Cosign Alternatives
Similar projects and alternatives to cosign
-
speedtest
Self-hosted Speed Test for HTML5 and more. Easy setup, examples, configurable, mobile friendly. Supports PHP, Node, Multiple servers, and more
-
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
-
kubescape
Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.
-
checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
-
metadata-action
GitHub Action to extract metadata (tags, labels) from Git reference and GitHub events for Docker
-
connaisseur
An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
-
in-toto-golang
A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
cosign discussion
cosign reviews and mentions
-
Introduction to Gitless GitOps: A New OCI-Centric and Secure Architecture
Flux uses cosign
-
Top Terraform/OpenTofu tools to Use in 2025
Verifies downloads using cosign and PGP (via gopenpgp), ensuring the integrity and authenticity of tool binaries.
- 1minDocker #13 - Push, build and dockerize with GitHub Actions
-
10 Docker Security Best Practices
SigStore project, including its cosign tool, implements simple signing, storage, and verification of artifacts.
-
Reading the Ruby 3.4 NEWS with professionals (English translation)
RubyGems now supports sigstore.dev, which aims to improve the security of the software supply chain. Sigstore is a series of mechanisms that provide automated signing for the software supply chain. If you pass the file path to a Sigstore Bundle generated using cosign or sigstore-ruby to --attestation, you can upload the Gem signature to RubyGems.
-
Securing CI/CD Images with Cosign and OPA
Cosign: In this context, Cosign from the Sigstore project offers a compelling solution. Its simplicity, registry compatibility, and effective link between images and their signatures provide a user-friendly and versatile approach. The integration of Fulcio for certificate management and Rekor for secure logging enhances Cosign's appeal, making it particularly suitable for modern development environments that prioritize security and agility.
-
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
sigstore is another suite of tools that focuses on attestation and provenance. Within the suite are two tools I heard mentioned a few times at KubeCon: Cosign and Rekor.
-
Spin 1.0 — The Developer Tool for Serverless WebAssembly
Since we can distribute Spin applications using popular registry services, we can also take advantage of ecosystem tools such as Sigstore and Cosign, which address the software supply chain issue by signing and verifying applications using Sigstore's new keyless signatures (using OIDC identity tokens from providers such as GitHub).
-
Iron Bank: Secure Registries, Secure Containers
Use distroless images (which contain only application and its runtime dependencies, and don't include package managers/shells or any other programs you would expect to find in a standard Linux distribution). All distroless images are signed by cosign.
-
Getting hands on with Sigstore Cosign on AWS
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.pem --signature https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.sig https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64
Stats
sigstore/cosign is an open source project licensed under Apache License 2.0 which is an OSI approved license.
The primary programming language of cosign is Go.