Repository Analysis

cert-manager/cert-manager

Automatically provision and manage TLS certificates in Kubernetes

2.4 Likely human-written

Adjusted Score: 2.4
Raw Score: 2.4
Time Factor: 100%
Last Push: 2026-05-29
Stars: 13,835
Language: Go
Lines of Code: 241,802
Files: 1080
Pattern Hits: 590
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 0 · HIGH 0 · MEDIUM 11 · LOW 579

Pattern Findings

590 matches across 6 categories.

Over-Commented Block: 571 hits · 528 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| LOW | .clomonitor.yml | 1 | # License scanning information |
| LOW | cmd/cainjector/app/controller.go | 101 | // Why do we disable the cache for v1.Secret? |
| LOW | cmd/cainjector/app/controller.go | 121 | // This initial list operation can place enormous load on |
| LOW | design/20190708.certificate-request-crd.md | 121 | ## Proposal |
| LOW | design/20200326.extensible-certificate-controller.md | 121 | // |
| LOW | design/20200326.extensible-certificate-controller.md | 141 | // for the next certificate iteration. |
| LOW | design/20200326.extensible-certificate-controller.md | 161 | // the options on the Certificate resource are compared against the |
| LOW | design/acme-orders-challenges-crd.md | 81 | // If the Issuer does not exist, processing will be retried. |
| LOW | design/acme-orders-challenges-crd.md | 101 | // Config specifies a mapping from DNS identifiers to how those identifiers |
| LOW | design/acme-orders-challenges-crd.md | 141 | // State represents the state of an ACME resource, such as an Order. |
| LOW | design/acme-orders-challenges-crd.md | 161 | // If an Order is marked 'Ready', the corresponding certificate |
| LOW | design/acme-orders-challenges-crd.md | 181 | // Expired signifies that an ACME resource has expired. |
| LOW | design/acme-orders-challenges-crd.md | 261 | // or not. |
| LOW | tools/setup-integration-test-dependencies.sh | 1 | #!/usr/bin/env bash |
| LOW | …st/integration/certificates/metrics_controller_test.go | 241 | certmanager_certificate_challenge_status{domain="example.com",name="test-challenge-status",namespace="testns",processing |
| LOW | test/e2e/framework/addon/internal/globals.go | 41 | SupportsGlobal() bool |
| LOW | test/e2e/framework/log/log.go | 41 | |
| LOW | test/e2e/framework/helper/featureset/featureset.go | 41 | // IPAddressFeature denotes tests that set the IPAddresses field. |
| LOW | test/e2e/framework/helper/featureset/featureset.go | 61 | |
| LOW | test/e2e/suite/issuers/ca/fixtures.go | 21 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| LOW | test/e2e/suite/issuers/ca/fixtures.go | 41 | // Public Key Algorithm: id-ecPublicKey |
| LOW | test/e2e/suite/issuers/ca/fixtures.go | 101 | // Version: 3 (0x2) |
| LOW | test/e2e/suite/issuers/ca/fixtures.go | 121 | // X509v3 extensions: |
| LOW | test/e2e/suite/issuers/ca/fixtures.go | 181 | // Not After : Oct 21 13:13:40 2121 GMT |
| LOW | …/suite/conformance/certificatesigningrequests/suite.go | 41 | // returns an SignerName to that Issuer that will be used as the SignerName |
| LOW | …/suite/conformance/certificatesigningrequests/suite.go | 61 | |
| LOW | test/e2e/suite/conformance/certificates/suite.go | 41 | // IssuerRef on Certificate resources that this suite creates. |
| LOW | deploy/charts/cert-manager/values.yaml | 1 | # +docs:section=Global |
| LOW | deploy/charts/cert-manager/values.yaml | 21 | # If a component-specific nodeSelector is also set, it will be merged and take precedence. |
| LOW | deploy/charts/cert-manager/values.yaml | 41 | priorityClassName: "" |
| LOW | deploy/charts/cert-manager/values.yaml | 81 | # +docs:property |
| LOW | deploy/charts/cert-manager/values.yaml | 101 | # as part of the Helm installation. |
| LOW | deploy/charts/cert-manager/values.yaml | 121 | # only be a single instance active at a time. |
| LOW | deploy/charts/cert-manager/values.yaml | 141 | # Pod is currently running. |
| LOW | deploy/charts/cert-manager/values.yaml | 161 | # +docs:property |
| LOW | deploy/charts/cert-manager/values.yaml | 181 | # +docs:property |
| LOW | deploy/charts/cert-manager/values.yaml | 201 | # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `image.name`). |
| LOW | deploy/charts/cert-manager/values.yaml | 221 | # used. This namespace will not be automatically created by the Helm chart. |
| LOW | deploy/charts/cert-manager/values.yaml | 241 | |
| LOW | deploy/charts/cert-manager/values.yaml | 261 | |
| LOW | deploy/charts/cert-manager/values.yaml | 281 | # apiVersion: controller.config.cert-manager.io/v1alpha1 |
| LOW | deploy/charts/cert-manager/values.yaml | 301 | # LiteralCertificateSubject: true # BETA - default=true |
| LOW | deploy/charts/cert-manager/values.yaml | 321 | # maxChainLength: 95000 # Maximum size in bytes for certificate chains (default: 95000) |
| LOW | deploy/charts/cert-manager/values.yaml | 341 | # List of signer names that cert-manager will approve by default. CertificateRequests |
| LOW | deploy/charts/cert-manager/values.yaml | 361 | |
| LOW | deploy/charts/cert-manager/values.yaml | 381 | # - $PROFILE_ARN |
| LOW | deploy/charts/cert-manager/values.yaml | 401 | # Resources to provide to the cert-manager controller pod. |
| LOW | deploy/charts/cert-manager/values.yaml | 441 | # podAnnotations: {} |
| LOW | deploy/charts/cert-manager/values.yaml | 461 | |
| LOW | deploy/charts/cert-manager/values.yaml | 481 | |
| LOW | deploy/charts/cert-manager/values.yaml | 541 | |
| LOW | deploy/charts/cert-manager/values.yaml | 561 | # http_proxy: "http://proxy:8080" |
| LOW | deploy/charts/cert-manager/values.yaml | 581 | # operator: In |
| LOW | deploy/charts/cert-manager/values.yaml | 601 | # topologyKey: topology.kubernetes.io/zone |
| LOW | deploy/charts/cert-manager/values.yaml | 621 | timeoutSeconds: 15 |
| LOW | deploy/charts/cert-manager/values.yaml | 641 | enabled: true |
| LOW | deploy/charts/cert-manager/values.yaml | 681 | # endpoint such as relabelings, metricRelabelings etc. |
| LOW | deploy/charts/cert-manager/values.yaml | 721 | # Additional annotations to add to the PodMonitor. |
| LOW | deploy/charts/cert-manager/values.yaml | 741 | # serverName: cert-manager-metrics |
| LOW | deploy/charts/cert-manager/values.yaml | 761 | # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. |

