The Open Source Technology Improvement Fund is proud to share the results of our security audit of KEDA.  KEDA (which stands for Kubernetes-based Event Driven Autoscaler) is an open source project for scaling containers in Kubernetes. With the help of 7ASecurity and the Cloud Native Computing Foundation, this project underwent a pentest and whitebox security review and audit. 

Audit Process:

In February 2026, 6 security auditors began the work of thoroughly reviewing the source code and documentation of KEDA. The engagement was performed in 5 work packages, each targeting a different functional area of the project:

  • WP1: KEDA Controller & CRDs Security Review
  • WP2: Admission Webhook + Metrics Server + Internal Comms 
  • WP3: Auth, Secret Handling, and Scaler Integration Review
  • WP4: Deployment Hardening & RBAC Review
  • WP5: Supply Chain Review

Because KEDA exposes a broad feature set (controller and custom resources, an admission webhook, a metrics server, many scaler integrations with their own authentication and secret handling, and a release pipeline), a correspondingly wide range of focus points was identified so that the engagement could cover the project holistically rather than a single component.

Audit Results:

  • 15 Findings with Security Impact
    • 4 High
    • 5 Medium
    • 6 Low
  • 5 Hardening Recommendations
  • SLSA review of Supply Chain and Release
  • Recommendations for Future Work

The report mentions several positive impressions left on the auditors by the project and its development, as well as the helpfulness of the maintainers in supporting the ongoing security work. KEDA has fixed or addressed all the findings in the audit report, so please update to the most recent release to take advantage of the work performed during this audit. If you are interested in supporting the KEDA project and community, learn more about it on their website.

Thank you to the individuals and groups that made this engagement possible:

  • KEDA maintainers and community, especially: Jorge Turrado and Zbynek Roubalik
  • 7ASecurity, especially: Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski
  • Cloud Native Computing Foundation

You can read the Audit Report HERE

Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!