# Seasonal readiness Scorecard

Organizations that have a busy season can implement a seasonal readiness Scorecard to proactively ensure operational efficiency and consistency.

You can use our [example rules](#example-rules) as a starting point, and you can learn more below about [how customer H\&R Block reduced bugs by 50% year-over-year by implementing a seasonal readiness Scorecard](#example-h-and-r-blocks-season-readiness-scorecard).

### Example rules

The focus areas of this type of Scorecard may be specific to your organization's needs, but as general guidance, we recommend creating a Scorecard that contains rules in these key focus areas:

<details>

<summary>Operational readiness</summary>

Example rules:

* Entity has an owner\
  `ownership != null`
* Runbook is linked\
  `links("runbook").length > 0`
* Logs are linked\
  `links("logs").length > 0`

</details>

<details>

<summary>Reliability</summary>

Example rules:

* SLO coverage\
  `slos().length > 0`
  * Before configuring this rule, set up an integration that supports querying SLOs: [Datadog](/ingesting-data-into-cortex/integrations/datadog.md), [Dynatrace](/ingesting-data-into-cortex/integrations/dynatrace.md), [Google](/ingesting-data-into-cortex/integrations/google.md), [Lightstep](/ingesting-data-into-cortex/integrations/lightstep.md), [New Relic](/ingesting-data-into-cortex/integrations/newrelic.md), [Prometheus](/ingesting-data-into-cortex/integrations/prometheus.md), [Splunk Observability Cloud (SignalFx)](/ingesting-data-into-cortex/integrations/splunk-observability.md), or [Sumo Logic](/ingesting-data-into-cortex/integrations/sumologic.md).
* Test coverage minimum met\
  `captures("test-coverage", sonarqube.metric("coverage") >= 80)`
  * Before configuring this rule, set up an integration with [SonarQube](/ingesting-data-into-cortex/integrations/sonarqube.md). The [Codecov](/ingesting-data-into-cortex/integrations/codecov.md) integration also supports querying code coverage. You can [surface these code coverage metrics in failure messages](/guides/security/code-coverage-rules.md) for failed Scorecard rules.
* Zero critical and high vulnerabilities in Mend\
  `mend.vulnerabilities(risk = ["Critical", "High"]).length == 0`
  * Before configuring this rule, set up an integration with [Mend](/ingesting-data-into-cortex/integrations/mend.md). Other integrations that support querying on vulnerabilities include [Apiiro](/ingesting-data-into-cortex/integrations/apiiro.md), [Checkmarx](/ingesting-data-into-cortex/integrations/checkmarx.md), [GitHub](/ingesting-data-into-cortex/integrations/github.md), [Semgrep](/ingesting-data-into-cortex/integrations/semgrep.md), and [Snyk](/ingesting-data-into-cortex/integrations/snyk.md).
* On-call rotation has at least one escalation\
  `oncall.numOfEscalations() > 1`
  * Before configuring this rule, set up an integration that supports querying on-call: [Opsgenie](/ingesting-data-into-cortex/integrations/opsgenie.md), [PagerDuty](/ingesting-data-into-cortex/integrations/pagerduty.md), [Splunk On-Call (VictorOps)](/ingesting-data-into-cortex/integrations/splunk-oncall.md), or [xMatters](/ingesting-data-into-cortex/integrations/xmatters.md).
* Datadog monitor is set\
  `datadog.monitors().length > 0`
  * Before configuring this rule, set up an integration with [Datadog](/ingesting-data-into-cortex/integrations/datadog.md).

</details>

<details>

<summary>Security</summary>

Example rules:

* At least one required approval to merge\
  `git.numOfRequiredApprovals() > 0`
  * Before configuring this rule, set up a version control integration: [Azure DevOps](/ingesting-data-into-cortex/integrations/azuredevops.md), [Bitbucket](/ingesting-data-into-cortex/integrations/bitbucket.md), [GitHub](/ingesting-data-into-cortex/integrations/github.md), or [GitLab](/ingesting-data-into-cortex/integrations/gitlab.md).
* Code updated in the last week\
  `git.lastCommit().freshness < duration("P7D")`
  * Before configuring this rule, set up a version control integration.
* 0 critical Snyk issues\
  `snyk.issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0`
  * Before configuring this rule, set up an integration with [Snyk](/ingesting-data-into-cortex/integrations/snyk.md). Other integrations that support querying on vulnerabilities include [Apiiro](/ingesting-data-into-cortex/integrations/apiiro.md), [Checkmarx](/ingesting-data-into-cortex/integrations/checkmarx.md), [GitHub](/ingesting-data-into-cortex/integrations/github.md), [Mend](/ingesting-data-into-cortex/integrations/mend.md), and [Semgrep](/ingesting-data-into-cortex/integrations/semgrep.md).

</details>

### Get started with an example Scorecard

You can use the example rules above as a starting point for your Scorecard.

In this example Scorecard, the levels are organized by focus area. Scorecard levels are progressive, with the last level including the highest priority rules. Based on your organization's needs, you may want to reorder rules, add or remove rules, or rename the levels.

You can [create this Scorecard in the UI](#create-example-scorecard-via-the-ui), or you can [upload the YAML file via API or GitOps](#create-example-scorecard-via-gitops-or-api).

{% tabs %}
{% tab title="UI" %}

### Create example Scorecard via the UI

#### Step 1: Create the Scorecard and configure its basic details

1. In Cortex, navigate to **Scorecards** and click **+Create Scorecard**. Start with a blank Scorecard.
2. Configure the basic details.
   * Include a name that helps your users understand the purpose of the Scorecard (e.g., `Season readiness`) and a description.
   * Learn more about configuring basic fields for Scorecards in [Create a Scorecard](/standardize/scorecards/create.md).

#### Step 2: Add levels and rules

1. Under **Define evaluation rules**, add levels. In our example, we added levels based on focus area:
   * Operational readiness
   * Reliability
   * Security
2. Under a level, click **+Add rule** to add a rule.
   * For each level, add the [example rules](#example-rules) listed earlier in these instructions.
3. At the bottom of the page, click **Save Scorecard**.
   {% endtab %}

{% tab title="API or GitOps" %}

#### Create example Scorecard via GitOps or API

When following a [GitOps approach](/configure/gitops.md), you can add a Scorecard YAML file to your `.cortex/scorecards` directory in your version control repository. Note that GitOps must be enabled for Scorecards in your [GitOps settings](/configure/settings/gitops-settings.md).

You can also use the [Cortex API](/api/readme/scorecards.md), where you can submit a Scorecard definition in YAML.

<details>

<summary>Seasonal readiness Scorecard YAML</summary>

Use the YAML file below to add this Scorecard to your workspace via the API or via a GitOps flow.

```yaml
tag: seasonal-readiness
name: Seasonal Readiness
description: Ensuring services are ready before the busy season
draft: false
notifications:
  enabled: true
  scoreDropNotificationsEnabled: false
exemptions:
  enabled: true
  autoApprove: false
  userSpecificNotifications: false
ladder:
  name: Default Ladder
  levels:
  - name: Operational readiness
    rank: 1
    description: Minimum seasonal readiness
    color: "#EBA27E"
  - name: Reliability
    rank: 2
    description: Top level readiness rules
    color: "#B3B3B3"
  - name: Security
    rank: 3
    color: "#33393F"
rules:
- title: On-call rotation has at least one escalation
  expression: oncall.numOfEscalations() > 1
  weight: 1
  level: Reliability
- title: Logs are linked
  expression: links("logs").length > 0
  weight: 1
  level: Operational readiness
- title: Entity has owner
  description: "For accountability, ensure entities have clear ownership"
  expression: ownership != null
  weight: 1
  level: Operational readiness
- title: Test coverage minimum met
  expression: "captures(\"test-coverage\", sonarqube.metric(\"coverage\") >= 80)"
  weight: 1
  level: Reliability
- title: SLO coverage
  expression: slos().length > 0
  weight: 1
  level: Reliability
- title: Datadog monitoring is set
  expression: datadog.monitors().length > 0
  weight: 1
  level: Reliability
- title: At least one required approval to merge
  expression: git.numOfRequiredApprovals() > 0
  weight: 1
  level: Security
- title: Runbook is linked
  expression: links("runbook").length > 0
  weight: 1
  level: Operational readiness
- title: Low number of Snyk issues
  expression: snyk.issues().length < 5
  weight: 1
  level: Security
- title: Zero critical and high vulnerabilities
  expression: "captures(\"critical-vulns\", custom(\"critical_vulnerabilities\"))\
    \ == 0 AND captures(\"high-vulns\", custom(\"high_vulnerabilities\")) == 0"
  weight: 1
  level: Reliability
- title: Code updated in the last week
  expression: git.lastCommit().freshness < duration("P7D")
  weight: 1
  level: Security
filter:
  kind: GENERIC
  types:
    include:
    - service
```

</details>
{% endtab %}
{% endtabs %}
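
When the Scorecard file is managed through GitOps, a pre-merge check can catch mistakes such as a rule that points at a level the ladder does not define. The script below is an added example, not part of Cortex or its tooling; the checks it enforces, the `lint_scorecard` name, and the trimmed sample file with its deliberate typo are assumptions made for illustration.

```ruby
require "yaml"

# Constructed sample: a trimmed descriptor in the shape shown on this page,
# with one deliberate mistake (a rule pointing at an undefined level).
SAMPLE = <<~YAML
  tag: seasonal-readiness
  name: Seasonal Readiness
  ladder:
    levels:
    - name: Operational readiness
      rank: 1
    - name: Reliability
      rank: 2
    - name: Security
      rank: 3
  rules:
  - title: Entity has owner
    expression: ownership != null
    level: Operational readiness
  - title: SLO coverage
    expression: slos().length > 0
    level: Reliability
  - title: At least one required approval to merge
    expression: git.numOfRequiredApprovals() > 0
    level: Secuirty
YAML

# Returns a list of human-readable problems; an empty list means the file passed.
def lint_scorecard(text)
  doc = YAML.safe_load(text) || {}
  problems = []
  %w[tag name].each { |k| problems << "missing top-level '#{k}'" if doc[k].to_s.empty? }
  levels = doc.dig("ladder", "levels") || []
  names = levels.map { |l| l["name"] }
  ranks = levels.map { |l| l["rank"] }
  problems << "duplicate level rank" if ranks.uniq.length != ranks.length
  rules = doc["rules"] || []
  rules.each do |r|
    title = r["title"] || "(untitled)"
    problems << "rule '#{title}' has no expression" if r["expression"].to_s.strip.empty?
    problems << "rule '#{title}' uses undefined level '#{r["level"]}'" unless names.include?(r["level"])
  end
  (names - rules.map { |r| r["level"] }).each { |n| problems << "level '#{n}' has no rules" }
  problems
end

puts lint_scorecard(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Run it in CI against each file in `.cortex/scorecards` and fail the build when the returned list is not empty.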

## Example: H\&R Block's Season Readiness Scorecard

As described in their IDPCON talk, H\&R Block implemented a Season Readiness Scorecard ahead of tax season to drive operational consistency. Their Scorecard helped them automatically measure their organization's top priority areas: security, resiliency, code coverage, and software development lifecycle best practices.

They included rules to verify on-call coverage, escalation depth, monitoring setup, SLOs, and package versions.

### Outcome

They reduced incidents and bugs by 50% year over year, while automating readiness tracking previously handled manually by six program managers.

#### Their next steps

To continue proactively meeting organizational benchmarks, they also created [Scaffolder templates](/streamline/workflows/scaffolder.md) with built-in compliance and coding standards. This allowed them to ensure that all new projects were scaffolded with the best practices baked in.

### See the IDPCON session

H\&R Block's Manager of Technology spoke at IDPCON to explain how their organization leveled up developer experience with automation in Cortex:

{% embed url="<https://www.youtube.com/watch?v=_wLdQ5Fxb_g>" %}


