Open source maintainers are drowning. AI bots now generate more pull requests than human contributors, creating an impossible burden: how do you manually review thousands of code submissions when some are helpful, some are harmless mistakes, and some are actively malicious? A single compromised dependency can trigger supply chain attacks affecting millions of downstream users, yet maintainers—who are rarely security experts—must now defend against sophisticated threats while keeping development velocity high.
The cost of getting it wrong is massive. Supply chain attacks like the recent LiteLLM compromise demonstrate how AI-generated malicious code can steal secrets, act as worms, and exploit CI/CD pipelines. With the EU Cyber Resilience Act (CRA) enforcement approaching, open source projects face both security threats and regulatory pressure to harden their codebases.
The Guests: CRob, CTO at OpenSSF, and Michael Lieberman, Co-founder and CTO at Kusari
Key Takeaways
- Kusari Inspector is now free for all CNCF and OpenSSF projects, providing automated security reviews that filter noise and catch real threats before code merges
- The tool combines SAST scans, secret detection, and LLM analysis with prompt engineering—functioning as an expert system focused on application security best practices
- Kusari Inspector has already detected supply chain attacks including malicious CI/CD pipeline modifications and dependency poisoning attempts in real CNCF projects
- OpenSSF and CNCF are partnering with frontier AI model companies to provide developers with token access to high-quality tools ahead of CRA enforcement
- Multi-modal deployment options (GitHub app, GitHub Actions, CLI) enable integration into both traditional workflows and agentic AI coding environments
In this exclusive interview with Swapnil Bhartiya at TFiR, CRob, CTO of OpenSSF, and Michael Lieberman, Co-founder and CTO of Kusari, discuss the escalating threat of AI-generated code in open source ecosystems, the launch of free Kusari Inspector access for CNCF and OpenSSF projects, and strategies to prepare the open source community for EU Cyber Resilience Act compliance.
The AI Code Flood: When Bots Outnumber Human Contributors
The open source contribution model is breaking under the weight of automation. AI code generators now produce pull requests at a scale that makes manual human review mathematically impossible, creating an asymmetric threat where a single maintainer must evaluate potentially malicious submissions from thousands of AI agents.
Q: What’s the core problem with AI-generated code flooding open source repositories?
Michael Lieberman: “There’s been a problem for years with open source communities growing and growing, lots of new contributors, and now we have an even bigger problem with a lot of those contributors aren’t even human. They’re AI bots, robots. It’s impossible for humans to keep up with the never ending deluge of new pull requests. Some of those pull requests look very good. Some of those pull requests are potentially malicious behind the scenes, and some of those pull requests just maybe just have issues, mistakes that either a human or an AI made.”
CRob: “All these LLMs are trained off of public software, so broadly, open source is helping train these robots to get better, but every piece of software that you find on the internet is not necessarily written in a way that a commercial enterprise or a downstream user could securely use it. Sometimes the robot might give you good advice based off of a good, well written, secure project. Sometimes it might not, and it doesn’t present those results to you as a choice. It will just confidently tell you this is your answer, no matter whether that’s right, wrong or indifferent.”
The challenge extends beyond code quality. Training data for large language models includes insecure legacy code, abandoned projects, and code written before modern security practices existed. When AI confidently suggests patterns based on this corpus, it can introduce vulnerabilities that look legitimate to cursory review.
Kusari Inspector: Free Security Engineering for CNCF and OpenSSF Projects
At KubeCon CloudNativeCon Amsterdam, Kusari and OpenSSF announced that Kusari Inspector would be free for all Cloud Native Computing Foundation and Open Source Security Foundation projects. The tool addresses the AI code review crisis by functioning as an automated security engineer in the pull request workflow.
Q: How does Kusari Inspector actually work under the hood?
Michael Lieberman: “It’s a GitHub app, it’s a GitHub action, it’s a CLI tool that you can run as well. What really it’s focused on is analyzing changes to your code. It looks at those changes and tries to understand them and run security against them. What it doesn’t do is just ask the LLM, can you please give me security? Because that doesn’t work. What it does is it actually uses a lot of the great tools coming out of open source, those in CNCF and OpenSSF. Tools like scorecard, tools like zyr and similar, and it runs various scans. It runs SAST scans, secret scans, linters, all sorts of great stuff like that. It then filters out some immediate noise and then combines the code along with those results and feeds it into an LLM with some good prompt engineering in order to answer the question, hey, what actually is going on here? What actually is wrong?”
The architecture reflects a crucial insight: LLMs alone cannot guarantee security. Instead, Kusari Inspector uses established security scanning tools to generate objective findings, then employs AI to contextualize those findings within the specific code change, eliminating false positives that plague traditional scanners.
Q: What kind of real-world threats has Kusari Inspector detected?
Michael Lieberman: “If you have some test code with a secret in it, and it’s clearly a test secret, we’re not going to tell you, hey, this is a big issue you have to fix. We’re going to focus on the issues like you’re using an unmaintained project. Hey, did you know that you’re about to be supply chain compromised because you’re using something that’s clearly a malicious package here? We can help answer those questions, along with the normal stuff of, hey, here you actually do have a SQL injection vulnerability. You’re not pinning your dependencies.”
Michael Lieberman: “We’ve seen some supply chain incidents this week where folks are using AI to change the build process slightly. And then, hey, you as a maintainer, you’re not noticing. You say, cool, I’m going to run their CI. I’m going to run this through my GitHub CI, and then steal all the secrets, act as a worm, stuff like that. This is the LiteLLM situation we saw this week as well, with a compromise. Kusari Inspector can detect these things of, hey, did you know that you are allowing this malicious change to this pipeline? It tries to cross the whole gamut for projects. Not just maybe they’re a security expert in their code, but they might not be a security expert in GitHub security and GitHub CI, and inspector will help you there as well.”
The reference to LiteLLM highlights a sophisticated attack vector: malicious contributors submit seemingly innocuous changes to GitHub Actions workflows that exfiltrate repository secrets or compromise the CI/CD pipeline itself. These attacks exploit the trust maintainers place in automated testing infrastructure.
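A maintainer-side check for the pattern described above, as an added example (not Kusari Inspector's code and not from the interview): it reads a pull-request diff and reports added lines in GitHub Actions workflow files that switch to a privileged trigger, reference repository secrets, or use an action that is not pinned to a commit SHA. The rule names, the sample diff, and the action names in it are constructed for illustration.

```python
import re

# Constructed sample: a pull-request diff that edits a CI workflow and a README.
SAMPLE_DIFF = """\
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,9 @@
 name: ci
-on: pull_request
+on: pull_request_target
 jobs:
   test:
     steps:
       - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
+      - uses: example-org/setup-tool@main
+        env:
+          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+uses: docs/example@main
"""

# Hypothetical rule set; "unpinned" means the ref is not a 40-hex commit SHA.
RULES = [
    ("privileged-trigger", re.compile(r"\b(pull_request_target|workflow_run)\b")),
    ("secret-reference", re.compile(r"\$\{\{\s*secrets\.")),
    ("unpinned-action", re.compile(r"uses:\s*[^\s@#]+@(?![0-9a-f]{40}\b)\S+")),
]
WORKFLOW = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")

def review_workflow_changes(diff_text):
    """Return (path, rule, line) for every added workflow line that matches a rule."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])  # file the following hunks apply to
        elif line.startswith("+") and path and WORKFLOW.match(path):
            for rule, pattern in RULES:
                if pattern.search(line[1:]):
                    findings.append((path, rule, line[1:].strip()))
    return findings

if __name__ == "__main__":
    for path, rule, text in review_workflow_changes(SAMPLE_DIFF):
        print(f"{path}: {rule}: {text}")
```

A finding here is a prompt for human review before CI is allowed to run on the pull request, not proof of malice; legitimate workflow changes also reference secrets.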
Integration With Agentic Workflows: AI Checking AI
Beyond traditional code review, Kusari Inspector enables a new pattern: using AI coding assistants like Claude or ChatGPT to generate code, then automatically validating that code’s security before human review. This creates a closed-loop system where generative AI output is immediately checked by security-focused AI.
Q: How do developers integrate Kusari Inspector into AI-assisted coding workflows?
Michael Lieberman: “One of the things I use it for myself is I use the CLI and I have it in my agentic coding workflow. So I have Claude write me some code, and then I test its own security using inspector, and then have it fix itself. Because again, the challenge today is, as much as we would like to just ask AI and say, hey, just give me security, and it gives you the best security, that’s not the case. You have to tell it the right things to do. You have to tell it to operate like a security engineer. You have to tell it about, hey, the cool new tool in OpenSSF, I want you to use that.”
CRob: “This kind of thing goes along with the older idea of these systems being expert systems, where you’ve focused it on application best practices and security, and it’s not a multi purpose thing like open ChatGPT or Claude. It’s really focused and integrates with all these other tools through agents or GitHub actions or CLI.”
The expert system approach represents a critical evolution from general-purpose LLMs. By constraining the AI’s domain to security analysis and integrating it with proven scanning tools, Kusari Inspector avoids the hallucination and inconsistency problems that plague generic AI security advice.
Real-World Adoption: CNCF Projects Already Seeing Results
Early adopters within the CNCF ecosystem have integrated Kusari Inspector into their development workflows, catching vulnerabilities that both human reviewers and general-purpose AI coding assistants missed.
Q: What impact have projects seen from using Kusari Inspector?
Michael Lieberman: “A couple of weeks ago, I got a message from my good friend, a maintainer of witness, which is an in-toto project underneath the CNCF, John Chell. He wrote some code, Claude also double checked that code and provided some feedback. But when inspector looked at it, it detected a couple of small security issues in how he was writing the code. Having it flow back through Claude was able to automatically fix it. Folks are starting to use this today, and we’re seeing some other projects getting these AI pull requests, and we’re seeing them also use inspector early on in the pull request process, before tests run.”
The Witness project example demonstrates Kusari Inspector’s value even for security-conscious developers already using AI assistants. The tool caught issues that Claude missed, then provided feedback that enabled Claude to generate secure fixes—a collaborative AI model that leverages the strengths of both generative and analytical systems.
EU Cyber Resilience Act: Hardening Open Source Before Enforcement
The EU Cyber Resilience Act will impose manufacturer obligations on organizations distributing software products, including open source components. This regulatory pressure creates an urgent need for upstream projects to improve their security posture before downstream users begin demanding compliance evidence.
Q: How does Kusari Inspector help projects prepare for the Cyber Resilience Act?
CRob: “What I hope is that open source maintainers embrace this and start using it, and they help harden their project. A lot of developers aren’t security experts, but they care about security, and they’ve done certain things, so hopefully tools like inspector can help tighten up the couple little problems they may have, finding some low hanging fruit items, so that when the CRA comes into effect and the manufacturer’s obligations come in, hopefully these projects are hardened so that downstream isn’t going to be harassing them and filing issues and merge requests for things that honestly the project might not have time for they might have already fixed.”
Michael Lieberman: “We’re having conversations with the folks in the CRA working groups to encode a lot of those rules into inspector to help developers not just know, am I safe and secure? Is this good for the CRA but also when they’re making a change, is this going to impact anything you have to do in those cases as well?”
The proactive approach aims to prevent a future scenario where downstream manufacturers flood open source maintainers with automated compliance requests for vulnerabilities that have already been remediated. By hardening projects now, the ecosystem can absorb CRA requirements without overwhelming volunteer maintainers.
OpenSSF and CNCF Partnership Strategy: Access to Frontier AI Models
Beyond making Kusari Inspector free, OpenSSF and CNCF are creating an infrastructure to democratize access to cutting-edge AI security tools across the open source ecosystem.
Q: How are the foundations supporting broader AI adoption for security?
CRob: “We just recently are forming a partnership with the frontier model companies, where they’ve created a fund, where we’re going to try to go out and give developers access to these high quality tools, and give them tokens so that they can actually use it. Then we’re going to create a group of people that can help be the liaisons and help teach the developers at whatever level they want, whatever type of engagement they want, help them to understand the value of these tools, and hopefully that prepares us in advance of the avalanche for the CRA coming ahead. If we can get them access to these very sophisticated tools, ideally, they are going to do the homework, and hopefully we’ll all get through the CRA coming online with minimal speed bumps.”
The token fund addresses a practical barrier: even free tools incur costs when they use frontier AI models like GPT-4 or Claude. By subsidizing those API costs for open source projects, the foundations enable widespread adoption without requiring projects to budget for infrastructure.
Changing Developer Attitudes Toward AI Tooling
The open source community has developed skepticism toward AI, driven by spam research reports, low-quality automated contributions, and concerns about training data provenance. Changing this perception requires demonstrating concrete value through tools designed by maintainers who understand the problem space.
Q: How do you change the negative perception of AI among open source maintainers?
CRob: “Right now AI is a really bad word with upstream maintainers, mainly because of the research reports and the fact that they’re just being bombarded by robots and reports. I would like to try to change that attitude and help developers understand when properly used, these things can be amazing helpers, and you don’t have to be a CISSP like me. You can have the robot help you out. It’s this helper, this assistant. When you’re going in and coding, these tools can be infinitely helpful, giving you ideas, suggesting patches, reviewing your code. We’re trying to help destigmatize AI for the upstream developer, because it is, whether they like it or not, it’s coming. I want to try to make that land and make it as palatable for them as possible.”
Michael Lieberman: “It reminds me of the early days of fuzzing, where one of the problems with fuzzing was you would get these fuzzing reports that would tell you a million different things that were going wrong, but when you looked at it, only 10 percent of it was actually valid. A lot of stuff, it’s like, no, there’s no way it could ever be called in the way this fuzzer is expecting it to be called. When it comes to AI, what we need is we need to make sure that the experience for the actual maintainer and contributor to these projects is good, so that they feel enabled through this. We’re hoping tools like inspector and other tools that are coming out in the space make them feel that way.”
The fuzzing analogy is instructive: early security tools generated so much noise that practitioners ignored them. Inspector’s focus on filtering false positives before presenting findings to maintainers reflects lessons learned from that history.
Beyond Kusari Inspector: Educational Resources for Secure AI Development
The foundations are also investing in educational content to help developers use AI tools securely across their entire workflow, not just code review.
Q: What educational resources are you creating around AI and security?
CRob: “We’re working on guidance for developers. We have a whole class on how they can securely use vibe coding within their practice. We’re working on a much larger class about other AI techniques like LLMs and agents and MCP that’ll be out later this year. Trying to get knowledge to the people that are creating all these amazing ideas and sharing it with the world. I want to make it easy for them, and I want to help them do it securely so they don’t have to have somebody like me around. I’m trying to work myself out of a job.”
The mention of Model Context Protocol (MCP) indicates the foundations are tracking emerging AI development patterns. As AI coding tools evolve from simple autocomplete to complex agent systems with persistent context, security guidance must evolve in parallel.
Watch the full TFiR interview with CRob and Michael Lieberman here