Guidance

Open-Source Code Publishing Policy

Updated 2 October 2025

Overview 

This Policy defines the requirements for publishing Department for Work and Pensions (DWP) source code securely, in line with the Government Digital Service (GDS) Service Standard, point 12, which states: ‘make all new source code open and reusable, and publish it under appropriate licences (or provide a convincing explanation as to why this cannot be done for specific subsets of the source code)’. It also aligns with the Technology Code of Practice, point 3, which states: ‘Publish your code and use open-source software to improve transparency, flexibility and accountability’.

Purpose

DWP encourages publication of source code created by and on behalf of DWP under open licences where appropriate, and coding in the open, in line with the GDS service manual and the Technology Code of Practice. This policy sets out guidelines for publishing code under open licences and aims to ensure sensitive DWP source code is protected.  

This document draws on the Open Source Project Security Baseline and is intended to be used in conjunction with the DWP Software Development Security Standard (SS-003), which it complements.

Scope

This policy applies to all DWP staff involved in digital projects, including Senior Responsible Officers, Security Architects and Engineers, and to third party staff working on digital projects on behalf of DWP (referred to as ‘users’ throughout the document).  

The policy only applies to source code produced by DWP, or on behalf of DWP by a third-party supplier (hereafter called DWP source code), and only when publishing under open licences to open repositories. The scope does not extend to internal publication of DWP source code or to the use of external source code by DWP.

Policy Statements

1. DWP source code must be developed securely throughout its lifecycle, in line with the SS-003 Software Development Security Standard

2. Users should consider the publication of all DWP source code under appropriate open licences, except where it contains sensitive information (see statement 3 below). 

3. Users must not publish DWP source code under open licences where it implements or reveals any of the following: 

  • security enforcing functions

  • internal security or anti-fraud rules

  • non-public IP addresses

  • vulnerabilities in DWP architecture

  • sensitive information that could be used by a threat actor against DWP

4. Before publishing DWP source code under open licences users must: 

  • scan all code and commit history for secrets including Application Programming Interface (API) keys and credentials, using automated tools, and redact all non-publishable information (see statement 3)

  • scan all code and associated dependencies for known vulnerabilities using appropriate digital tooling and take remedial action where necessary

  • ensure that a logic review has been carried out by a security architect to identify and redact sensitive business logic that could be exploited if disclosed
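
The secrets-and-history scan in statement 4, shown as a worked example. This is an added illustration, not DWP tooling or part of the policy: a hypothetical pre-publication check that reads the text of `git log -p --all`, scans every added line in every commit (not just the current tree) for credential-shaped strings, high-entropy tokens and non-public IP addresses (statement 3), and reports them per commit. The rule set, the entropy threshold and the embedded `SAMPLE_LOG` are constructed for the example; a real run would layer a dedicated scanner's signatures on top. The sample deliberately shows a key removed in a later commit: the scan still finds it in history, which is why such a key must be rotated as well as redacted.

```python
"""Pre-publication history scan (hypothetical helper, not DWP tooling).

Reads the text of `git log -p --all` and reports, per commit, anything that
statements 3 and 4 say must not reach an open repository: credential-shaped
strings, high-entropy tokens and non-public IP addresses. Every commit is
scanned, not just HEAD, because a secret deleted in a later commit is still
recoverable from history and has to be rotated as well as redacted.
"""
import ipaddress
import math
import re
from collections import Counter

# A deliberately small rule set; a real scan would use a dedicated tool's
# signatures on top of this. Group 1, where present, is the secret value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9/+_\-]{16,})"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64 scores ~4.5-6


def shannon_entropy(s):
    """Bits per character of s; random key material scores high, prose low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_non_public_ip(text):
    """True for RFC 1918, loopback, link-local and other non-global addresses."""
    try:
        return not ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def scan_history(log_text):
    """Return (short_commit, kind, value) for every hit on an added line."""
    findings = []
    commit = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
            continue
        # Only added lines matter; '+++ b/path' is the diff file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        hits = []
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(body):
                hits.append((kind, m.group(1) if m.lastindex else m.group(0)))
        for m in IPV4.finditer(body):
            if is_non_public_ip(m.group(0)):
                hits.append(("non_public_ip", m.group(0)))
        # Entropy catches credentials no named pattern knows about; skip
        # tokens that overlap a value already reported on this line.
        for tok in TOKEN.findall(body):
            if shannon_entropy(tok) > ENTROPY_THRESHOLD and not any(
                    v in tok or tok in v for _, v in hits):
                hits.append(("high_entropy", tok))
        findings.extend((commit, kind, value) for kind, value in hits)
    return findings


def publishable(findings):
    """Statement 4 gate: nothing may be published while any finding is open."""
    return not findings


# Constructed sample of `git log -p` output. Commit 2 removes the AWS key from
# HEAD, but the scan still reports it from commit 1.
SAMPLE_LOG = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Example Dev <dev@example.invalid>

    add deploy config

diff --git a/config.py b/config.py
+++ b/config.py
+DB_HOST = "10.20.30.40"    # internal address
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+PUBLIC_DNS = "8.8.8.8"
commit 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6

    move key to environment

diff --git a/config.py b/config.py
+++ b/config.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+api_key = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA=="
"""

if __name__ == "__main__":
    for commit, kind, value in scan_history(SAMPLE_LOG):
        print(f"{commit}  {kind:20}  {value}")
    print("publishable:", publishable(scan_history(SAMPLE_LOG)))
```

Run against a real repository with `git log -p --all | python scan_history.py` (the script name is illustrative). The public address 8.8.8.8 is not reported, while the RFC 1918 address and both credentials are, and the AWS key is attributed to the commit that introduced it even though HEAD no longer contains it. Flagged values are for a reviewer to confirm; redaction of the tree alone does not close a finding that lives in history.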

5. Users must not publish code that includes components taken from third party sources (whether open source or proprietary), where the relevant licence terms preclude or restrict such sharing.

6. Documentation or metadata uploaded to open repositories must not contain DWP information classified at OFFICIAL-SENSITIVE or higher, or any information precluded by policy statement 3. For more information on classification, refer to the DWP Security Classification Policy. 

7. Users must ensure that the content of published material including comments is professional. Any inappropriate or political comments, or placeholder material must be removed prior to publication. 

8. Continuous Integration (CI) and Continuous Deployment (CD) pipelines used to build and release open-source code must undergo security validation. 

9. Publication of DWP source code to open repositories must be approved by an appropriate responsible DWP authority, which may include members of the project development team, security architects and the project senior responsible officer.  

10. Prior to publication, the approver must: 

  • validate that source code and all associated dependencies have passed security checks (see statement 4)

  • confirm that the source code complies with this policy

11. DWP source code published under open licences must be hosted in an open repository managed by the department. 

12. All users contributing to or managing DWP open-source repositories must authenticate using multi-factor authentication, where supported by the platform, in line with the SS-001-1 Access & Authentication Security Standard.  

13. Open-source repositories hosting DWP source code must enforce appropriate branch protection. 

14. Code in open repositories managed by DWP must be continuously monitored for new vulnerabilities, unauthorised changes, and licence compliance. 

15. DWP must maintain an up-to-date list of published open-source repositories and ensure that security responsibilities for ongoing maintenance are clearly assigned.  

16. Publishers must ensure that repositories for which they are responsible are reviewed (at least annually) to assess: 

  • repository security configurations

  • active maintenance status and deprecation plans   

  • compliance with updated government security policies

17. Individuals with responsibilities for publishing and maintaining open-source repositories should receive training on secure open-source practices. 

18. The project development team must provide a secure channel for external parties to report security vulnerabilities privately to DWP.

19. External contributions to DWP source code must be reviewed by at least two competent senior developers or security architects and pass automated security checks before merging.

Accountabilities and Responsibilities

The DWP Chief Security Officer is the accountable owner of the DWP Open-Source Code Publishing Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Central Services.

Compliance

a. All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.  

b. Many of DWP’s employees and contractors handle sensitive information daily and so must follow minimum baseline behaviours appropriate to the sensitivity of that information. Most security incidents and breaches relate to information security. 

c. Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset (or a supplier asset that provides a service to DWP) in violation of security policy, whether the action was actual, suspected, accidental, deliberate or attempted. Security incidents must be reported as soon as possible: DWP users via the DWP Security Incident Referral Webform, third parties and suppliers by following the SS-014 Security Incident Management Standard. Pull requests containing malicious code, and well-intentioned public modifications that would create security vulnerabilities or other negative consequences if merged and deployed, are security incidents and must be reported. 

d. DWP’s Security and Data Protection Team will regularly assess compliance with this policy and may need to inspect physical locations, technology systems, designs and processes, and speak to people, to do so. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support and, when necessary, participate in any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services; additional information can be found in the DWP Employee Privacy Notice. 

e. An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Team immediately.