Security
Verify Zensu release bundles
Every self-hosted release bundle is cosign-signed and inventoried, so you can prove exactly what you are running — fully offline, without trusting a download or reaching the internet.
Cosign public verifier key
This is the public verifier key that signs every air-gap bundle. It ships inside the bundle and is published here out-of-band so you can compare the two before you trust anything. Download it directly at /cosign.pub.
-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdEg62u6N9tJ4tEuPhqmUYRp/M1fi xOTvFROuMMpSwO9rm4EBw+4PCx7PfsW/VkHokCtGH6Iyob3Gs0oc9Jy2dA== -----END PUBLIC KEY-----
SHA-256 of cosign.pub:
9dbf8ce15cdf1da7f5d81001bc4ea8221e7994978c59853d8424ad29fff74ba9
Verify offline
Verify the bundled SHA256SUMS against the key — no transparency
log, no network:
cosign verify-blob --key cosign.pub --new-bundle-format \ --bundle SHA256SUMS.cosign.bundle \ --insecure-ignore-tlog=true SHA256SUMS
Supply-chain posture
- The air-gap bundle ships a cosign-signed SHA256SUMS — key-based, no transparency log, so it verifies fully offline against the bundled cosign.pub.
- syft generates an SPDX SBOM per image, so your supply-chain review has a complete component inventory before anything is loaded.
- The installer verifies checksums before doing anything and aborts on a mismatch; the public verifier key is published out-of-band on zensu.dev/security.
Report a vulnerability
Found a security issue in Zensu? Please email our contact address with the details and we will follow up.