Code signing and transparency for containers and binaries
github.com/sigstore/cosign/[email protected] is safe to use (health: 78/100)
Update to >= 3.0.5 to fix known vulnerabilities
| Severity | ID | Summary | Fixed in |
|---|---|---|---|
| unknown | BIT-cosign-2026-22703 | Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign | 3.0.4 |
| unknown | BIT-cosign-2026-24122 | Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign | 3.0.5 |
Get this data programmatically — free, no authentication.
curl https://depscope.dev/api/check/go/github.com/sigstore/cosign/v2

Last updated · 2026-04-06T21:25:20Z