Labels: blocked, dependencies, documentation, github_actions, java, question
Description
User Story
As a project maintainer, in order to have confidence in the code and in how it is tested, built, and published, together with its dependencies, both in this repository hosting system and elsewhere, I want policy, process, and supporting automation that check the security properties of the source code, the CI/CD system, and the supply chain of dependent software.
NOTE: Once maintainers (and interested community members) determine the overall policy and process approach, maintainers will integrate the relevant policy, process, and supporting automation into the other repositories. At that time, the list below will be cross-linked to relevant GitHub issues for other projects.
- metaschema-framework/liboscal-java
- metaschema-framework/oscal-cli
- metaschema-framework/oscal-server
- metaschema-framework/metaschema
- metaschema-framework/metaschema.dev
Goals
- Identify, monitor, and demonstrate key security properties of
  - this project's source code
  - changes to the code, specifically pull requests from community members who are not maintainers
  - its dependencies
  - the environment(s) used to test project code and dependencies
  - the environment(s) used to deploy project code and dependencies
Dependencies
N/A
Acceptance Criteria
- All website and readme documentation affected by the changes in this issue have been updated.
- A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
- The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
Revisions
No response