KEDA Audit Complete! – OSTIF.org

Skip to content

Post published:June 29, 2026

Post category:7ASecurity / Audits / CNCF

The Open Source Technology Improvement Fund is proud to share the results of our security audit of KEDA .  KEDA (which stands for Kubernetes-based Event Driven Autoscaler) is an open source project for scaling containers in Kubernetes. With the help of 7ASecurity and the Cloud Native Computing Foundation, this project underwent a pentest and whitebox security review and audit.

Audit Process :

In February 2026, 6 security auditors began the work of thoroughly reviewing the source code and documentation of KEDA. Performed in 5 work packages, multiple functional aspects of the project were analyzed and targeted:

WP1: KEDA Controller & CRDs Security Review

WP2: Admission Webhook + Metrics Server + Internal Comms

WP3: Auth, Secret Handling, and Scaler Integration Review

WP4: Deployment Hardening & RBAC Review

WP5: Supply Chain Review

The KEDA project offers many features important to its use, and therefore a wide range of focus points for this work were identified in order to fulfill the holistic nature of this engagement.

Audit Results :

15 Findings with Security Impact

4 High

5 Medium

6 Low

5 Hardening Recommendations

SLSA review of Supply Chain and Release

Recommendations for Future Work

The report mentions several positive impressions left on the auditors by the project and its development, as well as the helpfulness of the maintainers in supporting the ongoing security work. KEDA has fixed or addressed all the findings in the audit report, so please update to the most recent release to take advantage of the work performed during this audit. If you are interested in supporting the KEDA project and community, learn more about it on their website.

Thank you to the individuals and groups that made this engagement possible:

KEDA maintainers and community, especially: Jorge Turrado and Zbynek Roubalik

7ASecurity, especially: Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski

Cloud Native Computing Foundation

You can read the Audit Report HERE

Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!

Tags: 7ASecurity, Audit, cncf, keda, OSTIF

Topics

7ASecurity

ADA Logics

Audits

AWS

Bug Bounties

Chainguard

CNCF

Community

Eclipse Foundation

Encryption

Financial

Fundraiser

Include Security

Kudelski Security

Linux Kernel

Monero

News

Open Source

OpenSSL

OpenVPN

QuarksLab

Security

Shielder

Sovereign Tech Agency

Sovereign Tech Agency

Trail of Bits

Transparency

Unbound DNS

Uncategorized

VeraCrypt

WireGuard

X41-Dsec

Archives<br>Archives

Select Month<br>June 2026<br>May 2026<br>April 2026<br>March 2026<br>February 2026<br>January 2026<br>December 2025<br>November 2025<br>October 2025<br>September 2025<br>August 2025<br>July 2025<br>June 2025<br>May 2025<br>April 2025<br>March 2025<br>February 2025<br>January 2025<br>December 2024<br>October 2024<br>September 2024<br>August 2024<br>July 2024<br>June 2024<br>May 2024<br>April 2024<br>March 2024<br>February 2024<br>January 2024<br>December 2023<br>November 2023<br>October 2023<br>September 2023<br>August 2023<br>July 2023<br>June 2023<br>May 2023<br>April 2023<br>March 2023<br>February 2023<br>January 2023<br>December 2022<br>November 2022<br>October 2022<br>August 2022<br>July 2022<br>June 2022<br>November 2021<br>October 2021<br>September 2021<br>June 2021<br>January 2021<br>July 2020<br>April 2020<br>December 2019<br>August 2019<br>July 2019<br>June 2019<br>May 2019<br>February 2019<br>January 2019<br>October 2018<br>September 2018<br>July 2018<br>May 2018<br>March 2018<br>January 2018<br>November 2017<br>October 2017<br>September 2017<br>July 2017<br>June 2017<br>May 2017<br>April 2017<br>March 2017<br>February 2017<br>January 2017<br>December 2016<br>November 2016<br>October 2016<br>September 2016<br>August 2016<br>June 2016<br>May 2016<br>April 2016<br>February 2016<br>January 2016<br>December 2015<br>November 2015<br>October 2015<br>September 2015<br>July 2015<br>May 2015

Categories

7ASecurity

ADA Logics

Audits

AWS

Bug Bounties

Chainguard

CNCF

Community

Eclipse Foundation

Encryption

Financial

Fundraiser

Include Security

Kudelski Security

Linux Kernel

Monero

News

Open Source

OpenSSL

OpenVPN

QuarksLab

Security

Shielder

Sovereign Tech Agency

Sovereign Tech Agency

Trail of Bits

Transparency

Unbound DNS

Uncategorized

VeraCrypt

WireGuard

X41-Dsec

Archives

June 2026

May 2026

April 2026

March 2026

February 2026

January 2026

December 2025

November 2025

October 2025

September 2025

August 2025

July 2025

June 2025

May 2025

April 2025

March 2025

February 2025

January 2025

December 2024

October 2024

September 2024

August 2024

July 2024

June 2024

May 2024

April 2024

March 2024

February 2024

January 2024

December 2023

November 2023

October 2023

September 2023

August 2023

July 2023

June 2023

May 2023

April 2023

March 2023

February 2023

January 2023

December 2022

November 2022

October 2022

August 2022

July 2022

June 2022

November 2021

October 2021

September 2021

June...