HashiCorp Cloud Platform
Pull request check policies
Pull request checks allow Vault Radar to scan every new pull request and every new commit to an open pull request.
Vault Radar will alert you to any sensitive data found in the pull request, including both the tip of the pull request and the history of any commits. The alert includes details on where and what type of secrets it finds.
There are two levels to the policies today:
- Whether the scan marks the pull request as failed if any secrets are at the tip of the pull request.
- Whether the pull request should be blocked from merging into the target branch if the uploaded scan result shows secrets at the tip.
Set the scan to fail in the Vault Radar UI. Set the scan to block in your provider or pipeline settings.

GitHub Checks
To enable pull request checks on GitHub, install the Vault Radar GitHub App.
Prerequisites
- Vault Radar project configured and resources monitored
- Permission to install the Vault Radar app for GitHub Checks in your organization. For example, an organization owner or someone with admin level permissions in a repository.
GitHub Cloud
Vault Radar accounts are monitored by the Vault Radar Checks App.
- Install the Vault Radar Checks App. (You must have permissions in GitHub to install the app).
Once installed, Vault Radar checks your future PRs and commits to PRs in monitored repositories.
GitHub Enterprise Server
This version of GitHub Checks is for customers using the self-managed GitHub Enterprise Server.
1. Create the GitHub Enterprise Server Checks app following the instructions here. Note: a step in those instructions is to add the app configuration details in the Vault Radar UI.
2. Install the app created from step 1 on the organization (performed by someone who has permission in GitHub to install the app).
Once installed, Vault Radar checks your future pull requests and commits to pull requests in monitored repositories.
Configure repositories
To configure which repositories the Vault Radar app for GitHub Checks monitors after installation:
Go to your GitHub organization → settings → GitHub apps (the URL pattern is https://github.com/organizations/{orgname}/settings/installations) to review all applications installed in the org.
Find the Vault Radar app for GitHub Checks in the list and click the Configure button.
Using the GitHub interface, make selections about which repositories the app can access, and save the changes.
Any changes take effect with the next pull request (or commit in an open pull request), and apply to all users of the org.
Blocking pull requests
To block merging pull requests when Vault Radar uploads a failed scan to your pull request, configure the following repository-level or organization-level ruleset settings in GitHub. Organization-level rulesets will not be enforced unless the organization has a paid GitHub plan.
Navigate to your GitHub organization at https://github.com/{orgname}
Click on Settings in the top bar.
In the left nav, expand the Repository section, and then click on Rulesets.

Add a branch ruleset, or update an existing one, that targets the repositories and branches you'd like to protect. These rules apply when pull requests are set to merge into the target branch.
Make sure to select Require status checks to pass, and find and select the HashiCorp Vault Radar Secret Scan status check. If it doesn't auto-populate, please copy and paste the name of the status check directly into the search box.

Check the box next to the status check in the dropdown and confirm it populates in the table.
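One way to audit the finished ruleset, as an added example that is not HashiCorp's or GitHub's own code: the function below takes a ruleset in the JSON shape returned by GitHub's rulesets REST API and lists the reasons it would not block a merge on a failed scan. The function name and both sample rulesets are constructed for illustration.

```python
import json

# Status check name exactly as this page gives it.
RADAR_CHECK = "HashiCorp Vault Radar Secret Scan"

def audit_ruleset(ruleset, check_name=RADAR_CHECK):
    """Return the reasons a ruleset would NOT block merging on a failed scan."""
    problems = []
    if ruleset.get("target") != "branch":
        problems.append("not a branch ruleset")
    # Only "active" blocks merges; "evaluate" reports and "disabled" does nothing.
    if ruleset.get("enforcement") != "active":
        problems.append(f"enforcement is {ruleset.get('enforcement')!r}")
    ref_name = (ruleset.get("conditions") or {}).get("ref_name") or {}
    if not ref_name.get("include"):
        problems.append("no target branches selected")
    required = [
        check.get("context")
        for rule in ruleset.get("rules", [])
        if rule.get("type") == "required_status_checks"
        for check in rule.get("parameters", {}).get("required_status_checks", [])
    ]
    # Exact match only: a near-miss such as "Vault Radar" does not count here.
    if check_name not in required:
        problems.append(f"{check_name!r} is not a required status check")
    return problems

# Constructed sample rulesets (not real exports).
BLOCKING = json.loads("""{
  "name": "protect-main", "target": "branch", "enforcement": "active",
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
  "rules": [{"type": "required_status_checks", "parameters": {
    "required_status_checks": [{"context": "HashiCorp Vault Radar Secret Scan"}]}}]
}""")
REPORT_ONLY = json.loads("""{
  "name": "trial", "target": "branch", "enforcement": "evaluate",
  "conditions": {"ref_name": {"include": ["refs/heads/release/*"], "exclude": []}},
  "rules": [{"type": "required_status_checks", "parameters": {
    "required_status_checks": [{"context": "Vault Radar"}]}}]
}""")

if __name__ == "__main__":
    for rs in (BLOCKING, REPORT_ONLY):
        print(rs["name"], audit_ruleset(rs) or "blocks merges on a failed scan")
```

An empty list means the ruleset is active, targets at least one branch pattern, and requires the Vault Radar status check by its exact name.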

Disable GitHub checks
Follow the steps to configure the Vault Radar GitHub Checks app.
From the configuration page, select either suspend or uninstall.
Both options take effect and apply to the entire GitHub org.
Bitbucket Insights
To enable pull request scans on Bitbucket:
Navigate to your Bitbucket repository, and click on any commit. Within that commit view, in the bottom right-hand corner, there should be an option to index your repository by clicking Go to pull request. This may take several minutes while the repository gets indexed in the background.

Contact the customer success team to enable Bitbucket Code Insights in your project.
Once set up, Vault Radar checks future pull requests and commits to pull requests in monitored repositories, and uploads results to the Reports section of your pull request.