Home / netbirdio / netbird
Repository Analysis

netbirdio/netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.

1.0 Likely human-written View on GitHub
1.0
Adjusted Score
1.0
Raw Score
100%
Time Factor
2026-05-29
Last Push
25,621
Stars
Go
Language
425,777
Lines of Code
1775
Files
285
Pattern Hits
2026-05-31
Scan Date

Score History

Severity Breakdown

CRITICAL 1HIGH 0MEDIUM 46LOW 238

Pattern Findings

285 matches across 10 categories. Click a row to expand file-level details.

Decorative Section Separators44 hits · 108 pts
SeverityFileLineSnippet
MEDIUMmanagement/server/types/networkmap_benchmark_test.go35// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go37// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go59// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go61// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go97// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go99// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go171// ──────────────────────────────────────────────────────────────────────────────
MEDIUMmanagement/server/types/networkmap_benchmark_test.go173// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go259// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go261// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go328// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go330// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go391// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go393// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go423// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go425// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go524// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go526// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go582// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go584// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go631// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go633// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go700// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go702// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go768// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go770// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go798// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go800// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go839// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go841// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go904// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go906// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go947// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go949// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go997// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go999// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1032// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1034// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1073// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1075// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1112// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1114// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1151// ──────────────────────────────────────────────────────────────────────────────
MEDIUM…server/types/networkmap_components_correctness_test.go1153// ──────────────────────────────────────────────────────────────────────────────
Over-Commented Block101 hits · 101 pts
SeverityFileLineSnippet
LOWrelease_files/freebsd-port-issue-body.sh1#!/bin/bash
LOWrelease_files/freebsd-port-diff.sh1#!/bin/bash
LOWidp/dex/config.go101 RPDisplayName string `yaml:"rpDisplayName" json:"rpDisplayName"`
LOWtools/idp-migrate/main.go1// Package main provides a standalone CLI tool to migrate user IDs from an
LOWproxy/server.go161 // across replicas. Default: CertLockAuto (detect environment).
LOWproxy/server.go181 // When set, forwarding headers from these sources are preserved and
LOWproxy/server.go201 // RequireSubdomain indicates whether a subdomain label is required
LOWproxy/lifecycle.go21 // ListenAddr is the TCP address the main listener binds. Required.
LOWproxy/lifecycle.go41 CertificateDirectory string
LOWproxy/lifecycle.go61 // "http-01"). Empty defaults to "tls-alpn-01".
LOWproxy/lifecycle.go81 ForwardedProto string
LOWproxy/lifecycle.go101 // RequireSubdomain forces accounts to use a subdomain in front of
LOWproxy/internal/acme/manager.go61 watcher *certwatch.Watcher
LOWproxy/internal/auth/middleware.go341// asks management to resolve it to a peer/user and to gate by the service's
LOWproxy/internal/roundtrip/netbird.go81 // ReadyHandler. The roundtrip package never inspects this value; it
LOWproxy/internal/roundtrip/multi.go21// what private (`netbird proxy`) deployments and centralised proxies
