open_practices.md
CDC GitHub Practices for Open Source Projects

The CDCGov organization on GitHub is designed for use by CDC programs to collaborate with open communities to further CDC's mission to protect America from health, safety and security threats, both foreign and domestic.

This is a collection of practices to help programs design projects and collaborate with diverse communities looking to find, use, and contribute to open science.

We designed these practices to be intuitive, helpful, and evolving based on program and community input. Some practices are required and some are recommended. For required practices, projects that don't adhere to them will be contacted by administrators to help them meet the practices. Projects that habitually fail to meet these practices will be archived or made private. That has never happened, but we want to make sure CDC's projects are usable.

Requesting Access

If you would like to use GitHub for your CDC project, please fill out this Office 365 Form. This will require your CDC login, so if you don't have a login, please find someone who does and ask them to request on your behalf.

GitHub is a third party web application used by CDC to collaborate with the public. Official CDC health messages will always be distributed through www.cdc.gov and through appropriate channels.

Creating Projects

If you would like to create a new project, please complete this Form requesting access and confirming you have completed training on our rules of behavior.

Note that any source code used within CDC systems must comply with all cybersecurity processes prior to production use, including static and dynamic scanning. The state of source code stored on GitHub is independent from, and usually differs from, the built code used in production systems.

If you need support with your project, please submit an issue to the template repo, or send an email to [email protected].

If you are interested in using GitHub for non-open source projects, please check out our enterprise organization CDCent or search for "GitHub Enterprise" on the CDC intranet.

Required Practices

  • Obtain clearance from your organization prior to setting up and publishing a repository. Until you have completed clearance, include clear language in your repo indicating the current status, something like "As a first step, this document is under governance review. When the review completes as appropriate per local and agency processes, the project team will be allowed to remove this notice. This material is draft."
  • Set a meaningful project name, description, and topics to improve discovery and use of your project. For AI-related projects, the Code.gov Implementation Guidance to Federal Agencies Regarding Enterprise Data and Source Code Inventories must be followed when setting topics.
  • Add a readme.md file at the root with a description of your project and the team responsible for it. This should help users understand how to set up and use your project.
  • Assign an open source license based on program need. For guidance on licenses, please review the article, "Open Source Development for Public Health Informatics", refer to existing CDCgov projects, or ask for consultation support in choosing a license.
  • Include the required notice sections in your readme.md to comply with relevant CDC policies and procedures; adapt them as necessary based on your program need.
  • Include a description of your development process in the readme.md file. If your project is not active, mark it as archived to help users understand that it is not an active project.
  • If active, configure GitHub automated security alerts and respond to them in a timely manner. Projects that do not respond to security alerts will have issues raised in their project by admins.
  • Never commit sensitive information, including usernames, passwords, tokens, PII, or PHI. Use pre-commit tools like Clouseau to systematically review material before committing.
  • Enable GitHub automated security alerts and configure notifications so the repo admin can see and respond to these alerts.
  • Enable issues to allow for administrative and automated issues related to your project.
  • Respond to issues and PRs created by admins in a timely manner. Ignored issues on your project will result in archiving or deletion.
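As an illustration of the "never commit sensitive information" practice above, here is a minimal git pre-commit hook that scans the staged version of each file for things that look like credentials and refuses the commit when it finds one. This is an added example written for this page; it is not Clouseau, not a CDC tool, and its rule set (GitHub token, AWS access key id, private key block, password assignment) and the sample values in the comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""Illustrative git pre-commit secret scanner (added example, not Clouseau
or any CDC tool). Copy to .git/hooks/pre-commit and make it executable."""
import re
import subprocess
import sys

# Constructed rule set for illustration; real scanners ship far larger ones
# and add entropy checks to catch secrets that match no fixed pattern.
SECRET_PATTERNS = {
    "github token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # password/passwd/pwd, then = or :, then at least 8 non-blank characters
    "password assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}


def find_secrets(text, path="<stdin>"):
    """Return (path, line_number, rule_name) for every line matching a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits


def staged_paths():
    """Paths of files added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_blob(path):
    """Contents of the staged version of `path` (not the working-tree copy),
    so what is scanned is exactly what would be committed."""
    return subprocess.run(
        ["git", "show", f":{path}"],
        capture_output=True, text=True, errors="replace", check=True,
    ).stdout


def main():
    hits = []
    for path in staged_paths():
        hits.extend(find_secrets(staged_blob(path), path))
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: looks like a {name}; refusing to commit",
              file=sys.stderr)
    if hits:
        print("Remove the secret (and rotate it if it was ever real), then retry.",
              file=sys.stderr)
        return 1  # non-zero exit makes git abort the commit
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design points are worth noting. The hook reads the staged blob rather than the working tree, so a secret you removed from the file but forgot to re-stage is still caught, and a pre-existing secret in a file you touch is flagged as well. Pattern rules like these produce both false positives (a test fixture) and false negatives (a secret in an unexpected format), so a hook of this kind is a first line of defence, not a substitute for a maintained tool like Clouseau and for GitHub's own secret-scanning alerts.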

Recommended Practices

Open Source Checklist

This checklist was adapted from the CDC IT Guard Rail and put here to help people who don't have access to the intranet.

Questions or Recommendations

We welcome any feedback and ideas for how to make these practices more useful. Please submit ideas using the built-in issues function of this project.

References

Many existing projects and resources helped us create this set of practices.