At the start of the year, the Eclipse Foundation Security Team launched a new initiative aimed at enhancing software supply chain security: “Implementing Software Bills of Materials (SBOMs) for projects”.
SBOMs are detailed inventories of a project’s components and dependencies, widely recognized as essential for supply chain security. They improve visibility, help identify vulnerabilities early, ensure compliance with emerging standards, and build community trust through transparency.
In the early phases of this initiative, the Security Team provides hands-on support to volunteer projects in designing and implementing GitHub Actions workflows for generating SBOMs and uploading them to a centralized registry.
Each iteration typically begins with the Security Team gathering data about the project context. We then design a workflow that achieves the objective while minimizing changes to the existing codebase, implement it, and submit it for the committers’ review. The project retains full authority over the changes, and we proceed only with those approved by the project team.
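The kind of workflow described above, as an added example (not the Security Team's or any project's actual workflow): it assumes a Maven project, uses the CycloneDX Maven plugin without modifying the pom.xml, and treats the registry endpoint, its upload API and the secret names `SBOM_REGISTRY_URL` / `SBOM_REGISTRY_TOKEN` as placeholders.

```yaml
# Added example (not from the Eclipse Foundation post): generate a CycloneDX SBOM
# for a Maven project on each release tag and upload it to a central registry.
# The registry endpoint, its API shape and the secret names are placeholders.
name: sbom

on:
  push:
    tags: ["v*"]          # run only for release tags
  workflow_dispatch:       # allow manual runs while testing the workflow

permissions:
  contents: read           # least privilege: the job never needs write access

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"

      # Produce an aggregate BOM covering all modules at target/bom.json,
      # invoking the plugin directly so the project's pom.xml is untouched.
      - name: Generate SBOM
        run: >
          mvn -B -ntp
          org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
          -DoutputFormat=json

      # Keep the SBOM with the workflow run so committers can inspect it.
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: target/bom.json

      # Upload to the central registry (placeholder URL, token and API path).
      - name: Upload SBOM to registry
        env:
          REGISTRY_URL: ${{ secrets.SBOM_REGISTRY_URL }}
          REGISTRY_TOKEN: ${{ secrets.SBOM_REGISTRY_TOKEN }}
        run: |
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${REGISTRY_TOKEN}" \
            -H "Content-Type: application/vnd.cyclonedx+json" \
            --data-binary @target/bom.json \
            "${REGISTRY_URL}/projects/${GITHUB_REPOSITORY}/sboms/${GITHUB_REF_NAME}"
```

Restricting the trigger to release tags and the token to a read-only job keeps the SBOM tied to an actual release and limits what a compromised step could do with the workflow's credentials.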

Early adopter projects that collaborated with our team provided highly positive feedback. Our hands-on support has been especially valuable for projects with limited bandwidth or for which SBOMs were not yet a priority on the roadmap, allowing them to adopt best practices without diverting critical resources. So far, we have been able to provide direct support to a wide range of projects, including: Eclipse Syson, Eclipse Kuksa, Eclipse JKube, Eclipse LMOS, Eclipse Theia, Eclipse Che, Eclipse Milo, Eclipse Store.
This ambitious initiative represents a proactive step towards improving software supply chain transparency and security. We strongly encourage all projects to take an active role in implementing SBOMs in their own release processes. Alternatively, we maintain a queue of early adopter projects that we support directly. If your project would like to participate, we welcome you to reach out to the Eclipse Foundation Security Team; contact information can be found here.
This work is part of an investment by the Sovereign Tech Fund, a program of the Sovereign Tech Agency.