LOWproxy/internal/tcp/snipeek.go21 sniHostNameType = 0
LOWutil/capture/filter.go221// | "port" NUM | "net" PREFIX
LOWutil/netrelay/relay.go61
LOWmanagement/server/account_test.go241 // "peer-1": {
LOWmanagement/server/account_test.go261 // Status: &PeerStatus{
LOWmanagement/server/account_test.go281 // LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
LOWmanagement/server/account_test.go301 // Approved: true,
LOWmanagement/server/account_test.go321 // ID: peerID3,
LOWmanagement/server/account_test.go341 // expectedOfflinePeers: []string{},
LOWmanagement/server/account_test.go361 // Name: peerID2,
LOWmanagement/server/idp/embedded.go41 LocalAddress string
LOWmanagement/server/idp/embedded.go61 // Defaults to "1h" if empty.
LOWmanagement/server/idp/migration/store.go41
LOWmanagement/server/posture/network.go21// Requires the same address family, that outer is no more specific than inner (its
LOWmanagement/server/peer/peer.go21// The Peer is a WireGuard peer identified by a public key
LOWmanagement/server/peer/peer.go81 // SessionStartedAt records when the currently-active sync stream began,
LOWmanagement/server/store/sql_store.go521// The peer is marked connected with the given session token only when
LOWmanagement/server/store/sql_store.go5801// GetProxyClusters returns every cluster the account can see (shared
LOW…nagement/server/store/sql_store_proxy_clusters_test.go21// is online and counts only the fresh proxy; a cluster whose
LOWmanagement/internals/server/config/config.go101 // CertKey is the location of the certificate private key
LOWmanagement/internals/server/config/config.go181 Engine types.Engine
LOWmanagement/internals/shared/grpc/conversion.go201}
LOW…nternals/modules/reverseproxy/sessionkey/sessionkey.go21 jwt.RegisteredClaims
LOWshared/management/client/common/types.go1package common
LOWshared/management/client/rest/accounts_test.go181// })
LOWshared/relay/tls/doc.go1// Package tls provides utilities for configuring and managing Transport Layer
LOWshared/relay/tls/doc.go21// - `generateTestTLSConfig`: Generates a self-signed TLS configuration for
LOWshared/relay/client/guard.go41// It attempts to reconnect to the relay server. The function first tries a quick reconnect
LOWcombined/cmd/config.go21
LOWinfrastructure_files/getting-started-with-zitadel.sh581
LOWinfrastructure_files/migrate.sh1#!/bin/bash
LOWinfrastructure_files/getting-started-with-dex.sh281# Enable password database for static users
LOWinfrastructure_files/getting-started-with-dex.sh301# - type: ldap
LOWinfrastructure_files/getting-started.sh1101 server_name $NETBIRD_DOMAIN;
LOWclient/embed/embed.go81 StatePath string
LOWclient/embed/embed.go101 MTU *uint16
LOWclient/embed/doc.go1// Package embed provides a way to embed the NetBird client directly
LOWclient/embed/doc.go21//
LOWclient/embed/doc.go41// client, err := netbird.New(netbird.Options{
LOWclient/embed/doc.go61// fmt.Printf("Request from %s: %s %s\n", r.RemoteAddr, r.Method, r.URL.Path)
LOWclient/embed/doc.go81// stop := make(chan os.Signal, 1)
LOWclient/embed/doc.go101// "context"
LOWclient/embed/doc.go121// }
LOWclient/embed/doc.go141// defer resp.Body.Close()
41 more matches not shown…
Fake / Example Data86 hits · 98 pts
SeverityFileLineSnippet
LOWencryption/route53_test.go69 {"example.com", "admin@example.com"},
LOWencryption/route53_test.go70 {"x.example.com", "admin@example.com"},
LOWencryption/route53_test.go71 {"x.x.example.com", "admin@example.com"},
LOWencryption/route53_test.go72 {"*.example.com", "admin@example.com"},
LOWutil/crypt/crypt_test.go55 {name: "Email Address", input: "user@example.com"},
LOWmanagement/server/user_test.go466 Name: "John Doe",
LOWmanagement/server/user_test.go1187 tud := &idp.UserData{ID: externalUser.Id, Name: "Test User", Email: "user@example.com"}
LOWmanagement/server/user_test.go1205 assert.Equal(t, "user@example.com", user.Email)
LOWmanagement/server/idp/jumpcloud_test.go81 assert.Equal(t, "John Doe", userData.Name)
LOWmanagement/server/idp/embedded_test.go45 invitedByEmail := "admin@example.com"
LOWmanagement/server/idp/embedded_test.go111 userData, err := manager.CreateUser(ctx, "test@example.com", "Test User", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go147 userData, err := manager.CreateUser(ctx, "delete-me@example.com", "Delete Me", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go182 _, err = manager.CreateUser(ctx, "user1@example.com", "User 1", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go185 _, err = manager.CreateUser(ctx, "user2@example.com", "User 2", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go226 userData, err := manager.CreateUser(ctx, "jwt-test@example.com", "JWT Test", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go541 userData, err := manager1.CreateUser(ctx, "preserved@example.com", "Preserved User", "account1", "admin@example.com")
