Skip to content

Add bestpractices.dev as trusted image domain#10618

Draft
Copilot wants to merge 4 commits intodevfrom
copilot/add-bestpractices-dev-domain
Draft

Add bestpractices.dev as trusted image domain#10618
Copilot wants to merge 4 commits intodevfrom
copilot/add-bestpractices-dev-domain

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Nov 3, 2025
edited
Loading

OpenSSF Best Practices badges from bestpractices.dev are not rendering in package READMEs (e.g., OpenFeature).

Changes

  • Added bestpractices.dev to Trusted-Image-Domains.json. The domain expansion logic automatically trusts both bestpractices.dev and www.bestpractices.dev, handling HTTP→HTTPS conversion.

  • Added test coverage in ImageDomainValidatorFacts.cs for all URL variants (http/https, with/without www).

  • Created TrustedImageDomainsFacts.cs with unit tests for the TrustedImageDomains domain expansion logic.

Context

The OpenSSF Best Practices Working Group (Open Source Security Foundation) maintains this domain for security and development best practices badges.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 1javsblobprodcus364.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • 1s1vsblobprodcus386.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • 6s7vsblobprodcus313.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • dlbvsblobprodcus316.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • k0ivsblobprodcus356.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • st8vsblobprodcus339.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • u6ovsblobprodcus377.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • x3yvsblobprodcus370.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • xupvsblobprodcus332.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • yttvsblobprodcus357.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)
  • ytvvsblobprodcus310.vsblob.vsassets.io
    • Triggering command: dotnet build tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj --configuration Debug (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[Feature]: Add https://www.bestpractices.dev as a trusted domain</issue_title>
<issue_description>### Related Problem

Currently, https://www.bestpractices.dev is not listed as a trusted domain in NuGet Gallery. Which renders some READMEs wrong. Example: https://www.nuget.org/packages/OpenFeature

The Elevator Pitch

Add https://www.bestpractices.dev to the trusted domains list. This domain is owned and maintained by the OpenSSF Best Practices Working Group. Including it as a trusted domain will promote safer linking to well-vetted guidance and resources on security and development best practices for package maintainers and users.

Additional Context and Details

OpenSSF (Open Source Security Foundation) Best Practices Working Group is responsible for the domain and its content. The site is widely recognized as an authoritative source for open source security and development best practices. </issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 3 commits November 3, 2025 23:07
@skofman1
Add bestpractices.dev to trusted image domains
c1bf74d 
Co-authored-by: skofman1 <16807822+skofman1@users.noreply.github.com>
@skofman1
Fix test to match actual TrustedImageDomains behavior
8905976 
Co-authored-by: skofman1 <16807822+skofman1@users.noreply.github.com>
@skofman1
Fix indentation: convert tabs to spaces
db4e78d 
Co-authored-by: skofman1 <16807822+skofman1@users.noreply.github.com>
Copilot AI changed the title [WIP] Add https://www.bestpractices.dev as a trusted domain Add bestpractices.dev as trusted image domain Nov 3, 2025
Copilot AI requested a review from skofman1 November 3, 2025 23:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skofman1 skofman1 Awaiting requested review from skofman1

At least 1 approving review is required to merge this pull request.

Assignees

@skofman1 skofman1

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skofman1