HashiCorp Cloud Platform
scan repo
The scan repo command is used for scanning a git repository.
Authentication
The scan repo command can either scan an existing repo clone or automatically
clone the repo from a provided repo URL. If an existing clone is used, no
authentication is needed. If the repo is public, no authentication is needed either.
Otherwise, a git token must be provided so the CLI can clone the repo. The CLI
reads the token from the VAULT_RADAR_GIT_TOKEN environment variable. The
required value depends on the git server provider: for GitHub and GitLab it can
be just a personal access token (PAT); for Bitbucket and Azure DevOps it must be
in the format <username>:<PAT>.
Usage
Usage: vault-radar scan repo [options]
Command options
--url, -u: If specified, clones and scans the given repo
--clone-dir, -c: If specified, scans the given existing repo clone
--outfile, -o: Specifies the file to store information about found secrets
--format, -f: Specifies the output format; csv and json are supported. Defaults to csv
--baseline, -b: Specifies the file with previous scan results. Only new secrets will be reported
--limit, -l: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
--commit-limit: Specifies the maximum number of commits to be scanned. The scan will stop when the limit is reached
--index-file: Specifies the index file path to use in order to determine which risks are Vaulted
--disable-ui: Specifies that the scan summary should not be logged to stdout
--skip-activeness: If specified, skips activeness checks
Scanning a repo
Automatically clones and scans all commits available in a repo and uploads the results to HCP.
$ vault-radar scan repo -u <REPO URL>
Scanning an existing clone
Scan an existing repo (clone) and write the results to a file in CSV format.
$ vault-radar scan repo -c <PATH TO CLONE DIR> -o <PATH TO OUTPUT>.csv
Scanning an existing clone and output in JSON
Scan a repo (clone) and write the results to a file in JSON Lines format.
$ vault-radar scan repo -c <PATH TO CLONE DIR> -o <PATH TO OUTPUT>.jsonl -f json
HCP connection scanning behavior
The scan commands require an HCP cloud connection so that hashes are generated with a shared salt obtained from the cloud, which keeps them consistent across scans. To populate the HCP connection information that is needed, refer to the HCP upload page.
Scanning using a baseline file
Perform a scan using a previous scan's results and write only the new findings to
an outfile. With the -b option, only new risks, that is, risks that were not found
in the previous scan, are reported.
$ vault-radar scan repo -u <REPO URL> -b <PATH TO BASELINE>.csv \
-o <PATH TO OUTPUT>.csv
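As an added example that is not part of the Vault Radar CLI or its documentation, the following POSIX shell wrapper ties the authentication and baseline sections together: it formats the VAULT_RADAR_GIT_TOKEN value per git provider, runs the baseline scan, and fails the job when the outfile reports any new risk. It assumes the CSV outfile has one header row followed by one row per reported risk (not stated on this page) and uses a hypothetical VAULT_RADAR_BIN override so the wrapper can be exercised with a stand-in instead of the real binary.

```shell
#!/bin/sh
# Added example, not part of the Vault Radar CLI: a CI gate that runs a
# baseline scan and fails when new risks are reported.
# Assumptions (not stated on the page): the CSV outfile has one header row and
# one row per reported risk; VAULT_RADAR_BIN is a hypothetical override so the
# wrapper can be exercised with a stand-in instead of the real binary.

# Build the VAULT_RADAR_GIT_TOKEN value the way the docs describe:
# GitHub/GitLab take a bare PAT, Bitbucket and Azure DevOps need <username>:<PAT>.
radar_git_token() {
  provider="$1"; user="$2"; pat="$3"
  case "$provider" in
    github|gitlab) printf '%s' "$pat" ;;
    bitbucket|azuredevops) printf '%s:%s' "$user" "$pat" ;;
    *) printf 'unknown git provider: %s\n' "$provider" >&2; return 1 ;;
  esac
}

# Number of risks in a CSV outfile: rows after the header (0 if the file is absent).
count_new_risks() {
  if [ ! -f "$1" ]; then echo 0; return; fi
  n=$(wc -l < "$1" | tr -d ' ')
  if [ "$n" -gt 1 ]; then echo $((n - 1)); else echo 0; fi
}

# Scan a repo URL against a baseline; exit status 0 means nothing new was found.
scan_with_baseline() {
  url="$1"; baseline="$2"; outfile="$3"
  "${VAULT_RADAR_BIN:-vault-radar}" scan repo -u "$url" -b "$baseline" -o "$outfile" || return 1
  new=$(count_new_risks "$outfile")
  echo "new risks since baseline: $new"
  [ "$new" -eq 0 ]
}

# Usage in a pipeline (token exported so the CLI can clone a private repo):
#   VAULT_RADAR_GIT_TOKEN=$(radar_git_token bitbucket "$BB_USER" "$BB_PAT")
#   export VAULT_RADAR_GIT_TOKEN
#   scan_with_baseline https://bitbucket.example/repo.git baseline.csv new-risks.csv
```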
Scanning using a Vault index file
Perform a scan using a generated Vault index file and upload the results to HCP. In this mode, if a risk was previously found in Vault, the scan results also report its location in Vault.
$ vault-radar scan repo -u <REPO URL> \
--index-file <PATH TO VAULT INDEX>.jsonl
Scan and restrict the number of secrets found
Stop scanning the repo once the defined number of secrets has been found.
$ vault-radar scan repo -u <REPO URL> -l <NUM OF SECRETS>
Scan and restrict the number of commits scanned
Stop scanning the repo once the defined number of commits has been scanned.
$ vault-radar scan repo -u <REPO URL> --commit-limit <NUM OF COMMITS>