enterprise-readiness AI Agent Skill

Global ranking: #601 of 601 skills

View source: dirnbauer/webconsulting-skills

Security audit: Safe

Installation

npx skills add dirnbauer/webconsulting-skills --skill enterprise-readiness

Installs: 33

Enterprise Readiness Assessment

Assess and enhance software projects for enterprise-grade security, quality, and automation.

When to Use

  • Evaluating projects for production/enterprise readiness
  • Implementing supply chain security (SLSA, signing, SBOMs)
  • Hardening CI/CD pipelines
  • Establishing quality gates
  • Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)

Assessment Workflow

  1. Discovery: Identify platform (GitHub/GitLab), languages, existing CI/CD
  2. Scoring: Apply checklists based on stack
  3. Badge Assessment: Check OpenSSF criteria status
  4. Gap Analysis: List missing controls by severity
  5. Implementation: Apply fixes using templates

Scoring System

Base Score (0-100 points)

Category            Max Points   Focus Areas
Universal Controls  60           License, SECURITY.md, branch protection, CI
Platform-Specific   40           GitHub/GitLab specific features
Language-Specific   20           Go, PHP, JS specific tooling

Severity Levels

Level     Impact                                          Priority
Critical  Security vulnerability, compliance blocker      Immediate
High      Major quality issue, missing automation         This sprint
Medium    Best practice gap, technical debt               This quarter
Low       Nice-to-have improvement                        Backlog

Universal Controls Checklist (60 pts)

Repository Basics (15 pts)

  • LICENSE file present (SPDX identifier)
  • README.md with project description
  • CONTRIBUTING.md with contribution guidelines
  • CODE_OF_CONDUCT.md (Contributor Covenant)
  • SECURITY.md with vulnerability reporting process
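The Repository Basics checks above can be automated. The following helper is an added example, not code from the skill or from Netresearch: it walks a repository directory, awards points for each required file and records gaps with the severity levels defined in this document. Three points per file, the SPDX-tag heuristic for LICENSE, and the "SECURITY.md must name a contact" heuristic are assumptions for the example; the sample repository is constructed in a temporary directory.

```python
"""Repository Basics check (15 pts): added assessment helper, not part of the skill."""
import os
import re
import tempfile

# Required files with the severity and reason recorded when they are missing.
REQUIRED_FILES = {
    "LICENSE": ("Critical", "compliance blocker: no licence"),
    "SECURITY.md": ("Critical", "no vulnerability reporting process"),
    "README.md": ("High", "no project description"),
    "CONTRIBUTING.md": ("Medium", "no contribution guidelines"),
    "CODE_OF_CONDUCT.md": ("Medium", "no code of conduct"),
}
POINTS_PER_FILE = 3  # assumption: 5 files x 3 pts = 15 pts

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*\S+")
# Assumed heuristic: a reporting process needs an e-mail address or a URL.
CONTACT = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|https?://\S+")
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def assess_repository_basics(repo):
    """Return (score, gaps); gaps are (severity, message) tuples, most severe first."""
    score = 0
    gaps = []
    for name, (severity, why) in REQUIRED_FILES.items():
        path = os.path.join(repo, name)
        if not os.path.isfile(path):
            gaps.append((severity, f"{name} missing ({why})"))
            continue
        score += POINTS_PER_FILE
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        # Content checks on files that are present (assumed heuristics).
        if name == "LICENSE" and not SPDX_TAG.search(text):
            gaps.append(("Medium", "LICENSE has no SPDX-License-Identifier tag"))
        if name == "SECURITY.md" and not CONTACT.search(text):
            gaps.append(("High", "SECURITY.md gives no reporting contact (e-mail or URL)"))
    gaps.sort(key=lambda g: SEVERITY_ORDER[g[0]])  # stable: keeps file order within a level
    return score, gaps


def demo():
    """Constructed sample repo: LICENSE without SPDX tag, SECURITY.md with a contact, README."""
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "LICENSE"), "w", encoding="utf-8") as fh:
            fh.write("MIT License\n\nCopyright (c) Example\n")
        with open(os.path.join(repo, "SECURITY.md"), "w", encoding="utf-8") as fh:
            fh.write("Report vulnerabilities to security@example.com\n")
        with open(os.path.join(repo, "README.md"), "w", encoding="utf-8") as fh:
            fh.write("# example\n")
        return assess_repository_basics(repo)


if __name__ == "__main__":
    score, gaps = demo()
    print(f"Repository Basics: {score}/15")
    for severity, msg in gaps:
        print(f"  [{severity}] {msg}")
```

The sample repository scores 9 of 15: three files are present, CONTRIBUTING.md and CODE_OF_CONDUCT.md are missing, and the LICENSE is flagged because it carries no SPDX tag.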

Branch Protection (15 pts)

  • Default branch protected
  • Require pull request reviews (1+ reviewers)
  • Require status checks before merging
  • Require signed commits (GPG/SSH)
  • No force pushes to protected branches

CI/CD Pipeline (15 pts)

  • Automated tests on every PR
  • Linting and static analysis
  • Dependency vulnerability scanning
  • Build verification
  • Coverage reporting

Security Practices (15 pts)

  • Dependabot or Renovate enabled
  • Secret scanning enabled
  • CodeQL or similar SAST
  • No secrets in repository
  • Signed releases

GitHub-Specific Controls (40 pts)

Security Features

  • Secret scanning enabled
  • Push protection enabled
  • Dependabot security updates
  • CodeQL analysis
  • Private vulnerability reporting

Actions Security

  • Actions pinned by SHA (not tag)
  • Minimal permissions (least privilege)
  • No pull_request_target with untrusted input
  • GITHUB_TOKEN scoped appropriately

Example: Secure Action Reference

# ❌ INSECURE - Tag can be moved
- uses: actions/checkout@v4

# ✅ SECURE - SHA-pinned with version comment
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

OpenSSF Best Practices Badge

Passing Level Requirements

Criterion       Requirement
Basics          LICENSE, documentation, build instructions
Change Control  Version control, unique versioning
Reporting       Public issue tracker, vulnerability reporting
Quality         Working build, automated tests
Security        No unaddressed vulnerabilities, secure development

Silver Level Requirements

All Passing criteria plus:

  • DCO or CLA for contributions
  • Detailed documentation (ARCHITECTURE.md)
  • Code review required for changes
  • 80%+ statement coverage
  • Test policy documented

Gold Level Requirements

All Silver criteria plus:

  • Multiple security-knowledgeable reviewers
  • Dynamic analysis (fuzzing)
  • 80%+ branch coverage
  • Security audit completed
  • Reproducible builds

SLSA Framework

SLSA Levels

Level   Requirements
SLSA 1  Documented build process
SLSA 2  Hosted build, signed provenance
SLSA 3  Hardened builds, non-falsifiable provenance
SLSA 4  Two-person review, hermetic builds

GitHub Actions SLSA Provenance

# .github/workflows/release.yml
name: Release

on:
  push:
    tags:
      - 'v*'

# Least privilege by default; the provenance job raises what it needs.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Build
        run: make build

      # The generator expects a base64-encoded sha256sum listing of the
      # artifacts to attest. The dist/ output path is an assumption.
      - name: Generate subject hashes
        id: hash
        run: |
          echo "hashes=$(sha256sum dist/* | base64 -w0)" >> "$GITHUB_OUTPUT"

  # The SLSA generator is a reusable workflow: it is called at job level
  # (not as a step) and its documentation requires referencing it by tag.
  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
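What a consumer does with the provenance the workflow above produces: bind the downloaded artifact to the attested subject and confirm who built it and from which source. The following is an added example, not code from the skill or the SLSA project; it assumes the SLSA provenance v0.2 statement layout emitted by the generic generator, and the statement, artifact bytes and example-org/myapp repository below are constructed. It covers only the subject-binding and builder/source checks; verifying the signature on the DSSE envelope is the job of slsa-verifier and is not done here.

```python
"""Subject-binding check for a SLSA provenance statement (added example, not the skill's code)."""
import hashlib
import json

GENERIC_BUILDER_ID_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator"
    "/.github/workflows/generator_generic_slsa3.yml"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact_name: str, artifact: bytes, expected_source: str):
    """Return a list of problems; an empty list means the artifact is the one attested."""
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType: " + str(statement.get("predicateType")))
    # Subject binding: the artifact's sha256 must appear under its name.
    subjects = {s.get("name"): s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    digest = subjects.get(artifact_name)
    if digest is None:
        problems.append(f"{artifact_name} is not a subject of this provenance")
    elif digest != sha256_hex(artifact):
        problems.append(f"sha256 mismatch for {artifact_name}")
    pred = statement.get("predicate", {})
    # Builder identity: only the SLSA generic generator (any tagged version) is trusted.
    builder = pred.get("builder", {}).get("id", "")
    if not builder.startswith(GENERIC_BUILDER_ID_PREFIX):
        problems.append("builder is not the SLSA generic generator: " + builder)
    # Source binding: the build must have been configured from the expected repository.
    source = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(expected_source):
        problems.append("provenance was produced for another source repository: " + source)
    return problems


# Constructed artifact and statement (values are placeholders, not a real release).
ARTIFACT = b"constructed example binary\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "myapp-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "builder": {"id": GENERIC_BUILDER_ID_PREFIX + "@refs/tags/v1.9.0"},
        "invocation": {"configSource": {"uri": "git+https://github.com/example-org/myapp@refs/tags/v1.0.0"}},
    },
}
EXPECTED_SOURCE = "git+https://github.com/example-org/myapp@"


def demo():
    """Check the genuine artifact and a tampered copy against the same statement."""
    ok = check_provenance(STATEMENT, "myapp-linux-amd64", ARTIFACT, EXPECTED_SOURCE)
    tampered = check_provenance(STATEMENT, "myapp-linux-amd64", ARTIFACT + b"x", EXPECTED_SOURCE)
    return ok, tampered


if __name__ == "__main__":
    print(json.dumps(STATEMENT, indent=2))
    print("genuine:", demo()[0])
    print("tampered:", demo()[1])
```

The genuine artifact yields no problems; the tampered copy fails on the sha256 mismatch even though the statement itself is unchanged, which is the property a consumer is relying on.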

Signed Releases

Cosign (Containers)

# Sign container image
cosign sign --key cosign.key myregistry/myimage:v1.0.0

# Verify signature
cosign verify --key cosign.pub myregistry/myimage:v1.0.0

GPG (Git Tags)

# Sign tag
git tag -s v1.0.0 -m "Release v1.0.0"

# Verify tag
git tag -v v1.0.0

Software Bill of Materials (SBOM)

Generate SBOM

# Using Syft
syft packages . -o spdx-json > sbom.spdx.json

# Using CycloneDX for PHP
composer require --dev cyclonedx/cyclonedx-php-composer
composer make-bom

SBOM in CI

- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    artifact-name: sbom.spdx.json
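Once an SBOM exists, policy can be applied to it offline. The following is an added example, not code from the skill or from Syft: it reads an SPDX-JSON document, applies the same licence deny list as the dependency-review workflow template later in this document (GPL-3.0, AGPL-3.0), and flags packages with no version or no licence information, since those cannot be matched against advisories. The SBOM below is a constructed, trimmed document containing only the fields the check reads; the normalisation of `-only` and `-or-later` suffixes is an assumption about how the deny list should be matched.

```python
"""Licence and completeness review of an SPDX-JSON SBOM (added example, not the skill's code)."""
import json

# Same deny list as the dependency-review workflow template.
DENY_LICENSES = {"GPL-3.0", "AGPL-3.0"}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample SBOM (trimmed to the fields this check reads).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app",
    "packages": [
        {"name": "example-app", "versionInfo": "1.0.0", "licenseConcluded": "MIT"},
        {"name": "left-pad", "versionInfo": "1.3.0", "licenseConcluded": "MIT"},
        {"name": "some-gpl-lib", "versionInfo": "2.1.0", "licenseConcluded": "GPL-3.0-only"},
        {"name": "unknown-lib", "versionInfo": "0.9.1", "licenseConcluded": "NOASSERTION"},
        {"name": "no-version-lib", "licenseConcluded": "Apache-2.0"},
    ],
})


def license_ids(expression):
    """Split an SPDX licence expression into bare ids, dropping -only/-or-later suffixes."""
    ids = set()
    for tok in expression.replace("(", " ").replace(")", " ").split():
        if tok.upper() in {"AND", "OR", "WITH"}:
            continue
        for suffix in ("-only", "-or-later"):
            if tok.endswith(suffix):
                tok = tok[: -len(suffix)]
        ids.add(tok)
    return ids


def review_sbom(sbom_json, deny=DENY_LICENSES):
    """Return (severity, message) findings, most severe first."""
    sbom = json.loads(sbom_json)
    findings = []
    for pkg in sbom.get("packages", []):
        name = pkg.get("name", "?")
        # Prefer the concluded licence; fall back to the declared one.
        lic = pkg.get("licenseConcluded") or "NOASSERTION"
        if lic == "NOASSERTION":
            lic = pkg.get("licenseDeclared") or "NOASSERTION"
        if "versionInfo" not in pkg:
            findings.append(("Medium", f"{name}: no version recorded, cannot be matched against advisories"))
        if lic == "NOASSERTION":
            findings.append(("Medium", f"{name}: licence unknown (NOASSERTION)"))
            continue
        hits = license_ids(lic) & set(deny)
        if hits:
            version = pkg.get("versionInfo", "")
            findings.append(("Critical", f"{name} {version}: denied licence {', '.join(sorted(hits))}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, msg in review_sbom(SAMPLE_SBOM):
        print(f"[{severity}] {msg}")
```

On the sample the GPL-3.0-only package is a Critical finding (a compliance blocker in this document's severity model), while the package without a version and the one with NOASSERTION are Medium gaps in SBOM quality.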

Security Hardening

Content Security

# _headers or .htaccess
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
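A check that the headers above are actually served, and served with strong enough values, belongs in the assessment. The following is an added example, not code from the skill: it takes a response header map (as returned by any HTTP client) and scores the five headers listed above, treating a Content-Security-Policy without a `default-src` fallback and an HSTS `max-age` below one year as failures. The thresholds and the severities assigned are assumptions for the example; both header sets below are constructed.

```python
"""Security response header check (added example, not the skill's code)."""
import re

ONE_YEAR = 31536000  # HSTS max-age from the hardening list above

# Constructed: the exact header set from the hardening list above.
GOOD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed: a partially hardened response (no framing protection, short HSTS).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "x-content-type-options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=300",
}


def check_security_headers(headers):
    """Return (score out of 5, findings as (severity, message) in check order)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    score = 0

    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        score += 1
    else:
        findings.append(("Medium", "X-Content-Type-Options: nosniff missing"))

    if h.get("x-frame-options", "").strip().upper() in {"DENY", "SAMEORIGIN"}:
        score += 1
    else:
        findings.append(("Medium", "X-Frame-Options missing or not DENY/SAMEORIGIN"))

    # CSP must carry a default-src directive so unlisted fetch types are restricted.
    csp = h.get("content-security-policy", "")
    if re.search(r"(^|;)\s*default-src\s", csp):
        score += 1
    else:
        findings.append(("High", "Content-Security-Policy missing or without default-src"))

    # HSTS only helps if the max-age is long enough to outlast a user's next visit.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) >= ONE_YEAR:
        score += 1
    else:
        findings.append(("High", f"Strict-Transport-Security missing or max-age < {ONE_YEAR}"))

    # Legacy header, still in the list above; low weight.
    if h.get("x-xss-protection", "").replace(" ", "").lower() == "1;mode=block":
        score += 1
    else:
        findings.append(("Low", "X-XSS-Protection: 1; mode=block missing"))

    return score, findings


if __name__ == "__main__":
    score, findings = check_security_headers(SAMPLE_HEADERS)
    print(f"headers: {score}/5")
    for severity, msg in findings:
        print(f"  [{severity}] {msg}")
```

The partially hardened sample scores 2 of 5; the short HSTS lifetime is reported as High because a 300-second policy gives almost no protection against a downgrade on the next visit.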

Input Validation

<?php
// ✅ SECURE - Validate and sanitize all input; use the returned value, never $input directly
function validateEmail(string $input): string
{
    $email = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid email'); // SPL exception; substitute your own
    }
    return $email;
}

CI Workflow Templates

OpenSSF Scorecard

# .github/workflows/scorecard.yml
name: OpenSSF Scorecard

on:
  schedule:
    - cron: '0 0 * * 0'
  push:
    branches: [main]

permissions:
  security-events: write
  id-token: write

jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
          
      - uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

Dependency Review

# .github/workflows/dependency-review.yml
name: Dependency Review

on: pull_request

permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0

Score Interpretation

Score    Grade  Status
90-100+  A      Enterprise Ready
80-89    B      Production Ready
70-79    C      Development Ready
60-69    D      Basic
<60      F      Not Ready

Critical Rules

  • NEVER interpolate ${{ github.event.* }} in run: blocks (script injection)
  • NEVER guess action versions - fetch from GitHub API or documentation
  • ALWAYS use SHA pins for actions with version comments
  • ALWAYS verify commit hashes against official tags
  • NEVER store secrets in code or commit history
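The Actions Security controls and the Critical Rules above can be checked mechanically before a workflow is merged. The following is an added example, not code from the skill: a small line-based linter that reads a workflow file and reports actions not pinned to a 40-hex commit SHA, SHA pins without a version comment, `${{ github.event.* }}` (and `github.head_ref`) interpolated inside `run:` blocks, a missing top-level `permissions` block, and use of the `pull_request_target` trigger for review. It deliberately avoids a YAML library so it runs on a bare interpreter; the sample workflow is constructed, and its all-zero SHA for actions/setup-node is a placeholder, not a real commit. The `env:`-then-`$TITLE` step in the sample is the mitigation the rule implies: untrusted data reaches the shell only as an environment variable, never as interpolated source.

```python
"""GitHub Actions workflow linter for the rules above (added example, not the skill's code)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(\s*)-?\s*uses:\s*([^\s#]+)(.*)$")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
# Attacker-controlled expression contexts that must never be interpolated into a script.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.[\w.\[\]]+|github\.head_ref)\s*\}\}")
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample; the zero SHA is a placeholder, the checkout SHA is the one used in this document.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: echo "Title is ${{ github.event.pull_request.title }}"
      - name: Greet
        run: |
          echo "Hello"
          echo "PR by ${{ github.event.pull_request.user.login }}"
      - name: Safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title is $TITLE"
"""


def lint_workflow(text):
    """Return (severity, line_number, message) findings, most severe first; line 0 = whole file."""
    findings = []
    lines = text.splitlines()
    if not any(re.match(r"^permissions:", ln) for ln in lines):
        findings.append(("High", 0, "no top-level permissions block; GITHUB_TOKEN gets default scopes"))
    run_indent = None  # column of the 'run:' key while inside a multi-line run block
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if run_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not stripped or indent > run_indent:
                if UNTRUSTED.search(line):
                    findings.append(("Critical", no, "untrusted context interpolated in run: (script injection)"))
                continue
            run_indent = None  # block ended; fall through and process this line normally
        if stripped.startswith("#"):
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", ">", "|-", ">-", "|+", ">+"):
                run_indent = line.index("run:")
            elif UNTRUSTED.search(body):
                findings.append(("Critical", no, "untrusted context interpolated in run: (script injection)"))
            continue
        m = USES_RE.match(line)
        if m:
            ref, rest = m.group(2), m.group(3)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local or image references have no tag to pin
            if "@" not in ref:
                findings.append(("High", no, f"{ref}: no version reference at all"))
                continue
            version = ref.rsplit("@", 1)[1]
            if not SHA_RE.match(version):
                findings.append(("High", no, f"{ref}: pinned to a movable tag/branch, not a commit SHA"))
            elif not re.search(r"#\s*v?\d", rest):
                findings.append(("Low", no, f"{ref}: SHA pin without a version comment"))
            continue
        if re.search(r"\bpull_request_target\b", stripped):
            findings.append(("Medium", no, "pull_request_target trigger: confirm no untrusted PR code or input is used"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, no, msg in lint_workflow(SAMPLE_WORKFLOW):
        print(f"[{severity}] line {no}: {msg}")
```

On the sample, both interpolations (the inline `run:` and the one inside the `run: |` block) are reported as Critical, the tag-pinned checkout and the missing `permissions` block as High, the trigger as Medium, and the comment-less SHA pin as Low; the `env:` variant produces no finding.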

Resources


Credits & Attribution

This skill is based on the excellent work by
Netresearch DTT GmbH.

Original repository: https://github.com/netresearch/enterprise-readiness-skill

Copyright (c) Netresearch DTT GmbH — Methodology and best practices (MIT / CC-BY-SA-4.0)
Adapted by webconsulting.at for this skill collection

Security audit

ath Safe
socket Safe
Warnings: 0 Score: 90
snyk Low

How to use this skill

  1. Install enterprise-readiness by running npx skills add dirnbauer/webconsulting-skills --skill enterprise-readiness in your project directory. Run the installation command above in your project directory. The skill file is downloaded from GitHub and placed in your project.
  2. No configuration required. Your AI agent (Claude Code, Cursor, Windsurf, etc.) automatically detects installed skills and uses them as context when generating code.
  3. The skill improves your agent's understanding of enterprise-readiness and helps it follow established patterns, avoid common mistakes, and produce production-ready code.

What you get

Skills are plain-text instruction files, not executable code. They encode expert knowledge about frameworks, languages or tools that your AI agent reads to improve its output. That means zero runtime overhead, no dependency conflicts and full transparency: you can read and review every instruction before installing.

Compatibility

This skill works with any AI coding agent that supports the skills.sh format, including Claude Code (Anthropic), Cursor, Windsurf, Cline, Aider and other tools that read project-level context files. Skills are framework-agnostic at the transport level; the content determines which language or framework they apply to.

Data sourced from the skills.sh registry and GitHub. Install counts and security audits are updated regularly.
