Security - Review against OpenSSF Open Source Project Security Baseline

[matglas]

I highly recommend reviewing the project against the OpenSSF Security Baseline (https://baseline.openssf.org/). It is the recommend starting point for open source projects to establish a foundation for securely developing open source projects. As part of maturing this project into something solid it would be very important.

The baseline project maintains three levels depending on the maturity of the project that is evaluated. Here are the levels.

Level 1: for any code or non-code project with any number of maintainers or users
Level 2: for any code project that has at least 2 maintainers and a small number of consistent users
Level 3: for any code project that has a large number of consistent users

When we do this and action on it we should be able to communicate more easily on the posture of our security practices.
Besides this baseline there is the scorecard.dev project by OpenSSF that complements it.

[github-actions]

Issue Triage

Summary: The issue requests that mxcli be evaluated against the OpenSSF Open Source Project Security Baseline to improve the project’s security posture.

Checklist for feature request

Required info	Present?	Notes
Use case – why the feature is needed, what problem it solves	✅	Explained: establishing a security foundation and communicating posture.
Proposed syntax or behavior (if applicable)	❌	No concrete CLI command, option, or behavior described.
Mendix version relevance (if version‑specific)	❌	No mention of whether this applies to specific Mendix versions.

Next steps
Could you please add:

1. A brief description of how you envision the feature working in mxcli (e.g., a new subcommand, flag, or output format).
2. Whether this feature should apply to all Mendix versions or only certain ones, and if any version‑specific considerations are needed.

Thanks for the suggestion! Once we have those details we can move forward.

---

Automated triage via OpenRouter — workflow source

[ako]

Thanks @matglas — this is a valuable suggestion. Here's a quick audit of where the project stands against the OpenSSF Baseline Level 1 requirements:

What we already have

• License: Apache 2.0 (LICENSE in repo root)
• CI/CD: Push tests, nightly integration tests, release workflow (GitHub Actions)
• SBOM generation: CycloneDX via make sbom (Go + TypeScript dependencies)
• Linting: make lint-go (fmt + vet) runs on every push
• Minimal permissions: Workflows use contents: read where possible
• Pinned actions: Using major version tags (actions/checkout@v5, etc.)

What's missing for Level 1

Gap	Priority	Notes
SECURITY.md	High	No vulnerability reporting policy
Dependabot / Renovate	High	No automated dependency update PRs
Branch protection	High	Needs documented rules (require reviews, status checks)
SAST scanning	Medium	No CodeQL, gosec, or govulncheck in CI
OpenSSF Scorecard	Medium	Not integrated, would give visibility into gaps

What would help for Level 2+

• SLSA provenance on release artifacts (via slsa-framework/slsa-github-generator)
• Signed releases (Sigstore/cosign)
• CODEOWNERS file
• 2+ maintainer requirement for releases

I'll start with the quick wins (SECURITY.md, dependabot) and we can iterate toward Level 2 as the project matures. Will link PRs here as they land.

[matglas]

Awesome!