Don't become the next Trivy: how to make your releases, tags, and automation resistant to compromise
Mikaël Barbero, Thu, 2026-03-26 04:30
This is Part 2 of our response to the Trivy supply-chain compromise. Part 1 covered how to consume GitHub Actions...

Stop trusting mutable references: how Eclipse Foundation projects should harden GitHub Actions after the Trivy compromise
Mikaël Barbero, Tue, 2026-03-24 04:30
On March 19, 2026, an attacker used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77...

Security Training on Vulnerability Management and SBOMs from November 2025 - Videos are Online!
Marta Rybczynska, Wed, 2025-11-26 05:46
In early November 2025, the Eclipse Foundation Security Team delivered the second part of our security training for developers for...

Understanding Open Source Stewards and the Cyber Resilience Act
Marta Rybczynska, Tue, 2025-11-18 01:50
The “Open Source Stewards and the Cyber Resilience Act” white paper explores a new role introduced by the EU Cyber...

Open VSX security update, October 2025
Mikaël Barbero, Mon, 2025-10-27 15:30
Over the past few weeks, the Open VSX team and the Eclipse Foundation have been responding to reports of leaked...

The Eclipse Foundation announces a new edition of its security training
Marta Rybczynska, Tue, 2025-10-14 09:19
Do you want to know more about vulnerability management? As a developer, you might receive reports, or need to create...

Eclipse Open VSX Registry Security Advisory
Mikaël Barbero, Wed, 2025-07-02 04:15
This security advisory provides additional technical details following our initial statement and the corresponding CVE record. TL;DR A vulnerability in...

Security Training on Vulnerability Management and SBOMs - Videos are Online!
Marta Rybczynska, Tue, 2025-07-01 05:39
In early June 2025, the Eclipse Foundation Security Team delivered the second part of our security training for developers. The...

Vulnerability in Eclipse Open VSX Registry extension publication process
Mikaël Barbero, Fri, 2025-06-27 04:15
On May 4th, the Eclipse Foundation (EF) Security Team received a notification from researchers at Koi Security regarding a potential...

Our First Rapid Security Review: Eclipse SysON
Ioana Iliescu, Wed, 2025-05-21 06:15
We are excited to announce that the Eclipse Foundation Security Team has conducted a Rapid Security Review of Eclipse SysON...