cncf
Safeguard articles tagged "cncf" — guides, analysis, and best practices for software supply chain and application security.
7 articles
What Is the in-toto Framework?
in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.
Lessons from the CNCF Kubernetes security audit
The 2019 CNCF Kubernetes security audit found 37 issues rooted in insecure defaults. Here's what it uncovered and what still applies today.
OCI + CNCF Image Supply Chain: 2026 Snapshot
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
CNCF Supply Chain Security Best Practices v2: What Changed
CNCF TAG Security shipped the v2 Supply Chain Security paper in 2025, mainstreaming SBOMs, signed attestations, and zero-trust workload identity. We walk through the practical guidance.
in-toto Graduates from CNCF: Attestation Bundles and the v1 Layer
in-toto reached CNCF graduation in April 2025 and shipped a major attestation framework release. We walk through the bundle layer, resource descriptors, and what producers should adopt.
Open Source Foundation Governance Models
The Linux Foundation, Apache Software Foundation, CNCF, and Eclipse each codify different theories of how open source projects should be governed. The differences matter more than most adopters realize.
CNCF Project Security Audits: What They Find and Why They Matter
The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.