To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
All Sourcegraph applications and information systems that are business critical and/or process, store, or transmit sensitive data. This policy applies to all internal and external engineers and developers of Sourcegraph software and infrastructure. This policy applies to all human and/or AI-generated code.
This policy describes the rules for the acquisition and development of software and systems that shall be applied to developments within the Sourcegraph organization.
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Significant code changes must be reviewed and approved by at least one other Sourcegraph employee before being merged into any production branch.
All Sourcegraph software is version controlled and synced between contributors (developers). All code is written, tested, and saved in a temporary git branch before being synced to the main branch.
Modifications to third-party business application packages shall be discouraged and limited to necessary changes, and all such changes shall be strictly controlled.
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
Engineering style guides and technical references can be found in the Code guidelines documentation.
Software developers are expected to adhere to Sourcegraph’s coding guidelines throughout the development cycle, including standards for quality, commenting, and security.
Sourcegraph shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle.