CII Best practices badge addition

[UlisesGascon]

In order to obtain the silver level ( nodejs/security-wg#955 ) we will need to met this criteria:

The project repository front page and/or website MUST identify and hyperlink to any achievements, including this best practices badge, within 48 hours of public recognition that the achievement has been attained. (URL required)

It was not possible to be done in the Node README.md (nodejs/node#48427)

I am not very sure where this badge can be added in the website, this is the sample code that is provided.

<a href="https://bestpractices.coreinfrastructure.org/projects/29"><img src="https://bestpractices.coreinfrastructure.org/projects/29/badge"></a>

[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/29/badge)](https://bestpractices.coreinfrastructure.org/projects/29)

Related:

• Node.js Security WorkGroup Meeting 2023-06-08 security-wg#1012
• Assessment against best practices (OpenSSF Scorecards ...) security-wg#859

cc: @nodejs/security

[ovflowd]

I think it's fine to add it here :)

At least I don't mind the extra badge, cc @nodejs/website what y'all think about it?

[mikeesto]

Fine by me FWIW. Does it need to be on the home page or could it be on another page?

[RafflesiaKhan]

I think it's better to add that after Nodejs(line 1) or add a new section as Badges before License :)

[ovflowd]

Yeah I also believe it's better fitting on the README rather than the website itself.

[ljharb]

It would be ideal to have it in the repo readme; I'm about to begin an OpenJS Foundation initiative with the goal of having every Foundation project follow these best practices, which include displaying the badge - the website would count, but the repo feels more appropriate to me.

[HinataKah0]

I also don't mind an extra badge

I checked other projects and I saw the badge is put in README under the project name... IMO it's more appropriate
But it seems there's a consensus of not putting this in the README :)

[ovflowd]

@UlisesGascon feel free to open a PR against our README. It sounds clear that the Website Team isn't against this.

To be honest, I don't think this falls to the Website Team, since this is an OpenJS initiative (correct me if I'm wrong) and probably the @nodejs/tsc is more interested in knowing we're setting up a badge that will theoretically grant us a certain status.

But again, I think we're fine with proceeding with getting this adopted here :)

[tniessen]

feel free to open a PR against our README

I don't think the website repo's README is what the requirement demands. The only reason for adding the badge is to comply with their demand, not to actually showcase it :)

[ljharb]

oh sorry, i meant the node repo was the more appropriate place to put it.

[RafaelGSS]

We should either have it on nodejs/node#README.md or Node.js website to display the badge. Otherwise, the requirements won't be met.

[mhdawson]

And to make sure everybody on the thread has the context, there were objections to adding it to the node repo README.md in nodejs/node#48427 when @UlisesGascon opened a PR to do that. That is why the request to add it to the Website.

[UlisesGascon]

@nodejs/website can you help us to progress the initiative? We are submitting the Silver badge currently, and this is a requirement. Maybe we can include it in the footer? Not sure where we can include the badge in the website 🤔

[bmuenzenmeyer]

I had a couple minutes and I mocked up what it would look like on the current site - the footer seems like an okay place to me.

But the new proposed layout has vastly streamlined this area of the site and I feel like simply duplicating it in the new footer would be a mistake. If the rest of @nodejs/nodejs-website agrees...

• I think we should add to the current footer with as little work as possible - we will be throwing that work away.
• We should engage with @haydenbleasel and @nodejs/ux-and-design to think through what makes the most sense in the proposed design.
  • Potential areas:
    • About page
    • Project governance page (my current preference)
    • Sidebar

[ljharb]

Governance is about how decisions are made, not about technical rubrics. Perhaps under "about" or "security reporting"?