During this year's EclipseCon, the Eclipse Foundation staff offered a tutorial on best practices in open-source projects. For people who could not be there or want to learn more, repositories are available for everyone to re-use!
Repository Best Practices Tutorial
The first tutorial focuses on securing repositories. Your task is to use prepared repositories and change them to make them more secure with simple means. This includes some configuration changes that you can perform via this repository and changes to the repo's contents.
This tutorial covers the different concepts:
- Using branch protection rules to avoid unwanted or accidental changes.
- Enabling secret scanning to find passwords and API keys committed by error.
- Using fine-grained workflow permissions.
- Adding alerts on vulnerable dependencies with dependabot.
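As an added illustration of the last two items (fine-grained workflow permissions and Dependabot), here is an example that is not part of the tutorial repositories: a GitHub Actions workflow with the weak `write-all` setting shown alongside a least-privilege `permissions` block, and a `dependabot.yml` that keeps both the pinned actions and the build dependencies current. The file paths, workflow name, build command and the `gradle` ecosystem are assumptions for the example; the commit pin is a placeholder. Branch protection rules, secret scanning and Dependabot alerts themselves are repository settings rather than files, so they are configured in the repository's settings pages (or via the self-service mechanism mentioned below) and are not shown here.

```yaml
# .github/workflows/ci.yml (hypothetical example workflow, not from the tutorial)
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Weak setting, kept here only for contrast: every scope for the job token.
# permissions: write-all

# Fine-grained default: the GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a commit SHA rather than a mutable tag;
      # the Dependabot configuration below keeps the pinned SHA up to date.
      - uses: actions/checkout@<commit-sha>   # placeholder: replace with a real pin
      - run: ./gradlew build --no-daemon      # assumed build command

  comment:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'pull_request'
    # Only the job that actually needs to write gets the extra scope.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --repo "$GITHUB_REPOSITORY" --body "Build finished"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}

---
# .github/dependabot.yml (hypothetical example configuration)
version: 2
updates:
  # Version updates for the actions used in the workflows, including security fixes.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  # Application dependencies; the ecosystem value depends on the build tool used.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
```

The point of the split between the top-level `permissions` block and the per-job one is that the default for every job stays read-only, and a job that genuinely has to write (here, posting a pull request comment) declares exactly the one extra scope it needs.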
The tutorial is available at https://github.com/EclipseConTutorial. If you want to use it, create a new repository from this template, and you can start working on it! For detailed tasks and discussion from the in-person tutorial, see https://github.com/orgs/EclipseConTutorial/discussions/1.
Note: During the tutorial, changes to the settings of the vulnerable repositories were performed using the self-service mechanism of the Eclipse Foundation. If you created your own repository from the template, there is no need to use the self-service; you can change the settings yourself via the normal GitHub UI.
Responding to Reports of Potential Vulnerabilities with VulnGame
The second tutorial shows how to deal with reports on potential vulnerabilities. Handling such reports is similar to managing any other bugs, but it can be stressful the first time. Because of that, with VulnGame you can test-run the whole process on three scenarios. You get the reports, and then it is your turn.
VulnGame contains two repositories. The sources in https://github.com/VulnGame/VulnGame-source contain your game environment. The programming language offers surprises – every spelling mistake is a security issue. Everyone can participate!
Game scenarios, starting with messages from security researchers, have their place in the second repository, https://github.com/VulnGame/VulnGame-scenarios. It also contains solutions and suggestions for grading if you prefer to play amongst several groups.
All those resources are open source – you can share and adapt them! Add your tasks and challenges, and share with friends and work colleagues. Let's increase common knowledge of the security best practices!
Previous blog posts on security:
Eclipse Jetty Security Audit Has Been Completed https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-jetty-security-audit-has-been-completed
Eclipse Foundation Publishes Results of Eclipse JKube Security Audit https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-foundation-publishes-results-eclipse-jkube-security-audit
SECURITY.md: should I have it? https://blogs.eclipse.org/post/marta-rybczynska/securitymd-should-i-have-it