
epic: OpenSSF Best Practices — reach Silver and Gold badge levels #317

@xmudrii

Description

Platform Mesh has been awarded the OpenSSF Best Practices passing badge (project #12932). This follow-up tracks the work to reach the higher tiers:

  • Silver: currently at 96%
  • Gold: currently at 61%

Like the passing badge, this is an org-wide, project-level effort — the questionnaire is answered once for Platform Mesh as a whole, not per repo.

Silver — remaining requirements (2)

  • build_repeatable — the project MUST be able to repeat the process of generating information from source files and get exactly the same bit-for-bit result.
    • Builds are not currently bit-for-bit reproducible. Dockerfiles embed version strings and build metadata via -ldflags, and the build does not use -trimpath, -buildid=, or SOURCE_DATE_EPOCH. Needs investigation into the least-breaking way to make builds repeatable.
  • static_analysis_common_vulnerabilities — the project MUST use at least one static analysis tool that looks for common vulnerabilities in the analyzed language.
    • gosec can cover this but is not enabled by default in golangci-lint. Enable it across repos.

Both are considered relatively easily attainable.
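As an added illustration of the build_repeatable check (not Platform Mesh's own build script), the script below builds a constructed single-file Go module twice with the flags named above and compares the two binaries byte for byte; the module name, version value and output paths are assumptions for the demo.

```sh
#!/bin/sh
# Repeatable-build check: build the same Go source twice and compare.
# Added example; not the project's own tooling. Module name, VERSION
# and paths are assumptions for the demo.
set -eu

# Flags that remove the usual sources of variance between builds:
#  -trimpath            drop absolute workspace paths from the binary
#  -buildvcs=false      do not embed the checkout's git revision/time
#  -ldflags -buildid=   clear the build id
#  -X main.version=...  inject the version from an explicit input, not `date`
# SOURCE_DATE_EPOCH is pinned for any packaging step that honours it.
build_once() {
  src_dir=$1; out=$2; version=$3
  ( cd "$src_dir" && \
    SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-0}" CGO_ENABLED=0 GOFLAGS= GOTOOLCHAIN=local \
    go build -trimpath -buildvcs=false \
      -ldflags "-buildid= -X main.version=$version" -o "$out" . )
}

# Builds twice into separate files; prints "repeatable" and returns 0
# when the binaries are identical, otherwise reports the mismatch and returns 1.
check_repeatable() {
  work=$(mktemp -d)
  export GOCACHE="${GOCACHE:-$work/gocache}" GOPATH="${GOPATH:-$work/gopath}"
  mkdir -p "$work/src"
  # Constructed minimal module standing in for a real component.
  cat >"$work/src/go.mod" <<'EOF'
module example.com/demo

go 1.18
EOF
  cat >"$work/src/main.go" <<'EOF'
package main

import "fmt"

var version = "dev" // overwritten via -ldflags -X at build time

func main() { fmt.Println("demo", version) }
EOF
  build_once "$work/src" "$work/a" v1.2.3
  build_once "$work/src" "$work/b" v1.2.3
  if cmp -s "$work/a" "$work/b"; then
    rm -rf "$work"; echo "repeatable"; return 0
  fi
  rm -rf "$work"; echo "NOT repeatable: binaries differ"; return 1
}
```

Dropping -trimpath or -buildid= and building from two different checkout paths is the quickest way to see the comparison fail, which is the gap the issue describes.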

Gold — remaining requirements (sorted hardest → easiest)

  • security_review — a security review MUST have been performed within the last 5 years, considering the security requirements and security boundary.
  • dynamic_analysis — at least one dynamic analysis tool MUST be applied to any proposed major production release before release. (Attainable, but potentially significant effort.)
  • test_statement_coverage90 — FLOSS automated test suite(s) MUST provide ≥90% statement coverage. (We currently require 80%; closing the gap is non-trivial.)
  • build_reproducible — the project MUST have a reproducible build. (Depends on how build_repeatable is handled.)
  • copyright_per_file — each source file MUST include a copyright statement identifying the copyright holder. (Easily attainable.)
  • license_per_file — each source file MUST include a license statement, e.g. an SPDX-License-Identifier comment near the top. (Easily attainable.)
  • small_tasks — the project MUST clearly identify small tasks for new/casual contributors (URL required). Can use the good first issue label. (Easily attainable.)
  • hardened_site — the project website, repository, and download site MUST include key hardening headers with non-permissive values. Mostly concerns platform-mesh.io. (Easily attainable.)

Suggested order

  1. Lock in Silver first. Two easy requirements (build_repeatable, static_analysis_common_vulnerabilities) — a guaranteed badge, don't block it behind Gold work.
  2. Spike the hard Gold gates next — these decide whether Gold is reachable at all:
    • security_review — confirm we have someone to perform/document it.
    • test_statement_coverage90 — assess the real cost of going 80% → 90% across repos.
    • dynamic_analysis — identify a tool and how it fits the release flow.
      If any of these is infeasible, Gold is blocked regardless of the rest — so resolve them before investing in the easy criteria.
  3. Only once Gold looks achievable, knock out the easy wins: copyright_per_file, license_per_file, small_tasks, hardened_site, and build_reproducible (follows from build_repeatable).

Objectives

  • Silver badge awarded for Platform Mesh (project #12932).
  • Gold badge feasibility assessed via the three hard gates; if viable, remaining Gold requirements completed (larger items tracked as their own sub-tasks if needed).

Demo Required

None
