This is one of nine FOSS teams selected for the first round of the STF Contribute Back Challenges. It is in the Securing FOSS Software Production area.
Apache Airflow is a top-level Apache project and a pivotal component in the Python ecosystem. It is the go-to solution for workflow orchestration, enabling data scientists and engineers to schedule and execute complex data pipelines. Enhancing its security model will provide a safe, state-of-the-art workflow orchestration tool.
Each participating team submitted a final report and included a portion to be published.
Thanks to the Contribute Back Challenge from the STF and the hard work of the community, Apache Airflow is now more secure than ever. During the last 4 months, the focused efforts on security allowed us to patch a certain number of vulnerabilities as well as strengthening our software supply chain. We can mention the new security model, SBOMs files, reproducible builds for providers and static code analysis to prevent new vulnerabilities.
Apache Airflow is proactively aligning with the latest security requirements of the industry. The team is currently engaged in planning and undertaking additional efforts, including discussions on VEX files, reproducible builds for the airflow core, docker images signing, and various other considerations.