
Discussion Topic: Criteria used to regulate OSS libraries/modules used

Open ashukla13 opened this issue 1 year ago • 1 comment

Discussion Topic for OSS Supply Chain Risks WG

Description of Problem:

Most regulated organizations have predefined criteria to regulate which OSS libraries/modules get onboarded and used in their applications, to conform to security, compliance, and licensing requirements.

Topics to discuss

  • What criteria does your organization use to onboard OSS libraries/modules?
  • Beyond the initial onboarding, at what stages in the delivery pipeline are these criteria enforced?
  • Is there an exception process? If yes, what does that process look like?

Potential Solutions:

To be discussed

ashukla13 · Jul 17 '23 15:07

Discussion point: golden repos vs. or with scanning

johnmark · Aug 01 '23 12:08