SBOM Starter Kit: Get Your Copy

From Prometheus to Kubernetes: Why CNCF Projects Prefer FOSSA

The Cloud Native Computing Foundation (CNCF) is the organization behind some of the world’s biggest and most influential open source software projects. It’s the hub for the likes of Kubernetes, Argo, Prometheus, Dapr, and many more. 

CNCF also hosts the popular Kubecon and CloudNativeCon events, which draw a wide range of leading enterprises, open source projects, and other technologists.

Given its standing as a pillar of the open source community, it shouldn’t come as a surprise that CNCF and its member projects take open source management seriously. That includes using the right software composition analysis tools to automate open source license compliance and security. 

CNCF projects have plenty of freedom to use whichever SCA solution they like most. But, despite the wide variety of tools on the market today, FOSSA is the clear preference for a majority of CNCF’s projects. According to Chris Aniszczyk, CNCF’s CTO and co-founder, roughly two-thirds of the organization’s 160 projects currently use FOSSA.

We recently sat down with Chris to discuss the reasons why CNCF has adopted FOSSA at such an impressive rate, including the maintainer experience and benefits from the tool.

“We have an approach that every CNCF project is welcome to use whatever tools they think are best for their needs, and FOSSA is used by about two-thirds of our 160 projects currently. We allow projects to choose whatever SCA tool they are interested in and most default to FOSSA since it’s easier to get started for them than other tools.”

-Chris Aniszczyk, CNCF CTO and co-founder. 

FOSSA: For individuals not familiar with the CNCF, can you share a little bit about some of its more well-known projects, what makes it unique, and your role within it?

Chris Aniszczyk: The Cloud Native Computing Foundation (CNCF) is the open source, vendor-neutral hub of cloud-native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable. It also runs one of the largest, if not the largest, open source conferences in the world, kubecon.io! We recently hosted about 11,000 people in Amsterdam which made it the largest open source conference in Europe.

I’m one of the co-founders and currently serve as the CTO of the organization.

I think what makes CNCF unique compared to traditional open source foundations is that some other foundations are either too focused on the individual maintainer or focused on vendors. CNCF blends individuals, vendors, end-users, and even academics into one non-profit organization, giving everyone representation to support open source projects. Also, CNCF offers a strong backbone of services to open source projects, built around the goal of sustaining most project needs outside of just code management and technical decisions. We offer an enhanced set of services via professional staff that involves technical writing, security audits, and more. We take a data-driven approach to working with our project and maintainer community; we actively survey to improve our services and community satisfaction.

FOSSA: When did the CNCF start using FOSSA, and what were some of the first projects that adopted it? And, what prompted you to start with FOSSA?

Chris Aniszczyk: CNCF first started to adopt FOSSA in 2016 when we were looking to improve and automate the IP cleanliness of our projects, on top of saving project maintainers time. The first projects to adopt the tool were Kubernetes and Prometheus.

The reason we started with FOSSA was we evaluated a variety of tools at the time and no other tool was close in terms of developer experience. Also, FOSSA was an early supporter of the Go language, which is widely used in the CNCF ecosystem.

FOSSA: How does the CNCF use FOSSA today? Which projects use it, and what are their primary use cases?

Chris Aniszczyk: We have an approach that every CNCF project is welcome to use whatever tools they think are best for their needs and FOSSA is used by about two-thirds of our 160 projects currently.

We allow projects to choose whatever SCA tool they are interested in and most default to FOSSA since it’s easier to get started for them than other tools.

FOSSA: What is the developer experience like with FOSSA? From implementation to ongoing usage, can you share some of the highlights/reasons why your projects’ developers like the tool?

Chris Aniszczyk: What our community enjoys about FOSSA is that the developer experience is solid and provides not only a typical web-based UI to explore results but also a great CLI tool that can be used standalone or even integrated into builds.

We also appreciate that FOSSA was an early supporter and adopter of SBOM standards such as SPDX, which we have been a proponent of since the start of CNCF.

FOSSA: What are the biggest benefits your projects have gained from using FOSSA? How does it help in the day-to-day of open source risk management?

Chris Aniszczyk: We used to perform a ton of manual and costly audits of our open source projects, and we were able to scale those down significantly and pair them with the developer-friendly and automated approach that FOSSA provides. We have not only saved money but time across the board. Another benefit is that developers spend more time caring about their dependencies and are more mindful about what software they depend on now.

FOSSA: What advice would you have for organizations considering FOSSA? 

Chris Aniszczyk: Open source now is truly everywhere and part of your software supply chain, whether you are fully aware of it or not. You have to manage your open source risk to protect your organization against software licensing issues and vulnerabilities.

"I think it’s critical to find a solution that is not only friendly to lawyers or engineering leadership but has great experience for day-to-day developers. FOSSA gives you both, and it’s hard to find a solution that has that currently in the market."