HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Contextual remediation with Vault Radar

Vault Enterprise Only

Remediation between HCP Vault Radar and HashiCorp Vault is supported on HCP Vault Dedicated or Vault Enterprise clusters.

Vault Radar provides built-in remediation recommendations to developers based on the type of secret found in code and the secret's activeness.

View the list of built-in remediations in the HCP Vault Radar Portal. See All Built-in Remediations

Access the recommendation for each secret in the HCP Vault Radar Portal. See Event Remediation Recommendation

Remediation recommendations are also accessible within GitHub pull requests when using the Vault Radar GitHub App.

See Remediation Recommendations on GitHub

Remediation priorities

When multiple remediations match a secret, the remediation with the highest priority is the one recommended to developers. The priorities are shown in the Settings/Remediation page.

To edit a priority -

  1. Select Settings/Remediation.

  2. Click Edit priority

  3. Use the arrow buttons to change the priority .

You can change the priority of a remediation up or down as needed. Priorities are unique within your project so that each secret will map to only one remediation recommendation. HCP Vault Radar web UI with the priority editor

Create custom remediation mapping

The built-in remediations map to fixed categories of secret types and secret activeness. You can create custom remediation mappings and map them to custom categories of risks. New remediations have the highest priority, but you can edit the priority of remediations as needed.

  1. Select Settings/Remediation.

  2. Click Add remediation. HCP Vault Radar web UI with add remediation link form

    The Add remediation page allows you to map secrets matching the selected filter to the new remediation guidance with a customized link.

  3. (Optional) Check Enable PR workflow.

    The Enable PR workflow check box allows Vault Radar to match secrets discovered during pull request scan workflow to the custom remediation. Without checking this box, secrets discovered during pull request scan workflow fall back to lower priority remediations for pull request scan workflows. You can select filters that reference the following fields for the Enable PR workflow:

    • Description
    • Active Secret
    • Resource
    • Severity
    • Category
    • Scanning Method
    • Visibility
    • Data Source

  4. Click Create.

Edit built-in remediation guidance

  1. Select Settings/Remediation.

  2. From the Guidance menu, click Edit remediation. HCP Vault Radar web UI with the edit button

  3. The Edit remediation page allows you to edit the Description text. HCP Vault Radar web UI with the edit remediation link form

  4. Click the radio button for Add link to company remediation guidance.

  5. Paste the new link.

  6. Click Save.

Edit custom remediation guidance

  1. Select Settings/Remediation.

  2. Select the remediation recommendation to edit, and click on the Guidance menu. HCP Vault Radar web UI with the edit remediation link form

  3. Click Edit remediation.

  4. The Edit remediation page allows you to edit the Description text.

  5. The Edit remediation page also allows you to reconfigure the Filter which controls which secrets this remediation maps to, the Status which controls whether the remediation will be applied to secrets shown in the Events page, and the Enable PR workflow setting which controls whether the remediation will be applied to secrets discovered during pull request scan workflow.

  6. The Edit remediation page allows you to edit the Company remediation guidance URL.

Edit this page on GitHub