scan ci

The scan ci command is used to enable scanning content in a continuous integration workflow.

Usage

Usage: vault-radar scan ci [subcommand]

Command Options

pr: Scans a git repository branch/pr for a CI/CD workflow
tip: Scans the tip of a git repository branch for a CI/CD workflow

Example Vault Radar CI configurations

Your HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET from your project are needed to use the vault-radar scan ci commands. These values will need to be available to the workflow runner as environment variables.

The following sample GitHub workflow yaml is an example of using the vault-radar scan ci commands in a configuration that will scan for risks when commits or PRs are created within a repository.

Note: When using the tip scan, it's important to add the with section to the checkout step, and a variable fetch-depth set to 0 so the cloned repository has the entire history. Without this, the results can be inaccurate.

jobs:
 vault-radar:
   runs-on: ubuntu-latest


   steps:
   - name: Checkout code
     uses: actions/checkout@v4
     with:
       fetch-depth: 0


   - name: Run Vault Radar
     env: 
       HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }}
       HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }}
       HCP_PROJECT_ID: ${{ secrets.HCP_PROJECT_ID }}
     run: |
       set -x

       export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
       curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary# This can be replaced with other package managers or to other release versions. See: https://releases.hashicorp.com/vault-radar
       unzip vr.zip -d vr
       mv vr/vault-radar .

       chmod +x vault-radar

       if [[ "${{ github.event_name }}" == "pull_request" ]];
       then
         head_ref="${{ github.event.pull_request.head.sha }}" 
         base_ref="${{ github.event.pull_request.base.sha }}"
         ref_name="${{ github.head_ref }}"
         
         ./vault-radar scan ci pr \
           --head-ref ${head_ref} \
           --base-ref ${base_ref} \
           --ref-name ${ref_name} \
           -s high \ 
           -o vault-radar.jsonl \
           -l vault-radar.log \
           --skip-ignored \
           --pretty=gha_pr
       else
         ./vault-radar scan ci tip -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
       fi

This is an example GitLab pipeline configuration yaml file. The pipeline downloads the latest vault-radar executable and then runs the vault-radar scan ci commands to scan for risks when commits made and merge requests are opened.

HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET can be made available to the pipeline job as pipeline variables in GitLab natively. Please mask your secret if using GitLab variables! A better alternative is to use a secret manager, see here for instructions on how to integrate a Secret Manager like Vault with your GitLab pipelines.

GitLab's default runners use an amd64 architecture and the sample below is configured to support that architecture. If you are using a different architecture be sure to tag the jobs appropriately and additionally you will likely need to use a different vault-radar binary, please see this for the available versions and architectures supported.

Note: It's important to add the variables section with a variable GIT_DEPTH set to 0 so the cloned repository has the entire history. Without this, the results can be inaccurate.

variables:
  GIT_DEPTH: 0

stages:
  - install-vault-radar
  - run-vault-radar

install-vault-radar:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: install-vault-radar
  rules: # Run on commits and merge requests
  - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  - if: $CI_PIPELINE_SOURCE != 'merge_request_event'
  before_script:
    - apt-get -qq update
    - apt-get install -y jq # install jq to use later
  script:
    - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
    - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
    - unzip vr.zip -d vr # unzip the archive
    - mv vr/vault-radar vault-radar
  artifacts:
    when: on_success
    access: none
    expire_in: 1 hour
    paths:
      - vault-radar

run-vault-radar-on-commit:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: run-vault-radar
  dependencies:
    - install-vault-radar
  rules: # Run on merge requests and commits pushed to main branch
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == "main"
  script:
    - ./vault-radar scan ci tip -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
  artifacts:
    untracked: false
    when: on_success
    access: all
    expire_in: 1 days
    paths:
      - vault-radar.jsonl
      - vault-radar.log


run-vault-radar-in-merge-request:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: run-vault-radar
  dependencies:
    - install-vault-radar
  rules: # Run only on merge requests
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  script:
    - | # See: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
      ./vault-radar scan ci pr \
      --head-ref "${CI_COMMIT_SHA}" \
      --base-ref "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" \
      --ref-name "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" \
      -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
  artifacts:
    untracked: false
    when: on_success
    access: all
    expire_in: 1 days
    paths:
      - vault-radar.jsonl
      - vault-radar.log

This is an example Bitbucket pipeline configuration. The configuration will run the tip scan on any change merged into main and the pr scan on any pull request.

HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET can be made available to the pipeline job as repository variables.

In order to supply the correct information to the ci commands, additional information about the pull request needs to be fetched using the Bitbucket API. An access token is needed and can be generated by going to Repository Settings > Access Tokens from your Bitbucket repository. In our example the token is saved as a secure repository variable REPO_ACCESS_TOKEN.

Note: It's important to add the clone section with a variable depth set to full so the cloned repository has the entire history. Without this, the results can be inaccurate.

image: atlassian/default-image:3

pipelines:
  branches:
    'main':
      - step:
          name: 'Run Vault Radar'
          clone:
            depth: full
          script:
            - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
            - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
            - unzip vr.zip -d vr
            - mv vr/vault-radar vault-radar
            - ./vault-radar scan ci tip -s medium -o vault-radar.jsonl -l vault-radar.log --pretty=gha
          artifacts:
            - vault-radar.log
            - vault-radar.jsonl
          
  pull-requests:
    '**':
      - step:
          name: 'Run Vault Radar in PR'
          clone:
            depth: full
          script:
          - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
          - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
          - unzip vr.zip -d vr
          - mv vr/vault-radar vault-radar
          - |
            BITBUCKET_PR_INFO=$(curl "https://api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_FULL_NAME}/pullrequests/${BITBUCKET_PR_ID}" -fsS \
            -H 'Content-Type: application/json' \
            -H "Authorization: Bearer $REPO_ACCESS_TOKEN")
          - COMMIT_HEAD_SHA=$(echo -n $BITBUCKET_PR_INFO | jq -r '.source.commit.hash')
          - BASE_HEAD_SHA=$(echo -n $BITBUCKET_PR_INFO | jq -r '.destination.commit.hash')
          - |
            ./vault-radar scan ci pr \
            --head-ref "${COMMIT_HEAD_SHA}" \
            --base-ref "${BASE_HEAD_SHA}" \
            --ref-name "${BITBUCKET_BRANCH}" \
            -s medium -o vault-radar.jsonl -l vault-radar.log --pretty=gha
          artifacts:
            - vault-radar.log
            - vault-radar.jsonl

For Bitbucket server instances, the API used to retrieve the PR details needs to changed to something like so:


BITBUCKET_PR_INFO=$(curl "https://<SERVER DOMAIN>/rest/api/latest/projects/${BITBUCKET_PROJECT_KEY}/repos/${BITBUCKET_REPO_FULL_NAME}/pull-requests/${BITBUCKET_PR_ID}" -fsS \
            -H 'Content-Type: application/json' \
            -H "Authorization: Bearer $REPO_ACCESS_TOKEN")

Bitbucket server API reference