Open Source Summit North America 2023

How to make sure that the configuration of hundreds of GitHub projects of the Eclipse Foundation stays secure and coherent? This story starts when the OpenSSF Alpha-Omega initiative has enabled the Eclipse Foundation to invest in improving the software security chain for its projects. We ran the OpenSSF Scorecard project and identified some recurrent misconfigurations. But managing numerous organizations and repositories creates challenges. This evaluation with Scorecard shows an urgent need for a tool to effectively manage and rectify misconfigurations in our 1000+ repositories. To tackle this challenge, we are introducing a "configuration as code" solution for managing multiple GitHub organizations. This approach automates many tasks involved in maintaining a secure and consistent supply chain, reducing security vulnerability risk, and increasing project trust. “Configuration as code” provides visibility into security settings and the ability to make configuration changes through a familiar pull-request process. Participants will learn about the tools and techniques we employed in our organization and how they can be adapted for their own purposes.