Add some basic guidance for project maintainers (#417)

funnelfiasco · eddie-knight · web-flow · commit 90975b821815 · 2025-11-14T15:34:55.000-05:00
* Add some basic guidance for project maintainers Fixes #413 Signed-off-by: Ben Cotton <ben@kusari.dev> * Rename the revanite GitHub Action Co-authored-by: Eddie Knight <knight@linux.com> Signed-off-by: Ben Cotton <ben@kusari.dev> --------- Signed-off-by: Ben Cotton <ben@kusari.dev> Co-authored-by: Eddie Knight <knight@linux.com>
diff --git a/.project-words.txt b/.project-words.txt
@@ -9,6 +9,7 @@ evolutive
 FINOS
 Fintech
 Gesmer
+GUAC
 golangci
 hyperpage
 incentivizing
diff --git a/docs/_config.yml b/docs/_config.yml
@@ -47,6 +47,7 @@ minima:
    nav_pages:
      - index.md
      - versions/2025-10-10.md
+     - maintainers.md
      - faq.md
      - maintenance.md
 #
diff --git a/docs/maintainers.md b/docs/maintainers.md
@@ -0,0 +1,37 @@
+---
+nav-title: Maintainer Guidance
+---
+
+# Implementation Guidance for Maintainers
+
+Are you a project maintainer looking to evaluate your project against the OSPS Baseline?
+This page contains guidance to help you do it quickly.
+Your feedback is always welcome in the [issues](https://github.com/ossf/security-baseline/issues).
+
+The Baseline website includes a Markdown-formatted checklist that you can use in a repository issue to track the controls by level.
+See the [main page](/) for links to the checklist.
+
+## Use Security Insights
+
+The [Security Insights project](https://github.com/ossf/security-insights) maintains a specification for projects to report information about their security in a machine-processable way.
+Many tools for Baseline evaluation will use this to evaluate controls that are not easily machine-auditable via platform APIs.
+
+To get started with Security Insights:
+
+. Adopt the Security Insights specification by creating a security-insights.yml file in your repository.
+. Populate the security-insights.yml file with security data for your project following the example-full.yml template.
+
+## Evaluation tooling
+
+Several tools are available to help you automate the process.
+
+* [LFX Insights](https://insights.linuxfoundation.org/) provides automated measurement and reporting of a variety of project metrics, including Baseline controls.
+If your project is not already included in LFX Insights, you can [add it](https://github.com/linuxfoundation/insights/discussions/categories/project-onboardings?discussions_q=is:open+category:%22Project+onboardings%22+sort:top).
+Your project does not need to be a part of the Linux Foundation.
+* [Privateer Plugin for GitHub Repositories](https://github.com/revanite-io/pvtr-github-repo) performs automated checks of some Baseline controls.
+This is what powers the LFX Insights evaluation.
+It is also available as a [GitHub Action](https://github.com/marketplace/actions/osps-security-assessment).
+
+## Additional information
+
+* OpenSSF case study for how [GUAC used LFX Insights](https://openssf.org/blog/2025/08/14/case-study-how-lfx-insights-and-osps-baseline-validated-guacs-security-in-under-an-hour/) to quickly evaluate against levels 1 and 2.

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ minima:`
`47`	`47`	`nav_pages:`
`48`	`48`	`- index.md`
`49`	`49`	`- versions/2025-10-10.md`
	`50`	`+ - maintainers.md`
`50`	`51`	`- faq.md`
`51`	`52`	`- maintenance.md`
`52`	`53`	`#`