#601

Global Rank · of 601 Skills

enterprise-readiness AI Agent Skill

View Source: dirnbauer/webconsulting-skills

Safe

Installation

npx skills add dirnbauer/webconsulting-skills --skill enterprise-readiness

33

Installs

Enterprise Readiness Assessment

Assess and enhance software projects for enterprise-grade security, quality, and automation.

When to Use

  • Evaluating projects for production/enterprise readiness
  • Implementing supply chain security (SLSA, signing, SBOMs)
  • Hardening CI/CD pipelines
  • Establishing quality gates
  • Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)

Assessment Workflow

  1. Discovery: Identify platform (GitHub/GitLab), languages, existing CI/CD
  2. Scoring: Apply checklists based on stack
  3. Badge Assessment: Check OpenSSF criteria status
  4. Gap Analysis: List missing controls by severity
  5. Implementation: Apply fixes using templates

Scoring System

Base Score (0-100 points)

Category Max Points Focus Areas
Universal Controls 60 License, SECURITY.md, branch protection, CI
Platform-Specific 40 GitHub/GitLab specific features
Language-Specific 20 Go, PHP, JS specific tooling

Severity Levels

Level Impact Priority
Critical Security vulnerability, compliance blocker Immediate
High Major quality issue, missing automation This sprint
Medium Best practice gap, technical debt This quarter
Low Nice-to-have improvement Backlog

Universal Controls Checklist (60 pts)

Repository Basics (15 pts)

  • LICENSE file present (SPDX identifier)
  • README.md with project description
  • CONTRIBUTING.md with contribution guidelines
  • CODE_OF_CONDUCT.md (Contributor Covenant)
  • SECURITY.md with vulnerability reporting process

Branch Protection (15 pts)

  • Default branch protected
  • Require pull request reviews (1+ reviewers)
  • Require status checks before merging
  • Require signed commits (GPG/SSH)
  • No force pushes to protected branches

CI/CD Pipeline (15 pts)

  • Automated tests on every PR
  • Linting and static analysis
  • Dependency vulnerability scanning
  • Build verification
  • Coverage reporting

Security Practices (15 pts)

  • Dependabot or Renovate enabled
  • Secret scanning enabled
  • CodeQL or similar SAST
  • No secrets in repository
  • Signed releases

GitHub-Specific Controls (40 pts)

Security Features

  • Secret scanning enabled
  • Push protection enabled
  • Dependabot security updates
  • CodeQL analysis
  • Private vulnerability reporting

Actions Security

  • Actions pinned by SHA (not tag)
  • Minimal permissions (least privilege)
  • No pull_request_target with untrusted input
  • GITHUB_TOKEN scoped appropriately

Example: Secure Action Reference

# ❌ INSECURE - Tag can be moved
- uses: actions/checkout@v4

# ✅ SECURE - SHA-pinned with version comment
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

OpenSSF Best Practices Badge

Passing Level Requirements

Criterion Requirement
Basics LICENSE, documentation, build instructions
Change Control Version control, unique versioning
Reporting Public issue tracker, vulnerability reporting
Quality Working build, automated tests
Security No unaddressed vulnerabilities, secure development

Silver Level Requirements

All Passing criteria plus:

  • DCO or CLA for contributions
  • Detailed documentation (ARCHITECTURE.md)
  • Code review required for changes
  • 80%+ statement coverage
  • Test policy documented

Gold Level Requirements

All Silver criteria plus:

  • Multiple security-knowledgeable reviewers
  • Dynamic analysis (fuzzing)
  • 80%+ branch coverage
  • Security audit completed
  • Reproducible builds

SLSA Framework

SLSA Levels

Level Requirements
SLSA 1 Documented build process
SLSA 2 Hosted build, signed provenance
SLSA 3 Hardened builds, non-falsifiable provenance
SLSA 4 Two-person review, hermetic builds

GitHub Actions SLSA Provenance

# .github/workflows/release.yml
name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      
      - name: Build
        run: make build
        
      - name: Generate SLSA Provenance
        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
        with:
          base64-subjects: ${{ steps.hash.outputs.hashes }}

