Securing kgateway with the GitHub Secure Open Source Fund
Nina Polshakova, Mayowa Fajobi, Art Berger
Feb 17, 2026
Earlier this year, kgateway was selected to participate in the GitHub Secure Open Source Fund, an initiative that provides maintainers with a three-week education sprint focused on the latest tooling, best practices, and strategies for securing open source software projects.
Being part of this program was both an honor and an opportunity. The GitHub Secure Open Source Fund provided expert insights, structured guidance, and a collaborative environment where we learned alongside other open source maintainers who share the same commitment to strengthening the security of the ecosystem.
Building on a Strong Foundation
Kgateway is a Kubernetes-native ingress controller and next-generation API gateway that builds on top of the Envoy proxy and implements the Kubernetes Gateway API. As such, security has always been a priority for kgateway. As part of the CNCF ecosystem, we emphasize licensing clarity, community governance, and responsible disclosure practices.
One key takeaway from the program was that security isn’t just about detecting issues; it’s about building processes that make fixing them routine and predictable.
Before the program began, we had already put important foundations in place, especially to handle an influx of AI-generated contributions:
- Community standards, including an AI-generated code policy section.
- GitHub Copilot running automated reviews on pull requests.
However, the Secure Open Source Fund helped us formalize, automate, and strengthen our approach in meaningful ways.
What We Improved
The kgateway team improved security processes related to vulnerability reporting, code scanning, and repository hygiene.
🔐 Formalized Vulnerability Reporting
We created a SECURITY.md file that clearly documents how to report vulnerabilities and what contributors can expect from our disclosure process. Alongside this, we refined our security incident response documentation to ensure we have a well-defined and actionable response plan. For more information, see the docs.
🔎 Enabled gosec as a Required Check
We activated gosec static analysis scanning and made it a required check on every pull request. While enabling it, we:
- Fixed type conversion issues
- Addressed file permission concerns
- Cleaned up findings surfaced by the scanner
Kgateway extends the Gateway API with Kubernetes custom resources built with Kubebuilder, introducing new types such as TrafficPolicy and GatewayParameters. Catching unsafe type conversions, invalid references, or misconfigured RBAC early is therefore critical. Static analysis with gosec provides an additional layer of guardrails, complementing Kubebuilder’s CRD validation, before changes ever reach production clusters.
When gosec fails locally or in CI on a pull request, it prints the specific rule ID, the affected file and line number, and a brief explanation of the issue, so contributors can quickly identify and remediate the finding.
This not only improved the codebase immediately but also ensured future contributions meet a higher security bar.
🧹 Cleaned Up Repository Secrets
We audited and removed unused secrets in our repository environments, reducing risk and improving overall repository hygiene.
Why This Matters
The GitHub Secure Open Source Fund does more than support individual projects; it strengthens the entire open-source ecosystem by investing in its security foundation.
For kgateway, this experience helped us:
- Formalize and document our security processes.
- Automate enforcement of secure coding practices.
- Connect with other maintainers facing similar security challenges.
- Engage our community more transparently around security.
Security is not a one-time milestone, but rather an ongoing commitment. This program accelerated our progress and reinforced our dedication to building kgateway as a secure, reliable project for the community. Because many of our maintainers are also involved in other open source projects such as agentgateway, we are also applying the lessons learned from this security initiative to other projects.
If you maintain an open source project, start small: add a SECURITY.md file, enable dependency scanning, and audit unused secrets. Small steps compound quickly.
Acknowledgements
We are immensely grateful to GitHub and everyone involved in the Secure Open Source Fund for their support and expertise.
We want to reiterate our thanks to the following partners who supported the Secure Open Source Fund.
Funding Partners: Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password
Ecosystem Partners: Atlantic Council, Ecosyste.ms, CURIOSS, Digital Data Design Institute Lab for Innovation Science, Digital Infrastructure Insights Fund, Microsoft for Startups, Mozilla, OpenForum Europe, Open Source Collective, OpenUK, Open Technology Fund, OpenSSF, Open Source Initiative, OpenJS Foundation, University of California, OWASP, Santa Cruz OSPO, Sovereign Tech Agency, SustainOSS
And as always, thanks to our kgateway community! If you haven’t already, come join us in the #kgateway channel on the CNCF Slack and share your security best practices.