The Cloud Native Computing Foundation (CNCF) hosts a wide range of projects at various maturity levels—Graduated, Incubating, and Sandbox—that are actively seeking security contributions. Security contributions can include code, documentation, threat modeling, vulnerability reporting, audits, and participation in working groups or special initiatives. While there is no single, up-to-date centralized list of projects seeking security contributions, several CNCF-wide initiatives, recurring events, and project-specific efforts provide clear entry points for security-minded contributors.
CNCF-Wide Security Initiatives
TAG Security and Compliance
The CNCF Technical Advisory Group for Security and Compliance (TAG Security) is the primary forum for security collaboration across CNCF projects. TAG Security coordinates best practices, organizes security assessments, and runs working groups and initiatives that aggregate security needs across the ecosystem. Contributors of all experience levels are welcome to participate in open meetings, join working groups, or help author guidance and assessments. See the TAG Security GitHub and community site for meeting schedules, working group charters, and contribution opportunities.
Notable Ongoing Initiatives
- Cloud Native Top 10: This project aims to document the most critical security risks in cloud native technologies (e.g., Istio mesh, Kubernetes) and is actively seeking contributors to help define, review, and publish guidance. Join the #tag-security-top-ten Slack channel or attend bi-weekly meetings to get involved. See the initiative thread for details.
- Security Baseline Working Group: In partnership with OpenSSF, this group is aligning CNCF project security hygiene recommendations and tooling. Contributors can help define baselines, develop tooling, and participate in regular meetings. See the initiative thread for meeting info and participation details.
- Security Assessment Guide: TAG Security is developing a comprehensive guide and training for performing security assessments on CNCF projects. Community feedback and expert contributions are encouraged, especially from those with experience in threat modeling, risk assessment, and post-assessment remediation. See the discussion and join the #security-assessment-book Slack channel.
Security Slam and Community Events
CNCF regularly hosts events such as Security Slam that challenge projects to improve their security posture through specific tasks (e.g., adopting OpenSSF Scorecards, automating SBOMs, implementing supply chain security). Projects recognized for their security efforts in recent Security Slam events include Artifact Hub, Jaeger, K8GB, Capsule, OpenFGA, and Argo. These projects, and others participating in such events, are often open to new security contributors and may have open issues or tasks related to event challenges.
Project-Specific Security Contribution Opportunities
While most CNCF projects welcome security contributions, several have explicit security teams, working groups, or documented processes for engaging with security issues. Below are examples of projects with active security engagement:
Buildpacks (Incubating)
Buildpacks maintains a SECURITY.md for reporting vulnerabilities, enforces access control (including 2FA), and has a documented security response team. The project has completed both self-assessments and external audits, with findings and improvements tracked publicly. Contributors can help by reviewing code for vulnerabilities, improving documentation, and participating in security reviews. See the contribution guide and recent audit results for more information.
WasmEdge (Incubating)
WasmEdge is undergoing a Joint Security Assessment managed by TAG Security and Compliance. Contributors can participate in reviewing the project's security design, identifying risks, and proposing improvements. The assessment process is documented in the TAG Security Assessment Process.
Keycloak (Incubating)
Keycloak, an identity and access management project, has active security contributors and maintainers. Security contributions can include reviewing authentication flows, threat modeling, and improving documentation. See the Keycloak GitHub and join community discussions for current needs.
SPIFFE/SPIRE (Graduated)
SPIFFE and SPIRE focus on workload identity and secure service-to-service mTLS. The projects prioritize "secure by default" principles and welcome contributions to their security model, codebase, and documentation. See SPIFFE and SPIRE for contribution guidelines.
Cert-Manager, Secrets Store CSI Driver, External Secrets Operator
These projects focus on certificate lifecycle automation and secrets management. Contributors can help with security hardening, policy enforcement, and integration testing. See their respective GitHub repositories for open issues and contribution instructions.
Supply Chain Security Projects
Projects such as in-toto, The Update Framework (TUF), GUAC, SBOMit, SLSA, and protobom are central to CNCF's supply chain security efforts and are actively seeking contributors for code, documentation, and threat modeling. Many of these projects are also involved in OpenSSF collaborations.
Policy as Code and Security Enforcement
Projects like Kyverno and Open Policy Agent (OPA) enable security policy enforcement in Kubernetes and cloud native environments. Contributors can help write policies, improve validation tools, and participate in community discussions.
How to Find and Engage with Security Contribution Opportunities
- Visit the CNCF Contribute site for up-to-date information on contribution opportunities, including security-related tasks and working groups.
- Join the CNCF Slack and participate in channels such as #tag-security, #sig-security-whitepaper, and project-specific channels.
- Review project SECURITY.md files and contribution guides for instructions on reporting vulnerabilities and contributing to security.
- Attend open meetings and working groups organized by TAG Security and Compliance, as well as project-specific security meetings.
- Look for issues labeled "security", "help wanted", or "good first issue" in project GitHub repositories.
CNCF and Linux Foundation Security Training
CNCF and the Linux Foundation offer training resources to help contributors build security expertise:
- Security Self-Assessments for Open Source Projects (LFEL1005)
- Securing Projects with OpenSSF Scorecard (LFEL1006)
- Automating Supply Chain Security: SBOMs and Signatures (LFEL1007)
- Certified Kubernetes Security Specialist (CKS)
- Cloud Native Security White Paper
These resources are recommended for anyone looking to contribute to security in CNCF projects or to deepen their understanding of cloud native security best practices.
For the most current opportunities, always refer to project repositories, the CNCF Contribute portal, and TAG Security communications.