HashiCorp Cloud Platform
scan docker-image
The scan docker-image command is used for scanning a Docker image.
Authentication
To scan a private Docker image, set the following environment variables to authenticate against the registry: DOCKER_REGISTRY_USERNAME (the registry username) and DOCKER_REGISTRY_PASSWORD (the registry password or token).
Usage
Usage: vault-radar scan docker-image [options]
Command options
--image, -i: The image reference (including the tag or digest) of the Docker image to scan. (required)
--outfile, -o: Specifies the file to store information about found secrets.
--format, -f: Specifies the output format. CSV, JSON, and SARIF are supported. Defaults to CSV.
--baseline, -b: Specifies the file with previous scan results. Only new secrets are reported.
--limit, -l: Specifies the maximum number of secrets to be reported. The scan stops when the limit is reached.
--index-file: Specifies the index file path to use to determine which risks are Vaulted.
--disable-ui: Specifies that the scan summary should not be logged to stdout.
--skip-activeness: If specified, skips activeness checks.
Scan a Docker image
Scan a public Docker image (or a private image that has already been pulled locally) and write the results to a file in CSV format, the default output format.
The image reference may optionally include a tag or image digest. If neither is specified, Vault Radar scans the latest tag.
$ vault-radar scan docker-image -i <IMAGE REFERENCE> -o <PATH TO OUTPUT>.csv
Scan a private Docker image
To scan a private Docker image, set the environment variables described in the Authentication section, then run the scan.
$ vault-radar scan docker-image -i <IMAGE REFERENCE> -o <PATH TO OUTPUT>.csv
Example:
First, set the username and password as environment variables.
$ export DOCKER_REGISTRY_USERNAME=<ARTIFACTORY_USERNAME>
$ export DOCKER_REGISTRY_PASSWORD=<ARTIFACTORY_TOKEN>
Scan the XXX.artifactory.XXX/YYY-image image.
$ vault-radar scan docker-image -i XXX.artifactory.XXX/YYY-image \
-o results-docker-image.csv
Scan a Docker image and output in JSON
Scan a Docker image and write the results to a file in JSON Lines format.
$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
-o <PATH TO OUTPUT>.jsonl \
-f json
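As an added example (not part of the Vault Radar documentation), the following POSIX shell wrapper combines the JSON Lines output with the --baseline and --disable-ui options to gate a CI job on new secrets. It assumes vault-radar is on PATH (the VAULT_RADAR override variable is this script's own convention, not a documented setting), that an HCP connection is configured, and that the registry credentials from the Authentication section are exported for private images.

```shell
#!/bin/sh
# Added example, not part of the Vault Radar docs: run the docker-image scan
# with JSON Lines output and a baseline, then fail when any new secret is
# reported. VAULT_RADAR (an assumption of this script) selects the binary;
# DOCKER_REGISTRY_USERNAME/DOCKER_REGISTRY_PASSWORD must be exported for
# private registries. Each line of the -f json outfile is one finding.
set -u
VAULT_RADAR="${VAULT_RADAR:-vault-radar}"

# count_findings FILE: number of non-empty JSON Lines records in FILE (0 if absent).
count_findings() {
  [ -f "$1" ] || { echo 0; return 0; }
  awk 'NF { n++ } END { print n + 0 }' "$1"
}

# scan_image_gate IMAGE OUTFILE [BASELINE]
# Returns 0 when the scan reports no new secrets, 1 when it reports some,
# and 2 when the scan itself failed (registry auth, pull or HCP connection).
scan_image_gate() {
  image="$1"; outfile="$2"; baseline="${3:-}"
  set -- "$VAULT_RADAR" scan docker-image -i "$image" -o "$outfile" \
         -f json --disable-ui
  # With a baseline, only secrets absent from the previous results are written.
  if [ -n "$baseline" ]; then
    set -- "$@" -b "$baseline"
  fi
  "$@" || return 2
  count=$(count_findings "$outfile")
  echo "new secrets reported for $image: $count"
  [ "$count" -eq 0 ]
}

# Stand-alone use: scan_image_gate IMAGE OUTFILE [BASELINE]
if [ $# -gt 0 ]; then
  scan_image_gate "$@"
fi
```

Keep the previous run's outfile as the next run's baseline so the gate only trips on secrets that were not already known.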
HCP connection scanning behavior
The scan commands require an HCP cloud connection so that hashes are generated with a shared salt from the cloud, which keeps them consistent across scans. To populate the required HCP connection information, refer to the HCP upload page.
Use a Vault index file
Perform a scan using a generated Vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results also report its location in Vault.
$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
-o <PATH TO OUTPUT>.csv \
--index-file <PATH TO VAULT INDEX>.jsonl
Refer to Generate a vault index for instructions.
Scan and restrict the number of secrets found
Scan a Docker image, write the results to an outfile, and stop scanning once the defined number of secrets has been found.
$ vault-radar scan docker-image -i <IMAGE REFERENCE> \
-o <PATH TO OUTPUT>.csv \
-l <NUM OF SECRETS>