March 23, 2026
Open source has become the foundation of modern software — but the scale and speed of today’s software supply chains are creating new security challenges. Applications depend on hundreds or thousands of components across complex environments, many of which are pulled in automatically through transitive relationships. Add the rapid rise of AI-generated code and automated development pipelines, and the need for intelligent, integrated security oversight has never been greater.
Attackers are evolving just as quickly with threats that are more targeted and sophisticated. Supply chain compromises, dependency attacks, and license risks are consistently on the rise for open source communities. For maintainers and security teams already operating with limited resources, gaining clear visibility into what’s actually in the software supply chain — and where risk exists — is critical.
Kusari is excited to partner with the Cloud Native Computing Foundation (CNCF), which builds sustainable ecosystems for cloud native software. Our shared goal: make it easier for maintainers and contributors to secure the complex dependency ecosystems that power cloud native software — without needing to become security experts. That’s why we’re thrilled to provide CNCF projects with free access to Kusari Inspector, our AI code review and dependency management tool.
CNCF projects sit at the heart of modern infrastructure. But as dependency graphs grow deeper, license risk expands, and builds become more automated, visibility becomes harder. Many teams rely on multiple tools yet still lack a clear, connected view of what’s in their supply chain — especially across transitive dependencies.
Projects adopting Kusari Inspector include Gemara, GitTUF, GUAC, in-toto/Witness, OpenVEX, Protobom and Supply-chain Levels for Software Artifacts (SLSA). As AI coding tools become standard in open source development, Kusari Inspector serves as the safety net maintainers didn't know they needed.
“I used Claude to submit a pull request to go-witness,” said John Kjell, a maintainer of in-toto/Witness. “Kusari Inspector found an issue that Claude didn’t catch. When I asked Claude to fix what Kusari Inspector flagged, it did.”
Kusari Inspector puts dependency intelligence in the developer workflow, helping projects catch risks early with inline feedback, remediation guidance and safe-to-merge recommendations in seconds, plus:
Beyond visibility, Kusari Inspector helps developers produce secure code without needing to be security experts. According to our Application Security in Practice report, most organizations still address security issues only after they surface, and two-thirds of teams spend up to 20 hours a week responding to supply chain incidents. That reactive model strains the development cycle.
For open source projects, the burden is often even heavier. We know from personal experience that many projects are maintained by small teams of part-time contributors and already overextended maintainers without dedicated security staff. Every reactive investigation, dependency review, or license question pulls limited capacity away from project priorities and community support — making proactive, workflow-integrated security even more critical.
By adding automated checks directly in pull requests, projects reduce review latency and catch issues earlier, shifting from reactive firefighting to proactive prevention. Rather than leaving maintainers to “own” reviews in isolation, Kusari Inspector brings them integrated, context-aware feedback closer to where development happens, accelerating secure delivery.
In partnering with CNCF, we’re supporting the maintainers and community of cloud native software builders, helping them strengthen security and trust without development friction.
“CNCF projects represent some of the most innovative and critical work happening in open source today,” said Jonathan Bryce, Executive Director of CNCF. “Through our partnership with Kusari, maintainers can now have better visibility into their software supply chains and stronger security, so these communities can build and grow with confidence, resilience and trust.”
“As a co-creator of GUAC and long-time CNCF contributors and Technical Advisory Council members, this partnership is a powerful reflection of the trust CNCF has placed in Kusari,” said Tim Miller, Kusari Co-Founder and CEO. “For us, this partnership is a natural extension of our open source commitment, helping advance supply chain visibility and security.”
If you’re part of a CNCF project and want greater clarity into your supply chain, use Kusari Inspector for free — https://us.kusari.cloud/signup.