Install specific skill from multi-skill repository:

```bash
npx skills add netresearch/enterprise-readiness-skill --skill "enterprise-readiness"
```
# Description
Assess and enhance software projects for enterprise-grade security, quality, and automation. This skill should be used when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, establishing quality gates, reviewing code or PRs, writing documentation (ADRs, changelogs, migration guides), or pursuing OpenSSF Best Practices Badge. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch.
# SKILL.md

```yaml
---
name: enterprise-readiness
description: "Assess and enhance software projects for enterprise-grade security, quality, and automation. This skill should be used when evaluating projects for production readiness, implementing supply chain security (SLSA, signing, SBOMs), hardening CI/CD pipelines, establishing quality gates, reviewing code or PRs, writing documentation (ADRs, changelogs, migration guides), or pursuing OpenSSF Best Practices Badge. Aligned with OpenSSF Scorecard, Best Practices Badge (all levels), SLSA, and S2C2F. By Netresearch."
---
```
# Enterprise Readiness Assessment

## When to Use
- Evaluating projects for production/enterprise readiness
- Implementing supply chain security (SLSA, signing, SBOMs)
- Hardening CI/CD pipelines
- Establishing quality gates
- Pursuing OpenSSF Best Practices Badge (Passing/Silver/Gold)
- Reviewing code or PRs for quality
- Writing ADRs, changelogs, or migration guides
- Configuring Git hooks or CI pipelines
## Assessment Workflow

1. Discovery: Identify platform (GitHub/GitLab), languages, existing CI/CD
2. Scoring: Apply checklists from references based on stack
3. Badge Assessment: Check OpenSSF criteria status
4. Gap Analysis: List missing controls by severity
5. Implementation: Apply fixes using scripts and templates
## Dependency CVE Workflow

When assessing enterprise readiness, always run a dependency audit as part of discovery:

```bash
# PHP/Composer
composer audit
# Node.js
npm audit
# Python
pip-audit
# Go
govulncheck ./...
```
### CVE Handling Best Practice

Separate dependency updates from code changes:

| PR Type | Content | Why |
|---|---|---|
| Code changes | Business logic, bug fixes, features | Reviewable, testable in isolation |
| Dependency updates | `composer update`, version bumps | Clear diff, easy rollback if issues |

Real-world example from t3x-cowriter review:

- Found 4 CVEs during enterprise assessment
- CVE fixes required `composer update typo3/cms-core typo3/cms-backend`
- Kept separate from code fixes (JS bug, AGENTS.md updates) for clean PR history
### CVE Severity Response

| Severity | Response Time | Action |
|---|---|---|
| CRITICAL | Immediate | Hotfix PR, expedited review |
| HIGH | 24-48 hours | Priority PR, security review |
| MEDIUM | 1 week | Normal PR cycle |
| LOW | Next release | Batch with other updates |
### CI Integration

Add the dependency audit to the CI pipeline:

```yaml
# .github/workflows/ci.yml
- name: Security audit
  run: composer audit --format=plain
```
## Reference Files (Load Based on Stack)

| Reference | When to Load |
|---|---|
| `references/general.md` | Always (universal 60 pts) |
| `references/github.md` | GitHub-hosted projects (40 pts) |
| `references/go.md` | Go projects (20 pts) |
| `references/openssf-badge-silver.md` | Pursuing Silver badge |
| `references/openssf-badge-gold.md` | Pursuing Gold badge |

### Quality & Process References (Language-Agnostic)

| Reference | When to Load |
|---|---|
| `references/code-review.md` | Code review, PR quality checks |
| `references/documentation.md` | ADRs, API docs, migration guides, changelogs |
| `references/ci-patterns.md` | CI/CD pipelines, Git hooks, quality gates |
## Explicit Content Triggers

- When reviewing PRs or code, load `references/code-review.md` for the comprehensive checklist covering test resource management, state mutation, defensive enum handling, documentation accuracy, and defensive code coverage.
- When writing ADRs (Architecture Decision Records), load `references/documentation.md` for templates, file organization, and required sections (Context, Decision, Consequences, Alternatives).
- When writing changelogs or release notes, load `references/documentation.md` for Keep a Changelog format and conventional commit mapping.
- When writing API documentation or migration guides, load `references/documentation.md` for structure patterns and completeness checklists.
- When configuring CI/CD pipelines, load `references/ci-patterns.md` for comprehensive pipeline structure, job ordering, and quality gates.
- When setting up Git hooks (pre-commit/pre-push), load `references/ci-patterns.md` for the hook division strategy and Lefthook configuration.
- When enforcing coverage thresholds, load `references/ci-patterns.md` for threshold tables and enforcement patterns.
- When handling signed commits with rebase-only merge, load `references/ci-patterns.md` for the local fast-forward merge workflow.
## Implementation Guides

| Guide | Purpose |
|---|---|
| `references/quick-start-guide.md` | Getting started |
| `references/dco-implementation.md` | DCO enforcement |
| `references/signed-releases.md` | Cosign/GPG signing |
| `references/reproducible-builds.md` | Deterministic builds |
| `references/security-hardening.md` | TLS, headers, validation |
| `references/solo-maintainer-guide.md` | N/A criteria justification |
| `references/branch-coverage.md` | Gold 80% branch coverage |

## Automation Scripts

| Script | Purpose |
|---|---|
| `scripts/verify-badge-criteria.sh` | Verify OpenSSF badge criteria |
| `scripts/check-coverage-threshold.sh` | Statement coverage check |
| `scripts/check-branch-coverage.sh` | Branch coverage (Gold) |
| `scripts/add-spdx-headers.sh` | Add SPDX headers (Gold) |
| `scripts/verify-signed-tags.sh` | Tag signature verification |
| `scripts/verify-review-requirements.sh` | PR review requirements |
## Document Templates

Templates in `assets/templates/`:

- `GOVERNANCE.md` - Project governance (Silver)
- `ARCHITECTURE.md` - Technical docs (Silver)
- `CODE_OF_CONDUCT.md` - Contributor Covenant
- `SECURITY_AUDIT.md` - Security audit (Gold)
- `BADGE_EXCEPTIONS.md` - N/A justifications

## CI Workflow Templates

GitHub Actions workflows in `assets/workflows/`:

| Workflow | Purpose |
|---|---|
| `scorecard.yml` | OpenSSF Scorecard security analysis |
| `codeql.yml` | Semantic code security scanning |
| `dependency-review.yml` | PR dependency CVE/license check |
| `slsa-provenance.yml` | SLSA Level 3 build attestation |
| `dco-check.yml` | Developer Certificate of Origin |

Copy workflows to `.github/workflows/` and pin action versions with SHA hashes.
## Scoring Interpretation

| Score | Grade | Status |
|---|---|---|
| 90-100 | A | Enterprise Ready |
| 80-89 | B | Production Ready |
| 70-79 | C | Development Ready |
| 60-69 | D | Basic |
| <60 | F | Not Ready |
## Code Review Quick Checklist

Before approving PRs, verify (see `references/code-review.md` for details):

- [ ] One resource per test - No duplicate instances
- [ ] State mutation complete - Tracking fields updated after operations
- [ ] Defensive enum handling - `Valid()` method, `default` case, tested
- [ ] Documentation accurate - Claims match benchmarks, trade-offs noted
- [ ] Platform code marked - Limitations documented, alternatives provided
- [ ] Defensive code tested - Error paths and edge cases covered
## Critical Rules

- NEVER interpolate `${{ github.event.* }}` in `run:` blocks (script injection)
- NEVER guess action versions - always fetch from GitHub API
- ALWAYS use SHA pins for actions with version comments
- ALWAYS verify commit hashes against official tags
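The first and third rules can be checked mechanically before a workflow is merged. The linter below is an added example and is not one of the skill's own scripts: it scans GitHub Actions workflow text, flags `${{ github.event.* }}` (and `github.head_ref`, another context GitHub documents as attacker-controllable) inside `run:` scripts, and flags `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow is constructed for the example; the setup-node SHA in it is a placeholder, not a real pin. The hardened step shows the safe pattern: pass the untrusted value through `env:` and reference it as a shell variable, so it is never spliced into the script source.

```python
"""Lint GitHub Actions workflow text for expression injection and unpinned actions.

Added example, not part of the enterprise-readiness skill. Pure stdlib, line based,
so it runs without a YAML parser; good enough for the two checks it performs.
"""
import re
import sys
from typing import Iterator, List, Tuple

# Expression contexts whose text is attacker-controllable. github.event.* is the family
# named in the rule above; github.head_ref is another documented untrusted context.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*(github\.event\.[^}\s]+|github\.head_ref)\s*\}\}")
# `run:` key, with the optional list dash captured so body indentation is measured
# relative to the key itself.
RUN_LINE = re.compile(r"^(\s*-?\s*)run:\s*(.*)$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def _run_blocks(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no of the run: key, script text), handling | and > block scalars."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, value = len(m.group(1)), m.group(2).strip()
        start = i + 1
        if value and value[0] in "|>":
            # Block scalar: the script is every following line indented deeper than the key.
            body: List[str] = []
            i += 1
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_indent
            ):
                body.append(lines[i])
                i += 1
            yield start, "\n".join(body)
            continue
        yield start, value
        i += 1


def find_script_injection(text: str) -> List[Tuple[int, str]]:
    """(line_no, expression) for every untrusted expression interpolated into a run: script."""
    hits = []
    for line_no, script in _run_blocks(text):
        for m in UNTRUSTED_EXPR.finditer(script):
            hits.append((line_no, m.group(0)))
    return hits


def find_unpinned_actions(text: str) -> List[Tuple[int, str]]:
    """(line_no, reference) for every uses: entry not pinned to a full commit SHA."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and docker images are outside this check
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            hits.append((n, ref))
    return hits


# Constructed sample: one injectable step, one hardened step, one tag-pinned action.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, not a real pin
      - name: Greet
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Greet safely
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $TITLE"
      - name: Audit
        run: composer audit --format=plain
"""


def lint(text: str) -> List[str]:
    """Human-readable findings for one workflow file; empty list means clean."""
    out = [f"line {n}: untrusted expression {expr} inside run: (use env: instead)"
           for n, expr in find_script_injection(text)]
    out += [f"line {n}: {ref} is not pinned to a full commit SHA" for n, ref in find_unpinned_actions(text)]
    return out


if __name__ == "__main__":
    # Usage: python lint_workflow.py [.github/workflows/*.yml]; no args lints the sample.
    paths = sys.argv[1:]
    sources = [(p, open(p).read()) for p in paths] if paths else [("sample", SAMPLE_WORKFLOW)]
    for name, src in sources:
        for finding in lint(src):
            print(f"{name}: {finding}")
```

Run it against `.github/workflows/*.yml` in a pre-push hook or a CI job so the findings fail the build; the expected output on the sample is one injection finding on the `Greet` step and one unpinned action for `actions/checkout@v4`, while the `Greet safely` step passes because the expression only appears under `env:`.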
## Related Skills

| Skill | Purpose |
|---|---|
| go-development | Go code patterns, Makefile interface, testing |
| github-project | Repository setup, branch protection, auto-merge |
| security-audit | Deep security audits (OWASP, XXE, SQLi) |
| git-workflow | Git branching, commits, PR workflows |

## Resources

Contributing: Improvements to this skill should be submitted to the source repository: https://github.com/netresearch/enterprise-readiness-skill
# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.