gatekeeper

Patched
Policy & Compliance from mirror.gcr.io/openpolicyagent/gatekeeper
Pull Reference
ghcr.io/verity-org/openpolicyagent/gatekeeper
docker pull ghcr.io/verity-org/openpolicyagent/gatekeeper
Copa-Patched Image

Patched in-place from the upstream image using Copa . OS-level vulnerabilities are fixed without rebuilding \u2014 same layers, same behavior, fewer CVEs.

Supply Chain
Full compliance details
Signed SLSA L3 SBOM Rekor
Verify this artifact
Cosign signature
cosign verify \
  --certificate-identity-regexp "https://github.com/verity-org/verity/.github/workflows/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/verity-org/openpolicyagent/gatekeeper:v3.21.0
Build provenance
gh attestation verify \
  oci://ghcr.io/verity-org/openpolicyagent/gatekeeper:v3.21.0 \
  --owner verity-org

Vulnerability Scan

Found 13 vulnerabilit ies — none have upstream fixes available.

2CRITICAL5HIGH5MEDIUM1LOW

Fix available — pending patch

These vulnerabilities have upstream fixes but could not be automatically patched.

IDPackageInstalledFixedSeverity
CVE-2026-33186google.golang.org/grpcv1.75.11.79.3 CRITICAL
CVE-2025-68121stdlibv1.25.31.24.13, 1.25.7, 1.26.0-rc.3 CRITICAL
CVE-2026-24051go.opentelemetry.io/otel/sdkv1.38.01.40.0 HIGH
CVE-2025-61726stdlibv1.25.31.24.12, 1.25.6 HIGH
CVE-2025-61728stdlibv1.25.31.24.12, 1.25.6 HIGH
CVE-2025-61729stdlibv1.25.31.24.11, 1.25.5 HIGH
CVE-2026-25679stdlibv1.25.31.25.8, 1.26.1 HIGH
CVE-2025-47914golang.org/x/cryptov0.43.00.45.0 MEDIUM
CVE-2025-58181golang.org/x/cryptov0.43.00.45.0 MEDIUM
CVE-2025-61727stdlibv1.25.31.24.11, 1.25.5 MEDIUM
CVE-2025-61730stdlibv1.25.31.24.12, 1.25.6 MEDIUM
CVE-2026-27142stdlibv1.25.31.25.8, 1.26.1 MEDIUM
CVE-2026-27139stdlibv1.25.31.25.8, 1.26.1 LOW
Source
Copa (in-place patch)
Platforms
linux/amd64, linux/arm64
Registry
ghcr.io/verity-org
Upstream
mirror.gcr.io/openpolicyagent/gatekeeper