Re: [eclipse.org-committers] Guidance following the Trivy security incident

Following up on my earlier message, I have just published a blog post that expands on these recommendations and outlines concrete steps projects can take to reduce the risk of similar supply-chain breaches in the future:

https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/

If you would like help implementing any of these recommendations, the Eclipse Foundation Security Team is available to support you. You can reach us by email at security@xxxxxxxxxxxxxxxxxxxxxx, or start a discussion in the Eclipse CSI GitHub organization: https://github.com/orgs/eclipse-csi/discussions

Kind regards,

On behalf of the Eclipse Foundation Security Team,
Mikaël Barbero — Head of Security

On 24 Mar 2026 at 09:15:06, Eclipse Foundation Security Team <security@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear Eclipse Foundation Committers,

You may be aware of the recent security compromise involving the open source project Trivy.

The Eclipse Foundation Security Team has thoroughly scanned all projects for signs of compromise and we have contacted the projects identified as potentially exposed. We are working with them, together with the Release Engineering team, to rotate any potentially compromised secrets and strengthen protections against similar incidents in the future.

As part of this effort, we encourage projects to consider using Harden-Runner to improve visibility into CI/CD pipelines and make post-incident analysis easier in the event of a broader compromise.

We also recommend pinning GitHub Actions to immutable references rather than floating tags whenever possible. Tools such as Pinact can help automate this process, while Dependabot can assist in keeping pinned actions up to date.

We also want to acknowledge the work done by the Aqua Security team to address the issue, document it publicly, and notify users.

If your project has used any of the compromised resources, please let us know. We are ready to work with you to assess any potential exposure and determine appropriate next steps.

Kind regards,

On behalf of the Eclipse Foundation Security Team,
Mikaël Barbero — Head of Security
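The recommendation above to pin GitHub Actions to immutable references rather than floating tags can be checked mechanically. The following is an added example, not code from the Eclipse Foundation Security Team, from Pinact or from the original thread: it scans a workflow file for `uses:` entries whose ref is a tag or branch instead of a full 40-character commit SHA, and shows how a mutable ref is rewritten once the corresponding commit has been looked up (for example with `git ls-remote` against the action's repository). The sample workflow and the SHA values are constructed placeholders, not real commits of the actions named.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for illustration (not from the page). It mixes a
# tag-pinned action, a branch-pinned action, a SHA-pinned action with a version
# comment, a local action and a docker reference.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      # The SHA below is a constructed placeholder, not a real commit id.
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches the value of a `uses:` key up to the first space or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full Git commit id: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full commit SHA.

    Local actions (./...) and docker:// images are skipped: they are not
    resolved through a Git tag, so commit pinning does not apply to them.
    A missing ref (no '@') is reported with an empty string as the ref.
    """
    findings: List[Tuple[str, str]] = []
    for match in USES_RE.finditer(workflow_text):
        ref_spec = match.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        if not ref or not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def pin_action(workflow_text: str, action: str, ref: str, sha: str) -> str:
    """Rewrite every `uses: action@ref` to `uses: action@sha # ref`.

    The caller supplies the commit id after resolving the tag out of band;
    keeping the original tag as a trailing comment lets Dependabot and human
    reviewers see which version the SHA corresponds to.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    # Lookahead stops `v4` from also matching `v4.1`; `$` is end of line.
    pattern = re.compile(
        r"(uses:\s*)" + re.escape(f"{action}@{ref}") + r"(?=\s|$)", re.MULTILINE
    )
    return pattern.sub(lambda m: f"{m.group(1)}{action}@{sha} # {ref}", workflow_text)


if __name__ == "__main__":
    for action, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"mutable reference: {action}@{ref or '<none>'}")
    # Placeholder SHA, constructed for the demonstration only.
    print(pin_action(SAMPLE_WORKFLOW, "actions/checkout", "v4", "f" * 40))
```

Running the block lists `actions/checkout@v4` and `some-org/some-action@main` as mutable, leaves the SHA-pinned, local and docker steps alone, and prints the workflow with the checkout step rewritten to the supplied commit id with `# v4` preserved as a comment. In a real repository the check belongs in CI so that a newly added floating tag fails the build rather than silently reintroducing the exposure described in the thread.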
