DevOps Maturity Specification 1.0.0
Summary
DevOps Maturity Specification provides guidelines for DevOps best practices, aiming to enhance collaboration, automation, and efficiency across software development and operations.
Key Points
- Purpose: Help organizations and teams assess DevOps practices, align on best practices, and drive continuous improvement.
- Scope: Covers key DevOps domains including build, testing, security, supply chain, analysis, and reporting.
- Maturity Levels: Tracks progress with clear visual badges (See Badge Levels) to provide an easy and intuitive overview.
- Scoring: Criteria are weighted as MUST (🟢) or NICE (🟡) enabling clear and actionable evaluation.
- Tooling: Works with devops-maturity to automate scoring via Web UI or CLI.
Specification
| Category | Code | Criteria | Req. |
|---|---|---|---|
| Basics | D101 | Branch Builds | 🟢 |
| D102 | Pull Request Builds | 🟢 | |
| D103 | Clean Build Environments | 🟡 | |
| Quality | D201 | Unit Testing | 🟢 |
| D202 | Functional Testing | 🟢 | |
| D203 | Performance Testing | 🟡 | |
| D204 | Code Coverage | 🟡 | |
| D205 | Accessibility Testing | 🟡 | |
| Security | D301 | Security Scanning | 🟢 |
| D302 | License Scanning | 🟡 | |
| Supply Chain Security | D401 | Documented Build Process | 🟢 |
| D402 | CI/CD as Code | 🟢 | |
| D403 | Artifact Signing | 🟡 | |
| D404 | Dependency Pinning | 🟡 | |
| Analysis | D501 | Static Code Analysis | 🟡 |
| D502 | Dynamic Code Analysis | 🟡 | |
| D503 | Code Linting | 🟡 | |
| Reporting | D601 | Notifications & Alerts | 🟢 |
| D602 | Attached Reports | 🟢 |
- 🟢 MUST have (weight 1)
- 🟡 NICE have (weight 0.5)
Badge Levels
Your score will generate one of the following badges:
| Level | Score Range | Badge |
|---|---|---|
| WIP | 0% |  |
| PASSING | 1–49% |  |
| BRONZE | 50–69% |  |
| SILVER | 70–89% |  |
| GOLD | 90–100% |  |
Criteria Reference
Code Map
| Code | Description |
|---|---|
| D1xx | Basics |
| D2xx | Quality |
| D3xx | Security |
| D4xx | Supply Chain Security |
| D5xx | Analysis |
| D6xx | Reporting |
- All criteria codes are prefixed by domain letter (e.g.,
Dfor DevOps) - Code format:
DXYZD= Domain (DevOps)X= Category (e.g., 1: Basics, 2: Quality)YZ= Criteria number
Criteria Details
D101 Branch Builds
Supports builds from any specific branch, not just the main branch.
D102 Pull Request Builds
Supports building pull requests (PRs), not limited to direct pushes to branches.
D103 Clean Build Environments
Supports building in clean environments, such as containers or virtual machines (VMs).
D201 Unit Testing
Supports unit testing, including unit or component-level tests.
D202 Functional Testing
Supports functional testing, such as integration or end-to-end (E2E) tests.
D203 Performance Testing
Supports performance testing, including load, stress, or throughput testing.
D204 Code Coverage
Supports measuring code coverage, including line, branch, or function coverage.
D205 Accessibility Testing
Supports accessibility testing for standards compliance, such as WCAG.
D301 Security Scanning
Supports security scanning, including SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
D302 License Scanning
Supports license scanning using tools like SPDX, FOSSology, or license-checkers.
D401 Documented Build Process
Provides a documented build process, including build steps, manifests, or reproducibility details.
D402 CI/CD as Code
Supports CI/CD workflows defined as code, such as pipeline-as-code or infrastructure-as-code.
D403 Artifact Signing
Supports artifact signing (e.g., with PGP or GPG) to ensure authenticity and integrity.
D404 Dependency Pinning
Supports dependency pinning or version locking to ensure reproducible builds.
D501 Static Code Analysis
Supports static code analysis tools such as SonarQube, Polaris, or similar.
D502 Dynamic Code Analysis
Supports dynamic analysis, including runtime behavior analysis or fuzz testing.
D503 Code Linting
Supports code linting using tools like ESLint, Prettier, or pre-commit hooks.
D601 Notifications & Alerts
Supports notification systems such as email or Slack alerts.
D602 Attached Reports
Supports attaching detailed reports to builds, such as test results or coverage metrics.
FAQ
What tools can be used to caculate your score?
You can used devops-maturity which support web UI and CLI to calculate your score automatically.
What is the difference between OpenSSF Best Practices and DevOps Maturity?
OpenSSF Best Practices targets open source projects across the entire software development lifecycle, while DevOps Maturity focuses specifically on DevOps practices applicable to both open source and internal enterprise projects. DevOps Maturity provides both a web UI and a CLI for automatic maturity scoring. In contrast, OpenSSF Best Practices only offers a web-based SaaS and does not support internal deployment.