Security is fundamental to open source software. With growing dependencies, evolving threats, and expanding community usage, proactive security reviews have become essential. In 2025, the Eclipse Foundation Security Team will embark on an exciting new initiative: Rapid Security Reviews—lightweight, scalable, and repeatable assessments designed to help projects quickly improve their security posture.
At the date of this article's publication, we already have four ongoing reviews, with reports to be published soon. These initial reviews are helping us refine our processes and ensure maximum effectiveness from the start.
What is a Rapid Security Review?
A Rapid Security Review is a focused, time-boxed assessment: the aim is for the Project Security Team and the Eclipse Foundation Security Team to each spend no more than a couple of hours on the entire process. Each review aims to quickly identify and prioritise key security improvements within Eclipse projects, providing actionable guidance without overwhelming maintainers. Detailed documentation about the standard checks conducted during each review can be found in our security handbook.
This streamlined approach ensures:
- Consistency: A structured, repeatable process using standardised tools and templates.
- Scalability: By limiting each review's scope, the security team can sustainably review one project per week.
- Accessibility: Clear, practical recommendations that maintainers can implement immediately.
Why We're Doing These Reviews
Security isn't a one-time event; it's a continuous conversation. The Rapid Security Reviews will:
- Raise Security Awareness: Initiating meaningful dialogues about security with project teams, helping them understand risks and remediation steps.
- Build Relationships: Creating collaborative relationships between projects and the Eclipse Foundation Security Team for ongoing security improvement.
- Structure Security Visibility: Establishing a clear overview of security status across all Eclipse projects, helping us prioritise efforts effectively.
The goal is to incorporate these security reviews into the standard Eclipse Project lifecycle. This will be achieved by making them an essential component of the customary Project Progress Reviews.
How It Works
The Rapid Security Review process involves several clearly defined steps:
- Kick-off and Outreach:
- Until the process is refined, we initially select projects based on existing relationships. We also select projects based on strategic priorities identified by the EMO (Eclipse Management Organisation) Project Team, or from volunteer submissions.
- Project maintainers receive a brief survey and a tailored kick-off email, starting the security review process.
- Structured Checklist Review:
- Using our standardised internal checklist, we examine critical security aspects such as vulnerability management, CI/CD security, repository setup, and more.
- The process is strictly time-boxed to ensure efficiency and manageability.
- Actionable Reports:
- Findings are clearly documented, highlighting prioritised recommendations tailored to each project's specific needs.
- Reports are concise, actionable, and shared transparently with project maintainers.
- Collaborative Discussions:
- Reviews conclude with structured discussions with maintainers to establish timelines for implementing improvements.
- A follow-up check-in ensures accountability and continuous improvement.
Building an Open Source Security Community
An exciting component of this initiative is our commitment to openness and community involvement. We're launching an open source project around Rapid Security Reviews, making our tools, templates, and processes publicly accessible. Integration with community tools such as Otterdog and OpenSSF Scorecard will further automate and enhance security assessments, benefiting the broader open source community. Additionally, we will map our review checklists to the OpenSSF Security Baseline controls and propose new controls or refinements where appropriate, contributing to industry-wide security standards.
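To make the Scorecard integration concrete, here is a small triage script, added as an example for this article and not part of the Eclipse Foundation's Rapid Security Review tooling. It assumes the JSON layout produced by `scorecard --format json` (a top-level `checks` array whose entries carry `name`, `score` from 0 to 10 with -1 meaning inconclusive, and `reason`), groups the checks under the three review areas named above (the grouping and the threshold of 5 are this example's own assumptions, not the Foundation's checklist), and turns the result into a prioritised list of the kind a report would contain. The embedded report is constructed sample data, not a scan of any real project.

```python
"""Triage an OpenSSF Scorecard JSON report into a prioritised action list.

Added example, not Eclipse Foundation tooling. Assumptions: the JSON shape of
`scorecard --format json` (top-level "checks" array with "name", "score" and
"reason"), the mapping of checks onto review areas, and the score threshold.
"""
import json

# Hypothetical grouping of Scorecard checks into the review areas named in the
# article (assumption: the real checklist may group them differently).
AREAS = {
    "vulnerability management": [
        "Vulnerabilities", "Security-Policy", "Dependency-Update-Tool", "Maintained",
    ],
    "CI/CD security": [
        "Dangerous-Workflow", "Token-Permissions", "Pinned-Dependencies", "SAST",
    ],
    "repository setup": [
        "Branch-Protection", "Code-Review", "Binary-Artifacts", "Signed-Releases",
    ],
}

THRESHOLD = 5  # assumption: any check scoring below this becomes an action item


def triage(report: dict, threshold: int = THRESHOLD) -> dict:
    """Return {area: [(check, score, reason), ...]} for weak checks, worst first.

    Inconclusive checks (score -1) are listed as well: they usually mean the
    scanner lacked data or permissions, not that the control is in place.
    """
    by_name = {c["name"]: c for c in report.get("checks", [])}
    findings = {}
    for area, names in AREAS.items():
        items = []
        for name in names:
            check = by_name.get(name)
            if check is None:
                continue  # check not present in this report
            score = check.get("score", -1)
            if score == -1 or score < threshold:
                items.append((name, score, check.get("reason", "")))
        items.sort(key=lambda item: item[1])  # -1 sorts first, so it is not lost
        findings[area] = items
    return findings


def render(findings: dict) -> str:
    """Format the triage result as the prioritised list a report would carry."""
    lines = []
    for area, items in findings.items():
        if not items:
            continue
        lines.append(f"## {area}")
        for name, score, reason in items:
            label = "inconclusive" if score == -1 else f"{score}/10"
            lines.append(f"- {name} ({label}): {reason}")
    return "\n".join(lines)


# Constructed sample report in Scorecard's JSON shape (not real scan data).
SAMPLE_REPORT = json.loads("""
{"repo": {"name": "github.com/example/project"},
 "score": 5.8,
 "checks": [
   {"name": "Branch-Protection", "score": 2,
    "reason": "branch protection is not maximal on development and all release branches"},
   {"name": "Token-Permissions", "score": 0,
    "reason": "detected GitHub workflow tokens with excessive permissions"},
   {"name": "Dangerous-Workflow", "score": 10,
    "reason": "no dangerous workflow patterns detected"},
   {"name": "Pinned-Dependencies", "score": 4,
    "reason": "dependency not pinned by hash detected"},
   {"name": "Vulnerabilities", "score": 10,
    "reason": "0 existing vulnerabilities detected"},
   {"name": "Security-Policy", "score": 0,
    "reason": "security policy file not detected"},
   {"name": "Code-Review", "score": 8,
    "reason": "found 25/30 approved changesets"},
   {"name": "Signed-Releases", "score": -1,
    "reason": "no releases found"}
 ]}
""")

if __name__ == "__main__":
    print(render(triage(SAMPLE_REPORT)))
```

Run against a real report (`scorecard --repo=<url> --format json > report.json`, then load it instead of `SAMPLE_REPORT`), the output gives a maintainer the same kind of prioritised, area-by-area list that a review report would, with the inconclusive checks kept visible so that a missing token or permission is not mistaken for a passing control.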
This open approach is generously supported by the Alpha-Omega Project, whose backing enables us to scale our security impact significantly.
Get Involved
If your project wants to participate, we warmly welcome volunteer submissions for security reviews. Simply reach out via our GitHub Discussions or by sending an email to security@eclipse-foundation.org, and we'll do our best to prioritise your request. In the meantime, you can conduct your own self-assessment using our public checklists and guidelines. If you have questions about the Rapid Security Reviews, please join the conversation on our GitHub Discussions page.
Stay tuned for more details as we kick off Rapid Security Reviews in 2025. We're excited to partner with all Eclipse Foundation Projects to build a safer, stronger ecosystem.