Open-Source Wikis

/

Cosign

/

By the numbers

sigstore/cosign

By the numbers

Data collected on 2026-04-30 from commit 13a3d79e on main.

Size

Metric Value
Go source files (excluding tests, vendor) 252
Test files (*_test.go) 112
Total Go files 364
Source LOC (Go, excluding tests) ~31,700
Top-level packages under pkg/ 8
Internal packages 5
Subcommands registered in cmd/cosign/cli/commands.go ~32
Specs in specs/ 6
GitHub workflows 18
xychart-beta horizontal
    title "Largest source files (lines of code)"
    x-axis ["pkg/cosign/verify.go", "pkg/oci/remote/remote.go", "pkg/cosign/keys.go", "cmd/cosign/cli/sign/sign.go", "cmd/cosign/cli/verify/common.go"]
    y-axis "LOC" 0 --> 2100
    bar [2012, 295, 326, 479, 475]

pkg/cosign/verify.go is the centre of gravity at ~2,000 lines and contains the legacy verification logic that predates the move to sigstore-go. cmd/cosign/cli/options/ contains the largest concentration of small files — one per option group — totalling ~270 KB of flag definitions.

Activity

Metric Value
Commits since first commit (2021-02-04) 3,086
Commits in the last 12 months 435
Latest commit 2026-04-23 (Require bundle output or registry upload (#4785))
Released tags (visible) v3.0.6 (latest), v3.0.0 (2025-10-07), v2.0.0 (2023-02-23), v1.0.0 (2021-07-28)
Unique committers 241

The codebase has been actively maintained for over five years with a steady cadence of patch releases. v3.0.0 in October 2025 was the last major release; v3 features have continued through the v3.0.x line.

Bot-attributed commits

A simple substring scan against git log --pretty=%an for bot|dependabot|renovate matches 1,170 / 3,085 author lines (~37%). This is dominated by @dependabot (Go module bumps) and the GitHub Actions renovate-style automation that updates pinned action SHAs. AI-assisted commits with explicit Co-authored-by: trailers are not separately tracked here — the number above is a lower bound on automation involvement.

TODO/FIXME

A repo-wide scan for TODO, FIXME, or HACK markers in Go source finds:

  • 36 files with at least one marker
  • 94 total occurrences

Most occurrences cluster around pkg/cosign/verify.go and cmd/cosign/cli/verify/common.go, reflecting in-progress migration to the protobuf bundle format and sigstore-go-based verification.

Subcommand surface

The CLI registers around 32 top-level subcommands (a few have nested children — for example attach, attest, download, generate, piv-tool, pkcs11-tool, bundle, signing-config, trusted-root, verify-attestation, verify-blob, verify-blob-attestation). The doc/ directory holds 56 markdown files, each describing one (sub)command — see doc/cosign.md for the auto-generated tree.

Build matrix

Makefile cross-compiles for darwin, linux, and windows on amd64 (the cross target). The default cosign target uses CGO_ENABLED=0; PIV/PKCS#11 builds switch to CGO_ENABLED=1 with build tags pivkey,pkcs11key. Container images are produced via ko (Makefile's ko-cosign and ko-cosign-dev targets) and published to ghcr.io/sigstore/cosign.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

By the numbers – Cosign wiki | Factory