@wz-gsa wz-gsa commented May 21, 2025

Changes proposed in this pull request:

  • Updated CONTRIBUTING.md to clarify contribution eligibility.
  • Documented Cloud.gov's policy to accept contributions only from U.S. government-affiliated individuals and entities.
  • Aligned contribution policy with our current compliance, trust, and supply chain risk posture.

Things to check

  • For any logging statements, is there any chance that they could be logging sensitive data?
  • Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the output, which can prevent unintentional leaks of sensitive data.

Security considerations

This update explicitly restricts contributions to vetted individuals affiliated with the U.S. government. It mitigates risks associated with:

  • Implicit federal endorsement of unaffiliated contributors.
  • Potential social engineering or credential laundering using commit history.
  • Supply chain risks introduced by unsolicited or unverifiable code contributions.

This change reinforces cloud.gov’s trusted platform posture and supports compliance with FedRAMP, CISA guidance, and zero trust principles.

@wz-gsa wz-gsa self-assigned this May 21, 2025
@wz-gsa wz-gsa requested a review from a team as a code owner May 21, 2025 16:35
@wz-gsa wz-gsa changed the title updated Contribution policies to align with Cloud.gov security posture Restricting External Contributions to cloud.gov Repositories May 21, 2025
@wz-gsa wz-gsa enabled auto-merge May 21, 2025 19:28
@wz-gsa wz-gsa merged commit 54327c5 into main May 21, 2025
4 checks passed
@wz-gsa wz-gsa deleted the 2025-05-21_Update_Contribution branch May 21, 2025 19:31