LOWmanagement/server/idp/embedded_test.go637 _, err = manager2.CreateUser(ctx, "newuser@example.com", "New User", "account1", "admin@example.com")
LOWmanagement/server/idp/azure_test.go132 "displayName": "John Doe",
LOWmanagement/server/idp/azure_test.go137 Name: "John Doe",
LOWmanagement/server/idp/azure_test.go146 "displayName": "John Doe",
LOWmanagement/server/idp/azure_test.go151 Name: "John Doe",
LOWmanagement/server/idp/okta_test.go30 Name: "John Doe",
LOWmanagement/server/idp/migration/migration_test.go591 "acc-1": {{ID: "original-idp-id", Email: "user@example.com", Name: "User"}},
LOWmanagement/server/idp/migration/migration_test.go601 assert.Equal(t, "user@example.com", ms.updateInfoCalls[0].Email)
LOWmanagement/server/types/user_test.go238 email: "user@example.com",
LOWmanagement/server/types/user_test.go239 uname: "John Doe",
LOWmanagement/server/types/user_test.go248 email: "user@example.com",
LOW…/server/activity/store/sql_store_idp_migration_test.go84 "email": "user@example.com",
LOW…/server/activity/store/sql_store_idp_migration_test.go102 "email": "user@example.com",
LOW…server/http/handlers/instance/instance_handler_test.go162 assert.Equal(t, "admin@example.com", email)
LOW…server/http/handlers/instance/instance_handler_test.go174 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin User"}`
LOW…server/http/handlers/instance/instance_handler_test.go188 assert.Equal(t, "admin@example.com", response.Email)
LOW…server/http/handlers/instance/instance_handler_test.go195 body := `{"email": "admin@example.com", "password": "securepassword123"}`
LOW…server/http/handlers/instance/instance_handler_test.go239 body := `{"email": "admin@example.com", "name": "User"}`
LOW…server/http/handlers/instance/instance_handler_test.go253 body := `{"email": "admin@example.com", "password": "short", "name": "User"}`
LOW…server/http/handlers/instance/instance_handler_test.go286 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "User"}`
LOW…server/http/handlers/instance/instance_handler_test.go305 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "User"}`
LOW…server/http/handlers/instance/instance_handler_test.go322 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true}`
LOW…server/http/handlers/instance/instance_handler_test.go341 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin"}`
LOW…server/http/handlers/instance/instance_handler_test.go381 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true}`
LOW…server/http/handlers/instance/instance_handler_test.go403 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true, "pat_expi
LOW…server/http/handlers/instance/instance_handler_test.go445 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true, "pat_expi
LOW…server/http/handlers/instance/instance_handler_test.go460 assert.Equal(t, "admin@example.com", gotAccountArgs.email)
LOW…server/http/handlers/instance/instance_handler_test.go492 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true, "pat_expi
LOW…server/http/handlers/instance/instance_handler_test.go537 body := `{"email": "admin@example.com", "password": "securepassword123", "name": "Admin", "create_pat": true, "pat_expi
LOWmanagement/server/instance/manager_test.go77 userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go79 assert.Equal(t, "admin@example.com", userData.Email)
LOWmanagement/server/instance/manager_test.go90 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go98 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go111 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go122 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go130 userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go132 assert.Equal(t, "admin@example.com", userData.Email)
LOWmanagement/server/instance/manager_test.go139 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go147 userData, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go149 assert.Equal(t, "admin@example.com", userData.Email)
LOWmanagement/server/instance/manager_test.go160 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go168 _, err := mgr.CreateOwnerUser(context.Background(), "admin@example.com", "password123", "Admin")
LOWmanagement/server/instance/manager_test.go320 email: "admin@example.com",
LOWmanagement/server/instance/manager_test.go342 email: "admin@example.com",
26 more matches not shown…
Verbosity Indicators37 hits · 72 pts
SeverityFileLineSnippet
LOWproxy/server.go848 // Step 1: Fail readiness probe so load balancers stop routing new traffic.
LOWproxy/server.go853 // Step 2: When running behind a load balancer, wait for endpoint removal
LOWproxy/server.go860 // Step 3: Stop accepting new connections and drain in-flight requests.
LOWproxy/server.go871 // Step 4: Close hijacked connections (WebSocket) that Shutdown does not handle.
LOWproxy/server.go879 // Step 5: Stop all remaining background services.
