
Assessing CI/CD Maturity with CII Best Practices Badge and Custom Scoring

This article explains how organizations can quickly evaluate CI/CD maturity across projects by using the open‑source CII Best Practices Badge program, customizing scoring rules, and assigning badge levels to guide teams toward high‑quality, secure software delivery.

DevOps Engineer

Problem

Within an organization, different teams may use various dimensions to assess CI/CD maturity, making it difficult to measure each team's performance.

How can we quickly identify projects that follow best practices and more easily build high‑quality, secure software? A collaboratively defined set of best‑practice guidelines is needed to give teams a clear direction.

How to Evaluate

I refer to the open‑source CII Best Practices Badge program initiated by the Linux Foundation. It provides a set of best‑practice criteria for FLOSS projects. Projects that meet these criteria can self‑certify and obtain a CII badge at no cost, using the BadgeApp web application to display compliance details.

The best‑practice criteria can be used to:

Encourage projects to follow best practices.

Help new projects discover the practices they should adopt.

Allow users to identify projects that follow best practices, making them more likely to choose those projects.

The criteria are grouped into the categories Basics, Change Control, Reporting, Quality, Security, and Analysis.

Further details can be found in the CII Chinese documentation or the English documentation. Well‑known projects such as Kubernetes and Node.js already use this badge program.

Custom Best‑Practice Standards

If the existing standards do not meet your evaluation needs, you can define your own. Below is the custom set of best‑practice criteria I defined, together with the maturity badges derived from them.

Scoring Rules

Each best‑practice item has a score, typically 10 points for regular items and 20 points for critical items.

Items marked with 🔰 are "must‑have".

Items marked with 👍 are "should‑have".

The total score determines which badge the project receives.

Badge Score Table

| Badge | Score | Description |
| --- | --- | --- |
| 🚩 WIP | < 100 | Work In Progress badge for scores below 100. |
| ✅ PASSING | = 100 | PASSING badge for exactly 100 points. |
| 🥈 SILVER | > 100 && <= 150 | Silver badge for scores greater than 100 and up to 150. |
| 🥇 GOLD | > 150 | Gold badge for scores greater than 150. |

Note: The score ranges can be adjusted.

Best‑Practice Items and Scores

| Category | Best‑Practice Item | Score | Description |
| --- | --- | --- | --- |
| Basics | 🔰 Build any branch | 20 | Jenkins: support building any branch. |
| Basics | 🔰 Build any PR | 20 | Jenkins: build any Pull Request before merge. |
| Basics | 🔰 Upload artifacts | 10 | Jenkins: upload build artifacts to an artifact repository. |
| Basics | 👍 Containerized builds | 10 | Recommended to use containers for pipelines. |
| Quality | 🔰 Automated testing | 20 | Jenkins: trigger smoke/unit/regression tests. |
| Quality | 👍 Performance testing | 10 | Jenkins: trigger performance tests. |
| Quality | 👍 Code coverage collection | 10 | Jenkins: collect code coverage metrics. |
| Security | 🔰 Vulnerability scanning | 10 | Jenkins: run vulnerability scans. |
| Security | 🔰 License scanning | 10 | Jenkins: perform license checks. |
| Analysis | 👍 Code lint | 10 | Jenkins: lint code on PRs. |
| Analysis | 👍 Static code analysis | 10 | Jenkins: run static analysis on PRs. |
| Analysis | 👍 Dynamic code analysis | 10 | Jenkins: run dynamic analysis on PRs. |
| Reporting | 🔰 Email or Slack notifications | 10 | Notify stakeholders via Email or Slack. |

Note: Examples use Jenkins.

Final Results

| No | Repository Name | Implemented Best‑Practice Items | Badge |
| --- | --- | --- | --- |
| 1 | project-a | 🔰 Build any branch, 🔰 Build any PR, 🔰 Upload artifacts, 🔰 Automated testing, 🔰 Email or Slack notifications | 🚩 WIP |
| 2 | project-b | 🔰 Build any branch, 🔰 Build any PR, 🔰 Upload artifacts, 🔰 Automated testing, 🔰 Vulnerability scanning, 🔰 License scanning, 🔰 Email or Slack notifications | ✅ PASSING |
| 3 | project-c | 🔰 Build any branch, 🔰 Build any PR, 🔰 Upload artifacts, 👍 Containerized builds, 🔰 Automated testing, 🔰 Vulnerability scanning, 🔰 License scanning, 🔰 Email or Slack notifications | 🥈 SILVER |
| 4 | project-d | 🔰 Build any branch, 🔰 Build any PR, 🔰 Upload artifacts, 👍 Containerized builds, 🔰 Automated testing, 👍 Performance testing, 👍 Code coverage collection, 🔰 Vulnerability scanning, 🔰 License scanning, 👍 Code lint, 👍 Static code analysis, 👍 Dynamic code analysis, 🔰 Email or Slack notifications | 🥇 GOLD |

Q&A

Q: Why use badges instead of raw scores? A: Badges help teams focus on goals rather than chasing numeric scores.

Q: What other benefits does establishing best‑practice standards provide? A: They facilitate technical sharing between teams, make it easier to build high‑quality secure software, and keep teams aligned at a high standard.

References

[1] CII Best Practices Badge Program: https://github.com/coreinfrastructure/best-practices-badge

[2] CII Chinese Documentation: https://hardenedlinux.github.io/2016/08/04/best-practices-criteria-for-floss-part1.html

[3] CII English Documentation: https://github.com/coreinfrastructure/best-practices-badge/blob/main/doc/criteria.md

[4] Kubernetes example: https://bestpractices.coreinfrastructure.org/en/projects/569

[5] Node.js example: https://bestpractices.coreinfrastructure.org/en/projects/29

Written by

DevOps Engineer

DevOps engineer, Pythonista and FOSS contributor. Created cpp-linter, commit-check, etc.; contributed to PyPA.
