Introduction

Note

This operating guide for HCP Vault Radar is emerging guidance. We continually update this guide as we identify common best practices and configurations to help customers get the most from the product.

Throughout this guide, the terms HCP Vault Radar, Vault Radar, and Radar are interchangeable. There is no self-managed or enterprise version of Vault Radar.

Vault Radar’s purpose is to help inspect, protect, and govern environments by automating the detection and identification of unmanaged secrets in code and other locations so that security teams can take appropriate actions to remediate issues. It continuously scans in real-time for secrets.

Vault Radar scans connected cloud and on-premise data sources, detecting over 300 secret patterns across a large number of data sources. Radar automatically scans data sources when they are initially added, and also when there are new commits and new pull requests.

It provides severity, source, type, and other details to help you prioritize and remediate insecure secrets.

Vault Radar also provides the following benefits:

Supports easy hand-off to developers and code repository owners for follow-up either in the application or via notification integrations
Can warn or block pull requests when it finds risk in code
Prevents secrets and sensitive information appearing in code, before and during CI activities
Progress reporting

Tip

Vault Radar does not send or store source code or sensitive data. Instead, Vault Radar performs a two-phase hash or peppering so Vault Radar can identify if the sensitive data exists in different data sources. This hash is then tokenized and returns a universally unique identifier (UUID) which Vault Radar stores in the HashiCorp Cloud Platform. The generated UUID, the commit hash, and the line number where Vault Radar finds the sensitive data is available in the HCP Portal.

Vault Radar deployment models