511 more matches not shown…

Self-Referential Comments: 7 hits · 21 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| MEDIUM | deploy/charts/cert-manager/values.yaml | 644 | # Create a ServiceMonitor to add cert-manager to Prometheus. |
| MEDIUM | deploy/charts/cert-manager/values.yaml | 696 | # Create a PodMonitor to add cert-manager to Prometheus. |
| MEDIUM | deploy/charts/cert-manager/values.yaml | 1167 | # Create the CA Injector deployment |
| MEDIUM | hack/verify-upgrade.sh | 92 | # Create a cert-manager issuer and cert |
| MEDIUM | hack/verify-upgrade.sh | 152 | # Create a cert-manager issuer and cert |
| MEDIUM | make/config/samplewebhook/chart/templates/pki.yaml | 2 | # Create a selfsigned Issuer, in order to create a root CA certificate for |
| MEDIUM | make/config/samplewebhook/chart/templates/pki.yaml | 40 | # Create an Issuer that uses the above generated CA certificate to issue certs |

AI Slop Vocabulary: 3 hits · 9 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| MEDIUM | internal/controller/certificates/policies/checks.go | 219 | // This comparison is a lot less robust than comparing against the CertificateRequest |
| MEDIUM | hack/latest-base-images.sh | 25 | # We use the nonroot variants of the distroless images to follow best practices around container security. |
| MEDIUM | hack/latest-kind-images.sh | 35 | # It can be made more robust if / when Kind |

Fake / Example Data: 6 hits · 6 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| LOW | pkg/util/pki/nameconstraints_test.go | 59 | PermittedEmailAddresses: []string{"user@example.com"}, |
| LOW | pkg/util/pki/nameconstraints_test.go | 87 | PermittedEmailAddresses: []string{"user@example.com"}, |
| LOW | …oller/certificaterequests/venafi/custom_fields_test.go | 31 | {"name": "Authoriser Name", "value": "John Doe"},{"name": "Division", "value": "BU1"} |
| LOW | …oller/certificaterequests/venafi/custom_fields_test.go | 36 | {Name: "Authoriser Name", Value: "John Doe"}, |
| LOW | …oller/certificaterequests/venafi/custom_fields_test.go | 51 | {Name: "Authoriser Name", Value: "John Doe"}, |
| LOW | pkg/issuer/acme/setup_test.go | 90 | someEmail = "test@test.com" |

Slop Phrases: 1 hit · 3 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| MEDIUM | make/config/kind/cluster.yaml | 19 | # TIP: If you are running kind on a computer with corporate MITM VPN, you can add |

Verbosity Indicators: 2 hits · 3 pts

| Severity | File | Line | Snippet |
|---|---|---|---|
| LOW | pkg/controller/certificate-shim/ingresses/controller.go | 80 | // We re-queue on "Update" because we need to check if the Certificate is |
| LOW | pkg/controller/certificate-shim/gateways/controller.go | 66 | // Gateway because we need to check if the Certificate is still up to date. |