src/components/federal-agencies/html/open-source-pilot/tools-and-resources.html
<h1 id="toolsandresources">Tools and Resources</h1>
<p>
<a href="https://sourcecode.cio.gov/Implementation/" target="_blank">Section 7.4</a> of the
Federal Source Code Policy states:
</p>
<blockquote>
<p>
Accessible, buildable, version-controlled repositories for the storage, discussion, and
modification of custom-developed code are critical to both the Government-wide reuse and OSS
pilot program sections of this policy. Agencies should utilize existing code repositories and
common third-party repository platforms as necessary in order to satisfy the requirements of
this policy.
</p>
</blockquote>
<p>
Agencies can use the list of tools and resources provided here to become more fluent in the open
source marketplace and best practices inside and outside of government.
</p>
<p>
<strong>Important:</strong> the tools and resources outlined here are not mandatory for agency use
and are not endorsed by any part of the government. The purpose of this page is to provide broader
context for agencies and to provide perspective into the breadth of tools available. Also, this
list does not attempt to be exhaustive on any topic; new tools are constantly being developed and
practices are constantly evolving.
</p>
<p>
Individuals and companies that want to suggest tools for inclusion here can do so by opening an
Issue or creating a Pull Request on the
<a href="https://github.com/GSA/code-gov-front-end">Code.gov repository</a>.
</p>
<h2 id="choosingaversioncontrolsystem">Choosing a Version Control System</h2>
<p>
There are a number of version control systems available that may be appropriate to meet your
agency's needs. Some questions to ask when selecting such a system are:
</p>
<ul>
<li>Does the system provide the ability to develop in the open?</li>
<li>
Does your agency need both private and public repositories, and does the system allow seamless
integration between the two?
</li>
<li>
Is the system interoperable with open source version control standards, such as
<a href="https://git-scm.com/">Git</a> or
<a href="https://www.mercurial-scm.org/">Mercurial</a>? Interoperability with an open standard
is crucial to your agency's ability to collaborate with other agencies and the open source
community and will greatly ease future platform integrations and migrations.
</li>
<li>
To engage the open source community, your agency may want to consider the social features of the
system beyond version control. Does it provide features that will help your agency to promote
and share its code? How vibrant is the existing user community?
</li>
</ul>
<p>
Agencies may want to take a look at the following version control systems based on their
functionality and significant adoption by the open source community:
</p>
<ul>
<li><a href="https://github.com/">GitHub</a></li>
<li><a href="https://gitlab.com/">GitLab</a></li>
<li><a href="https://bitbucket.org/">Bitbucket</a></li>
</ul>
<h2 id="codequalityandsecurity">Code quality and security</h2>
<p>
A number of paid and free tools exist that agencies can use as part of their development process
that, if used appropriately, should lower the risk that inappropriate or insecure content is
released. Because these tools can help automate some processes that would otherwise be
manual, they can simultaneously help lower costs overall.
</p>
<p>
Increasingly, these tools can be configured to reflect the specific security policies of your
agency and can be integrated directly into your agency's developer workflow, automatically
scanning code for passwords, keys, watchwords, and other potentially sensitive information
whenever it is committed or pushed. Some tools also provide broader capabilities related to coding
standards and quality. In developing its overall source code strategy, your agency may want to
consider integrating these kinds of tools into your developer workflow, contractually requiring
their use by vendors, or using them to assess the quality and security of deliverables before
accepting them.
</p>
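<p>
The following added example, which is not part of the original page or of any tool it mentions,
shows how a commit-time check of the kind described above can scan only the added lines of a diff
for keys, passwords, and agency watchwords. The rule set, the <code>scan_diff</code> function, and
the sample diff (including the watchword "Project Bluebird") are constructed for illustration.
</p>

```python
import re

# Constructed, illustrative rules; an agency would load its own from policy.
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|secret|api_key)\w*\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text, watchwords=()):
    """Return (path, new_line_number, rule) for each added line matching a rule."""
    # Only '+' lines are checked; matched text is not returned, to keep it out of logs.
    rules = dict(RULES)
    if watchwords:
        rules["watchword"] = re.compile(
            r"(?i)\b(?:" + "|".join(map(re.escape, watchwords)) + r")\b")
    findings, path, new_line, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        m = HUNK.match(line)
        if m:
            new_line, in_hunk = int(m.group(1)), True
        elif line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk:
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            findings += [(path, new_line, name) for name, rx in rules.items()
                         if rx.search(line[1:])]
            new_line += 1
        elif line.startswith(" ") or line == "":
            new_line += 1  # context line advances the new-file line counter
    return findings

# Constructed sample diff; the key is AWS's published documentation example.
SAMPLE_DIFF = '''\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "example-not-a-real-password"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+# see Project Bluebird runbook
 ALLOWED_HOSTS = []
'''
```

<p>
In a Git pre-commit hook the input would be the output of <code>git diff --cached</code>, and a
non-empty result would fail the commit.
</p>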
<p>
We are soliciting input from the development community in building out a list of tools. Agencies
should feel free to join the conversation, make suggestions, and ask questions on the
<a href="https://github.com/GSA/code-gov-front-end/issues"
>open Issue on the code.gov repository</a
>.
</p>
<h2 id="developmentpracticesforgovernment">Development practices for government</h2>
<p>
A number of communities of practice exist that agency staff can use to keep abreast of open source
inside and outside of government, to raise questions, and to share their experiences.
</p>
<ul>
<li>Open Source Listserv (GSA, open to government only)</li>
<li>Security Listserv (GSA, open to government only)</li>
<li>Digital Service Listserv (GSA, open to government only)</li>
<li>
<a href="https://github.com/government/welcome#readme">GitHub for Government Community</a> (Not
an official Government service)
</li>
</ul>
<p>
As a quick reminder, agency staff must comply with applicable law and regulations and should
obtain the appropriate agency approvals prior to using any of the tools and services discussed
here.
</p>