Status | |
---|---|
Overview | This page provides an initial checklist to guide teams through migrating SVN repositories to GitHub |
Advantages to having code in the open:
- Lower cost
- Community visibility and collaboration
- Encourages good development practices
- GitHub provides a suite of extra tools (such as GitHub Actions)
- Aligns with the Digital Code of Practice
- Aligns with the BCGov Digital Principles: Working in the Open, Take an Ecosystem Approach
- Many testing and analysis tools are free only for open source projects
General Principles:
- Code (like data) should take an "Open by Default" position and be closed only by exception
- The de facto standard public code repository platform is GitHub
- By exception, the private code repository platform is GitHub Enterprise
Under what circumstances should a code repository be private?
- The code contains algorithms that, if disclosed, would bring harm to individuals, industry or the Province
- The repository intentionally holds non-public information, such as state data for ArgoCD deployments
- The presence of secrets, passwords, personal information or other sensitive data
- Note that resources and assistance are available to help prevent this last situation, so it should be treated as the exception rather than a reason to stay private
What do I need to do? | How do I do that? | What tools can help? |
---|---|---|
Obtain consent from the application/product owner to bring the code into the open; share this page to help inform the conversation | Identify the business owner of the codebase, then obtain and document their consent | https://a100.gov.bc.ca/int/irs/viewAllApps.do |
Ensure there is no application data in the code repository (aside from test data) | | |
Scan the code for secrets, passwords or sensitive data | Trivy can perform secret scanning before and after a repository is made public; GitHub also has built-in tools that detect secrets being accidentally committed | Trivy https://github.com/aquasecurity/trivy |
Enable built-in features of GitHub such as Dependabot to scan code and recommend remediation | Explore the "Security" tab in GitHub | Dependabot: https://docs.github.com/en/code-security/dependabot; Renovate: https://docs.renovatebot.com/ (e.g. https://github.com/bcgov/nr-forests-access-management/blob/main/renovate.json); SonarCloud (e.g. https://sonarcloud.io/project/overview?id=forest-client-frontend) |
Ensure the codebase, its dependent libraries and their software versions contain no significant, exploitable vulnerabilities | Contact the security team about using FETT to scan the existing code repository | |
Ensure that the Province of BC owns the code | https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/COI-Priv-IP.md | |
Apply an open source license | https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/Licenses.md | |
Choose an appropriate name for your repository | Prefix each repository name with "nr-" | |
Identify at least two owners for the repository | Identify a product owner and a technical specialist | |
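The secret-scanning row in the checklist above asks for a scan before the repository goes public. What follows is an added example, not part of the original page and not Trivy's or GitHub's own code: a minimal Python scanner of the kind those tools implement, run over constructed sample files so it can be executed offline. The rule patterns, the `secret-scan:ignore` marker and the sample file contents are illustrative assumptions; `AKIAIOSFODNN7EXAMPLE` is the example access key ID from AWS's own documentation, so it trips the rule without being a live credential.

```python
"""Minimal secret scanner illustrating what Trivy and GitHub secret scanning
look for before a repository is made public.  Added example: not the page's,
Trivy's or GitHub's code.  Sample file contents below are constructed."""
import re
import sys
from dataclasses import dataclass

# Ordered from specific to generic: a line that matches a specific rule is
# reported once under that rule rather than again as a generic credential.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("generic-credential", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Values that are a *reference* to a secret (env var, template variable),
# not the secret itself; these are what a public repo should contain.
PLACEHOLDER = re.compile(r"^(\$\{|\{\{|<|os\.environ|process\.env|getenv\()")

# Hypothetical inline marker (same idea as gitleaks' "gitleaks:allow") for
# lines holding known-fake values such as documented example credentials.
IGNORE_MARKER = "secret-scan:ignore"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # first 4 chars only: a scan report must not re-leak the secret


def redact(secret: str) -> str:
    return secret[:4] + ("..." if len(secret) > 4 else "")


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns at most one finding per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Generic rule captures the value in group 1; others match it whole.
            secret = m.group(m.lastindex or 0)
            if rule == "generic-credential" and PLACEHOLDER.match(secret):
                continue
            findings.append(Finding(path, line_no, rule, redact(secret)))
            break  # most specific rule wins for this line
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (not from any real project).
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        'DB_HOST = "db.internal"',                                   # clean
        'DB_PASSWORD = "correct-horse-battery"',                     # hard-coded password
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                # AWS doc example key ID
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',  # fake PAT, right shape
        'API_TOKEN = os.environ["API_TOKEN"]',                       # reference, not a secret
        'SMTP_PASSWORD = "${SMTP_PASSWORD}"',                        # template placeholder
    ]),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "b3BlbnNzaC1rZXktdjEAAAAA\n"
                     "-----END OPENSSH PRIVATE KEY-----",
    "tests/test_login.py": 'password = "not-a-real-secret"  # secret-scan:ignore',
}


def main() -> int:
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    return 1 if findings else 0  # non-zero blocks a pre-push hook or CI job


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-push hook or CI job, the non-zero exit code stops the push. One caveat when migrating from SVN: scanning the current working tree is not enough, because a secret that was removed in a later revision is still present in the history that the migration carries over, so run the scanner (or Trivy) across every revision before the repository is published.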