원클릭으로 Manus에서 모든 스킬 실행

시작하기

open-source-governance

스타8

포크2

업데이트2026년 4월 17일 13:20

Open source policy, license compliance, contribution guidelines, dependency management, and supply chain security

설치

Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.

Manus에서 실행

출처

Hack23

Hack23/riksdagsmonitor

GitHub 저장소 열기 Creator 저장소 보기

다운로드

Manus에서 실행

Open Source Governance Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Defines governance for open source software use, contribution, and publication ensuring license compliance and supply chain security.

License Compliance

Approved Licenses

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
ISC, CC-BY-4.0, Unlicense, 0BSD

Restricted Licenses (Require Review)

GPL-2.0, GPL-3.0, LGPL, AGPL
SSPL, BSL, Commons Clause

Prohibited

No license specified (proprietary by default)
Licenses incompatible with project license

Dependency Management

Pin dependencies to specific versions
Use lock files (package-lock.json)
Regular dependency updates via Dependabot
Security scanning for known vulnerabilities
SBOM generation for supply chain transparency

Contribution Guidelines

CONTRIBUTING.md required in all repos
Code of Conduct (Contributor Covenant)
Developer Certificate of Origin (DCO)
PR review requirements
CLA not required for Hack23 projects

Supply Chain Security

Pin GitHub Actions to SHA (not tags)
Use step-security/harden-runner
Enable Dependabot security updates
Secret scanning with push protection
SLSA provenance for releases

ISO 27001:2022 Mapping

A.5.5 — Contact with authorities (CVE, disclosure)
A.5.19–A.5.21 — Supplier/ICT supply-chain security (SBOM, approved licences)
A.5.23 — Information security for use of cloud services (GitHub, hosted services)
A.8.8 — Management of technical vulnerabilities (Dependabot, CodeQL)
A.8.25 — Secure development lifecycle
A.8.28 — Secure coding
A.8.30 — Outsourced development (OSS maintainers, third-party libraries)

NIST CSF 2.0 Mapping

GV.SC — Cybersecurity Supply Chain Risk Management
ID.SC — Supply chain inventory (SBOM, licence inventory)
PR.IP-12 — Vulnerability management plan
PR.DS-6 — Integrity checking (signed commits, SLSA attestations)

CIS Controls v8.1 Mapping

2.1–2.7 — Inventory and control of software assets
3.4 — Encrypt data on end-user devices
7.5–7.7 — Continuous vulnerability management
16.4 — Establish and manage authoritative software libraries
16.11 — Leverage vetted modules or services for software components

Related Hack23 ISMS Policies

Information_Security_Policy.md — governance umbrella
Secure_Development_Policy.md — SDLC security requirements
Open_Source_Policy.md — approved/restricted/prohibited licences, contribution rules
Vulnerability_Management.md — remediation SLAs (Crit 24h / High 7d / Med 30d / Low 90d)
Change_Management.md — dependency-update approval flows
AI_Policy.md — AI-assisted contributions require human review
Incident_Response_Plan.md — OSS CVE / supply-chain incident handling

이 저장소의 다른 Skills

같은 저장소

gh-aw-workflow-authoring

Hack23/riksdagsmonitor

Master GitHub Agentic Workflows authoring - markdown syntax, natural language instructions, YAML frontmatter, compilation, and workflow patterns

2026-05-318

github-agentic-workflows

Hack23/riksdagsmonitor

Comprehensive expertise in GitHub Agentic Workflows (v0.68.1) — AI-powered repository automation with five-layer security, safe outputs, MCP tools, and Continuous AI patterns

2026-05-318

github-agentic-workflows-mcp-configuration

Hack23/riksdagsmonitor

Comprehensive guide for MCP (Model Context Protocol) server setup, transport protocols, configuration validation, lifecycle management, tool discovery, and error handling patterns

2026-05-318

threat-modeling

Hack23/riksdagsmonitor

Comprehensive Hack23 threat modeling process using STRIDE, MITRE ATT&CK, attack trees, and quantitative risk assessment per ISMS Threat_Modeling.md policy

2026-05-288

economic-policy-analysis

Hack23/riksdagsmonitor

Fiscal policy, budget analysis, economic forecasting, monetary policy, trade policy for political journalists

2026-05-118

github-actions-integration-for-agentic-workflows

Hack23/riksdagsmonitor

Comprehensive guide to integrating agentic automation with GitHub Actions CI/CD pipelines, including workflow triggers, environment configuration, secrets management, matrix strategies, and deployment patterns for production-ready autonomous systems.

2026-05-058

name	open-source-governance
description	Open source policy, license compliance, contribution guidelines, dependency management, and supply chain security
license	Apache-2.0

Open Source Governance Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Defines governance for open source software use, contribution, and publication ensuring license compliance and supply chain security.

License Compliance

Approved Licenses

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
ISC, CC-BY-4.0, Unlicense, 0BSD

Restricted Licenses (Require Review)

GPL-2.0, GPL-3.0, LGPL, AGPL
SSPL, BSL, Commons Clause

Prohibited

No license specified (proprietary by default)
Licenses incompatible with project license

Dependency Management

Pin dependencies to specific versions
Use lock files (package-lock.json)
Regular dependency updates via Dependabot
Security scanning for known vulnerabilities
SBOM generation for supply chain transparency

Contribution Guidelines

CONTRIBUTING.md required in all repos
Code of Conduct (Contributor Covenant)
Developer Certificate of Origin (DCO)
PR review requirements
CLA not required for Hack23 projects

Supply Chain Security

Pin GitHub Actions to SHA (not tags)
Use step-security/harden-runner
Enable Dependabot security updates
Secret scanning with push protection
SLSA provenance for releases

ISO 27001:2022 Mapping

A.5.5 — Contact with authorities (CVE, disclosure)
A.5.19–A.5.21 — Supplier/ICT supply-chain security (SBOM, approved licences)
A.5.23 — Information security for use of cloud services (GitHub, hosted services)
A.8.8 — Management of technical vulnerabilities (Dependabot, CodeQL)
A.8.25 — Secure development lifecycle
A.8.28 — Secure coding
A.8.30 — Outsourced development (OSS maintainers, third-party libraries)

NIST CSF 2.0 Mapping

GV.SC — Cybersecurity Supply Chain Risk Management
ID.SC — Supply chain inventory (SBOM, licence inventory)
PR.IP-12 — Vulnerability management plan
PR.DS-6 — Integrity checking (signed commits, SLSA attestations)

CIS Controls v8.1 Mapping

2.1–2.7 — Inventory and control of software assets
3.4 — Encrypt data on end-user devices
7.5–7.7 — Continuous vulnerability management
16.4 — Establish and manage authoritative software libraries
16.11 — Leverage vetted modules or services for software components

Related Hack23 ISMS Policies

Information_Security_Policy.md — governance umbrella
Secure_Development_Policy.md — SDLC security requirements
Open_Source_Policy.md — approved/restricted/prohibited licences, contribution rules
Vulnerability_Management.md — remediation SLAs (Crit 24h / High 7d / Med 30d / Low 90d)
Change_Management.md — dependency-update approval flows
AI_Policy.md — AI-assisted contributions require human review
Incident_Response_Plan.md — OSS CVE / supply-chain incident handling