finos / devops-automation

Provide a continuous compliance and assurance approach to DevOps that mutually benefits banks, auditors and regulators whilst accelerating DevOps adoption in engineering and fintech IT departments.

Home Page: http://devops.finos.org

Discussion Topic: Criteria used to regulate OSS libraries/modules used

ashukla13 opened this issue

Discussion Topic for OSS Supply Chain Risks WG

Description of Problem:

Most regulated organizations have predefined criteria to regulate which OSS libraries/modules get onboarded and used in their applications, in order to conform to security, compliance, and licensing requirements.

Topics to discuss

  • What criteria does your organization use to onboard OSS libraries/modules?
  • Beyond the initial onboarding, at what stages in the delivery pipeline are these criteria enforced?
  • Is there an exception process? If yes, what does that process look like?

Potential Solutions:

To be discussed

Discussion point: golden repos vs. or with scanning