@@ -40,11 +40,13 @@ The DevOps Maturity Specification is a set of guidelines and criteria designed t
4040| | D402 | CI/CD as Code | 🟢 |
4141| | D403 | Artifact Signing | 🟡 |
4242| | D404 | Dependency Pinning | 🟡 |
43+ | | D405 | SBOM Generation | 🟡 |
4344| Analysis | D501 | Static Code Analysis | 🟡 |
4445| | D502 | Dynamic Code Analysis | 🟡 |
4546| | D503 | Code Linting | 🟡 |
4647| Reporting | D601 | Notifications & Alerts | 🟢 |
4748| | D602 | Attached Reports | 🟡 |
49+ | | D603 | Compliance Mapping & Auditability | 🟡 |
4850
4951[ ^ 1 ] : A criteria ID code is a unique identifier assigned to specific criteria. For more details, see the [ Code Map] ( #code-map ) .
5052[ ^ 2 ] : Detailed information on each criteria can be found in the [ Criteria Details] ( #criteria-details ) section.
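Review bot: footnote [^1] in this hunk sends readers to the Code Map for each criteria ID, but neither hunk in this diff touches that section, so D405 and D603 will be absent from it unless it is updated separately; please confirm or add the entries. The new rows themselves fit the table: both keep the empty group cell used by continuation rows and carry the 🟡 weight of the neighbouring supply-chain criteria D403 and D404.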
@@ -99,15 +101,17 @@ Your score will generate one of the following badges:
99101| D205 | Accessibility Testing | Supports accessibility testing for standards compliance, such as WCAG.|
100102| D301 | Security Scanning | Supports security scanning, including SAST and DAST. |
101103| D302 | License Scanning | Supports license scanning using tools like SPDX, FOSSology, or license-checkers.|
102- | D401 | Documented Build Process | Provides a documented build process, including build steps or reproducibility.|
103- | D402 | CI/CD as Code | Supports CI/CD workflows defined as code, such as pipeline-as-code. |
104- | D403 | Artifact Signing | Supports artifact signing to ensure authenticity and integrity. |
105- | D404 | Dependency Pinning | Supports dependency pinning or version locking for reproducible builds. |
106- | D501 | Static Code Analysis | Supports static analysis tools like SonarQube, Polaris, or similar. |
107- | D502 | Dynamic Code Analysis | Supports dynamic analysis, including runtime behavior analysis or fuzz testing.|
108- | D503 | Code Linting | Supports code linting using tools like ESLint, Prettier, or pre-commit hooks.|
109- | D601 | Notifications & Alerts | Supports notification systems such as email or Slack alerts. |
110- | D602 | Attached Reports | Supports attaching detailed reports to builds, like test results or coverage.|
104+ | D401 | Documented Build Process | CI/CD build steps are version-controlled and documented.|
105+ | D402 | CI/CD as Code | Pipelines and infrastructure are defined as code (IaC, PaC). |
106+ | D403 | Artifact Signing | Build artifacts are cryptographically signed. |
107+ | D404 | Dependency Pinning | All dependencies are pinned to exact versions. |
108+ | D405 | SBOM Generation | Automatically generate and manage Software Bill of Materials (SBOMs) using SPDX or CycloneDX. |
109+ | D501 | Static Code Analysis | Analyze code for vulnerabilities and bugs without executing it. |
110+ | D502 | Dynamic Code Analysis | Execute code in test environments to find runtime issues.|
111+ | D503 | Code Linting | Enforce code style and formatting rules.|
112+ | D601 | Notifications & Alerts | Notify stakeholders on key CI/CD events. |
113+ | D602 | Attached Reports | CI/CD runs produce and attach structured test and analysis reports.|
114+ | D603 | Compliance Mapping & Auditability | Map controls to standards (e.g., SLSA, NIST, ISO 20243) and provide audit-ready reports. |
111115
112116{{< /details >}}
113117
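Review bot: the rewritten descriptions for D401 to D602 abandon the "Supports …" phrasing that the unchanged rows D205, D301 and D302 still use, and mix declarative ("Build artifacts are cryptographically signed.") with imperative ("Execute code in test environments…", "Enforce code style…") forms; pick one voice for the whole table. Two rows also lose detail the old text carried: D502 no longer names fuzz testing, and D404 drops the "reproducible builds" rationale behind pinning; consider keeping both. For D403, state whether the criterion also expects signatures to be verified where artifacts are consumed, since signing alone does not establish integrity downstream.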