As noted in GitHub's post, oapi-codegen was one of the projects taking part in the third GitHub Secure Open Source Fund session.
I'd like to take a moment to reflect on the program, and some learnings I've taken from it.
One of the quotes I shared at the end of the program summed up my time:
Having time dedicated to following best practices has been invaluable (well, $10k)
Why did we join the fund?
oapi-codegen is a project that takes an OpenAPI specification and generates Go code from it: an autogenerated client for interacting with that API, scaffolding for a number of HTTP servers and web frameworks to reduce the implementation burden, and types for API requests and responses.
Given that the project is in a fairly privileged position - its generated code sits on the path of every HTTP request and response on either the client or the server side, and is likely exposed to sensitive data and credentials - securing the project is very important.
As a code generator, oapi-codegen can generate a fair bit of code for you to commit to your project.
But does everyone review the generated code? Hopefully yes 🫣 Since we can't guarantee it, we want to make sure that nothing dodgy can land in folks' codebases through the generator.
Extending the maintainer pool