scan ci

The scan ci command is used to enable scanning content in a continuous integration workflow.

Usage

Usage: vault-radar scan ci [subcommand]

Command Options

pr: Scans a git repository branch/pr for a CI/CD workflow
tip: Scans the tip of a git repository branch for a CI/CD workflow

Example Vault Radar CI configurations

Your HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET from your project are needed to use the vault-radar scan ci commands. These values will need to be available to the workflow runner as environment variables.

The following sample GitHub workflow YAML is an example of using the vault-radar scan ci commands in a configuration that will scan for risks when You create commits or PRs in a repository.

Note

When using the tip scan, it's important to add the with section to the checkout step, and a variable fetch-depth set to 0 so the cloned repository has the entire history. Without this, the results can be inaccurate.

jobs:
 vault-radar:
   runs-on: ubuntu-latest


   steps:
   - name: Checkout code
     uses: actions/checkout@v4
     with:
       fetch-depth: 0


   - name: Run Vault Radar
     env: 
       HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }}
       HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }}
       HCP_PROJECT_ID: ${{ secrets.HCP_PROJECT_ID }}
     run: |
       set -x

       export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
       curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary# This can be replaced with other package managers or to other release versions. See: https://releases.hashicorp.com/vault-radar
       unzip vr.zip -d vr
       mv vr/vault-radar .

       chmod +x vault-radar

       if [[ "${{ github.event_name }}" == "pull_request" ]];
       then
         head_ref="${{ github.event.pull_request.head.sha }}" 
         base_ref="${{ github.event.pull_request.base.sha }}"
         ref_name="${{ github.head_ref }}"
         
         ./vault-radar scan ci pr \
           --head-ref ${head_ref} \
           --base-ref ${base_ref} \
           --ref-name ${ref_name} \
           -s high \ 
           -o vault-radar.jsonl \
           -l vault-radar.log \
           --skip-ignored \
           --pretty=gha_pr
       else
         ./vault-radar scan ci tip -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
       fi

This is an example GitLab pipeline configuration YAML file. The pipeline downloads the latest vault-radar executable and then runs the vault-radar scan ci commands to scan for risks when you create commits and open merge requests.

Make the HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET evnironment variables available to the pipeline job as pipeline variables in GitLab natively.

Warning

Mask your secret if using GitLab variables.

An alternative is to use a secret manager, see here for instructions on how to integrate a Secret Manager like Vault with your GitLab pipelines.

GitLab's default runners use an amd64 architecture. The sample provided supports that architecture. If you are using a different architecture, tag the jobs appropriately and use the matching vault-radar CLI.

Refer to the release page for the available versions and architectures supported.

Note

Add the variables section with a variable GIT_DEPTH set to 0 so the cloned repository has the entire history. Without this, the results can be inaccurate.

variables:
  GIT_DEPTH: 0

stages:
  - install-vault-radar
  - run-vault-radar

install-vault-radar:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: install-vault-radar
  rules: # Run on commits and merge requests
  - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  - if: $CI_PIPELINE_SOURCE != 'merge_request_event'
  before_script:
    - apt-get -qq update
    - apt-get install -y jq # install jq to use later
  script:
    - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
    - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
    - unzip vr.zip -d vr # unzip the archive
    - mv vr/vault-radar vault-radar
  artifacts:
    when: on_success
    access: none
    expire_in: 1 hour
    paths:
      - vault-radar

run-vault-radar-on-commit:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: run-vault-radar
  dependencies:
    - install-vault-radar
  rules: # Run on merge requests and commits pushed to main branch
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == "main"
  script:
    - ./vault-radar scan ci tip -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
  artifacts:
    untracked: false
    when: on_success
    access: all
    expire_in: 1 days
    paths:
      - vault-radar.jsonl
      - vault-radar.log


run-vault-radar-in-merge-request:
  tags:
    - saas-linux-small-amd64 # default runner
  stage: run-vault-radar
  dependencies:
    - install-vault-radar
  rules: # Run only on merge requests
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  script:
    - | # See: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
      ./vault-radar scan ci pr \
      --head-ref "${CI_COMMIT_SHA}" \
      --base-ref "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" \
      --ref-name "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" \
      -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha
  artifacts:
    untracked: false
    when: on_success
    access: all
    expire_in: 1 days
    paths:
      - vault-radar.jsonl
      - vault-radar.log

This is an example Bitbucket pipeline configuration. The configuration will run the tip scan on any change merged into main and the pr scan on any pull request.

HCP_PROJECT_ID, HCP_CLIENT_ID, and HCP_CLIENT_SECRET should be available to the pipeline job as repository variables.

To supply the correct information to the ci commands, you need to get additional information about the pull request using the Bitbucket API.

You need an access token which you can generate by going to Repository Settings > Access Tokens from your Bitbucket repository. You can save the token as a secure repository variable REPO_ACCESS_TOKEN.

Note

It's important to add the clone section with a variable depth set to full so the cloned repository has the entire history. Without this, the results can be inaccurate.

image: atlassian/default-image:3

pipelines:
  branches:
    'main':
      - step:
          name: 'Run Vault Radar'
          clone:
            depth: full
          script:
            - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
            - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
            - unzip vr.zip -d vr
            - mv vr/vault-radar vault-radar
            - ./vault-radar scan ci tip -s medium -o vault-radar.jsonl -l vault-radar.log --pretty=gha
          artifacts:
            - vault-radar.log
            - vault-radar.jsonl
          
  pull-requests:
    '**':
      - step:
          name: 'Run Vault Radar in PR'
          clone:
            depth: full
          script:
          - export LATEST_VERSION=$(curl https://api.releases.hashicorp.com/v1/releases/vault-radar/latest | jq -r .version)
          - curl https://releases.hashicorp.com/vault-radar/${LATEST_VERSION}/vault-radar_${LATEST_VERSION}_linux_amd64.zip -o vr.zip # download latest binary
          - unzip vr.zip -d vr
          - mv vr/vault-radar vault-radar
          - |
            BITBUCKET_PR_INFO=$(curl "https://api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_FULL_NAME}/pullrequests/${BITBUCKET_PR_ID}" -fsS \
            -H 'Content-Type: application/json' \
            -H "Authorization: Bearer $REPO_ACCESS_TOKEN")
          - COMMIT_HEAD_SHA=$(echo -n $BITBUCKET_PR_INFO | jq -r '.source.commit.hash')
          - BASE_HEAD_SHA=$(echo -n $BITBUCKET_PR_INFO | jq -r '.destination.commit.hash')
          - |
            ./vault-radar scan ci pr \
            --head-ref "${COMMIT_HEAD_SHA}" \
            --base-ref "${BASE_HEAD_SHA}" \
            --ref-name "${BITBUCKET_BRANCH}" \
            -s medium -o vault-radar.jsonl -l vault-radar.log --pretty=gha
          artifacts:
            - vault-radar.log
            - vault-radar.jsonl

For Bitbucket server instances, the API used to retrieve the PR details needs to changed to something like so:


BITBUCKET_PR_INFO=$(curl "https://<SERVER DOMAIN>/rest/api/latest/projects/${BITBUCKET_PROJECT_KEY}/repos/${BITBUCKET_REPO_FULL_NAME}/pull-requests/${BITBUCKET_PR_ID}" -fsS \
            -H 'Content-Type: application/json' \
            -H "Authorization: Bearer $REPO_ACCESS_TOKEN")

Bitbucket server API reference