Vendor and Tool Governance
Open Source Policy
Open source usage should be easy, safe, and reviewable. The goal is not to block common libraries; the goal is to understand the license, security, maintenance, and supply-chain risk each dependency brings in before it lands.
Policy scope
Define rules for:
- Runtime dependencies.
- Development dependencies.
- Container base images.
- CI/CD actions and plugins.
- Infrastructure modules and providers.
- Copied code and vendored packages.
Review triggers
Require review for:
- New licenses not already approved.
- Dependencies that handle authentication, cryptography, payments, health data, or other sensitive flows.
- Packages with little recent maintenance, a single maintainer, or a recent change of ownership.
- Large transitive dependency trees.
- Native extensions, or install scripts that run with elevated privileges at install time.
- New public-facing frameworks or runtime platforms.
Approved path
Maintenance expectations
Teams that introduce dependencies own keeping them healthy.
- Use automated update tooling.
- Keep lockfiles committed.
- Triage vulnerability alerts.
- Remove unused dependencies.
- Prefer well-maintained packages with clear provenance.
- Document exceptions and review dates.
Watchouts
- Development dependencies still execute in CI and on developer machines (install hooks, test runners, linters), so they are an attack surface even though they never ship to production.
- Copy-pasted code still carries license and maintenance obligations.
- CI actions referenced by a mutable tag or branch can change behavior without review; pin them to a full commit SHA.
- Ignored dependency alerts train teams to ignore real risk.
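The unpinned-action watchout is the easiest one to check mechanically. The scanner below is an added example, not part of this policy page or of any project's tooling. It assumes GitHub Actions workflow syntax (`uses: owner/repo@ref`, `uses: docker://image`) and treats only a full 40-character commit SHA (or a `@sha256:` digest for Docker references) as pinned; the workflow text and the SHA in it are constructed for the example, not real releases.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example for the 'unpinned CI actions' watchout. Assumes GitHub Actions
workflow syntax; only a 40-hex-character ref (or a docker @sha256 digest) counts
as pinned. Sample workflow below is constructed, not from a real repository.
"""
import re

# Matches `uses: owner/repo[/path]@ref` (with or without a leading `- `) and
# captures the action and the ref. Local actions (`uses: ./path`) carry no `@`
# and do not match; docker:// references are handled before this regex runs.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """'sha' for a full commit SHA, 'tag' for v1 / v1.2.3 style tags, else 'branch'."""
    if _SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"


def find_unpinned(workflow_text: str) -> list[dict]:
    """Scan workflow YAML text line by line and return one finding per unpinned action.

    A finding records the line number, the action, the ref, and how the ref was
    classified. Docker references are reported unless they carry a @sha256 digest.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith(("uses:", "- uses:")):
            continue
        if "docker://" in stripped:
            # docker://image@sha256:<digest> is pinned; docker://image:tag is not.
            if "@sha256:" not in stripped:
                image = stripped.split("uses:", 1)[1].strip()
                findings.append({"line": lineno, "action": image, "ref": "", "kind": "docker-tag"})
            continue
        m = _USES_RE.match(line)
        if not m:
            continue  # local action or a line this scanner does not understand
        action, ref = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
    return findings


# Constructed sample workflow. The SHA on the setup-python line is a placeholder
# with the right shape, not a verified release commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - uses: some-org/lint-action@main
      - uses: docker://alpine:3.19
      - uses: docker://ghcr.io/example/tool@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is unpinned ({f['kind']})")
```

Run against the sample, the scanner reports the `@v4` tag, the `@main` branch, and the `alpine:3.19` image, and stays quiet on the SHA-pinned action, the digest-pinned image, and the local action. Pinning by SHA removes the mutable-tag problem but not the question of where that commit came from, so the review that approves a pin should still confirm the commit sits on the upstream's release history.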