Security Deep Dive
werf
Security posture and CVE patch evidence from tracked releases.
4 critical dependency CVEs affects v2.69.1.
Audit transitive dependencies; consider upgrading or pinning replacements.
— Signed
— SLSA
— SBOM
✓ Security policy
Weekly cadence · 4d median
Active maintainer
Trust Signals — 3 of 9 Present
Evidence already collected from releases and repository metadata.
3/9
Present
Signed releases
Unknown
Latest release artifact signature
Latest release
—
SLSA provenance
Unknown
Attestation predicate level
Latest release
—
SBOM published
Unknown
GitHub SBOM API
Latest release
—
SECURITY.md
Present
GitHub repository metadata
Repository policy
Checked: 22d ago
Release cadence: weekly
Present
4d median over recent releases
Release history
Latest release: 7d ago
Maintainer active
Present
Recent commit activity
Repository
Last commit: 1d ago
Checksums (SHA256SUMS)
Not active yet
SHA256SUMS or equivalent
Release asset
Latest release: 7d ago
GitHub Actions attestation
Not active yet
actions/attest-build-provenance
Workflow file
Latest release: 7d ago
Signing assets
Not active yet
.sig, .crt, cosign.pub, or similar
Release asset
Latest release: 7d ago
4.1/10
Security Score
5.8/10
Scorecard
Dependency Exposure
112 transitive dependency
CVEs found in the latest SBOM.
4 critical.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
No EPSS data
freshness
1.00 / 1.0
Up to date
scorecard
2.32 / 4.0
Score 5.8/10
cve health
0.00 / 2.5
⚠ No direct scan — 4c/40h transitive CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
1.50 / 1.5
No KEV exposure
supply chain risk
-1.50 / 10.0
Risk 96.4/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
direct cves: clear
cve scan: estimated
Release responsiveness
release responsiveness
10.0
5%
patch speed days: no_history
Dependency exposure
dependency exposure
0.4
10%
supply chain risk: 96.37
transitive cves: 4c/40h
Provenance trust
provenance trust
5.8
40%
scorecard score: 5.8
openssf badge: none
Maintainer health
maintainer health
10.0
10%
activity freshness: 0d
Operational risk
operational risk
8.5
10%
kev exposure: clear
epss max: none
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 96.4/100
4
Transitive critical CVEs
0
KEV-transitive CVEs
81%
Dependency freshness
Scorecard
Scorecard 5.8/10OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.
| Check | Score | Reason |
|---|---|---|
| Code-Review | 6 | Found 15/23 approved changesets -- score normalized to 6 |
| Maintained | 10 | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 10 | security policy file detected |
| Packaging | -1 | packaging workflow not detected |
| Dangerous-Workflow | 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | 2 | badge detected: InProgress |
| Token-Permissions | 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 10 | no binaries found in the repo |
| Fuzzing | 0 | project is not fuzzed |
| License | 10 | license file detected |
| Branch-Protection | -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | -1 | no releases found |
| SAST | 0 | SAST tool is not run on all commits -- score normalized to 0 |
| Pinned-Dependencies | 0 | dependency not pinned by hash detected -- score normalized to 0 |
Dependency Vulnerabilities
742 dependencies scanned
View full dependency list →
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
4
High
40
Medium
52
Low
12
Unknown
4
Critical
4
High
40
Medium
52
Low
12
Unknown
4
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2024-41110 | critical | — | github.com/docker/docker | v25.0.5+incompatible | v2.68.0 |
| CVE-2025-21613 | critical | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| CVE-2026-33186 | critical | — | google.golang.org/grpc | v1.62.1 | v2.68.0 |
| GHSA-353f-x4gh-cqq8 | critical | — | nokogiri | 1.15.5 | v2.68.0 |
