KEDA audit by 7ASecurity

7ASecurity is proud to share the results of our security audit of KEDA. KEDA (Kubernetes-based Event Driven Autoscaler) is an open source project for scaling containers in Kubernetes in response to event sources. In collaboration with the Open Source Technology Improvement Fund and the Cloud Native Computing Foundation, the project underwent a pentest and whitebox security review, contributing to KEDA's ongoing security and development work.


Audit Process:

In February 2026, a team of 6 security auditors from 7ASecurity began a thorough review of KEDA's source code and documentation. The work was organized into 5 work packages, each targeting a distinct functional area of the project:

  • WP1: KEDA Controller & CRDs Security Review
  • WP2: Admission Webhook + Metrics Server + Internal Comms
  • WP3: Auth, Secret Handling, and Scaler Integration Review
  • WP4: Deployment Hardening & RBAC Review
  • WP5: Supply Chain Review

Because KEDA exposes a broad feature set (custom resources, an admission webhook, a metrics server, many scaler integrations and their credentials), the engagement was scoped across all of these areas rather than any single component, so that the review would be holistic.

Audit Results:

  • 15 Findings with Security Impact
      • 4 High
      • 5 Medium
      • 6 Low
  • 5 Hardening Recommendations
  • SLSA review of Supply Chain and Release
  • Recommendations for Future Work

The KEDA maintainers and community were engaged and helpful partners throughout the audit; that kind of responsiveness clarifies and expedites large, complex security engagements like this one for the auditors. The report notes the positive impression the project and its development practices left on the 7ASecurity team, as well as the maintainers' support for the ongoing security work. KEDA has fixed or otherwise addressed all of the findings in the audit report, so please update to the most recent release to benefit from the work performed during this audit. If you are interested in supporting the KEDA project and community, learn more about it on their website.

Acknowledgements:

Thank you to the individuals and groups that made this engagement possible:

  • KEDA maintainers and community, especially: Jorge Turrado and Zbynek Roubalik
  • OSTIF for facilitating and coordinating this engagement
  • Cloud Native Computing Foundation

Read the reports:

You can read the Audit Report HERE

You can read OSTIF's Blog HERE

Everyone around the world depends on open source software. If you are interested in financially supporting this critical work, reach out to contactus@ostif.org. Follow https://lu.ma/ostif-meetups to subscribe to OSTIF's events page.