OSTIF is proud to share the results of our security audit of cert-manager. cert-manager is an open source project for certificate management in Kubernetes. With the help of Ada Logics and the Cloud Native Computing Foundation, this audit helps the project meet the requirements to apply for graduation through the CNCF.

Audit Process:

In order to audit the code quality of cert-manager, the Ada Logics team first designed a threat model for cert-manager and continued to refine it throughout the engagement. Guided by that model, they performed a manual audit of the codebase and of the project's development lifecycle and release practices. During the audit, 20 dependencies relevant to cert-manager's supply chain were reviewed using the OpenSSF Scorecard and the SLSA framework, meaning that each was scored and then scrutinized according to its impact on cert-manager's security. Additionally, the project was integrated into OSS-Fuzz to undergo continuous fuzzing.

Audit Results:

  • 8 findings with security impact, all resolved in cert-manager v1.12.8, v1.13.4 and v1.14.3
  • cert-manager integrated into OSS-Fuzz for continuous fuzzing
  • Supply-chain security of 20 dependencies audited with the OpenSSF Scorecard, with additional recommendations for future work
  • Code base and critical execution paths of cert-manager audited
  • Formal threat model of cert-manager, with figures and detailed documentation of threat actors and trust boundaries

As cert-manager moves towards graduation status through the CNCF, we hope its users and community continue to support this and other open source projects as they work to improve and harden their security and development life cycles.

Thank you to the individuals and groups that made this engagement possible:

  • cert-manager maintainers and community, specifically Ashley Davis, Tim Ramlot, Maël Valais, Richard Wall, and Adam Talbot
  • Ada Logics: Adam Korczynski and David Korczynski
  • the Cloud Native Computing Foundation

Read the audit report HERE

Read cert-manager’s blog https://cert-manager.io/announcements/2024/21/18/cert-manager-security-audit/ 

Read Ada Logics' blog at https://adalogics.com/blog/cert-manager-security-audit-2024

Read the CNCF’s announcement at https://www.cncf.io/blog/2024/03/18/cert-manager-completes-cncf-sponsored-security-audit/ 

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact us at [email protected].