| CVE-2022-25883 | high | — | semver | 6.3.0 | v2.68.0 |
| CVE-2024-21538 | high | — | cross-spawn | 7.0.3 | v2.68.0 |
| CVE-2024-25621 | high | — | github.com/containerd/containerd | v1.7.14 | v2.68.0 |
| CVE-2024-3727 | high | — | github.com/containers/image/v5 | v5.30.0 | v2.68.0 |
| CVE-2024-4068 | high | — | braces | 3.0.2 | v2.68.0 |
| CVE-2024-47220 | high | — | webrick | 1.8.1 | v2.68.0 |
| CVE-2024-7254 | high | — | google-protobuf | 3.25.2 | v2.68.0 |
| CVE-2025-15558 | high | — | github.com/docker/cli | v25.0.5+incompatible | v2.68.0 |
| CVE-2025-21614 | high | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| CVE-2025-22868 | high | — | golang.org/x/oauth2 | v0.18.0 | v2.68.0 |
| CVE-2025-27610 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-31133 | high | — | github.com/opencontainers/runc | v1.1.12 | v2.68.0 |
| CVE-2025-46727 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-52565 | high | — | github.com/opencontainers/runc | v1.1.12 | v2.68.0 |
| CVE-2025-52881 | high | — | github.com/opencontainers/selinux | v1.11.0 | v2.68.0 |
| CVE-2025-52881 | high | — | github.com/opencontainers/runc | v1.1.12 | v2.68.0 |
| CVE-2025-61919 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-65637 | high | — | github.com/sirupsen/logrus | 1.8.0 | v2.68.0 |
| CVE-2025-66506 | high | — | github.com/sigstore/fulcio | v1.4.4 | v2.68.0 |
| CVE-2026-22860 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-24051 | high | — | go.opentelemetry.io/otel/sdk | v1.24.0 | v2.68.0 |
| CVE-2026-26996 | high | — | minimatch | 3.1.2 | v2.68.0 |
| CVE-2026-27903 | high | — | minimatch | 3.1.2 | v2.68.0 |
| CVE-2026-27904 | high | — | minimatch | 3.1.2 | v2.68.0 |
| CVE-2026-32141 | high | — | flatted | 3.2.6 | v2.68.0 |
| CVE-2026-33228 | high | — | flatted | 3.2.6 | v2.68.0 |
| CVE-2026-33671 | high | — | picomatch | 2.3.1 | v2.68.0 |
| CVE-2026-33747 | high | — | github.com/moby/buildkit | v0.13.1 | v2.68.0 |
| CVE-2026-33748 | high | — | github.com/moby/buildkit | v0.13.1 | v2.68.0 |
| CVE-2026-34040 | high | — | github.com/docker/docker | v25.0.5+incompatible | v2.68.0 |
| CVE-2026-34230 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34785 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34827 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34829 | high | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34986 | high | — | github.com/go-jose/go-jose/v3 | v3.0.3 | v2.68.0 |
| CVE-2026-35469 | high | — | github.com/moby/spdystream | v0.2.0 | v2.68.0 |
| CVE-2026-35611 | high | — | addressable | 2.8.0 | v2.68.0 |
| CVE-2026-39883 | high | — | go.opentelemetry.io/otel/sdk | v1.24.0 | v2.68.0 |
| GHSA-c4rq-3m3g-8wgx | high | — | nokogiri | 1.15.5 | v2.68.0 |
| GHSA-mrxw-mxhj-p664 | high | — | nokogiri | 1.15.5 | v2.68.0 |
| CVE-2024-25126 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2024-29041 | medium | — | express | 4.18.2 | v2.68.0 |
| CVE-2024-40635 | medium | — | github.com/containerd/containerd | v1.7.14 | v2.68.0 |
| CVE-2024-4067 | medium | — | micromatch | 4.0.5 | v2.68.0 |
| CVE-2024-45310 | medium | — | github.com/opencontainers/runc | v1.1.12 | v2.68.0 |
| CVE-2024-9341 | medium | — | github.com/containers/common | v0.58.1 | v2.68.0 |
| CVE-2025-14762 | medium | — | aws-sdk-s3 | 1.103.0 | v2.68.0 |
| CVE-2025-25184 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-25285 | medium | — | @octokit/endpoint | 10.1.1 | v2.68.0 |
| CVE-2025-25288 | medium | — | @octokit/plugin-paginate-rest | 2.21.3 | v2.68.0 |
| CVE-2025-25289 | medium | — | @octokit/request-error | 2.1.0 | v2.68.0 |
| CVE-2025-25290 | medium | — | @octokit/request | 9.1.1 | v2.68.0 |
| CVE-2025-27111 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-27144 | medium | — | github.com/go-jose/go-jose/v3 | v3.0.3 | v2.68.0 |
