docs(README): visual refresh + OpenSSF / Sigstore / SLSA badges#171
Merged
Conversation
User-requested README glow-up. Replaces the dense 109-line version
with a 409-line layout that's actually scannable, plus the badge set
the user asked for (OpenSSF Best Practices, OpenSSF Scorecard,
Sigstore, SLSA, plus a pkg.go.dev reference).
Visual changes:
* Centered title block with subtitle + hero badges in 4 grouped rows
(release / CI / supply-chain / project-fact).
* Three-column feature grid ("Why codeiq") with deterministic /
agent-ready / supply-chain-hardened / polyglot / no-AI /
single-binary callouts.
* ASCII pipeline diagram in "How it works".
* Documentation as a 3-column grouped table (starter / reference /
operate) for quick navigation.
* Collapsible CLI cheatsheet + MCP tool list.
* Verification section with three concrete commands (cosign-checksum,
cosign-darwin, gh attestation verify).
Badge additions:
* OpenSSF Best Practices (cii/percentage/12650 — auto-updates with
project score)
* OpenSSF Scorecard (img.shields.io/ossf-scorecard/<repo>)
* Sigstore keyless badge (project-fact, not auto-status)
* SLSA build provenance badge (project-fact)
* Perf-gate workflow status
* Scorecard workflow status
* pkg.go.dev reference
* 880+ tests fact
* CGO required fact
Badge omission with explicit footnote:
* SonarQube/SonarCloud — codeiq deliberately replaced Sonar + CodeQL
+ OWASP Dependency-Check with the OSS-CLI security stack in CI
(semgrep + osv-scanner + trivy + gitleaks + jscpd + govulncheck
+ native GitHub CodeQL). A Sonar badge would misrepresent the
setup. Inline <sup> note under the badge block + cross-link to
docs/07-integrations.md.
All badge URLs spot-checked HTTP 200/302 from this host.
No code changes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
User-requested README glow-up. Replaces the dense 109-line version with a 409-line layout that's actually scannable, plus the badge set the user asked for.
Badge additions
Sonar — deliberately omitted with footnote
The user asked for a SonarQube badge. codeiq doesn't use Sonar — the project explicitly replaced `Sonar + CodeQL + OWASP Dependency-Check` with the OSS-CLI stack in `security.yml` (Semgrep, OSV-Scanner, Trivy, Gitleaks, jscpd, govulncheck, plus native GitHub CodeQL via default setup). A Sonar badge would misrepresent the setup, so the README has an inline `` note under the badges and a cross-link to `docs/07-integrations.md`.
Visual changes
Details
`)Test plan
🤖 Generated with Claude Code