Security Vulnerabilities in Software Supply Chain for Autonomous Vehicles

📅 2025-09-20
🤖 AI Summary
Autonomous vehicle (AV) software supply chains face severe security risks, primarily due to pervasive reliance on open-source components—including AI models, third-party libraries, and datasets—and the absence of robust security practices during development. This paper presents the first systematic, cross-project security audit of three major open-source AV platforms—Autoware, Apollo, and openpilot—leveraging software composition analysis (SCA) and static vulnerability scanning. The study identifies recurrent vulnerabilities across all platforms and empirically demonstrates that nearly 50% of automotive cyberattacks originate from supply-chain weaknesses; it further reveals widespread misalignment between security governance and development lifecycles. Key contributions include: (1) establishing the first benchmark for evaluating security in the AV open-source ecosystem; (2) providing empirical evidence underscoring the critical need for “shift-left” security integration; and (3) delivering actionable, stakeholder-specific mitigation strategies for researchers, engineering teams, and policymakers.

📝 Abstract
The interest in autonomous vehicles (AVs) for critical missions, including transportation, rescue, surveillance, reconnaissance, and mapping, is growing rapidly due to their significant safety and mobility benefits. AVs consist of complex software systems that leverage artificial intelligence (AI), sensor fusion algorithms, and real-time data processing. Additionally, AVs are becoming increasingly reliant on open-source software supply chains, such as open-source packages, third-party software components, AI models, and third-party datasets. Software security best practices in the automotive sector are often an afterthought for developers. Thus, significant cybersecurity risks exist in the software supply chain of AVs, particularly when secure software development practices are not rigorously implemented. For example, Upstream's 2024 Automotive Cybersecurity Report states that 49.5% of cyberattacks in the automotive sector are related to exploiting security vulnerabilities in software systems. In this chapter, we analyze security vulnerabilities in open-source software components in AVs. We utilize static analyzers on popular open-source AV software, such as Autoware, Apollo, and openpilot. Specifically, this chapter covers: (1) prevalent software security vulnerabilities of AVs; and (2) a comparison of static analyzer outputs for different open-source AV repositories. The goal is to inform researchers, practitioners, and policymakers about the existing security flaws in the commonplace open-source software ecosystem in the AV domain. The findings would emphasize the necessity of security best practices earlier in the software development lifecycle to reduce cybersecurity risks, thereby ensuring system reliability, safeguarding user data, and maintaining public trust in an increasingly automated world.
Problem

Research questions and friction points this paper is trying to address.

Analyzing security vulnerabilities in open-source software components used in autonomous vehicles
Identifying prevalent software security flaws through static analysis of AV repositories
Addressing cybersecurity risks in AV software supply chain to ensure system reliability
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzed security vulnerabilities in open-source AV software
Utilized static analyzers on Autoware, Apollo, and openpilot
Compared static analyzer outputs across different AV repositories
Md Wasiul Haque, Department of Civil, Construction and Environmental Engineering, University of Alabama, USA
Md Erfan, Ph.D. Graduate Student, University of Alabama; AP, Dept. of CSE, BU. Interests: Cyber Security, Software Engineering
Sagar Dasgupta, University of Alabama. Interests: ITS, CPS, Transportation Digital Twin, GNSS, Cybersecurity
Md Rayhanur Rahman, Assistant Professor, University of Alabama. Interests: Software security, cyberthreat intelligence, machine learning
Mizanur Rahman, Department of Civil, Construction and Environmental Engineering, University of Alabama, USA