The DevOps Maturity specification is standardized to assess the maturity of DevOps practices. It is a set of criteria to help you measure and improve your DevOps maturity.
DevOps Maturity is a broad DevOps baseline assessment. It does not replace specialized supply-chain security standards like SLSA. See the SLSA mapping for where the two frameworks overlap.
The assessment file format is defined by a JSON Schema. Criteria accept both simple boolean values and structured objects with evidence, verification metadata, and rationale:
# Simple boolean — quick self-assessment
D101: true
D202: false
# Structured — auditable evidence
D403:
status: true
evidence:
- type: workflow
path: .github/workflows/release.yml
- type: artifact-signature
tool: cosign
verified_by: devops-maturity-action
verified_at: "2026-05-24T00:00:00Z"
rationale: "Release workflow signs artifacts with Cosign keyless signing"If you find this useful, consider giving it a ⭐️ on GitHub! Your support helps others discover and adopt the spec.
Let others know your project follows the DevOps Maturity specification. Add this badge to your repository README:
[](https://devops-maturity.github.io/)- MAPPING-SLSA.md — Maps DevOps Maturity criteria to SLSA requirements
- schema/devops-maturity.schema.json — JSON Schema for the assessment YAML format
We welcome contributions from the community!
If you'd like to help improve the DevOps Maturity Specification — whether it's fixing a typo, improving the questions, or proposing a new maturity dimension — please check out our contributing guidelines.
No contribution is too small. Thank you for helping us grow! 💛