Quality, security and legal reporting/notifications

[mcleo-d]

Related to #31

Acceptance criteria:

• As a visitor, I want to see all security/legal/quality in a public GitHub Project
• As a FINOS Project Team member, I want to be able to get notified about security/legal/quality issues

Tasks:

• Collect public security/legal/quality issues across all FINOS hosted projects
• Add collected issues into a GitHub Project (using API)
• Document and socialize the "FINOS Projects reporting Board"
• Document and socialize issue notifications (see https://help.github.com/en/github/receiving-notifications-about-activity-on-github/about-notifications)

Dependencies:

This story depends on the following ones:

• Quality : Quality checks are performed automatically and continuously upon any new incoming code #28
• Security: Announce WhiteSource integration with GitHub.com #81
• Legal: Implement ongoing license validation of all hosted repositories #30

Implementation

As we try to enforce GitOps as paradigm to bring continuous quality, security and legal compliance on across all our repositories, also reporting and notifications should align.

For example, in order to report on security, it is already possible to get the raw data from https://api.github.com/search/issues?q=org:finos%20label:%22security%20vulnerability%22

Using JQ, it is possible to export the data in any format.

[maoo]

As soon as finos/metadata-tool#60 is merged, the (FINOS internal) Metadata Tool nightly run will also report all repositories having issues labeled with security vulnerability and quality checks, allowing to have reporting abilities across security and quality aspects of our hosted code.

[maoo]

Given the introduction of LFX (specifically, Insights and Vulnerability Detection) in our infrastructure, we are going to rely on those collaboration tools.

Closing issue and marking it with LFX label.