By Chris Aniszczyk and Amir Montazery 

CNCF and the Open Source Technology Improvement Fund (OSTIF) have been working together for the last several years to conduct security audits of CNCF's Graduated and Incubating projects. Backed by CNCF's commitment to improving the security posture of its projects, the Foundation and OSTIF have established a guiding policy, a project maturity model, and a repeatable process for executing audits. Over the last three years, CNCF project maintainers and contributors have had the opportunity to work with independent audit experts to identify risks and threat vectors and to put tooling in place that improves each project's security posture.

For more background on CNCF’s partnership with OSTIF, security audits, and the previous impact report, check out the blog from last year.

This latest OSTIF report provides an overview of independent security audits carried out in the second half of 2022 and into early 2023. 

The projects audited

Improvements at a glance

The report summarizes its results in three figures: 50 critical-, high- or medium-severity findings fixed; 196 security improvements made in total; and 73 tools built or improved to continuously monitor the audited open source projects for security issues.

Feedback from CNCF project maintainers

“Thanks to the audit we were able to patch some minor vulnerabilities and increase our existing security toolchain to prevent new vulnerabilities from being introduced.”

– Tom Kerkhove – KEDA Maintainer, Senior Software Engineer at Microsoft

“We greatly appreciate OSTIF and Trail of Bits for their thorough security audit of KEDA and for the excellent cooperation we received. The KEDA community is constantly striving to make the project better and more secure for our users; the insights provided in the audit will help us achieve that.”

– Zbynek Roubalik – KEDA Maintainer, Principal Software Engineer at Red Hat

More information

Direct link to the report

OSTIF’s post about this report