The source code, user stories, backlog, and some build definitions are openly available on GitHub. Open source allows others to analyze the code for vulnerabilities and quality. On the one hand, this is a great advantage (especially when vulnerabilities are reported back to DigDir); on the other hand, it can enable malicious exploitation.
The source code has been on GitHub for a long time (maturation), and security experts have analyzed and security-tested Altinn 3. DigDir prioritizes the openness and trust that open source provides over the risk that a vulnerability found in the source code is exploited maliciously.
GitHub, along with other vendors, offers a range of “free” security tools for open source projects. The tools cover areas such as static code analysis (SonarQube, LGTM/CodeQL) and handling of dependencies/third-party libraries (Dependabot, Snyk, WhiteSource Bolt). Altinn 3 has adopted several of these.