The CD Foundation currently has 6 open source projects: CDEvents, Jenkins, Jenkins X, Ortelius, Screwdriver, and Spinnaker.
Our projects solve some of the biggest issues in the Continuous Delivery and Continuous Integration space. We always want to expand our project communities with additional contributors, end users, and passionate technologists. Please check out each project to see what you can do to get involved!
Here are the early 2026 highlights for each project Features and Releases. Click “Read More” for everything else this project has been up to.
CDEvents
Features and releases
During the first quarter of 2026, the CDEvents project made a new patch release v0.5.1, which addresses an issue with the schema for three events. CI has been improved to prevent this issue from happening again.
SDK releases for v0.5.x:
In terms of new features scheduled for v0.6:
- Approval Events have been added
- Support for domain-level IDs in links (WIP)
- Changes to improve consistency of the specification (WIP)
Talks at Events
- FOSDEM 2026 (2026-02-02): “Building CDviz: Lessons from Creating CI/CD Observability Tooling”
- CfgMgmtCamp 2026 (2026-02-03): “Event-Driven CI/CD Observability: Infrastructure as Observable Events“
Jenkins
Features and releases
Notable weekly releases in Q1 2026 included:
- Jenkins 2.545 (January 5) – Require Java 21 or newer for the Jenkins controller
- Jenkins 2.551 (February 18) – Security fixes as published in the security advisory
- Jenkins 2.552 (February 24) – Add experimental plugin manager UI
- Jenkins 2.554 (March 7) – Adapt script console for experimental UI
- Jenkins 2.555 (March 18) – Security fixes as published in the security advisory
- Jenkins 2.556 (March 25) – Upgrade to Spring Security 7 and Spring Framework 7
LTS releases in Q1 2026:
- Jenkins 2.541.1 (January 21) – Unified RPM repository and updated GPG signing key for RPM and DEB packages
- Jenkins 2.541.2 (February 18) – Security fixes as published in the security advisory
- Jenkins 2.541.3 (March 18) – Security fixes as published in the security advisory
Jenkins continued its pattern of releasing a new version every week and a new long term support version every 4 weeks. New features in long term support releases are summarized in the “What’s new in Jenkins LTS” playlist.
Google Summer of Code 2026
Jenkins has been accepted as a Google Summer of Code 2026 project. Over 300 proposals have been received and are being reviewed. Accepted projects will be announced April 30, 2026, with the projects beginning May 1, 2026. Special thanks to our organization lead mentor, Kris Stern, and the other Google Summer of Code mentors.
Security Updates
This advisory addressed multiple plugin vulnerabilities, including:
- Stored XSS vulnerability in node offline cause description (CVE-2026-27099) – Cross-site scripting vulnerability
- Build information disclosure vulnerability through Run Parameter (CVE-2026-27100) – Medium severity information disclosure through Run Parameter
This advisory addressed vulnerabilities in core plugins:
- File system information disclosure in Git client Plugin (CVE-2026-58458) – Medium severity allowing attackers to check file existence on Jenkins controller
- SMTP command injection in Jakarta Mail API Plugin (CVE-2026-7962) – Medium severity allowing arbitrary email contents to be sent
- Missing permission checks in global-build-stats Plugin (CVE-2026-58459) – Medium severity allowing enumeration of graph IDs
- Missing permission check in OpenTelemetry Plugin (CVE-2026-58460) – Medium severity allowing credential capture
JayeX
The Jenkins X project has officially changed it’s name to JayeX. There are still a lot of work to have the name change permeate the whole project. Read the announcement.
- Work is ongoing to replace Ingress NGINX with Envoy Proxy as the default ingress controller.
- Various improvements have been made to make lighthouse—more scalable with the number of repositories. This includes being more efficient in the use of the GitHub API and concurrency support.
Ortelius
Roadmap
- Continue to refine the Ortelius AI for updating package manager files using the Claude LLM and Ortelius MCP.
- Next is to add in GitLab support for getting the release and deployment data from GitLab workflow logs.
- Add more “how to” videos.
- Blog-a-thon is current being worked on by the contributors.
Features and release
- Completed V12 release for the new UI and backend using pure ArangoDB. REST, GraphQL and Kafka are now supported. This also includes easy onboarding using a GitHub Ortelius App to bring in release artifacts and deployment data.
Adoption updates
Working on implementing Ortelius for Space Domain Awareness TAP Lab and BlueStaq.
Community updates
VulnCon outreach brought in new members include folks from IBM and RedHat.
Security updates
Revonate runs on all (~40) repos keeping dependencies up to date. CVEs are fixed within 2-3 days.
Screwdriver
Features and release
Component versions as of Q1 2026:
- API v8.0.135
- UI v1.0.1399
- Store v7.0.0
- Queue-Service v5.0.6
- Launcher v6.0.233
- Build Cluster Worker v6.1.0
Notable Updates:
- Expanded permissions for admins to perform actions.
- Improved log downloading for large logs.
Spinnaker
- AWS SDK2 is slowly going into various services.
- Spring boot 3 is merged, fixes have been applied for auth and is now considered stable
- The spinnaker docs on installation have been rewritten. The old installation tool (Halyard) is deprecated and removed from most documentation. Migration scripts from halyard are provided. The default installation is native using kustomize and an example repository with configurations is available.
- Spinnaker is moving all future images from google’s artifact storage to GHCR due to GAR cost spend. You can find the images for the spinnaker microservices here
We have had multiple releases since the last update and are getting ready for a new release with some new secret manager features, improved performance features and similar updates.
Features and release
Currently supported releases and release notes are available here: https://spinnaker.io/docs/releases/versions/
Adoption updates
No major known changes in adoption. However, dashboards and reports showing spinnaker installation and utilization have been fixed and are available again on the stats pages and show continued usage and lots of activity.
WE THINK this data MAY not be entirely accurate at this time. Example:
- January shows 6,202 instances, 349k applications, 20 million deployments.
- February shows 6,687 instances of spinnaker running, 12 million deployments, 232,000 applications. An increase of 10% on instances.
- March shows 7324 instances, 236,000 applications, and 20 million deployments.
The data is inconsistent and could be tests or restarts or similar data that somewhat randomizes the results on statistics reporting.
Security updates
New vulnerabilities HAVE been published. These are critical and high. It’s HIGHLY recommended to upgrade as soon as possible to a supported release.
Infrastructure updates
Per above, we are moving all docker images out of GAR to GHCR due to cost of image pulls from the community, as GHCR is free for open source projects and given our CI is all in GHA, this was a simple migration path.
For more information on the CD Foundation projects and how to contribute, check out the project page.