The following table summarizes CNCF projects actively seeking security contributions, with each project's focus area, maturity level, and where to find more information:

| Project | Description / Focus Area | Maturity Level | Website | Contribution / Security Info |
|---|---|---|---|---|
| NATS | Secure messaging system; needs maintainers and security help for governance and license protection | Graduated | nats.io | CNCF call for support |
| Flux | GitOps for Kubernetes; focused on multi-tenant workload identity and secure delivery | Graduated | fluxcd.io | Security contributions |
| Kubescape | Kubernetes security and compliance; growing project seeking contributors for security features | Incubating | kubescape.io | Incubation announcement |
| Bomctl | SBOM tooling for supply chain security; open to security-focused contributions | Sandbox/Ecosystem | GitHub | Supply chain security guide |
| GUAC | Graph for Understanding Artifact Composition (SBOM analysis); supply chain security | Sandbox/Ecosystem | GitHub | Supply chain security guide |
| in-toto | Supply chain integrity framework; open to security contributions | Incubating | in-toto.io | Supply chain security guide |
| Protobom | SBOM interoperability; supply chain security | Sandbox/Ecosystem | GitHub | Supply chain security guide |
| SBOMit | SBOM generation and management; supply chain security | Sandbox/Ecosystem | GitHub | Supply chain security guide |
| SLSA | Secure software supply chain framework | Sandbox/Ecosystem | slsa.dev | Supply chain security guide |
| TUF | Secure software update framework | Graduated | theupdateframework.io | Supply chain security guide |
| Falco | Runtime threat detection for containers and Kubernetes | Incubating | falco.org | Falco GitHub |
| OPA | Policy as code for cloud native environments | Graduated | openpolicyagent.org | OPA GitHub |
| Kyverno | Kubernetes policy engine | Incubating | kyverno.io | Kyverno GitHub |
| TAG Security | CNCF Security Technical Advisory Group; join working groups, contribute to guides and assessments | Advisory Group | TAG Security | How to get involved |

To get started, look for issues labelled good-first-issue or help-wanted in these repositories. For broader impact, consider joining the CNCF TAG Security working groups or contributing to the supply chain security projects listed above.
For training resources on CNCF security projects, check out Linux Foundation Training for courses like Kubernetes Security Specialist (CKS), Secure Software Supply Chain, and more.