CNCF and Kusari Partner to Strengthen Software Supply Chain Security Across Cloud-Native Projects

News Room
Last updated: 2026/04/10 at 8:14 AM
News Room Published 10 April 2026

The Cloud Native Computing Foundation (CNCF) and Kusari have announced a new collaboration aimed at strengthening software supply chain security across cloud-native projects, providing free access to Kusari’s AI-powered security tooling for CNCF-hosted projects. The initiative is designed to help maintainers and contributors better understand, manage, and secure increasingly complex dependency ecosystems without requiring deep security expertise.

The partnership centers on providing CNCF projects with access to Kusari Inspector, a tool that combines AI-assisted code review with dependency analysis to identify risks across both direct and transitive dependencies. As modern applications increasingly rely on hundreds or thousands of interconnected components, and as AI-generated code becomes more prevalent, visibility into the full software supply chain has become both more difficult and more critical.

The announcement highlights a growing challenge facing the cloud-native ecosystem: software supply chains are expanding in both scale and complexity, introducing new attack surfaces and operational risks. Many dependencies are pulled in automatically through transitive relationships, making it difficult for maintainers to fully understand what is included in their software. At the same time, attackers are increasingly targeting these supply chains through techniques such as dependency confusion, malicious package injection, and exploitation of weak provenance controls.

For open source projects, often maintained by small, resource-constrained teams, this complexity is compounded by fragmented tooling and limited visibility. Even when multiple security tools are used, teams frequently lack a unified, contextual view of risk across their supply chain, making it harder to prioritise and remediate vulnerabilities effectively.

A key focus of the Kusari-CNCF initiative is shifting security “left” by embedding it directly into developer workflows. Kusari Inspector provides inline feedback during pull requests, mapping dependencies, identifying gaps in provenance and attestations, and surfacing risks early in the development lifecycle.
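The two checks this paragraph describes, mapping the full dependency tree and flagging packages that arrive without a provenance attestation, can be illustrated with a small script. The following is an added example written for this article, not Kusari Inspector's code or any CNCF project's code; the dependency graph, the package names and the attestation records are all constructed, and a real tool would read them from a lockfile or SBOM and from attestation stores rather than from inline dictionaries.

```python
"""
Added example (not Kusari's or CNCF's code): walk a constructed dependency
graph, separate direct from transitive dependencies, and report every package
that is consumed without a provenance attestation.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# The project's own direct dependencies are those listed under "my-service".
DEPENDENCY_GRAPH = {
    "my-service": ["web-framework", "json-lib", "cli-helper"],
    "web-framework": ["http-parser", "logging-lib"],
    "json-lib": [],
    "cli-helper": [],
    "http-parser": ["string-utils"],
    "logging-lib": ["string-utils"],
    "string-utils": [],
}

# Constructed attestation records: package -> whether a provenance attestation
# (for instance a SLSA provenance statement) was found for the consumed artifact.
# A package absent from this table is treated as having no attestation at all.
ATTESTATIONS = {
    "web-framework": True,
    "json-lib": True,
    "cli-helper": False,
    "http-parser": False,
    "logging-lib": True,
}


def resolve_dependencies(graph, root):
    """Return {package: depth} for every dependency reachable from root.

    Depth 1 is a direct dependency; anything deeper is transitive. A breadth-
    first walk records the shortest path, so a package that is both direct and
    transitive is reported at depth 1. Visited packages are tracked so cycles
    and diamond dependencies (two parents sharing a child) terminate cleanly.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, depth = queue.popleft()
        if pkg in depths:
            continue  # already reached via a shorter or equal path
        depths[pkg] = depth
        for child in graph.get(pkg, []):
            if child not in depths:
                queue.append((child, depth + 1))
    return depths


def find_provenance_gaps(graph, attestations, root):
    """Return (package, depth, kind) tuples for dependencies with no provenance
    attestation, where kind is 'direct' or 'transitive'.

    Results are ordered by depth so that gaps in direct dependencies, which the
    maintainers chose explicitly, surface before deeper transitive ones.
    """
    gaps = []
    for pkg, depth in resolve_dependencies(graph, root).items():
        if not attestations.get(pkg, False):
            kind = "direct" if depth == 1 else "transitive"
            gaps.append((pkg, depth, kind))
    gaps.sort(key=lambda gap: (gap[1], gap[0]))
    return gaps


if __name__ == "__main__":
    for pkg, depth, kind in find_provenance_gaps(DEPENDENCY_GRAPH, ATTESTATIONS, "my-service"):
        print(f"{kind:10} depth={depth}  {pkg}: no provenance attestation")
```

In the constructed data, `string-utils` never appears in the attestation table and is still reported, which is the behaviour a maintainer wants: an unknown package is an unverified package, and a missing record should never be read as a pass.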

This approach reflects a broader industry move away from reactive security processes toward proactive, workflow-integrated security practices. By catching issues earlier and providing context-aware insights, the platform aims to reduce the burden on maintainers, minimise manual investigation, and enable faster, more secure software delivery. It also helps bridge the gap between developers and security teams by embedding actionable intelligence directly into the development process.

The initiative builds on existing efforts within the cloud-native and open source security ecosystem, including projects such as Supply-chain Levels for Software Artifacts (SLSA) and tools like GUAC, in-toto, and OpenVEX, which are already adopting Kusari Inspector. These projects focus on improving provenance, transparency, and trust across software supply chains, key pillars in modern security strategies.

By integrating with these efforts, the collaboration aims to provide a more cohesive and accessible approach to supply chain security, enabling projects to move from fragmented tooling toward connected, ecosystem-wide visibility and governance.

In the broader landscape, this collaboration aligns with similar efforts from other organizations focused on improving software supply chain security, though with varying approaches and levels of integration. For example, Snyk and GitHub (through GitHub Advanced Security) emphasize developer-first security tooling, embedding vulnerability scanning, dependency insights, and code analysis directly into developer workflows. These platforms are widely adopted and provide strong visibility into known vulnerabilities, but they often focus more on detection and remediation rather than the full lifecycle of provenance, attestations, and trust guarantees that initiatives like Kusari are targeting.

At the ecosystem level, efforts such as OpenSSF and the aforementioned SLSA take a more standards-driven approach, defining best practices for build integrity, provenance, and artifact verification. Similarly, tools like Sigstore focus on cryptographic signing and verification to ensure artifact trust. Compared to these, the CNCF-Kusari initiative positions itself as a more integrated and accessible layer, combining AI-assisted insights with supply chain visibility and embedding them directly into developer workflows. This reflects an emerging trend in the industry: moving from fragmented, point-in-time security tools toward unified, continuously enforced supply chain security platforms that balance usability with strong governance and trust guarantees.
