HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan ci pr

The scan ci pr command is used for scanning pull request or branch changes in a continuous integration workflow.

Authentication

The command is intended to be used offline as part of a CI workflow within an application (such as GitHub). There should not be any additional Auth needed.

Usage

Usage: vault-radar scan ci pr [options]

Command Options

  • --clone-dir, -c: Define a path to a clone of the repository. If not defined, the current directory is used.
  • --head-ref, -r: Define the head ref or source branch of the PR (required)
  • --base-ref, -b: Define the base ref or target branch of the PR (required)
  • --ref-name, -n: Define the source branch name of the PR
  • --outfile, -o: Define the localtion to a file where information about found secrets will be stored.
  • --format, -f: Define the output format. Supported values: csv, json, and sarif. json is the default if this is option is not defined.
  • --fail-severity, -s: Define a severity level that will cause the command to fail if any risks are found with a severity level equal to or higher than defined one.
  • --fail-not-latest: When toggled, this will cause the command to fail when a found risk is not part of the latest version.
  • --log-path, -l: Define a path to a file to where logging will be written to.
  • --skip-ignored: Enables skipping risks with the ignore tag.
  • --skip-not-latest: Toggles skipping evaluaton of earlier versions of a risk.
  • --pretty, -p: Define how to output information about found risk.
  • --summary-pretty: Define how to output summary about all found risks. Supported values are: markdown. Defaults to skipping the summary output.
  • --summary-outfile: Define a file to output the summary to. Defaults to stdout.

Simple CI Scan

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME

CI Scan That Fails When A High Severity Risk Is Found

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME -s high

CI Scan That Skips Ignored Errors

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME -s high --skip-ignored

CI Scan That Outputs Information In GHA Format

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME --pretty=gha_pr