Static analysis flagged 114 findings (53 CRITICAL, 60 HIGH, 1 MEDIUM) across 6 anti-pattern categories. After verifying each against source code with controller-runtime and K8s API domain expertise, ~75% are false positives.
The scanner doesn't trace field-level client resolution (e.g. APIReader vs cached Client),
doesn't check go.mod for typed alternatives before flagging unstructured usage, and projects
core-resource cardinality onto singleton CRDs.
Base ref: 290712c on main