{"id":37220040,"url":"https://github.com/aarnaud/vault-pki-exporter","last_synced_at":"2026-01-15T01:20:38.105Z","repository":{"id":35962902,"uuid":"219828304","full_name":"aarnaud/vault-pki-exporter","owner":"aarnaud","description":"Provides information about X509 certificate on HashiCorp Vault for Prometheus and InfluxDB","archived":false,"fork":false,"pushed_at":"2025-06-26T14:45:07.000Z","size":312,"stargazers_count":14,"open_issues_count":3,"forks_count":14,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-26T15:35:24.008Z","etag":null,"topics":["certificate","certificate-authority","crl","pki","prometheus","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aarnaud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-11-05T18:57:36.000Z","updated_at":"2025-06-26T14:40:39.000Z","dependencies_parsed_at":"2023-12-21T05:23:48.553Z","dependency_job_id":"ddb4b7f5-8b01-48b6-9add-23b3cc1cbdd6","html_url":"https://github.com/aarnaud/vault-pki-exporter","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/aarnaud/vault-pki-exporter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarnaud%2Fvault-pki-exporter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarnaud%2Fvault-pki-exporter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarnaud%2Fvault-pki-exporter/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarnaud%2Fvault-pki-exporter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aarnaud","download_url":"https://codeload.github.com/aarnaud/vault-pki-exporter/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarnaud%2Fvault-pki-exporter/sbom","scorecard":{"id":159043,"data":{"date":"2025-08-11","repo":{"name":"github.com/aarnaud/vault-pki-exporter","commit":"e517fb656b3350e67e910c4dea6588ec910def96"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Maintained","score":2,"reason":"3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":8,"reason":"Found 5/6 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker-image.yml:26","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:15","Warn: no topLevel permission defined: .github/workflows/docker-image.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yaml:11","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/tests.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-image.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/docker-image.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/golangci-lint.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/golangci-lint.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/golangci-lint.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/golangci-lint.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:14: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aarnaud/vault-pki-exporter/tests.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:9: pin your Docker image by updating alpine to alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.2.2 not signed: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/228114844","Warn: release artifact v2.2.1 not signed: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/228114136","Warn: release artifact v2.2.0 not signed: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/194197208","Warn: release artifact v2.1.1 not signed: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/187411110","Warn: release artifact v2.1.0 not signed: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/186472915","Warn: release artifact v2.2.2 does not have provenance: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/228114844","Warn: release artifact v2.2.1 does not have provenance: 
https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/228114136","Warn: release artifact v2.2.0 does not have provenance: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/194197208","Warn: release artifact v2.1.1 does not have provenance: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/187411110","Warn: release artifact v2.1.0 does not have provenance: https://api.github.com/repos/aarnaud/vault-pki-exporter/releases/186472915"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-image.yml:21"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing 
vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T12:49:15.446Z","repository_id":35962902,"created_at":"2025-08-16T12:49:15.446Z","updated_at":"2025-08-16T12:49:15.446Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28441031,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T00:55:22.719Z","status":"ssl_error","status_checked_at":"2026-01-15T00:55:20.945Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","certificate-authority","crl","pki","prometheus","vault"],"created_at":"2026-01-15T01:20:37.569Z","updated_at":"2026-01-15T01:20:38.092Z","avatar_url":"https://github.com/aarnaud.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-pki-exporter\n\n\u003e Exports PKI Certificate and CRL metrics based on certificate metadata and 
dates\n\n## Vault integration\n\nCompatible with all environment variables used by the Vault CLI.\n\nExample:\n\n```console\nVAULT_SKIP_VERIFY=true;\nVAULT_ADDR=https://vault.hostname.com;\nVAULT_CLIENT_KEY=mycert.pem;\nVAULT_CLIENT_CERT=mycert.pem;\nVAULT_AUTH_METHOD=oidc\n```\n\n`VAULT_AUTH_METHOD` is not native to the Vault CLI but is used by this application. Valid values:\n\n- `oidc`\n- `k8s`\n\n- When set to `oidc`, the exporter authenticates using the OIDC method; you can customize the auth mount point by setting `VAULT_AUTH_MOUNT`.\n- When set to `k8s`, the exporter authenticates using the Kubernetes auth method. You should also set `VAULT_K8S_ROLE` to the Vault k8s role name and optionally specify `VAULT_AUTH_MOUNT` for a custom auth mount name.\n\n## Usage\n\n```console\nUsage:\n   [flags]\n   [command]\n\nAvailable Commands:\n  help        Help about any command\n  version     Print the version.\n\nFlags:\n      --fetch-interval duration     How many sec between fetch certs on vault (default 1m0s)\n  -h, --help                        help for this command\n      --influx                      Enable InfluxDB Line Protocol\n      --port int                    Prometheus exporter HTTP port (default 9333)\n      --prometheus                  Enable prometheus exporter, default if nothing else\n      --refresh-interval duration   How many sec between metrics update (default 1m0s)\n      --batch-size-percent          How large of a batch of certificates to get data for at once, supports floats (e.g 0.0 - 100.0) (default 1)\n      --log-level                   Set log level (options: info, warn, error, debug)\n      --request-limit float         Token-bucket limiter for number of requests per second to Vault when fetching certs (0 = disabled)\n      --request-limit-burst int     Token-bucket burst limit for number of requests per second to Vault when fetching certs (0 = match 'request-limit' value)\n  -v, --verbose                     (deprecated) Enable verbose logging. 
