
Securing the AI Software Supply Chain: Results Across 67 Open Source Projects
How the GitHub Secure Open Source Fund helped 67 critical AI-stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.
Modern software, especially in AI, is built on a foundation of open source projects. These components are the invisible infrastructure powering everything from LLM research to CI/CD pipelines. When these projects are secure, developers can innovate confidently; when they’re not, vulnerabilities can ripple across the entire digital ecosystem.
The GitHub Secure Open Source Fund
The GitHub Secure Open Source Fund (SOSF) is dedicated to securing the open source projects that underpin the digital supply chain and are critical to the modern AI stack. The fund links direct financial support to verified security outcomes, providing maintainers with resources, hands-on training, and a community for expert feedback.
Why Securing Critical Open Source Projects Matters
A single production service can depend on hundreds or thousands of transitive dependencies. As incidents like Log4Shell have shown, a vulnerability in one widely used project can have global consequences. Investing in open source security:
- Reinforces security as a baseline requirement for modern software
- Gives maintainers time and support for proactive security work
- Reduces systemic risk across the global software supply chain
Session 3: By the Numbers
- 67 projects
- 98 maintainers
- $670,000 in non-dilutive funding
- 99% of projects completed with core GitHub security features enabled
Cumulative results across all sessions:
- 138 projects
- 219 maintainers
- 38 countries
- $1.38M in funding
- 191 new CVEs issued
- 250+ new secrets prevented from leaking
- 600+ leaked secrets detected and resolved
- Billions of monthly downloads powered by alumni projects
- 500+ CodeQL alerts fixed in the last 6 months
- 66 secrets blocked in the last 6 months
Where Security Work Happened
Core Languages and Runtimes
Projects like CPython, Node.js, LLVM, and Rustls improved their security posture, benefiting entire ecosystems downstream.
Web, Networking, and Infrastructure Libraries
Projects such as curl, urllib3, Netty, and Apache APISIX secured the critical pathways of internet communication.
Build Systems, CI/CD, and Release Tooling
Jenkins, Apache Airflow, GoReleaser, PyPI Warehouse, webpack, and others focused on securing workflows that influence how software is built and shipped.
Data Science, Scientific Computing, and AI Foundations
Projects like pandas, SciPy, PyMC, and OpenSearch expanded security coverage, especially for AI and research pipelines.
Developer Tools and Productivity Utilities
Tools such as Selenium, Sphinx, ImageMagick, and calibre improved security to reduce risks in development and testing environments.
Identity, Secrets, and Security Frameworks
Keycloak, external-secrets, oauth2 libraries, and WebAuthn tooling shifted from reactive fixes to systematic threat modeling and long-term planning.
A Shift in Mindset
One of the most durable outcomes was a shift from reactive patching to proactive, community-driven security. Maintainers are now publishing playbooks, sharing incident response exercises, and passing on best practices to their communities—scaling security one-to-many.
What’s Next?
Securing open source is essential maintenance for the internet. With real funding, focused time, and expert help, maintainers shipped fixes that now protect millions of builds daily. Many are making their playbooks public and sharing incident-response plans that can be adopted by others.
Join the mission:
- Apply to the GitHub Secure Open Source Fund (Session 4 begins April 2026)
- Become a Funding or Ecosystem Partner
Thank you to all partners and maintainers helping secure the open source ecosystem for everyone!
Inspired by GitHub’s official post. For more details, visit the GitHub Security Lab.