Installations
npm install @sigstore/bundle
Releases
@sigstore/mock@0.9.0
Published on 26 Nov 2024
@sigstore/verify@2.0.0
Published on 14 Oct 2024
@sigstore/tuf@3.0.0
Published on 14 Oct 2024
@sigstore/sign@3.0.0
Published on 14 Oct 2024
@sigstore/rekor-types@3.0.0
Published on 14 Oct 2024
@sigstore/oci@0.4.0
Published on 14 Oct 2024
Developer
sigstore
Developer Guide
Module System
CommonJS
Min. Node Version
^18.17.0 || >=20.5.0
Typescript Support
Yes
Node Version
18.17.0
NPM Version
10.9.0
Statistics
157 Stars
1,084 Commits
23 Forks
7 Watching
23 Branches
43 Contributors
Updated on 28 Nov 2024
Bundle Size
38.07 kB
Minified
7.10 kB
Minified + Gzipped
Languages
TypeScript (97.99%)
JavaScript (1.26%)
Makefile (0.67%)
Shell (0.08%)
Batchfile (0.01%)
Total Downloads
Cumulative downloads
251,137,842
Last day
-4.7%
928,014
Compared to previous day
Last week
5.8%
5,307,120
Compared to previous week
Last month
7.7%
21,696,476
Compared to previous month
Last year
536.2%
217,023,975
Compared to previous year
Dependencies
1
sigstore-js
JavaScript libraries for interacting with Sigstore services.
Packages
- sigstore - Client library implementing Sigstore signing/verification workflows.
- @sigstore/bundle - TypeScript types and utility functions for working with Sigstore bundles.
- @sigstore/cli - Command line interface for signing/verifying artifacts with Sigstore.
- @sigstore/sign - Library for generating Sigstore signatures.
- @sigstore/tuf - Library for interacting with the Sigstore TUF repository.
- @sigstore/rekor-types - TypeScript types for the Sigstore Rekor REST API.
- @sigstore/mock - Mocking library for Sigstore services.
Development
Changesets
If you are contributing a user-facing or noteworthy change that should be added to the changelog, you should include a changeset with your PR by running the following command:
npx changeset add
Follow the prompts to specify whether the change is a major, minor or patch change. This will create a file in the .changesets directory of the repo. This change should be committed and included with your PR.
Release Steps
Whenever a new changeset is merged to the "main" branch, the release workflow will open a PR (or append to the existing PR if one is already open) with all of the pending changesets.
Publishing a release simply requires that you approve/merge this PR. This will trigger the publishing of the package to the npm registry and the creation of the GitHub release.
Licensing
sigstore-js is licensed under the Apache 2.0 License.
Contributing
See the contributing docs for details.
Code of Conduct
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Security
Should you discover any security issues, please refer to sigstore's security process.
Info
sigstore-js is developed as part of the sigstore project.
We also use a Slack channel.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
all changesets reviewed
Reason
no dangerous workflow patterns detected
Reason
update tool detected
Details
- Info: detected update tool: Dependabot: .github/dependabot.yml:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/sigstore/.github/SECURITY.md:1
- Info: Found linked content: github.com/sigstore/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/sigstore/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/sigstore/.github/SECURITY.md:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-merge.yml:14
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/compatibility-check.yml:18
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/dependabot-changesets.yml:12
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:18
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/smoke-test.yml:53
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/smoke-test.yml:106
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/smoke-test.yml:18
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/update-tuf-seeds.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/auto-merge.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:10
- Info: topLevel 'contents' permission set to 'read': .github/workflows/compatibility-check.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/conformance.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/dependabot-changesets.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:11
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/smoke-test.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/update-tuf-seeds.yml:10
Reason
0 existing vulnerabilities detected
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Info: codeowner review is required on branch 'main'
- Info: 'last push approval' is required to merge on branch 'main'
- Info: 'up-to-date branches' is required to merge on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
dependency not pinned by hash detected -- score normalized to 8
Details
- Warn: npmCommand not pinned by hash: .github/workflows/compatibility-check.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:34
- Info: 26 out of 26 GitHub-owned GitHubAction dependencies pinned
- Info: 6 out of 6 third-party GitHubAction dependencies pinned
- Info: 7 out of 9 npmCommand dependencies pinned
Reason
project has 2 contributing companies or organizations -- score normalized to 6
Details
- Info: github contributor org/company found, sigstore contributor org/company found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score: 8.7/10
Last Scanned on 2024-11-26T20:54:57Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.