Security Guidance
RSS feed
Table of contents

Source code publishing

This guidance applies to all staff and contractors who work for the Ministry of Justice (MoJ). In particular, it applies to product owners, technical architects, security architects, and developers.

MoJ policy about making source code developed by the MoJ available complies with UK Government guidance.

By default, MoJ developers shall develop source code in a way that means it can be stored and published in the open. There are exceptions, for example sensitive material such as encryption keys.

This document is not about the use of existing open source materials.

Reasons for working in the open and sharing source code by default

Point 8 of the “Digital by Default” Service Standard states that you should:

Make all new source code open and reusable, and publish it under appropriate licences (or provide a convincing explanation as to why this cannot be done for specific subsets of the source code).

This includes “Making source code open and reusable”.

When you should not publish materials in the open

There are some circumstances when materials should not be public.

Obvious examples include security or encryption keys or credentials, and configuration details. Other examples include:

  • Algorithms used to detect fraud.
  • Materials that relate to unreleased policy.
  • API keys for cloud-hosted applications or environments, for example AWS.

An important exception is for materials developed by third parties. They might have retained ownership of the Intellectual Property (IP).

More guidance to help you decide when to publish materials in the open or not is available here.

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.