OpenCost
v1.120.2Observabilityv1.120.2 is a substantial release with security fixes, memory leak patches, AWS CUR 2.0 support, OVH cloud provider, and supply chain security improvements via cosign image signing.
securityUpgrade immediately for CVE-2026-34986 fix
This release patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986 in Go dependencies. If you're running any prior v1.120.x or v1.119.x version, upgrade to v1.120.2 now. Check your vulnerability scanner output to confirm the affected packages are resolved post-upgrade.
enhancementVerify cosign image signatures in your admission pipeline
OpenCost images are now signed with cosign keyless signing and include SLSA provenance attestations. If your cluster uses an admission controller (e.g., Kyverno, Connaisseur), add a policy to enforce signature verification on opencost images. This closes a real supply-chain gap for teams running OpenCost in regulated environments.
enhancementEnable AWS CUR 2.0 and tune spot data feed behavior
If your AWS billing is already on CUR 2.0, you can now configure OpenCost to use it directly. Additionally, if you don't use the AWS spot data feed, set the new toggle to disable it — this suppresses noisy warnings and avoids unnecessary config polling. Teams with spot-heavy workloads should also benefit from the new spot price API caching layer reducing API call volume.
Key changes (5)
- Security: Patched vulnerable Go dependencies (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986) — upgrade promptly
- AWS CUR 2.0 support added, plus a configurable toggle to disable the spot data feed and spot price API caching
- Memory leak fixed in scrape target parsing; CPU counter overflow/reset protection added
- Container images now signed with cosign keyless signing and SLSA provenance attestation
- OVH cloud provider added; PV pricing can now be set via annotations; PV capacity parsing fixed for Ki/Mi/Gi/Ti units