUST display these badges at the top, in this order:

<!-- Row 1: CI/Quality -->
[![CI](https://github.com/ORG/REPO/actions/workflows/ci.yml/badge.svg)](https://github.com/ORG/REPO/actions/workflows/ci.yml)
[![codecov](https://codecov.io/gh/ORG/REPO/graph/badge.svg)](https://codecov.io/gh/ORG/REPO)

<!-- Row 2: Security (MANDATORY) -->
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ORG/REPO/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ORG/REPO)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/PROJECT_ID/badge)](https://www.bestpractices.dev/projects/PROJECT_ID)

Badge	URL Pattern	MANDATORY
CI Status	`github.com/ORG/REPO/actions/workflows/ci.yml/badge.svg`	YES
Codecov	`codecov.io/gh/ORG/REPO/graph/badge.svg`	YES
OpenSSF Scorecard	`api.securityscorecards.dev/projects/github.com/ORG/REPO/badge`	YES
OpenSSF Best Practices	`www.bestpractices.dev/projects/PROJECT_ID/badge`	YES

CI/CD Workflows (MANDATORY)

Every GitHub project MUST have these workflows in

.github/workflows/

Workflow	File	Purpose	MANDATORY
CI	`ci.yml`	Build, test, lint	YES
CodeQL	`codeql.yml`	Security scanning	YES
Scorecard	`scorecard.yml`	OpenSSF Scorecard	YES
Dependency Review	`dependency-review.yml`	PR CVE check	YES

CI Must Include (MANDATORY)

Requirement Implementation MANDATORY

Coverage upload

codecov/codecov-action

after tests

YES

Security audit

composer audit

npm audit

govulncheck

YES

SHA-pinned actions All actions use full SHA with version comment YES

OpenSSF Registration (MANDATORY)

Register at bestpractices.dev: https://www.bestpractices.dev/en/projects/new
Note the Project ID assigned after registration
Add badge to README with correct PROJECT_ID
Run Scorecard workflow to generate initial score

Codecov Setup (MANDATORY)

Enable Codecov for the repository at codecov.io
Collect coverage from ALL test suites (not just unit tests):

Test Suite	Coverage Command	Output File	MANDATORY
Unit	`phpunit -c UnitTests.xml --coverage-clover`	`.Build/coverage/unit.xml`	YES
Integration	`phpunit -c IntegrationTests.xml --coverage-clover`	`.Build/coverage/integration.xml`	YES
E2E	`phpunit -c E2ETests.xml --coverage-clover`	`.Build/coverage/e2e.xml`	YES
Functional	`phpunit -c FunctionalTests.xml --coverage-clover`	`.Build/coverage/functional.xml`	YES
JavaScript	`npm run test:coverage`	`coverage/lcov.info`	YES (if JS exists)

Upload ALL coverage files to Codecov:

- uses: codecov/codecov-action@SHA # vX.Y.Z
  with:
    token: ${{ secrets.CODECOV_TOKEN }}  # MANDATORY - see below
    files: .Build/coverage/unit.xml,.Build/coverage/integration.xml,.Build/coverage/e2e.xml,coverage/lcov.info
    fail_ci_if_error: false

CODECOV_TOKEN (MANDATORY)

Never rely on tokenless uploads. They fail for protected branches and are unreliable.

Requirement	Implementation	Why
Token in secrets	Add `CODECOV_TOKEN` to repo or org secrets	Authentication
Token in workflow	`token: ${{ secrets.CODECOV_TOKEN }}`	Required for protected branches
Org-level secret	Preferred for consistency across repos	Single point of management

Failure without token:

Upload failed: {"message":"Token required because branch is protected"}

Get token from: https://app.codecov.io/gh/ORG/REPO/settings

Add as org secret (recommended):

# Organization-level (covers all repos)
gh secret set CODECOV_TOKEN --org netresearch --visibility all

# Or repository-level
gh secret set CODECOV_TOKEN --repo OWNER/REPO

JavaScript Coverage (MANDATORY for projects with JS/TS)

When a project contains JavaScript or TypeScript files:

vitest.config.js MUST include lcov reporter for Codecov:

coverage: {
    provider: 'v8',
    reporter: ['text', 'json', 'html', 'lcov'],  // lcov REQUIRED for Codecov
    reportsDirectory: 'coverage',
}

CI workflow MUST include JavaScript test job:

- uses: actions/setup-node@SHA # vX.Y.Z
  with:
    node-version: '22'
- run: npm install
- run: npm run test:coverage

Codecov upload MUST include
```
coverage/lcov.info
```

Verification Checklist

Before marking enterprise-readiness complete, verify ALL:

README has CI badge linking to workflow
README has Codecov badge (not "unknown")
README has OpenSSF Scorecard badge (correct URL with
```
api.securityscorecards.dev
```
)
README has OpenSSF Best Practices badge (correct PROJECT_ID, not placeholder)
```
.github/workflows/ci.yml
```
exists and uploads coverage
```
.github/workflows/codeql.yml
```
exists
```
.github/workflows/scorecard.yml
```
exists
Codecov shows actual coverage percentage
Scorecard shows actual score

If any badge shows "unknown", "invalid", or placeholder ID - FIX IT. Do not proceed.

