Before going live with a public repository, the following steps should be taken.

- Remove all PII
  - Use Clouseau for scanning source code, pre-commit
  - Visually inspect each image to ensure there is no GSA-specific information
- Remove all potential security information
  - Passwords, keys, IPs, tokens, etc.
- Consider proper use of licensing for the code base
- Consider proper use of open source code within the code base
- Review code for any legal or contractual issues
- Include GSA standard or updated README.md
  - Have installation instructions documented and tried out before posting
  - Make sure to include and test all configuration dependencies
- Include GSA standard or updated CONTRIBUTING.md file
- Include GSA standard or updated LICENSE.md
- Include an updated codeinventory.yml
- If desired, include CHANGELOG.md
- Use .gitignore
- Set up or use a standard development pipeline
  - Look at GSA's code scanning documentation - static_code_scan and checkmarx_poc docs
  - Contact the CTO's office for support - cto@gsa.gov
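The "remove all potential security information" and "pre-commit scan" items above are the kind of check that belongs in a hook so it runs on every commit rather than once before publishing. The script below is an added example written for this page; it is not Clouseau, not GSA code, and the credential patterns, the allowed-address list and the sample config it scans are all constructed assumptions. It reports lines that look like a hard-coded password or token, an AWS access key ID, a private-key block, or a non-loopback IPv4 address, and exits non-zero so git refuses the commit.

```python
"""Pre-commit secret scan (added example; patterns are assumptions, not a complete list)."""
import re
import subprocess
import sys

# Constructed patterns for common credential shapes found in source and config files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name, optional closing quote, ':' or '=', then a quoted literal of 8+ characters;
    # a value read from the environment (no quote after '=') is not flagged.
    "hardcoded_secret": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)['\"]?\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Addresses that carry no deployment information; assumed acceptable in public code.
ALLOWED_IPS = {"127.0.0.1", "0.0.0.0", "255.255.255.255"}


def scan_text(text, source="<text>"):
    """Return one (source, line_number, pattern_name) tuple per suspicious line/pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            hits = [m.group(0) for m in pattern.finditer(line)]
            if name == "ipv4_address":
                hits = [h for h in hits if h not in ALLOWED_IPS]
            if hits:
                findings.append((source, lineno, name))
    return findings


def scan_files(paths):
    """Scan each readable path; skip paths that no longer exist (e.g. renamed away)."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


def staged_files():
    """Paths staged for commit (added, copied or modified). Requires a git checkout."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


# Constructed sample standing in for a staged config file (the AKIA value is AWS's
# published example key ID, not a real credential).
SAMPLE_CONFIG = """\
db_host = 10.20.30.40
bind_addr = 127.0.0.1
db_password = "changeme-please-123"
aws_key = AKIAIOSFODNN7EXAMPLE
db_password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    # `python secret_scan.py --demo` scans the sample; with no argument it scans staged files.
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        found = scan_text(SAMPLE_CONFIG, "sample-config")
    else:
        found = scan_files(staged_files())
    for source, lineno, name in found:
        print(f"{source}:{lineno}: possible {name}")
    sys.exit(1 if found else 0)  # non-zero exit makes git abort the commit
```

Installed as `.git/hooks/pre-commit` (or called from a pre-commit framework), the script blocks the commit on the first three sample lines and lets the loopback address and the environment-variable lookup through. Pattern scanning of this sort catches the obvious shapes only; it complements, rather than replaces, the visual review and the dedicated scanner the checklist calls for.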
*18F Before You Ship and 12 Factor App are good resources with lots of helpful info on open source software creation.