Slam26 Spring Transparency Report

Published: July 1, 2026

The title image of the Security Slam Spring 2026 report

Setting the stage for the Spring 2026 Security Slam

The CNCF Security Slam has continuously evolved to meet the community’s need for robust software supply chain security. In 2022 and 2023, the event functioned as highly successful month-long remote challenges. By gamifying security hygiene with charitable donations, badges, and swag, these early Slams drove dozens of projects to 100% security compliance scores and successfully shifted community attitudes toward security hygiene.

Later events experimented with new directions, however. The Kubernetes Lightning Round was a 24-hour event with a persistent video conference and teams of new contributors who each focused on different Kubernetes subprojects. Then the 2025 Security Slam took the stage at KubeCon Europe with a shift to live, 45-minute deep-collaboration sprints focused on just four specific projects.

This targeted approach yielded a different category of wins from previous years: it led to the relaunch of OpenTelemetry’s Security SIG and resulted in multiple immediate pull requests merged for CNCF projects like Flux and OSCAL Compass. However, this experimental format also surfaced critical learnings which served as the ultimate trigger for our 2026 strategy. 

Feedback from the Kubernetes Lightning Round and Slam25 events strongly suggested that future Slams run by the newly restructured CNCF TAG Security & Compliance should return to the long-form remote structure of 2022 and 2023, with only a celebratory or reflective in-person component. This set the stage for the action that followed in the Spring 2026 Security Slam.

OpenSSF joined returning sponsor Sonatype to enable this event, providing structural support as well as supplementary guidance related to the ways Slam success can support end users who are regulated by the EU’s Cyber Resilience Act (CRA).

A photo of attendees at the Spring Slam26 event.

Executing the Spring 2026 Security Slam

Running from February 20 to March 20, 2026, CNCF TAG Security & Compliance launched the Spring Security Slam as a month-long community effort with support from CNCF, OpenSSF, and Sonatype. The core action of this event pivoted to focus deeply on the OpenSSF’s Open Source Project Security Baseline (OSPS Baseline), which serves as a realistic, actionable set of minimum security requirements organized by a project’s maturity level.

The 2026 event challenged maintainers and contributors to hit five new objectives, inspired by the badges from the 2023 event. These had previously guided participants through milestones like documentation, SBOMs, security self-assessments, and compliance with CNCF policies. The new objectives had similar content, breaking down the OSPS Baseline’s strict “MUST” controls into tangible, focused milestones for the community.

The Slam objectives were organized into a stair-step approach which guided projects to create and compile their documentation, store links to it in a machine-readable file, and reinforce all of it with a self-assessment of the project’s security posture before scanning and publishing the results.

To ensure participants could effectively leverage these tools and navigate the baseline requirements, the preparation involved a strong alignment with the creators of the Best Practices Badge and LFX Insights. Then, the entire action phase was underpinned by a comprehensive Slam library of support resources. Coupled with dedicated advisors actively answering questions on Slack, this resource library ensured that contributors were fully equipped to drive their projects toward measurable security compliance.

A photo of two attendees at Slam 26

Measurable gains in security hygiene

While the full breadth of the final leaderboard and all participating projects are not detailed in the available materials, post-event community updates paint a clear picture of the Slam’s direct, positive consequences. 

The Spring 2026 Security Slam successfully drove tangible security improvements, culminating in the recognition of the Top 5 Security Champions who went the extra mile for their communities:

The direct outcome of this effort was a measurable improvement in foundational “security hygiene” across the ecosystem. By completing the focused objectives, these projects successfully implemented baseline protections against common software compromises, improved CRA-readiness for their end users, and ultimately set a higher security standard for the entire open-source community.

These broader ecosystem outcomes were built on individual, ground-level contributions. For example, Kyverno’s champion, Shuting Zhao, highlighted the tangible impact of the event by celebrating two specific, high-quality pull requests merged by a community contributor during the Slam. 

Ultimately, these successful outcomes were made possible by expert Slam Mentors who guided the projects across the finish line with the backing of sponsors OpenSSF and Sonatype: 

Aaron Linskens, Ben Cotton, Dr. David Wheeler, Evan Anderson, Jason Meridth, Jennifer Power, Jonathan Reimer, Satarupa Deb, Madalin Neag, and Roman Zhukov

A photo of two attendees at Slam 26.

Strategic adjustments for the fall Slam

The ultimate measure of the Spring 2026 Security Slam lies in the strategic lessons we can carry forward to improve the ecosystem. The biggest takeaway from this iteration was that leaning heavily into automation and standardized requirements is highly effective. Thanks to the guardrails provided by automated tooling and the OSPS Baseline, participants reported significantly fewer hangups and roadblocks compared to previous years.

However, the event also highlighted areas for operational improvement, particularly regarding our communication strategy leading up to the event: our late announcement this spring was not helpful. 

Moving forward, we will need to make a series of earlier announcements to generate sustained awareness, accompanied by dedicated outreach specifically targeting incubating CNCF projects. These incubating projects are the ideal candidates for this initiative: they are mature enough to have a solid structural foundation in place, yet young enough to genuinely benefit from a focused security polish and the accompanying event publicity.

As we look ahead, we are fully committed to applying these lessons to the Fall 2026 Security Slam. By combining earlier, targeted outreach with the success of our Spring approach, we plan to roll out the fall event with only minor modifications to the core objectives.