Monday, December 22, 2025 - 07:00

The past year has been one of the most transformative in the history of the Eclipse Foundation’s security program. From strengthening identity systems and hardening infrastructure, to scaling project-level security reviews, to launching an end-to-end SBOM ecosystem used across the Foundation, 2025 marked a decisive leap forward in our ability to support and secure the thousands of developers and hundreds of projects that rely on Eclipse Foundation technologies.

Much of this progress was made possible through two complementary sources of support. Alpha-Omega continued to fund the operational backbone of our security work: GitHub configuration governance, supply-chain hardening, infrastructure security, and our Rapid Security Reviews program. Meanwhile, an investment from the Sovereign Tech Fund (STF) (a program of the German Sovereign Tech Agency) enabled us to build new SBOM generation and analysis capabilities now used to secure some of our most complex software supply chains.

Together, these grants and investments empowered the Security Team to deliver a year of significant advancements, deeper automation, closer engagement with projects, and a much stronger defensive posture across the entire Eclipse Foundation ecosystem.

Strengthening GitHub governance at scale

A central pillar of the year was the continued evolution of Eclipse Otterdog, the automation platform that manages configuration across more than 240 GitHub organisations. Initially funded through Alpha-Omega, Otterdog has now matured into an indispensable governance tool.

Early in the year, we deployed standardised .github repositories and SECURITY.md files across hundreds of projects, opening remediation PRs where required and ensuring consistent security practices throughout the ecosystem. Across several releases, Otterdog added support for archived organisations, improved GitHub API compatibility, introduced a new check-status command, and delivered major improvements to contributor onboarding and error visibility.

Otterdog also expanded into vulnerability operations. It now tracks activity on GitHub private advisories, helping the Security Team surface stale or reactivated reports far more efficiently. This automation significantly reduces manual workload and ensures that sensitive reports (especially those affecting critical components) are never overlooked.

By year’s end, Otterdog had processed hundreds of configuration changes, strengthened branch-protection and scanning settings, and established a consistent baseline of secure configuration across the entire ecosystem.

Rapid security reviews take off

Another Alpha-Omega–funded initiative, the Rapid Security Review program, scaled substantially in 2025. These time-boxed reviews provide projects with a structured assessment of their security posture and concrete recommendations for improvement.

We launched five reviews early in the year, identified dozens of additional projects for future cycles, and published our first report together with community-facing guidance in May. This inaugural review, focused on Eclipse SysON, not only demonstrated strong security maturity but also established a clear blueprint other projects can follow.

These reviews have already become a catalyst for deeper engagement, improving preparedness for vulnerability handling, dependency management, and secure development workflows.

Responding to incidents: together with the community

Security incidents inevitably test the resilience of our infrastructure, and 2025 brought several such tests.

In late April and early May, the Eclipse Foundation experienced a major on-premise infrastructure outage. Although the outage was ultimately determined not to be security-related, the Security Team helped IT to rule out compromise, support mitigations, and restore critical services (including Otterdog and Dependency-Track) without data loss.

Later in the year, the tj-actions supply-chain compromise placed thousands of repositories across the open source world at risk. Our team proactively reviewed more than 1,270 repositories across 266 organisations, identified a small number of workflows requiring attention, and analysed every run executed during the vulnerability window. No secrets were leaked, and results were transparently communicated to affected projects.

We also collaborated with researchers from Koi Security on a vulnerability in the Open VSX extension publication process, deploying a fix after extensive testing and temporarily disabling 81 extensions as a precaution. In partnership with Microsoft’s MSRC, we introduced a new token prefix format to make future token-leak detection far more reliable.

Throughout the year, the Security Team continued to triage and remediate numerous malware submissions to Open VSX, underscoring the scale and persistence of modern supply-chain threats.

Hardening identity, infrastructure & domain governance

2025 also marked major investments in foundational security infrastructure:

  • Multi-Factor Authentication (MFA) was quietly rolled out for all Eclipse Foundation accounts following the migration to Keycloak. Work is underway to unify MFA for gitlab.eclipse.org as well.
  • A new authenticated GitHub account linking workflow eliminates the risk of contributors accidentally or maliciously claiming incorrect GitHub identities.
  • Internal DNS was migrated from Bind9 to a highly available, container-based PowerDNS setup with modern auditing and redundancy.
  • Domain governance was standardised across 134 Cloudflare-managed domains, enforcing HSTS, TLS 1.2/1.3, strict HTTPS workflows, and minimal exposed attack surface.
  • The Foundation completed its first code-signing certificate rotation under Google KMS, validating our secure key infrastructure end to end.

Together, these changes significantly enhanced the reliability, auditability, and security of the Foundation’s digital presence.

Advancing SBOM capabilities with STF support

While Alpha-Omega strengthened operational security, an investment from the Sovereign Tech Fund (STF) enabled the creation of a robust SBOM ecosystem spanning generation, ingestion, storage, and visualisation.

A central dependency-tracking service at sbom.eclipse.org was deployed, integrated with our IAM, and supported by a secure upload proxy that prevents accidental cross-project writes by using Otterdog’s repository mapping. Dozens of projects (including Kuksa, Che, Milo, Store, and others) have already adopted this SBOM workflow.
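The cross-project write protection described above, as an added example (not Eclipse Foundation or Otterdog code): the proxy decides from a repository-to-project mapping whether the repository proven by the caller's CI identity may write to the requested project. The mapping, project ids and request shape are constructed assumptions.

```python
"""Authorization check for an SBOM upload proxy (added illustration).
Assumes the proxy already knows which GitHub repository is calling,
e.g. from a CI-issued token, and holds an "org/repo" -> project id
mapping exported from the governance tool. All values are constructed."""
from dataclasses import dataclass

# Constructed mapping: only the owning repository may write a project.
REPO_TO_PROJECT = {
    "example-org/kuksa-repo": "kuksa",
    "example-org/che-repo": "che",
    "example-org/milo-repo": "milo",
}


@dataclass(frozen=True)
class UploadRequest:
    caller_repo: str     # repository proven by the caller's CI token
    target_project: str  # project the caller asks the proxy to write to
    bom: dict            # parsed SBOM document


def authorize_upload(req: UploadRequest, mapping=REPO_TO_PROJECT):
    """Return (allowed, reason). Rejects unknown callers, writes to a
    project the caller does not own, and payloads that are not CycloneDX."""
    repo = req.caller_repo.strip().lower()  # GitHub names are case-insensitive
    owner_project = mapping.get(repo)
    if owner_project is None:
        return False, f"unknown repository {req.caller_repo!r}"
    if req.target_project != owner_project:
        # The cross-project write the proxy exists to prevent.
        return False, f"{req.caller_repo} may only write to {owner_project!r}"
    if req.bom.get("bomFormat") != "CycloneDX":
        return False, "payload is not a CycloneDX document"
    return True, "ok"


if __name__ == "__main__":
    good = UploadRequest("Example-Org/kuksa-repo", "kuksa", {"bomFormat": "CycloneDX"})
    bad = UploadRequest("example-org/kuksa-repo", "che", {"bomFormat": "CycloneDX"})
    print(authorize_upload(good))  # (True, 'ok')
    print(authorize_upload(bad))   # (False, "... may only write to 'kuksa'")
```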

The STF investment also funded development of SBOM generation tooling for the Eclipse IDE and the p2 ecosystem, contributed via the Eclipse CBI project. This toolchain now generates CycloneDX SBOMs for major releases such as SimRel, EPP, and the Eclipse Platform SDK, and includes a powerful web-based viewer for navigating dependencies, licenses, and hashes.

One of the year’s most significant accomplishments, and a major STF-funded milestone, was the breakthrough in SBOM generation support for the Eclipse IDE and the p2-based ecosystem.

For the first time in the IDE’s history, we now have:

  • A repeatable, extensible CycloneDX SBOM generator for Eclipse-based products
  • An integrated web viewer for developers, auditors, and downstream consumers
  • A pipeline capable of generating SBOMs for SimRel, EPP packages, and the Eclipse Platform SDK
  • Tycho integration, enabling future automation across the entire build system

This work involved extensive refactoring, performance tuning, SimRel-scale testing, and contributions to upstream projects such as CycloneDX, purl-spec, Equinox/p2, and Tycho.

By year’s end, the toolchain was producing fully navigable SBOMs for major Eclipse Foundation releases, all published at sbom.eclipse.org, a major step forward for the transparency and auditability of the Eclipse IDE’s software supply chain.

Building security skills through training

STF funding also enabled us to design and deliver a two-part vulnerability-management and SBOM training series, attended by nearly 200 developers.

Topics included responsible disclosure, coordinated releases, GitHub private advisories, using SBOMs in vulnerability assessment, and the role of the Eclipse Foundation Security Team. These recordings have since become valuable onboarding material for new maintainers.

Looking ahead

2025 was a year of consolidation, innovation, and strengthened collaboration with the projects we serve. Our automation tooling became more capable, our infrastructure more resilient, our SBOM ecosystem reached maturity, and our incident-response capabilities grew faster and more precise.

Most importantly, many of these improvements now reinforce one another: secure GitHub workflows feed into better reviews; SBOM generation feeds into a central registry; advisory tracking ties back into governance automation; and the community is increasingly equipped to secure its own projects.

As we move into 2026, the Security Team is well-positioned to continue scaling its efforts, deepen project engagement, and strengthen the Foundation’s role as a leader in open source security. The progress of the past year reflects not only the work of our team but also the commitment of our community, our partners, and our contributors across the Eclipse Foundation ecosystem.

Here’s to an even more secure year ahead.

About the Author

Mikaël Barbero

Mikaël Barbero is the head of security at the Eclipse Foundation.