HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan ci pr

The scan ci pr command is used for scanning pull request or branch changes in a continuous integration workflow.

Authentication

The command is intended to be used offline as part of a CI workflow within an application (such as GitHub). There should not be any additional Auth needed.

Usage

Usage: vault-radar scan ci pr [options]

Command Options

  • --clone-dir, -c: Define a path to a clone of the repository. If not defined, the current directory is used.
  • --head-ref, -r: Define the head ref or source branch of the PR (required)
  • --base-ref, -b: Define the base ref or target branch of the PR (required)
  • --ref-name, -n: Define the source branch name of the PR
  • --outfile, -o: Define the location to a file where information about found secrets will be stored.
  • --format, -f: Define the output format. Supported values: csv, json, and sarif. json is the default if this is option is not defined.
  • --fail-severity, -s: Define a severity level that will cause the command to fail if any risks are found with a severity level equal to or higher than defined one.
  • --fail-not-latest: When toggled, this will cause the command to fail when a found risk is not part of the latest version.
  • --log-path, -l: Define a path to a file to where logging will be written to.
  • --skip-ignored: Enables skipping risks with the ignore tag.
  • --skip-not-latest: Toggles skipping evaluaton of earlier versions of a risk.
  • --pretty, -p: Define how to output information about found risk.
  • --summary-pretty: Define how to output summary about all found risks. Supported values are: markdown. Defaults to skipping the summary output.
  • --summary-outfile: Define a file to output the summary to. Defaults to stdout.

Simple CI Scan

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME

CI Scan That Fails When A High Severity Risk Is Found

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME -s high

CI Scan That Skips Ignored Errors

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME -s high --skip-ignored

CI Scan That Outputs Information In GHA Format

vault-radar scan ci pr --head-ref HEAD_REF --base-ref BASE_REF --ref-name REFERENCE_NAME --pretty=gha_pr
Edit this page on GitHub