Keycloak tightened its security with the GitHub Secure Open Source Fund

February 17 2026 by Alexander Schwartz

Keycloak is the open-source IAM backbone for countless applications, and provides single sign-on, strong authentication and user federation across organizations.

We were part of the GitHub Secure Open Source Fund Session 3, participated in the three-week training and gained insights into how other projects handle incidents and implement security best practices. 67 projects were part of the training, so we received a lot of feedback.

What we improved

For Keycloak, we strengthened several aspects of our security posture. My personal highlights were:

Tighter control with CodeQL

We already had CodeQL running for our Java and JavaScript sources. The training gave us better insights into how it works, and we cleaned up existing findings and enabled additional queries. A key takeaway for us: CodeQL can scan your GitHub Actions workflows, too!

Refreshing the incident response plan

An incident response plan (IRP) helps you get things right when a vulnerability is reported, you suspect a leaked credential, or some other security incident happens. We already had an IRP, but received feedback on which additional steps we wanted to add to it. We might even make parts of it public in the future to collaborate better with security researchers.

Asking GitHub Copilot

When analyzing CodeQL reports, for example, it was helpful for us to ask GitHub Copilot for explanations of a finding and tips on how to mitigate it.

If you are a software developer or a user of Keycloak: When was the last time you reviewed your incident response plan?

Looking forward

This training helped us to prepare to host our very own Keycloak Bug Bounty!

Thank you to those who funded the training and presented demos and tools. Special thanks to the GitHub security team, who delivered several trainings, acted as security buddies during the program and answered individual questions!