Signed Releases

Cosign (Containers)

# Sign container image
cosign sign --key cosign.key myregistry/myimage:v1.0.0

# Verify signature
cosign verify --key cosign.pub myregistry/myimage:v1.0.0

GPG (Git Tags)

# Sign tag
git tag -s v1.0.0 -m "Release v1.0.0"

# Verify tag
git tag -v v1.0.0

Software Bill of Materials (SBOM)

Generate SBOM

# Using Syft
syft packages . -o spdx-json > sbom.spdx.json

# Using CycloneDX for PHP
composer require --dev cyclonedx/cyclonedx-php-composer
composer make-bom

SBOM in CI

- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    artifact-name: sbom.spdx.json

Security Hardening

Content Security

# _headers or .htaccess
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains

Input Validation

// ✅ SECURE - Validate and sanitize all input
$email = filter_var($input, FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new ValidationException('Invalid email');
}

CI Workflow Templates

OpenSSF Scorecard

# .github/workflows/scorecard.yml
name: OpenSSF Scorecard

on:
  schedule:
    - cron: '0 0 * * 0'
  push:
    branches: [main]

permissions:
  security-events: write
  id-token: write

jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
          
      - uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

Dependency Review

# .github/workflows/dependency-review.yml
name: Dependency Review

on: pull_request

permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0

Score Interpretation

Score Grade Status
90-100+ A Enterprise Ready
80-89 B Production Ready
70-79 C Development Ready
60-69 D Basic
<60 F Not Ready

Critical Rules

  • NEVER interpolate ${{ github.event.* }} in run: blocks (script injection)
  • NEVER guess action versions - fetch from GitHub API or documentation
  • ALWAYS use SHA pins for actions with version comments
  • ALWAYS verify commit hashes against official tags
  • NEVER store secrets in code or commit history

Resources

Credits & Attribution

This skill is based on the excellent work by
Netresearch DTT GmbH.

Original repository: https://github.com/netresearch/enterprise-readiness-skill

Copyright (c) Netresearch DTT GmbH — Methodology and best practices (MIT / CC-BY-SA-4.0)
Adapted by webconsulting.at for this skill collection

Installs

Installs 33
Global Rank #601 of 601

Security Audit

ath Safe
socket Safe
Alerts: 0 Score: 90
snyk Low
EU EU-Hosted Inference API

Power your AI Agents with the best open-source models.

Drop-in OpenAI-compatible API. No data leaves Europe.

Explore Inference API

GLM

GLM 5

$1.00 / $3.20

per M tokens

Kimi

Kimi K2.5

$0.60 / $2.80

per M tokens

MiniMax

MiniMax M2.5

$0.30 / $1.20

per M tokens

Qwen

Qwen3.5 122B

$0.40 / $3.00

per M tokens

How to use this skill

1

Install enterprise-readiness by running npx skills add dirnbauer/webconsulting-skills --skill enterprise-readiness in your project directory. Run the install command above in your project directory. The skill file will be downloaded from GitHub and placed in your project.

2

No configuration needed. Your AI agent (Claude Code, Cursor, Windsurf, etc.) automatically detects installed skills and uses them as context when generating code.

3

The skill enhances your agent's understanding of enterprise-readiness, helping it follow established patterns, avoid common mistakes, and produce production-ready output.

What you get

Skills are plain-text instruction files — not executable code. They encode expert knowledge about frameworks, languages, or tools that your AI agent reads to improve its output. This means zero runtime overhead, no dependency conflicts, and full transparency: you can read and review every instruction before installing.

Compatibility

This skill works with any AI coding agent that supports the skills.sh format, including Claude Code (Anthropic), Cursor, Windsurf, Cline, Aider, and other tools that read project-level context files. Skills are framework-agnostic at the transport level — the content inside determines which language or framework it applies to.

Data sourced from the skills.sh registry and GitHub. Install counts and security audits are updated regularly.

EU Made in Europe

Chat with 100+ AI Models in one App.

Use Claude, ChatGPT, Gemini alongside with EU-Hosted Models like Deepseek, GLM-5, Kimi K2.5 and many more.

Start for free View pricing
Customer Support