| CVE-2025-27789 | medium | — | @babel/runtime-corejs3 | 7.18.9 | v2.68.0 |
| CVE-2025-27789 | medium | — | @babel/runtime | 7.18.9 | v2.68.0 |
| CVE-2025-47914 | medium | — | golang.org/x/crypto | v0.41.0 | v2.68.0 |
| CVE-2025-58058 | medium | — | github.com/ulikunitz/xz | v0.5.11 | v2.68.0 |
| CVE-2025-58181 | medium | — | golang.org/x/crypto | v0.41.0 | v2.68.0 |
| CVE-2025-61780 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2025-64329 | medium | — | github.com/containerd/containerd | v1.7.14 | v2.68.0 |
| CVE-2025-6442 | medium | — | webrick | 1.8.1 | v2.68.0 |
| CVE-2025-64718 | medium | — | js-yaml | 4.1.0 | v2.68.0 |
| CVE-2025-69873 | medium | — | ajv | 6.12.6 | v2.68.0 |
| CVE-2026-22772 | medium | — | github.com/sigstore/fulcio | v1.4.4 | v2.68.0 |
| CVE-2026-23831 | medium | — | github.com/sigstore/rekor | v1.3.5 | v2.68.0 |
| CVE-2026-24117 | medium | — | github.com/sigstore/rekor | v1.3.5 | v2.68.0 |
| CVE-2026-24137 | medium | — | github.com/sigstore/sigstore | v1.8.2 | v2.68.0 |
| CVE-2026-25500 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-25934 | medium | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| CVE-2026-26961 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-32762 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-33169 | medium | — | activesupport | 6.1.7.6 | v2.68.0 |
| CVE-2026-33170 | medium | — | activesupport | 6.1.7.6 | v2.68.0 |
| CVE-2026-33176 | medium | — | activesupport | 6.1.7.6 | v2.68.0 |
| CVE-2026-33532 | medium | — | yaml | 1.7.0 | v2.68.0 |
| CVE-2026-33672 | medium | — | picomatch | 2.3.1 | v2.68.0 |
| CVE-2026-33750 | medium | — | brace-expansion | 1.1.11 | v2.68.0 |
| CVE-2026-33997 | medium | — | github.com/docker/docker | v25.0.5+incompatible | v2.68.0 |
| CVE-2026-34165 | medium | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| CVE-2026-34763 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34786 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34826 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34830 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34831 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-34835 | medium | — | rack | 3.0.8 | v2.68.0 |
| CVE-2026-39882 | medium | — | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | v1.24.0 | v2.68.0 |
| CVE-2026-39882 | medium | — | go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp | v0.44.0 | v2.68.0 |
| CVE-2026-41506 | medium | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| GHSA-v2fc-qm4h-8hqv | medium | — | nokogiri | 1.15.5 | v2.68.0 |
| GHSA-wx95-c6cv-8532 | medium | — | nokogiri | 1.15.5 | v2.68.0 |
| GHSA-xc9x-jj77-9p9j | medium | — | nokogiri | 1.15.5 | v2.68.0 |
| CVE-2024-26141 | low | — | rack | 3.0.8 | v2.68.0 |
| CVE-2024-26146 | low | — | rack | 3.0.8 | v2.68.0 |
| CVE-2024-43796 | low | — | express | 4.18.2 | v2.68.0 |
| CVE-2025-54410 | low | — | github.com/docker/docker | v25.0.5+incompatible | v2.68.0 |
| CVE-2025-58767 | low | — | rexml | 3.3.9 | v2.68.0 |
| CVE-2025-5889 | low | — | brace-expansion | 1.1.11 | v2.68.0 |
| CVE-2025-8556 | low | — | github.com/cloudflare/circl | v1.3.7 | v2.68.0 |
| CVE-2026-1229 | low | — | github.com/cloudflare/circl | v1.3.7 | v2.68.0 |
| CVE-2026-33762 | low | — | github.com/go-git/go-git/v5 | v5.12.0 | v2.68.0 |
| GHSA-5w6v-399v-w3cc | low | — | nokogiri | 1.15.5 | v2.68.0 |
| GHSA-r95h-9x8f-r3f7 | low | — | nokogiri | 1.15.5 | v2.68.0 |
| GHSA-vvfq-8hwr-qm4m | low | — | nokogiri | 1.15.5 | v2.68.0 |
| CVE-2025-47911 | unknown | — | golang.org/x/net | v0.43.0 | v2.68.0 |
| CVE-2025-47913 | unknown | — | golang.org/x/crypto | v0.41.0 | v2.68.0 |
| CVE-2025-58190 | unknown | — | golang.org/x/net | v0.43.0 | v2.68.0 |
| CVE-2026-33814 | unknown | — | golang.org/x/net | v0.43.0 | v2.68.0 |
Showing 112 of 112