Add FLOSS best practices criteria documentation#1101
Open
r33drichards wants to merge 3 commits intomainfrom
Open
Add FLOSS best practices criteria documentation#1101r33drichards wants to merge 3 commits intomainfrom
r33drichards wants to merge 3 commits intomainfrom
Conversation
Comprehensive audit of the cua repository against all OpenSSF Best Practices passing-level criteria. Identifies 4 MUST-level gaps blocking the passing badge: missing SECURITY.md, no private vulnerability disclosure mechanism, auto-generated release notes lacking human curation, and missing CHANGELOG.md. Includes prioritized recommendations. https://claude.ai/code/session_012QQhopcjqK8NVmURcTcKiA
Add specific findings from deep code security analysis: MD5 usage in 4 files (non-security context), shell=True in 3 controlled environments, secure OAuth 2.0 auth implementation, parameterized SQL queries. Update crypto criteria with concrete file-level evidence. https://claude.ai/code/session_012QQhopcjqK8NVmURcTcKiA
60 test files across 15 directories for 555 source files (10.8% ratio). Coverage concentrated in cua-cli (15 tests) while lume has 0 tests. https://claude.ai/code/session_012QQhopcjqK8NVmURcTcKiA
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
|
Important Review skippedAuto reviews are limited based on label configuration. 🏷️ Required labels (at least one) (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
cuaclaw
added a commit
to cuaclaw/cua
that referenced
this pull request
Mar 9, 2026
- Add .github/SECURITY.md with vulnerability reporting policy,
response timelines, scope, and private disclosure via GitHub
Security Advisories + security@cua.ai
- Add .github/dependabot.yml to automate dependency updates across
pip, npm, and GitHub Actions ecosystems
- Update CONTRIBUTING.md: add explicit English language requirement
and Testing Requirements section mandating tests for all new
features and bug fixes
- Update FLOSS_BEST_PRACTICES_AUDIT.md:
- Fix release_notes to PASS (confirmed: GitHub Releases have
human-readable notes)
- Fix vulnerability_report_process and vulnerability_report_private
to PASS (SECURITY.md added)
- Fix english SHOULD to PASS (CONTRIBUTING.md updated)
- Fix tests_documented_added to PASS (CONTRIBUTING.md updated)
- Update summary: 29/34 → 31/34 MUST passing (3 failures remain)
- Revised Critical Gaps section to reflect resolved items
Remaining MUST failure: vulnerabilities_fixed_60_days (85 Dependabot
alerts including 3 critical — requires manual triage)
Closes gaps identified in trycua#1101
This was referenced Mar 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://claude.ai/code/session_012QQhopcjqK8NVmURcTcKiA