The CNCF Technical Advisory Group for Security & Compliance is excited to announce the upcoming 2026 Security Slam at KubeCon + CloudNativeCon Europe, in partnership with Sonatype and OpenSSF.
The event will run from Friday, February 20th until Friday, March 20th.
Security Slam is a CNCF community activity that has taken many different shapes over the years. Now on its fifth iteration, the Slam is designed to help projects understand and improve their high level security posture.
“Security hygiene is something every project should do — and every project can do it with a bit of guidance. It’s everyday stuff, like the equivalent of brushing your teeth. After you learn it once, you can easily do it every day.” –
Christopher “CRob” Robinson, OpenSSF CTO & Chief Architect
Previously restricted to CNCF projects due to the nature of the evaluation tools available, the Slam is now taking advantage of the new LFX Insights dashboard to greatly broaden the qualifications for participation: If your project is published to LFX Insights by the closing date, you qualify to receive Slam recognitions.
Past events have included various incentives to encourage projects to make recommended improvements, such as Google’s 2022 donations on behalf of projects who reach select milestones or the 2025 LEGO prizes awarded to the top contributors for each of the participating projects.
Similarly wide in variation, the event has had several permutations in its length. In the case of the Kubernetes Lightning Round, the slam was a day of onboarding new contributors to Kubernetes with a focus on security hygiene improvements to seven different subprojects. Taking it a step further, the 2025 event featured weeks of preparatory work with maintainers, and 45-minute live sessions with maintainers and anyone who wanted to join from the audience at KubeCon + CloudNativeCon Europe.
This year, however, will imitate the event that had the most statistically significant results. In 2023, projects were given their own iron-on badges and a framed plaque to highlight the milestones that they completed during the 30-day event. Not only were the plaques seen at project tables long after the event ended, but we received reports of significant project wins due to the efforts achieved during that event.
“Work we completed on Argo during the Security Slam paid off big time when the tj-actions GitHub action got compromised. All our workflow versions were pinned during the previous Slam — but if they hadn’t been, we’d have spent a massive amount of time rotating secrets.” – Michael Crenshaw
Here are some key similarities you will see:
- The project will last approximately one month, leading up to KubeCon
- CNCF TAG Security & Compliance will publish a library of support resources to accelerate execution of the more complex goals
- Advisors will be available via a dedicated CNCF slack channel all month, to offer clarifications and answer questions related to security hygiene
- Participating projects will be given custom plaques to demonstrate their successes
- Individual contributors will be given badges corresponding to the project’s completed goals
And there are new elements as well:
- Projects from outside of the CNCF and Linux Foundation are invited to participate
- Advisors and material will be available on the topic of the Cyber Resilience Act (CRA)
- This event’s Slam Library will be hosted online at securityslam.com
Key Dates to Remember:
- Friday, February 20th: Event objectives are announced; Slam Library Opens
- Friday, March 20th: Final scoring submissions closes; Scoring begins
- Thursday, March 26th: Awards are issued on the KubeCon Project Pavillion Stage
Pre-registration is now open: Sign up to receive reminders and instructions related to the event!