Defaults to debug level logging\n\nUse \"[command] --help\" for more information about a command.\n```\n\n## InfluxDB Line Protocol\n\n```console\nx509_crl,host=your.hostname.com,source=pki-test/ expiry=245124i,nextupdate=1573235993i 1572990868\nx509_cert,common_name=My\\ PKI\\ CA,country=CA,host=your.hostname.com,locality=Montreal,organization=Example,organizational_unit=WebService,province=QC,serial=0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26,source=pki-test/ age=14106i,enddate=1573408792i,expiry=417923i,startdate=1572976762i 1572990868\n```\n\n## Prometheus exporter\n\n```console\n# HELP x509_crl_expiry\n# TYPE x509_crl_expiry gauge\nx509_crl_expiry{source=\"pki-test/\", issuer=\"example.com\"} 243687.999819847\n# HELP x509_crl_nextupdate\n# TYPE x509_crl_nextupdate gauge\nx509_crl_nextupdate{source=\"pki-test/\", issuer=\"example.com\"} 1.573235993e+09\n# HELP x509_cert_age\n# TYPE x509_cert_age gauge\nx509_cert_age{common_name=\"My PKI CA\",country=\"CA\",locality=\"Montreal\",organization=\"Example\",organizational_unit=\"WebService\",province=\"QC\",serial=\"0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26\",source=\"pki-test/\"} 15543.000180153\n# HELP x509_cert_enddate\n# TYPE x509_cert_enddate gauge\nx509_cert_enddate{common_name=\"My PKI CA\",country=\"CA\",locality=\"Montreal\",organization=\"Example\",organizational_unit=\"WebService\",province=\"QC\",serial=\"0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26\",source=\"pki-test/\"} 1.573408792e+09\n# HELP x509_cert_expiry\n# TYPE x509_cert_expiry gauge\nx509_cert_expiry{common_name=\"My PKI CA\",country=\"CA\",locality=\"Montreal\",organization=\"Example\",organizational_unit=\"WebService\",province=\"QC\",serial=\"0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26\",source=\"pki-test/\"} 416486.999819847\n# HELP x509_cert_startdate\n# TYPE x509_cert_startdate gauge\nx509_cert_startdate{common_name=\"My PKI 
CA\",country=\"CA\",locality=\"Montreal\",organization=\"Example\",organizational_unit=\"WebService\",province=\"QC\",serial=\"0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26\",source=\"pki-test/\"} 1.572976762e+09\n```\n\n## Batch Size\n\nVault PKI Exporter supports a `--batch-size-percent` flag to batch many requests for individual certificate metrics at once. Each active batch will create a goroutine.\n\nIf you are getting many log messages such as:\n\n```console\nlevel=error msg=\"failed to get certificate for pki/26:97:08:32:44:40:30:de:11:5z:ef:07:64:91:1e:9c:db:93:8c:1f, got error: Get \\\"https://vault.domain.com:8200/v1/pki/cert/26:97:08:32:44:40:30:de:11:5z:ef:07:64:91:1e:9c:db:93:8c:1f\\\": EOF\"\n```\n\nYour batch size is probably too high.\n\n## Rate Limiting\n\nRate limiting flags are also added for large Vault installations. These rate limits apply to all batches with a global, shared limit between batches. This is to prevent overloading Vault with many API calls. You may want to set your `--request-limit-burst` roughly equal to `--request-limit` so the token bucket will begin with as many tokens as your limit uses. This is measured in Vault API calls per second.\n\n## Certificate Selection\n\nAny certificate with a unique subject common name and organizational unit is considered for metrics. If a certificate is renewed in place with the same CN and OU, it will still retain the same time series to avoid false alarms.\n\nRevoked certificates are not considered for metrics and their time series will be deleted when an \"active\" certificate is deleted.\n\nExpired certificates still retain their time series too.\n\n## PKI Engine Selection\n\nRight now the exporter will find any Vault PKI secrets engines and attempt to get certs for all of them. 
PKI secrets engines are currently not selectable by the exporter.\n\n## Contributing\n\nMake sure to run `pre-commit install` to install the various pre-commit linter and formatting hooks.\n\n### Testing\n\nVenom is used for tests; run `sudo venom run tests.yml` to perform integration tests. Make sure you have at least venom version 1.2.0.\n\nUnit tests written as native Go tests would also most likely be welcome as contributions.\n\n### Local Builds\n\nSimply run the docker compose setup - `sudo docker compose up --build`.\n\nYou can navigate to the Vault UI locally at `http://localhost:8200` and use the root token value of `thisisatokenvalue` to log in, as Vault is running in dev mode. It'll set up some initial settings for you with `vault-setup.sh`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarnaud%2Fvault-pki-exporter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faarnaud%2Fvault-pki-exporter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarnaud%2Fvault-pki-exporter/lists"}