Re: [eclipse.org-committers] [Eclipse Foundation Security Team] Re: Guidance following the Trivy security incident

This only affects projects utilizing GitHub actions in some way. While that was implied, I believed it was evident from the context. Apparently not.


If you're unfamiliar with GitHub Actions, it means you're not affected. Enjoy! 🙂


(Re-sent, as my previous email did not include the eclipse.org-committers ML as a recipient.)


On behalf of the Eclipse Foundation Security Team,
Mikaël Barbero — Head of Security


On 24 Mar 2026 at 14:05:12, Edward Willink <ed@xxxxxxxxxxxxx> wrote:

Hi

This guidance would appear to be very important, yet I understand very little of it. I have no idea what a GitHub Action is, let alone how to pin it.

On the one hand, the guidance references a number of projects that I am not aware of using and in some cases had not even heard of.

On the other hand, a couple of days ago I was struggling with string interpolation in a Jenkinsfile and came across some security 'do not's that I didn't really understand and put off till 'tomorrow'.

I have a test Jenkins job that takes a possibly arbitrary jenkinsfile argument. Is that a security hole? Probably not since surely only my co-project-committers have execute access?

My OOMPH setups reference tags. Is that a security hole? OOMPH setups can be displaced by a user-defined overwrite so can perhaps do clever things. Is that a security hole?

Bottom line. I would like to comply with best security practice, but when you send out guidance that is unintelligible, you encourage even willing respondents to ignore the hassle.

(The continued need to 'trust selected' to install Eclipse with even the most modest add-ons, even those using OOMPH, further reinforces this dangerous ignore-security attitude.)

Regards

Edward Willink

On 24/03/2026 08:15, Eclipse Foundation Security Team via eclipse.org-committers wrote:
Dear Eclipse Foundation Committers,

You may be aware of the recent security compromise involving the open source project Trivy.

The Eclipse Foundation Security Team has thoroughly scanned all projects for signs of compromise and we have contacted the projects identified as potentially exposed. We are working with them, together with the Release Engineering team, to rotate any potentially compromised secrets and strengthen protections against similar incidents in the future.

As part of this effort, we encourage projects to consider using Harden-Runner to improve visibility into CI/CD pipelines and make post-incident analysis easier in the event of a broader compromise.

We also recommend pinning GitHub Actions to immutable references rather than floating tags whenever possible. Tools such as Pinact can help automate this process, while Dependabot can assist in keeping pinned actions up to date. 

We also want to acknowledge the work done by the Aqua Security team to address the issue, document it publicly, and notify users. 

If your project has used any of the compromised resources, please let us know. We are ready to work with you to assess any potential exposure and determine appropriate next steps.

Kind regards,

On behalf of the Eclipse Foundation Security Team,
Mikaël Barbero — Head of Security

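The pinning advice above (immutable references rather than floating tags) is easy to audit mechanically. The following is an added example, not code from the Eclipse Foundation, Pinact or Dependabot: a small Python checker that scans the `uses:` lines of a workflow file and reports any action reference that is not pinned to a full 40-hex-character commit SHA (or, for `docker://` steps, to an image digest). The embedded workflow text and the SHA in it are constructed placeholders for demonstration, not real values.

```python
import re

# Constructed sample workflow (placeholder content, not from any real project).
# Line 7 uses a floating tag, line 8 a full commit SHA, line 10 an image tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@3a4f6e1a4f6d7f8c9b0a1e2d3c4b5a6f7e8d9c0b # v4.2.1 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: ./build.sh
"""

# Matches a step's "uses:" key and captures the reference that follows it.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)')
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses):
    """Classify one 'uses:' value as 'pinned', 'floating' or 'local'.

    Floating means the reference can be moved by whoever controls the
    upstream repository or registry (a tag, a branch, or no ref at all),
    which is exactly the exposure a compromised upstream exploits.
    """
    if uses.startswith('./'):
        # Local composite action: lives in this repository, nothing to pin.
        return 'local'
    if uses.startswith('docker://'):
        # Container steps are immutable only when pinned to an image digest.
        return 'pinned' if '@sha256:' in uses else 'floating'
    if '@' not in uses:
        # No ref at all resolves to the default branch: always floating.
        return 'floating'
    ref = uses.rsplit('@', 1)[1]
    return 'pinned' if SHA_RE.match(ref) else 'floating'


def find_unpinned(workflow_text):
    """Return [(line_number, reference)] for every floating action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses = match.group(1).strip('"\'')
        if classify_ref(uses) == 'floating':
            findings.append((lineno, uses))
    return findings


if __name__ == '__main__':
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference: {ref}")
```

Running it against the sample reports the `actions/checkout@v4` tag and the `docker://alpine:3.19` image tag, while the SHA-pinned step and the local action pass. Pinning to a SHA only helps if the pinned commit is then kept current, which is the part Dependabot covers; a trailing `# vX.Y.Z` comment, as on line 8 of the sample, is the convention Dependabot and Pinact use to record the human-readable version beside the SHA.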
