一键在 Manus 中运行任何 Skill

开始使用

open-source-governance

星标8

分支2

更新时间2026年4月17日 13:20

Open source policy, license compliance, contribution guidelines, dependency management, and supply chain security

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

Hack23

Hack23/riksdagsmonitor

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Open Source Governance Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Defines governance for open source software use, contribution, and publication ensuring license compliance and supply chain security.

License Compliance

Approved Licenses

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
ISC, CC-BY-4.0, Unlicense, 0BSD

Restricted Licenses (Require Review)

GPL-2.0, GPL-3.0, LGPL, AGPL
SSPL, BSL, Commons Clause

Prohibited

No license specified (proprietary by default)
Licenses incompatible with project license

Dependency Management

Pin dependencies to specific versions
Use lock files (package-lock.json)
Regular dependency updates via Dependabot
Security scanning for known vulnerabilities
SBOM generation for supply chain transparency

Contribution Guidelines

CONTRIBUTING.md required in all repos
Code of Conduct (Contributor Covenant)
Developer Certificate of Origin (DCO)
PR review requirements
CLA not required for Hack23 projects

Supply Chain Security

Pin GitHub Actions to SHA (not tags)
Use step-security/harden-runner
Enable Dependabot security updates
Secret scanning with push protection
SLSA provenance for releases

ISO 27001:2022 Mapping

A.5.5 — Contact with authorities (CVE, disclosure)
A.5.19–A.5.21 — Supplier/ICT supply-chain security (SBOM, approved licences)
A.5.23 — Information security for use of cloud services (GitHub, hosted services)
A.8.8 — Management of technical vulnerabilities (Dependabot, CodeQL)
A.8.25 — Secure development lifecycle
A.8.28 — Secure coding
A.8.30 — Outsourced development (OSS maintainers, third-party libraries)

NIST CSF 2.0 Mapping

GV.SC — Cybersecurity Supply Chain Risk Management
ID.SC — Supply chain inventory (SBOM, licence inventory)
PR.IP-12 — Vulnerability management plan
PR.DS-6 — Integrity checking (signed commits, SLSA attestations)

CIS Controls v8.1 Mapping

2.1–2.7 — Inventory and control of software assets
3.4 — Encrypt data on end-user devices
7.5–7.7 — Continuous vulnerability management
16.4 — Establish and manage authoritative software libraries
16.11 — Leverage vetted modules or services for software components

Related Hack23 ISMS Policies

Information_Security_Policy.md — governance umbrella
Secure_Development_Policy.md — SDLC security requirements
Open_Source_Policy.md — approved/restricted/prohibited licences, contribution rules
Vulnerability_Management.md — remediation SLAs (Crit 24h / High 7d / Med 30d / Low 90d)
Change_Management.md — dependency-update approval flows
AI_Policy.md — AI-assisted contributions require human review
Incident_Response_Plan.md — OSS CVE / supply-chain incident handling

同仓库更多 Skills

同仓库

gh-aw-workflow-authoring

Hack23/riksdagsmonitor

Master GitHub Agentic Workflows authoring - markdown syntax, natural language instructions, YAML frontmatter, compilation, and workflow patterns

2026-05-318

github-agentic-workflows

Hack23/riksdagsmonitor

Comprehensive expertise in GitHub Agentic Workflows (v0.68.1) — AI-powered repository automation with five-layer security, safe outputs, MCP tools, and Continuous AI patterns

2026-05-318

github-agentic-workflows-mcp-configuration

Hack23/riksdagsmonitor

Comprehensive guide for MCP (Model Context Protocol) server setup, transport protocols, configuration validation, lifecycle management, tool discovery, and error handling patterns

2026-05-318

threat-modeling

Hack23/riksdagsmonitor

Comprehensive Hack23 threat modeling process using STRIDE, MITRE ATT&CK, attack trees, and quantitative risk assessment per ISMS Threat_Modeling.md policy

2026-05-288

economic-policy-analysis

Hack23/riksdagsmonitor

Fiscal policy, budget analysis, economic forecasting, monetary policy, trade policy for political journalists

2026-05-118

github-actions-integration-for-agentic-workflows

Hack23/riksdagsmonitor

Comprehensive guide to integrating agentic automation with GitHub Actions CI/CD pipelines, including workflow triggers, environment configuration, secrets management, matrix strategies, and deployment patterns for production-ready autonomous systems.

2026-05-058

name	open-source-governance
description	Open source policy, license compliance, contribution guidelines, dependency management, and supply chain security
license	Apache-2.0

Open Source Governance Skill

🔴 AI FIRST Quality Principle

Apply the AI FIRST principle: never accept first-pass quality. Minimum 2 iterations. Read all output, improve every section. No shortcuts.

Purpose

Defines governance for open source software use, contribution, and publication ensuring license compliance and supply chain security.

License Compliance

Approved Licenses

MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
ISC, CC-BY-4.0, Unlicense, 0BSD

Restricted Licenses (Require Review)

GPL-2.0, GPL-3.0, LGPL, AGPL
SSPL, BSL, Commons Clause

Prohibited

No license specified (proprietary by default)
Licenses incompatible with project license

Dependency Management

Pin dependencies to specific versions
Use lock files (package-lock.json)
Regular dependency updates via Dependabot
Security scanning for known vulnerabilities
SBOM generation for supply chain transparency

Contribution Guidelines

CONTRIBUTING.md required in all repos
Code of Conduct (Contributor Covenant)
Developer Certificate of Origin (DCO)
PR review requirements
CLA not required for Hack23 projects

Supply Chain Security

Pin GitHub Actions to SHA (not tags)
Use step-security/harden-runner
Enable Dependabot security updates
Secret scanning with push protection
SLSA provenance for releases

ISO 27001:2022 Mapping

A.5.5 — Contact with authorities (CVE, disclosure)
A.5.19–A.5.21 — Supplier/ICT supply-chain security (SBOM, approved licences)
A.5.23 — Information security for use of cloud services (GitHub, hosted services)
A.8.8 — Management of technical vulnerabilities (Dependabot, CodeQL)
A.8.25 — Secure development lifecycle
A.8.28 — Secure coding
A.8.30 — Outsourced development (OSS maintainers, third-party libraries)

NIST CSF 2.0 Mapping

GV.SC — Cybersecurity Supply Chain Risk Management
ID.SC — Supply chain inventory (SBOM, licence inventory)
PR.IP-12 — Vulnerability management plan
PR.DS-6 — Integrity checking (signed commits, SLSA attestations)

CIS Controls v8.1 Mapping

2.1–2.7 — Inventory and control of software assets
3.4 — Encrypt data on end-user devices
7.5–7.7 — Continuous vulnerability management
16.4 — Establish and manage authoritative software libraries
16.11 — Leverage vetted modules or services for software components

Related Hack23 ISMS Policies

Information_Security_Policy.md — governance umbrella
Secure_Development_Policy.md — SDLC security requirements
Open_Source_Policy.md — approved/restricted/prohibited licences, contribution rules
Vulnerability_Management.md — remediation SLAs (Crit 24h / High 7d / Med 30d / Low 90d)
Change_Management.md — dependency-update approval flows
AI_Policy.md — AI-assisted contributions require human review
Incident_Response_Plan.md — OSS CVE / supply-chain incident handling