Open-source security is shifting to the foreground as new code analysis tools flood core projects with vulnerability reports, forcing maintainers and enterprises to rethink how they secure and govern the software supply chain.
This surge is directly related to rapid AI adoption, which has pushed teams to wire new tools into existing pipelines without covering security basics such as identity, access control and data handling, according to Chris Robinson (pictured, right), chief technology officer of the Open Source Security Foundation. At the same time, frontier AI tools from suppliers such as Anthropic PBC can uncover hundreds of vulnerabilities across popular open-source projects in minutes, dramatically increasing the number of findings landing on maintainers’ desks, he added.
“They’re doing this stuff in minutes or hours, and then they’re submitting it upstream … it’s exponentially more traffic,” Robinson told theCUBE. “This coalition that we’re putting together, this program we’re developing, is going to try to help address this both from an upstream developer perspective — giving developers access to these tools and techniques to do it securely — but then also try to help influence some of these systems.”
Robinson and Greg Kroah-Hartman (left), fellow at the Linux Foundation, spoke with theCUBE’s Rob Strechay and Paul Nashawaty at KubeCon + CloudNativeCon EU, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how open-source security is evolving as AI tools alter the discovery of vulnerabilities and the response across critical software projects. (* Disclosure below.)
Somewhat paradoxically, AI is emerging as a core defensive tool for open-source security. The Linux kernel security team is no longer just dismissing AI-generated reports as obvious noise, but is instead seeing a growing number of credible findings that point to real vulnerabilities, Kroah-Hartman explained.
“We’re getting AI-generated health reports that are real,” he said. “And talking to the other open-source maintainers of core infrastructure projects, we’re all getting them. Everybody’s getting these bug reports because the tools are good enough at finding these bugs.”
Those rising volumes of credible reports could create an even heavier burden for maintainers as new regulatory requirements take hold. Pressure will only intensify as the EU Cyber Resilience Act takes effect, requiring manufacturers shipping products into the EU to report vulnerabilities upstream and provide a software bill of materials. OpenSSF is now trying to help developers and enterprises adopt AI more securely while equipping maintainers to manage the growing influx of vulnerability reports, Robinson explained.
“People are sprinting forward in this race and they are just grabbing tools off the shelf,” Robinson said. “We’re trying to work both up and down to educate those constituents and provide guidance.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the KubeCon + CloudNativeCon EU event:
(* Disclosure: The Cloud Native Computing Foundation sponsored this segment of theCUBE. Neither CNCF nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)