[Initiative]: Showcasing Frictionless Secure Coding Success Stories and Pain Points in CNCF Projects
Name
Showcasing Frictionless Secure Coding Success Stories and Pain Points in CNCF Projects
Short description
This initiative collects and analyzes real-world success stories from CNCF projects that have effectively integrated secure coding practices with minimal developer friction. The goal is to distill what worked, why it worked, and how other projects can adopt similar approaches.
Responsible group
TAG Developer Experience
Does the initiative belong to a subproject?
No
Subproject name
No response
Primary contact
Additional contacts
No response
Initiative description
CNCF projects must adopt strong security practices while allowing for a smooth developer experience. This initiative aims to understand both sides of that spectrum. It will identify and document success stories from CNCF projects that have effectively followed TAG Security’s best practices and uncover the pain points and friction that contributors experience when attempting to adopt similar practices.
Rather than proposing a new framework, the initiative emphasizes learning from what already works—and understanding what doesn’t. It will surface:
- Repeatable patterns and tools that have improved security with minimal friction
- Process and cultural practices that enabled successful adoption
- Pain points encountered when integrating security requirements within CNCF projects
By combining insights from successes and challenges, this initiative will help emerging and growing CNCF projects adopt secure coding practices earlier, more smoothly, and with a clearer understanding of where to focus improvement efforts.
Deliverable(s) or exit criteria
- Secure DevEx Pain Point & Usability Report: Findings from maintainers and contributors, with actionable recommendations.
- Maturity Case Studies: Extracted lessons from established CNCF projects to illustrate effective approaches others can adopt.
Tracking document for meeting and progress
https://notes.cncf.io/PchBX0teSauZcRGIVjEG6g
Likely TAG-Security and Compliance should have at least some involvement to steer here. This could largely be removed by going off of OpenSSF or TAG S&C guidance in this space.
Great initiative for TAG DevEX. You might need to explain what the "SAST" is for community folks who haven't heard about it before :)
I see 8 good deliverables. Which ones should be mandatory to complete this initiative? You might not be able to accomplish all of them in a short period of time.
As this has some overlap like mentioning SBOM, I guess this might be related with these other issues?
- https://github.com/cncf/toc/issues/1849
- https://github.com/cncf/toc/issues/1709
- https://github.com/cncf/toc/issues/1711
I've refined the initiative to reduce the amount of deliverables and have more focus on uncovering success stories and pain points of CNCF projects in their journey to integrate security practices.
This should help reduce the size of the initiative and make it more focused on the devex aspects.
Concrete examples and guidance for projects to follow in a short tech paper sounds great. Is this something that can be completed by February 2026? @julsemaan
@angellk, that would be the intent. We (TAG DevEx) would like our first initiatives to have deliverables that are presented at KC EU in March
/tag tag/developer-experience
@riaankleinhans Can you move this forward to the vote status?
TAG DevEx chairs and leaders! @salaboy @SwEngin @kdubois @joshuabezaleel @cloudmelon @graz-dev Please vote on this issue.