Assessment Workflow

Discovery: Identify platform (GitHub/GitLab), languages, existing CI/CD
Scoring: Apply checklists from references based on stack
Badge Assessment: Check OpenSSF criteria status
Gap Analysis: List missing controls by severity
Implementation: Apply fixes using scripts and templates

Dependency CVE Workflow

When assessing enterprise readiness, always run dependency audit as part of discovery:

# PHP/Composer
composer audit

# Node.js
npm audit

# Python
pip-audit

# Go
govulncheck ./...

CVE Handling Best Practice

Separate dependency updates from code changes:

PR Type	Content	Why
Code changes	Business logic, bug fixes, features	Reviewable, testable in isolation
Dependency updates	`composer update` , version bumps	Clear diff, easy rollback if issues

Real-world example from t3x-cowriter review:

Found 4 CVEs during enterprise assessment

CVE fixes required

composer update typo3/cms-core typo3/cms-backend

Kept separate from code fixes (JS bug, AGENTS.md updates) for clean PR history

CVE Severity Response

Severity	Response Time	Action
CRITICAL	Immediate	Hotfix PR, expedited review
HIGH	24-48 hours	Priority PR, security review
MEDIUM	1 week	Normal PR cycle
LOW	Next release	Batch with other updates

CI Integration

Add dependency audit to CI pipeline:

# .github/workflows/ci.yml
- name: Security audit
  run: composer audit --format=plain

Reference Files (Load Based on Stack)

Reference	When to Load
`references/general.md`	Always (universal 60 pts)
`references/github.md`	GitHub-hosted projects (40 pts)
`references/go.md`	Go projects (20 pts)
`references/openssf-badge-silver.md`	Pursuing Silver badge
`references/openssf-badge-gold.md`	Pursuing Gold badge

Quality & Process References (Language-Agnostic)

Reference	When to Load
`references/code-review.md`	Code review, PR quality checks
`references/documentation.md`	ADRs, API docs, migration guides, changelogs
`references/ci-patterns.md`	CI/CD pipelines, Git hooks, quality gates

Explicit Content Triggers

When reviewing PRs or code, load

references/code-review.md

for the comprehensive checklist covering test resource management, state mutation, defensive enum handling, documentation accuracy, and defensive code coverage.

When writing ADRs (Architecture Decision Records), load

references/documentation.md

for templates, file organization, and required sections (Context, Decision, Consequences, Alternatives).

When writing changelogs or release notes, load

references/documentation.md

for Keep a Changelog format and conventional commit mapping.

When writing API documentation or migration guides, load

references/documentation.md

for structure patterns and completeness checklists.

When configuring CI/CD pipelines, load

references/ci-patterns.md

for comprehensive pipeline structure, job ordering, and quality gates.

When setting up Git hooks (pre-commit/pre-push), load

references/ci-patterns.md

for the hook division strategy and Lefthook configuration.

When enforcing coverage thresholds, load

references/ci-patterns.md

for threshold tables and enforcement patterns.

When handling signed commits with rebase-only merge, load

references/ci-patterns.md

for the local fast-forward merge workflow.

Implementation Guides

Guide	Purpose
`references/quick-start-guide.md`	Getting started
`references/dco-implementation.md`	DCO enforcement
`references/signed-releases.md`	Cosign/GPG signing
`references/reproducible-builds.md`	Deterministic builds
`references/security-hardening.md`	TLS, headers, validation
`references/solo-maintainer-guide.md`	N/A criteria justification
`references/branch-coverage.md`	Gold 80% branch coverage

Automation Scripts

Script	Purpose
`scripts/verify-badge-criteria.sh`	Verify OpenSSF badge criteria
`scripts/check-coverage-threshold.sh`	Statement coverage check
`scripts/check-branch-coverage.sh`	Branch coverage (Gold)
`scripts/add-spdx-headers.sh`	Add SPDX headers (Gold)
`scripts/verify-signed-tags.sh`	Tag signature verification
`scripts/verify-review-requirements.sh`	PR review requirements

Document Templates

Templates in

assets/templates/

```
GOVERNANCE.md
```
- Project governance (Silver)
```
ARCHITECTURE.md
```
- Technical docs (Silver)
```
CODE_OF_CONDUCT.md
```
- Contributor Covenant v3.0
```
SECURITY_AUDIT.md
```
- Security audit (Gold)
```
BADGE_EXCEPTIONS.md
```
- N/A justifications

CI Workflow Templates

GitHub Actions workflows in

assets/workflows/

Workflow	Purpose
`scorecard.yml`	OpenSSF Scorecard security analysis
`codeql.yml`	Semantic code security scanning
`dependency-review.yml`	PR dependency CVE/license check
`slsa-provenance.yml`	SLSA Level 3 build attestation
`dco-check.yml`	Developer Certificate of Origin

Copy workflows to

.github/workflows/

and pin action versions with SHA hashes.

Scoring Interpretation

Score	Grade	Status
90-100	A	Enterprise Ready
80-89	B	Production Ready
70-79	C	Development Ready
60-69	D	Basic
<60	F	Not Ready

Code Review Quick Checklist

Before approving PRs, verify (see

references/code-review.md

for details):

One resource per test - No duplicate instances
State mutation complete - Tracking fields updated after operations
Defensive enum handling -
```
Valid()
```
method,
```
default
```
case, tested
Documentation accurate - Claims match benchmarks, trade-offs noted
Platform code marked - Limitations documented, alternatives provided
Defensive code tested - Error paths and edge cases covered

Critical Rules

NEVER interpolate
```
${{ github.event.* }}
```
in
```
run:
```
blocks (script injection)
NEVER guess action versions - always fetch from GitHub API
ALWAYS use SHA pins for actions with version comments
ALWAYS verify commit hashes against official tags

Related Skills

Skill	Purpose
`go-development`	Go code patterns, Makefile interface, testing
`github-project`	Repository setup, branch protection, auto-merge
`security-audit`	Deep security audits (OWASP, XXE, SQLi)
`git-workflow`	Git branching, commits, PR workflows

Resources

Contributing: Improvements to this skill should be submitted to the source repository: https://github.com/netresearch/enterprise-readiness-skill