Re: [eclipse.org-committers] Guidance following the Trivy security incident

I think tl;dr: don't use "docker run some/image:latest", but
pin that to a (trusted) version with some/image:1.2.3 as the
concrete version.
Likewise for libraries. Things like Dependabot can be a big
help, but having it automatically install latest & greatest
is prone to attacks like the litellm one (which got triggered
via trivy, apparently).

On 24 Mar 2026, at 14:05, Edward Willink via eclipse.org-committers wrote:

> Hi
>
> This guidance would appear to be very important, yet I understand very little of it. I have no idea what a GitHub Action is, let alone how to pin it.
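As an added example, not part of this thread or of any Eclipse project, here is a small Python checker for the two pinning habits the reply recommends: it walks a GitHub Actions workflow file and classifies every `uses:` reference (full commit SHA, version tag, or branch) and every container image reference (`@sha256:` digest, version tag, or floating `:latest`/untagged). The workflow excerpt, the `example-org`/`example/tool` names and the SHA and digest values are all constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed workflow excerpt for the demo; the org, action and image names
# are hypothetical and the SHA/digest values are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: example/tool:latest
    steps:
      - uses: example-org/setup-tool@v1
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1.2.3, constructed SHA
      - uses: example-org/lint@main
      - run: docker run --rm example/tool:1.2.3
      - run: docker run example/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")
# Simple form only: "docker run [flags without values] <image>".
DOCKER_RUN_RE = re.compile(r"docker\s+run\s+(?:-\S+\s+)*([^\s#]+)")

Finding = Tuple[int, str, str, str]  # (line number, kind, reference, status)


def classify_action(ref: str) -> str:
    """'ok' for a full commit SHA, 'tag' for a version tag, 'branch' for any
    other moving ref, 'no-ref' when nothing follows the '@'."""
    if "@" not in ref:
        return "no-ref"
    tail = ref.split("@", 1)[1]
    if COMMIT_SHA_RE.match(tail):
        return "ok"
    if VERSION_TAG_RE.match(tail):
        return "tag"  # a tag can be re-pointed later; a commit SHA cannot
    return "branch"


def classify_image(ref: str) -> str:
    """'ok' for a digest-pinned image, 'tag' for a version tag, 'floating' for
    ':latest' or no tag at all, 'bad-digest' for a malformed digest."""
    if "@sha256:" in ref:
        return "ok" if IMAGE_DIGEST_RE.search(ref) else "bad-digest"
    # Look only at the last path segment so "registry:5000/tool" is not read as a tag.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return "floating"  # no tag means :latest
    tag = last.split(":", 1)[1]
    return "floating" if tag == "latest" else "tag"


def audit(workflow_text: str) -> List[Finding]:
    """Classify every action and image reference found in the workflow text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if m := USES_RE.match(line):
            findings.append((lineno, "action", m.group(1), classify_action(m.group(1))))
        elif m := IMAGE_RE.match(line):
            findings.append((lineno, "image", m.group(1), classify_image(m.group(1))))
        elif m := DOCKER_RUN_RE.search(line):
            findings.append((lineno, "image", m.group(1), classify_image(m.group(1))))
    return findings


def mutable_refs(workflow_text: str) -> List[Finding]:
    """Every reference that is not pinned to immutable content (SHA or digest)."""
    return [f for f in audit(workflow_text) if f[3] != "ok"]


if __name__ == "__main__":
    for lineno, kind, ref, status in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno:2d} {kind:6s} {status:10s} {ref}")
```

Run against the sample, it reports the `:latest` image and the `@main` action as floating/branch references, the `@v1` action and the `:1.2.3` image as version tags (what the reply above recommends as a minimum; a tag is still mutable, so a commit SHA or image digest is the stronger pin), and the SHA-pinned action and digest-pinned image as ok.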
