Skip to content
Switch branches/tags

Latest commit

* Create

* Add files via upload

* Create images

* Add files via upload

* Delete images

* Add files via upload

* Temporary placeholder pdf

Signed-off-by: Brandon Lum <>

* add new MD

Signed-off-by: Brandon Lum <>

Co-authored-by: Brandon Lum <>

Git stats


Failed to load latest commit information.

CNCF Security Technical Advisory Group

Cloud Native Security logo

Quick links


STAG facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.


“Cloud Native” is open source cloud computing for applications — a complete trusted toolkit for modern architectures. There are multiple projects which address key parts of the problem of providing access controls and addressing safety concerns. Each of these adds value, yet for these technical solutions to be capable of working well together and manageable to operate they will need a minimal shared context of what defines a secure system architecture.


There is a future where operators, administrators and developers feel confident creating new cloud native applications. They use cloud technologies with clear understanding of risks and the ability to validate that their security policy decisions are reflected in deployed software.

We envision that there could exist an ecosystem of tools that can simplify the experience of cloud native operators, administrators and developers, including:

  1. System security architecture that understands and accommodates the ever growing heterogeneity of systems and provides a framework to protect resources and data while servicing their users.
  2. Common vocabulary and open source libraries that make it easy for developers to create and deploy apps that meet system security requirements.
  3. Common libraries and protocols that enable people to reason about the security of the system, such as auditing and explainability features.


STAG charter outlines the scope of our group activities, as part of our governance process which details how we work.


Anyone is welcome to join our open discussions of STAG projects and share news related to the group's mission and charter. Much of the work of the group happens outside of Security TAG meetings and we encourage project teams to share progress updates or post questions in these channels:

Group communication:


Slack governance

Refer to the slack governance document for details on slack channels and posting to the channels.

Meeting times

Group meeting times are listed below:

  • US: Weekly on Wednesdays at 10:00am UTC-7 (see your timezone here)

See the CNCF Calendar for calendar invites.

Meeting minutes and agenda

Zoom Meeting Details

Meeting Link: (Password: 77777)

One tap mobile:

Location Number
US - New York +16465588656,,7375677271#
US - San Jose +16699006833,,7375677271#

Dial by your location:

Location Number
US - New York +1 646 558 8656
US - San Jose +1 669 900 6833
US - Toll-free 877 369 0926
US - Toll-free 855 880 1246
Australia - Toll-free 1800 945 157

Or find your local number.

Meeting ID: 737 567 7271


Please let us know if you are going and if you are interested in attending (or helping to organize!) a gathering. Create a github issue for an event and add to list below:

  • KubeCon + CloudNativeCon, Europe May 16-20 2022

Past events

New members

If you are new to the group, we encourage you to check out our New Members Page

Related groups

There are several groups that are affiliated to or do work and cover topics relevant to the work of Security TAG. These can be seen here



STAG Chairs

  • Brandon Lum (@lumjjb), Google [Chair term: 6/3/2021 - 6/3/2023]
  • Aradhana Chetal (@achetal01), TIAA [Chair term: 6/3/2021 - 6/3/2023]
  • Andrew Martin (@sublimino), Control Plane [Chair term: 3/17/2022 - 3/17/2024]

Tech Leads

STAG Chair Emeriti

  • Dan Shaw (@dshaw), PayPal [Chair term: 6/3/2019 - 9/3/2020]
  • Sarah Allen (@ultrasaurus), [Chair term: 6/3/2019 - 6/3/2021]
  • Jeyappragash JJ (@pragashj), [Chair term: 6/3/2019 - 6/3/2021]
  • Emily Fox (@TheFoxAtWork), Apple [Chair term: 9/28/2020 - 2/4/2022]

On-going projects

Policy team

Policy is an essential component of a secure system.

Bi-weekly meetings at 3:00 PM PT focus on policy concerns and initiatives.


  • TBD

Co-chair representative: @achetal01

Security reviews

Security reviews are a collaborative process for the benefit of cloud native projects and prospective users by creating a consistent overview of the project and its risk profile.

Facilitator: Justin Cappos (@JustinCappos), New York University

Co-chair representative: @lumjjb

Software Supply Chain Security

Software Supply Chain attacks have come to the wider community's attention following recent high-profile attack, but have been an ongoing threat for a long time. With the ever growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined.

Weekly meetings at 8:00 AM PT (50 min) (see your timezone here) See CNCF calendar for invite.

Facilitator for current deliverables is listed on the issue

Additional information

CNCF STAG reviews

As part of the CNCF project proposal process projects should create a new security review issue with a self-assessment.

Past events and meetings

For more details on past events and meetings, please see our past events page


🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!




Code of conduct





No releases published


No packages published