Source code, CI/CD, and supply chain security #1022

Open
11 tasks
aj-stein-gsa opened this issue Dec 21, 2024 · 0 comments
Labels
devops type: backlog item For developer work that is not part of a user-facing epic or user story. type: epic

Comments


aj-stein-gsa commented Dec 21, 2024

User Story

As a project maintainer, in order to have confidence in the code, how it is tested, built, and published, with its dependencies, in this repository hosting system and elsewhere, I want policy, process, and supporting automation to check security properties of the source code, the CI/CD system, and the supply chain of dependent software.

NOTE: Once maintainers (and interested community members) determine the overall policy and process approach, maintainers will integrate the relevant policy, process, and supporting automation into the other repositories. At that time, the list below will be cross-linked to relevant GitHub issues for other projects.

  • GSA/automate.fedramp.gov
  • GSA/oscal-js

Goals

  • Identify, monitor, and demonstrate key security properties of
    • this project's source code
    • changes to the code, specifically pull requests from community members that are not maintainers
    • its dependencies
    • the environment(s) used to test project code and dependencies
    • the environment(s) used to deploy project code and dependencies

Dependencies

N/A

Acceptance Criteria

  • All website and readme documentation affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

Revisions

@aj-stein-gsa aj-stein-gsa added devops type: epic type: backlog item For developer work that is not part of a user-facing epic or user story. labels Dec 21, 2024
@aj-stein-gsa aj-stein-gsa moved this from 🆕 New to 📋 Backlog in FedRAMP Automation Dec 21, 2024