Transparency Report: 2025 Security Slam at KCCNEurope

2025 Security Slam

The Security Slam at KubeCon + CloudNativeCon Europe was a stark change in style and structure compared to the previous events run by CNCF's Security Technical Advisory Group (TAG Security). For starters, this was the first time the event was ever restricted to a subset of projects — which we'll look at more closely throughout this article.

This year's events were a far cry from the 2022 Security Slam, which targeted maintainers with a 30-day period with a $30,000 prize pool in the form of Diversity Scholarship Fund donations made in the name of each project. And again this was unlike the 2023 Security Slam — a month-long period with plaques, badges, and buckets of swag for participating project maintainers. In a way, this year's events were more similar to the Kubernetes Lightning Round, which was a 48-hour focus period of targeted collaboration between maintainers and new contributors.

Still, this year's efforts were largely experimental. At the direction of CNCF's events team, TAG Security and members of the CNCF Technical Oversight Committee (TOC) together identified four projects which were given a 45-minute period to collaborate with maintainers on the Project Pavilion stage in London. Four projects of various maturity levels were selected: Flux, OpenTelemetry, Meshery, and OSCAL Compass.

Similar to ContribFest or the Kubernetes Lightning Round, anyone and everyone was invited to participate alongside maintainers in the event. At the end of the week, four prizes sponsored by Sonatype were issued to the most impactful contributors.

While maintainers were encouraged to create their own backlog of tasks, driven by the project's current goals, a recurring theme was the controls defined in the Open Source Project Security Baseline.

Flux

Flux and its maintainer team have seen no shortage of obstacles in the past year, and yet the adoption of this graduated project continues to rise at astonishing rates. With Flux contributors already integrated into the TAG Security community, it was a natural fit to participate in this year's Security Slam. Maintainers from the project, including Stefan Prodan and Matheus Pimenta, rallied around the slam to create a highly refined backlog for new contributors — and the entire team showed a forceful presence on the Project Pavilion during the event!

"In the Flux project we had people working on all of the issues we added to the Security Slam backlog! Three pull requests were merged during the event, with two of them effectively improving the security of our CI. We saw solid contributions for our Security Insights files, and a single person worked with the maintainers to draft an entire self-assessment! We need more of those slams!"
- Matheus Pimenta

OpenTelemetry

The OpenTelemetry project is among the most popular projects in the CNCF ecosystem. After completing a security self-assessment through TAG Security, maintainers Austin Parker and Trask Stalnaker accepted an invitation to join the Security Slam. The project made excellent strides to improve their 70 repositories during the event, but none as much as the revival of the Special Interest Group dedicated specifically to project security. If you are interested in contributing to the security of OpenTelemetry, read more here about how you can join the SIG!

"Working with TAG Security to prepare for the Security Slam helped us consolidate our goals and reflect on our current security posture. In addition to the work done by KubeCon participants, we have taken advantage of this momentum to re-launch the OpenTelemetry Security SIG!"
- Trask Stalnaker

Meshery

Meshery is one of two sandbox projects that were invited to this Security Slam on a recommendation from the Technical Oversight Committee, to help bolster its application for promotion to incubation status. Several Meshery project maintainers and contributors from across the community showed enthusiastic participation during the participation phase, as they used scanning tools and best-practices guides to create a backlog of improvements for the 10 project repos. The project also issued special "Security Sentinel" badges for both remote and in-person participants!

"Meshery's participation in Security Slam wasn't just a session, but was the community and maintainers rolling up their sleeves together, turning shared knowledge into tangible security improvements for the project right at KubeCon. It was inspiring to see contributors and maintainers unite, earning their Security Sentinel badges while making Meshery stronger for everyone. Events like this push the community forward—not just in code, but in culture."
- Lee Calcote

OSCAL Compass

The second sandbox project that was recommended for the Security Slam by the CNCF TOC was OSCAL Compass, home of the Trestle compliance tool. Though it was last on the schedule, with the least time for participants to qualify for a prize, multiple tasks were completed and four pull requests