Dear Eclipse Foundation Committers,
The Eclipse Foundation Security Team has thoroughly scanned all projects for signs of compromise and we have contacted the projects identified as potentially exposed. We are working with them, together with the Release Engineering team, to rotate any potentially compromised secrets and strengthen protections against similar incidents in the future.
As part of this effort, we encourage projects to consider using Harden-Runner to improve visibility into CI/CD pipelines and make post-incident analysis easier in the event of a broader compromise.
We also recommend pinning GitHub Actions to immutable references rather than floating tags whenever possible. Tools such as Pinact can help automate this process, while Dependabot can assist in keeping pinned actions up to date.
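The following is an added example, not part of this notice and not code from the Eclipse Foundation, Pinact or Dependabot: a small Python check that reads a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-character commit SHA (or, for `docker://` images, to a `sha256` digest). The embedded workflow is constructed for the example; the SHA in it is an all-zero placeholder, and `step-security/harden-runner` appears there only as an instance of a floating tag, not as a statement about that action's releases.

```python
"""Flag GitHub Actions `uses:` references that point at mutable refs.

A tag such as `@v4` can be moved to different code at any time; a full
commit SHA cannot, which is why pinning to SHAs limits the damage a
compromised action repository can do to downstream pipelines.
"""
import re

# Constructed sample workflow for this example (not from any Eclipse project).
# The 40-zero SHA is a placeholder standing in for a real pinned commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.1.1 (placeholder)
      - uses: actions/setup-java@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: ./mvnw verify
"""

# Matches `uses: <ref>` (optionally quoted, optionally a list item) and stops
# before any trailing `# vX.Y.Z` comment that pinning tools leave behind.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(uses_ref):
    """Return (target, ref, status) for one `uses:` value.

    status is one of:
      "pinned"   - full commit SHA, or a docker image with a sha256 digest
      "floating" - branch, tag, short SHA, mutable docker tag, or no ref at all
      "local"    - action in the same repository (pinned with the checkout)
    """
    if uses_ref.startswith("./"):
        return uses_ref, None, "local"
    if uses_ref.startswith("docker://"):
        image = uses_ref[len("docker://"):]
        status = "pinned" if "@sha256:" in image else "floating"
        return image, None, status
    if "@" not in uses_ref:
        # No ref means the default branch of the action repository.
        return uses_ref, None, "floating"
    target, ref = uses_ref.rsplit("@", 1)
    status = "pinned" if FULL_SHA_RE.match(ref) else "floating"
    return target, ref, status


def audit_workflow(text):
    """Return a list of findings, one per `uses:` line in the workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref, status = classify(m.group(1))
        findings.append(
            {"line": lineno, "uses": m.group(1), "target": target, "ref": ref, "status": status}
        )
    return findings


def floating_refs(text):
    """The `uses:` values that should be pinned before this workflow is trusted."""
    return [f["uses"] for f in audit_workflow(text) if f["status"] == "floating"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['status']:<8}  {f['uses']}")
    print("needs pinning:", floating_refs(SAMPLE_WORKFLOW))
```

The script is a read-only check; rewriting the tags into SHAs is what Pinact does, and a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` then keeps those SHA pins current as new releases appear.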
We also want to acknowledge the work done by the Aqua Security team to address the issue, document it publicly, and notify users.
If your project has used any of the compromised resources, please let us know. We are ready to work with you to assess any potential exposure and determine appropriate next steps.