Open Source Governance Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "open-source-governance" with this command: npx skills add hack23/riksdagsmonitor/hack23-riksdagsmonitor-open-source-governance

Open Source Governance Skill

Purpose

Defines governance for open source software use, contribution, and publication, ensuring license compliance and supply chain security.

License Compliance

Approved Licenses

  • MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause

  • ISC, CC-BY-4.0, Unlicense, 0BSD

Restricted Licenses (Require Review)

  • GPL-2.0, GPL-3.0, LGPL, AGPL (copyleft; review for compatibility with the project license and for network-use obligations under AGPL)

  • SSPL, BSL (Business Source License, not the permissive Boost Software License), Commons Clause (a rider that removes commercial rights from an otherwise open license)

Prohibited

  • No license specified (all rights reserved by default under copyright law; absence of a license file does not make code usable)

  • Licenses incompatible with project license

Dependency Management

  • Pin dependencies to specific versions (exact versions, not ranges such as ^1.2.0)

  • Use lock files (package-lock.json) and install from them in CI with npm ci, not npm install, so the lock file is actually enforced

  • Regular dependency updates via Dependabot

  • Security scanning for known vulnerabilities

  • SBOM generation for supply chain transparency

Contribution Guidelines

  • CONTRIBUTING.md required in all repos

  • Code of Conduct (Contributor Covenant)

  • Developer Certificate of Origin (DCO)

  • PR review requirements

  • CLA not required for Hack23 projects

Supply Chain Security

  • Pin GitHub Actions to the full 40-character commit SHA (not tags or branches, which are mutable); keep a trailing version comment such as # v4 so Dependabot can still propose updates

  • Use step-security/harden-runner as the first step of every job, so it is in place before any other action runs

  • Enable Dependabot security updates

  • Secret scanning with push protection

  • SLSA provenance for releases
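A small check for the two workflow rules above, added here as an example and not part of the skill or the Hack23 repository. It scans a GitHub Actions workflow line by line (no YAML library, so it runs anywhere Python does), flags every uses: reference that is not pinned to a 40-hex commit SHA or a docker image digest, and reports jobs whose first step is not step-security/harden-runner. The embedded workflow and its SHAs are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass
from typing import List

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # ref ends at whitespace or comment
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")     # job ids are two-space keys under jobs:
STEP_RE = re.compile(r"^(\s*)-\s")                     # start of a list item under steps:

# Constructed sample workflow; the 40-hex values are placeholders, not real commit SHAs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # placeholder
      - run: npm ci
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


@dataclass
class Finding:
    line: int    # 1-based line number in the workflow file
    ref: str     # the uses: reference as written
    reason: str


def _uses_refs(lines):
    """Yield (1-based line number, ref) for every uses: line."""
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            yield i, m.group(1)


def check_pinned(ref: str):
    """Return None if the reference is immutable, otherwise a reason string."""
    if ref.startswith("./"):
        return None  # local action: already fixed by the repository's own checkout SHA
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else "docker image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the default branch)"
    version = ref.rpartition("@")[2]
    if SHA40.match(version):
        return None
    return f"mutable ref '{version}' instead of a 40-hex commit SHA"


def find_unpinned_actions(workflow_text: str) -> List[Finding]:
    lines = workflow_text.splitlines()
    return [Finding(n, ref, check_pinned(ref)) for n, ref in _uses_refs(lines)
            if check_pinned(ref)]


def _first_step_uses(job_lines) -> str:
    """uses: ref of the first item under steps:, or '' if the first step has none."""
    in_steps, step_indent, block = False, None, []
    for line in job_lines:
        if not in_steps:
            in_steps = line.strip() == "steps:"
            continue
        m = STEP_RE.match(line)
        if m and step_indent is None:
            step_indent = len(m.group(1))    # first step starts here
        elif m and len(m.group(1)) == step_indent:
            break                             # second step starts: stop collecting
        if step_indent is not None:
            block.append(line)
    return next((ref for _, ref in _uses_refs(block)), "")


def jobs_missing_harden_runner(workflow_text: str) -> List[str]:
    lines = workflow_text.splitlines()
    starts, in_jobs = [], False
    for i, line in enumerate(lines):
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if in_jobs and line and not line[0].isspace():
            in_jobs = False                   # another top-level key ends the jobs mapping
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            starts.append((m.group(1), i))
    missing = []
    for n, (name, start) in enumerate(starts):
        end = starts[n + 1][1] if n + 1 < len(starts) else len(lines)
        if not _first_step_uses(lines[start:end]).startswith("step-security/harden-runner@"):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
    for job in jobs_missing_harden_runner(SAMPLE_WORKFLOW):
        print(f"job '{job}': first step is not step-security/harden-runner")
```

On the sample, the check reports actions/checkout@v4, actions/checkout@main and the undigested alpine image, and names the release job as lacking harden-runner; the local ./.github/actions/local-step reference is accepted because it is already fixed by the checkout commit. The same functions can be pointed at the files under .github/workflows/ in a pre-commit hook or a CI job.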

ISO 27001 Mapping

  • A.5.23 — Information security for use of cloud services

  • A.8.28 — Secure coding

Related Policies

  • Secure Development Policy

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

  • nist-csf-mapping (General) — no summary provided by upstream source; repository source, needs review

  • riksdag-regering-mcp (General) — no summary provided by upstream source; repository source, needs review

  • compliance-checklist (General) — no summary provided by upstream source; repository source, needs review