PkgRadar

Go modules · proxy.golang.org

github.com/sigstore/cosign/v3

Remote Payload: matched "curl "

Why PkgRadar flagged v3.1.2-0.20260615173559-ed0efe8cb464

SeveritySignalEvidence
mediumRemote Payloadmatched "curl " · github.com/sigstore/cosign/[email protected]/cmd/cosign/cli/signcommon/common.go

Scanned versions

VersionVerdictScoreScanned (UTC)
v3.1.2-0.20260615173559-ed0efe8cb464Review122026-06-16
v3.1.2-0.20260612211247-a633e3a3272eReview122026-06-14
v3.1.2-0.20260612115720-0fc9811059a0Review122026-06-13
v3.1.2-0.20260609233433-2233166935e2Review122026-06-11
v3.1.1Review122026-06-10
v3.1.0Review122026-06-06
v3.0.7-0.20260602181321-ceeb6f4e4e46Review122026-06-03

Block this in CI

PkgRadar gates github.com/sigstore/cosign/v3 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/sigstore/cosign/[email protected]
Start free — 25 scans / moView full evidence
github.com/sigstore/cosign/v3 — Go modules security scan | PkgRadar