Is github.com/sigstore/cosign safe to use?

github.com/sigstore/cosign has 10 known vulnerabilities on the latest version (v1.13.6). DepScope rates its health at 42/100 (high risk).

What is the latest version of github.com/sigstore/cosign?

The latest version of github.com/sigstore/cosign is v1.13.6, released 2024-03-21.

Yes. github.com/sigstore/cosign has 10 known vulnerabilities. See depscope.dev/pkg/go/github.com/sigstore/cosign for details.

No, github.com/sigstore/cosign is actively maintained. Latest release: v1.13.6 (2024-03-21).

DepScope has no curated alternatives for github.com/sigstore/cosign at this time.

github.com/sigstore/cosign is licensed under Apache-2.0.

govv1.13.6

Code signing and transparency for containers and binaries

License Apache-2.0permissive39 versions248 maintainers0 deps5,837 weekly dl

/ 100

Health

safe to use

github.com/sigstore/[email protected] is safe to use (health: 42/100)

Update to >= 3.0.5 to fix known vulnerabilities

Health breakdown0 – 100

0/25

maintenance

6/20

popularity

19/25

security

12/15

maturity

5/15

community

Vulnerabilities

3 medium7 low

Advisories (10)

Severity	ID	Summary	Fixed in
medium	BIT-cosign-2024-29902	Cosign malicious attachments can cause system-wide denial of service	2.2.4
medium	BIT-cosign-2024-29903	Cosign malicious artifacts can cause machine-wide DoS	2.2.4
low	BIT-cosign-2023-46737	Cosign vulnerable to possible endless data attack from attacker-controlled registry	2.2.1
medium	BIT-cosign-2026-39395	Cosign's verify-blob-attestation reports false positive when payload parsing fails	2.6.3
low	BIT-cosign-2026-24122	Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped	3.0.5
unknown	BIT-cosign-2023-46737	Denial of service attack from remote registry in github.com/sigstore/cosign	2.2.1
unknown	BIT-cosign-2024-29902	Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign	2.2.4
unknown	BIT-cosign-2024-29903	Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign	2.2.4
unknown	BIT-cosign-2026-22703	Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign	3.0.4
unknown	BIT-cosign-2026-24122	Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign	3.0.5

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/sigstore/cosign

Last updated · 2024-03-21T22:30:20Z