PkgRadar

Go modules · proxy.golang.org

chainguard.dev/apko

Remote Payload: matched "curl "

Why PkgRadar flagged v1.2.15-0.20260527181455-74e64086fae7

| Severity | Signal | Evidence |
|---|---|---|
| medium | Remote Payload | matched "curl " · chainguard.dev/[email protected]/pkg/sbom/generator/spdx/testdata/apk_sboms/_generate.sh |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| v1.2.18-0.20260616051512-ebd9255d9199 | Low risk | 0 | 2026-06-17 |
| v1.2.17-0.20260613010730-301fd0d625c7 | Low risk | 0 | 2026-06-14 |
| v1.2.17-0.20260612182453-ef578c30be29 | Low risk | 0 | 2026-06-13 |
| v1.2.17-0.20260612124220-6b57924d877d | Low risk | 0 | 2026-06-13 |
| v1.2.16 | Low risk | 0 | 2026-06-09 |
| v1.2.16-0.20260604050125-8bf905593d45 | Low risk | 0 | 2026-06-05 |
| v1.2.15 | Low risk | 0 | 2026-06-02 |
| v1.2.15-0.20260527181455-74e64086fae7 | Review | 12 | 2026-05-29 |

Block this in CI

PkgRadar gates chainguard.dev/apko (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go chainguard.dev/[email protected]