HashiCorp Cloud Platform
Pull request check policies
Pull request checks allow Vault Radar to scan every pull request, and every new commit pushed to an open pull request.
Vault Radar will alert you to any sensitive data found in the pull request, including both the tip of the pull request and the history of any commits. The alert includes details on where and what type of secrets it finds.
The policies have two levels today:
- Whether the scan marks the pull request as failed if any secrets are at the tip of the pull request.
- Whether the pull request should be blocked from merging into the target branch if the uploaded scan result shows secrets at the tip.
Set the scan to fail in the Vault Radar UI. Set the scan to block in your provider or pipeline settings.
GitHub Checks
To enable pull request checks on GitHub, install the Vault Radar GitHub App.
Prerequisites
- Vault Radar project configured and resources monitored
- Permission to install the Vault Radar app for GitHub Checks in your organization. For example, an organization owner or someone with admin level permissions in a repository.
GitHub Cloud
Vault Radar accounts are monitored by the Vault Radar Checks App.
- Install the Vault Radar Checks App. (You must have permissions in GitHub to install the app).
Once installed, Vault Radar checks your future PRs and commits to PRs in monitored repositories.
GitHub Enterprise Server
This version of GitHub Checks is for customers using the self-managed GitHub Enterprise Server.
1. Create the GitHub Enterprise Server Checks app following the instructions here. Note: one step in those instructions is to add the app configuration details in the Vault Radar UI.
2. Install the app created in step 1 on the organization (performed by someone who has permission in GitHub to install the app).
Once installed, Vault Radar checks your future pull requests + commits to pull requests in monitored repositories.
Configure repositories
To configure which repositories the Vault Radar app for GitHub Checks monitors after installation:
Go to your GitHub organization → Settings → GitHub Apps (the URL pattern is https://github.com/organizations/{orgname}/settings/installations) to review all applications installed in the org. Find the Vault Radar app for GitHub Checks in the list and click the Configure button.
Using the GitHub interface, make selections about which repositories the app can access, and save the changes.
Any changes take effect with the next pull request (or commit in an open pull request), and apply to all users of the org.
Blocking pull requests
To block merging pull requests when Vault Radar uploads a failed scan to your pull request, configure the following repository-level settings in GitHub.
Navigate to your GitHub repository at https://github.com/{orgname}/{reponame}.
Click on Settings in the top bar.
Click on Branches in the left nav.
Add a branch protection rule, or update an existing one, for the target branch you want to protect. These rules apply when pull requests try to merge into that target branch.
Make sure to select Require status checks to pass before merging, and find and select the HashiCorp Vault Radar Secret Scan status check.
Note
The HashiCorp Vault Radar Secret Scan status checks may not appear unless Vault Radar has uploaded a scan result to your repository within the past 7 days. If you get stuck in this state, you may need to first create a pull request to trigger a check before proceeding.
Disable GitHub checks
Follow the steps to configure the Vault Radar GitHub Checks app.
From the configuration page, select either suspend or uninstall.
Both options take effect and apply to the entire GitHub org.
Bitbucket Insights
To enable pull request scans on Bitbucket:
Navigate to your Bitbucket repository, and click on any commit. Within that commit view, in the bottom right-hand corner there should be an option to index your repository by clicking Go to pull request. This may take several minutes while the repository is indexed in the background.
Contact the customer success team to enable Bitbucket Code Insights in your project.
Once set up, Vault Radar checks future pull requests, and commits to pull requests, in monitored repositories, and uploads the results to the Reports section of your pull request.