LOWproxy/internal/tcp/router_test.go1531 // Step 1: Add fallback first (port mapping), then SNI route (TLS service).
LOWproxy/internal/tcp/router_test.go1561 // Step 2: Remove SNI route. Fallback still works, router not empty.
LOWproxy/internal/tcp/router_test.go1576 // Step 3: Remove fallback. Router is now empty.
LOWclient/internal/updater/reposign/artifact_test.go1019 // Step 1: Create root key
LOWclient/internal/updater/reposign/artifact_test.go1043 // Step 2: Generate artifact key
LOWclient/internal/updater/reposign/artifact_test.go1047 // Step 3: Create and validate key bundle
LOWclient/internal/updater/reposign/artifact_test.go1061 // Step 4: Sign artifact data
LOWclient/internal/updater/reposign/artifact_test.go1066 // Step 5: Validate artifact
LOWclient/internal/updater/reposign/revocation_test.go826 // Step 1: Create empty revocation list
LOWclient/internal/updater/reposign/revocation_test.go830 // Step 2: Validate it
LOWclient/internal/updater/reposign/revocation_test.go838 // Step 3: Revoke a key
LOWclient/internal/updater/reposign/revocation_test.go846 // Step 4: Validate the extended list
LOWclient/internal/updater/reposign/revocation_test.go855 // Step 5: Verify the revocation time is reasonable
LOWclient/internal/updater/reposign/root_test.go413 // Step 1: Generate root key
LOWclient/internal/updater/reposign/root_test.go420 // Step 2: Parse the private key back
LOWclient/internal/updater/reposign/root_test.go426 // Step 3: Generate an artifact key using root key
LOWclient/internal/updater/reposign/root_test.go431 // Step 4: Verify the artifact key signature
LOWclient/internal/updater/reposign/root_test.go450 // Step 5: Use artifact key to sign data
LOWclient/internal/updater/reposign/root_test.go456 // Step 6: Verify the artifact data signature
LOWclient/internal/updater/reposign/verify_test.go68 // Step 1: Generate root key
LOWclient/internal/updater/reposign/verify_test.go72 // Step 2: Generate artifact key
LOWclient/internal/updater/reposign/verify_test.go79 // Step 3: Create revocation list
LOWclient/internal/updater/reposign/verify_test.go83 // Step 4: Bundle artifact keys
LOWclient/internal/updater/reposign/verify_test.go87 // Step 5: Create test artifact
LOWclient/internal/updater/reposign/verify_test.go93 // Step 6: Sign artifact
LOWclient/internal/updater/reposign/verify_test.go97 // Step 7: Setup mock HTTP server
LOWclient/internal/updater/reposign/verify_test.go118 // Step 8: Create ArtifactVerify with test root key
LOWclient/internal/updater/reposign/verify_test.go127 // Step 9: Verify artifact
LOWclient/ssh/server/getent_test.go93 // Step 1: currentUserWithGetent must resolve the running user.
LOWclient/ssh/server/getent_test.go99 // Step 2: lookupWithGetent by the same username must return matching identity.
LOWclient/ssh/server/getent_test.go106 // Step 3: groupIdsWithFallback must return at least the primary GID.
LOWclient/ssh/server/getent_test.go123 // Step 4: getShellFromGetent should either return a valid shell path or empty
Redundant / Tautological Comments11 hits · 16 pts
SeverityFileLineSnippet
LOWrelease_files/post_install.sh35# Check if this is a clean install or an upgrade
LOWrelease_files/install.sh258 # Check if the package is already installed
LOWrelease_files/freebsd-port-diff.sh104 # Check if old version had PORTREVISION
LOWrelease_files/ui-post-install.sh6# Check if netbird-ui is running
LOW.github/workflows/check-license-dependencies.yml95 # Check if any importer is NOT in management/signal/relay
LOWinfrastructure_files/migrate.sh390 # Check if this volume exists in Docker
LOWinfrastructure_files/migrate.sh721 # Check if it's only the default ["0.0.0.0/0"]
LOWinfrastructure_files/configure.sh44# Check if PostgreSQL is set as the store engine
LOWinfrastructure_files/configure.sh56# Check if MySQL is set as the store engine
LOWinfrastructure_files/configure.sh169# Check if letsencrypt was disabled
LOWinfrastructure_files/configure.sh197# Check if management identity provider is set
Hallucination Indicators1 hit · 10 pts
SeverityFileLineSnippet
CRITICAL.github/workflows/release.yml641 const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
Self-Referential Comments1 hit · 3 pts
SeverityFileLineSnippet
MEDIUMrelease_files/install.sh138 # Create the necessary file structure for /dev/net/tun
AI Slop Vocabulary1 hit · 3 pts
SeverityFileLineSnippet
MEDIUMmanagement/server/idp/embedded.go286 // Absolutely required, otherwise the dex server will omit the MFA configuration entirely
Example Usage Blocks2 hits · 3 pts
SeverityFileLineSnippet
LOWinfrastructure_files/migrate.sh11# Usage:
LOWclient/internal/routemanager/refcounter/refcounter.go58// Usage example:
Overly Generic Function Names1 hit · 1 pts
SeverityFileLineSnippet
LOWproxy/web/src/data.ts31export function getData(): Data {