HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan ci tip

The scan ci tip command is used for scanning the tip of a branch in a continous integration workflow.

Authentication

The command is intended to be used offline as part of a CI workflow within an application (such as GitHub). There should not be any additional Auth needed.

Usage

Usage: vault-radar scan ci tip [options]

Command Options

  • --clone-dir, -c: Define a path to a clone of the repository. If not defined, the current directory is used.
  • --outfile, -o: Define the localtion to a file where information about found secrets will be stored.
  • --format, -f: Define the output format. Supported values: csv, json, and sarif. json is the default if this is option is not defined.
  • --fail-severity, -s: Define the severity level of found risks that will cause the command to fail. Supported values: info, low, medium, high, and critical.
  • --log-path, -l: Define the path to a file where logging will be output to.
  • --skip-ignored: Specifies that risks with the ignore tag should be skipped.
  • --pretty, -p: Define how to output information about found risk.
  • --summary-pretty: Define how to output summary about all found risks. Supported values are: markdown. Defaults to skipping the summary output.
  • --summary-outfile: Define the file to output the summary to. Defaults to stdout.

Tip of Branch Scan

This scan will fail when a risk of high severity is found, output information about found risks to a file vault-radar.jsonl, log information to a file vault-radar.log and output the results to stdout in a format for GitHub Actions. 

vault-radar scan ci tip -s high -o vault-radar.jsonl -l vault-radar.log --pretty=gha