HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan file

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Note

You must have version 0.17.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan file command is used for scanning a file. It is similar to scan folder command but can scan a single file. One difference though is that it can read data from standard input.

Usage

Usage: vault-radar scan file [options]

Scanning a file

Scan a file and write the results to a file in CSV format, this is the default format for output.

$ vault-radar scan file -p <PATH TO FILE> -o <PATH TO OUTPUT>.csv

Scanning a file and output in JSON

Scan a file and write the results to a file in JSON Lines format. 

$ vault-radar scan file -p <PATH TO FILE> -o <PATH TO OUTPUT>.jsonl -f json

Read data from stdin

Scan data coming from stdin. The --name parameter can be used to name data coming from stdin, and it will be used in secret URI in the output file.

$ echo "password abcABC123" | vault-radar scan file \
    -o <PATH TO OUTPUT>.csv \
    --name <NAME>

Scanning using a baseline file

Perform a scan using a previous scan's result and write the new changes to an outfile. With -b option, only new risks, risks that were not found in the previous scan will be reported. 

$ vault-radar scan file -p <PATH TO FILE> \
    -b <PATH TO BASELINE>.csv \
    -o <PATH TO OUTPUT>.csv

HCP connection scanning behavior

The scan commands require an HCP cloud connection to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

Scanning using a Vault index file

Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.

$ vault-radar scan file -p <PATH TO FILE> -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

Scan and restrict the number of secrets found

Scan a clone and write the results to an outfile and stop scanning when the defined number of secrets are found.

$ vault-radar scan file -p <PATH TO FILE> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>
Edit this page on GitHub