Provide a continuous compliance and assurance approach to DevOps that mutually benefits banks, auditors and regulators whilst accelerating DevOps adoption in engineering and fintech IT departments.
Discussion Topic for OSS Supply Chain Risks WG
Description of Problem:
Most regulated organizations have predefined criteria that govern which OSS libraries/modules may be onboarded and used in their applications, so that the applications conform to security, compliance, and licensing requirements.
Topics to discuss
What criteria does your organization use to onboard OSS libraries/modules?
Beyond the initial onboarding, at what stages in the delivery pipeline are these criteria enforced (for example at build, at deployment, or on a recurring basis once the library is already in use)?
Is there an exception process? If so, what does that process look like, and who approves and re-reviews exceptions?
Potential Solutions:
To be discussed